chore(release): 0.5.35 [skip ci]

## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)

### Bug Fixes

* **helmfile:** Eliminate some yamllint errors ([1d03a6e](1d03a6e11f))
* **helmfile:** Move ldap host variable into helpers ([08811de](08811decd9))
* **helmfile:** Update charts to use proper quoting ([69ea840](69ea840517))
* **services:** Add minio as service and consume by OpenProject ([baa5827](baa5827de3))

.gitignore

@@ -2,7 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 .vscode
 .idea
+.yamllint
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.gotmpl
+helmfile/environments/test/values.yaml
+helmfile/environments/test/values.gotmpl
 helmfile/environments/prod/values.yaml
+helmfile/environments/prod/values.gotmpl

.gitlab-ci.yml

@@ -78,6 +78,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_CRYPTPAD:
+    description: "Enable CryptPad deployment."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ELEMENT:
     description: "Enable Element deployment."
     value: "no"
@@ -183,8 +189,16 @@ env-cleanup:
           $ENV_STOP_BEFORE != "no"
       when: "always"
   script:
-    - "helmfile destroy --namespace ${NAMESPACE}"
+    - |
-    - "kubectl delete pvc --all --namespace ${NAMESPACE}"
+      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
+        for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
+          helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
+        done
+        kubectl delete pvc --all --namespace ${NAMESPACE};
+        kubectl delete jobs --all --namespace ${NAMESPACE};
+      else
+        helmfile destroy --namespace ${NAMESPACE};
+      fi
   stage: "env-cleanup"
 
 env-start:
@@ -334,6 +348,18 @@ collabora-deploy:
   variables:
     COMPONENT: "collabora"
 
+cryptpad-deploy:
+  stage: "component-deploy-stage-1"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
+      when: "always"
+  variables:
+    COMPONENT: "cryptpad"
+
 nextcloud-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,342 @@
+## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)
+
+
+### Bug Fixes
+
+* **helmfile:** Eliminate some yamllint errors ([1d03a6e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1d03a6e11f368fd81dd10b91b0d9d7fc29c0cb24))
+* **helmfile:** Move ldap host variable into helpers ([08811de](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/08811decd92e7fd7802d0eba2644046512ec58a4))
+* **helmfile:** Update charts to use proper quoting ([69ea840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/69ea84051721f3aaf36a5dbafdfb37dd86b66dbb))
+* **services:** Add minio as service and consume by OpenProject ([baa5827](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/baa5827de3e1e368abf238a932a5849f169af723))
+
+## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)
+
+
+### Bug Fixes
+
+* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0d8e92fc5a4729ff7649e5a10e629b962a9b671b))
+
+## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)
+
+
+### Bug Fixes
+
+* **cryptpad:** Update security context ([89ae1d9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/89ae1d94ea4c4e8a15a395a80847a7f235365747))
+
+## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)
+
+
+### Bug Fixes
+
+* **collabora:** Resource definitions ([65ce9a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65ce9a171b7c8ebc453fb6bbe96743c8516da2c6))
+
+## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
+
+## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
+
+
+### Bug Fixes
+
+* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ad043406bef7bb10d561ef1418b58cbd8714d43))
+* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/385d81b9a9e1ec319706493c51629c8e48822aa7))
+
+## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
+
+
+### Bug Fixes
+
+* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
+
+## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
+
+
+### Bug Fixes
+
+* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
+
+## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
+
+
+### Bug Fixes
+
+* **docs:** Re-include release artefacts ([4359b21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4359b21f1cdae91a87b87ad2b270d67a2b1eda21))
+
+## [0.5.26](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.25...v0.5.26) (2023-11-02)
+
+
+### Bug Fixes
+
+* **element:** Enables user directory search for all users ([8fafd90](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8fafd906a3b0efa7e4164b357656d7903fc55371))
+
+## [0.5.25](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.24...v0.5.25) (2023-11-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add CryptPad to support editing of diagrams.net files from within Nextcloud ([ab6014f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ab6014f8c6285785be5c56cd656fe0636df4434c))
+
+## [0.5.24](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.23...v0.5.24) (2023-11-01)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.3.1 ([38336d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/38336d024033f4fe1a28b0f76f9c63ecdb076156))
+
+## [0.5.23](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.22...v0.5.23) (2023-11-01)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web to latest release ([b47de62](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b47de62f987e8778878fee55ecda3032beb55f3d))
+
+## [0.5.22](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.21...v0.5.22) (2023-10-31)
+
+
+### Bug Fixes
+
+* **openproject:** Nextcloud integration within K8s instances ([d249d0e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d249d0e3ce3ee0966033e870ea5c4d9e1928f045))
+
+## [0.5.21](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.20...v0.5.21) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Deinstall components if disabled ([7feaadf](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7feaadf7f8830d8d0d5df752733c9b8f47315df6))
+* **helmfile:** Put enviroments in first document inside of a yaml ([034e98c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/034e98c850fa1f67300c04883904737a69448a25))
+
+## [0.5.20](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.19...v0.5.20) (2023-10-30)
+
+
+### Bug Fixes
+
+* **helmfile:** Remove old XWiki image, set explicit timeout for OP deployment, bump Jitsi Helm chart to enable chat for stand-alone Jitsi ([5d01f8c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5d01f8ca46384d63d69dab0119998c4bb3183084))
+
+## [0.5.19](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.18...v0.5.19) (2023-10-30)
+
+
+### Bug Fixes
+
+* **element:** Update Element Web and Nordeck Widgets to latest releases ([2313f75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2313f75dbe32d855b0c440944bd0de51c8e104ca))
+
+## [0.5.18](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.17...v0.5.18) (2023-10-28)
+
+
+### Bug Fixes
+
+* **xwiki:** Switch to Alpine/Jetty slim image ([b399869](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b39986907cece3cec06012531a55b2699d131f90))
+
+## [0.5.17](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.16...v0.5.17) (2023-10-28)
+
+
+### Bug Fixes
+
+* **nextcloud:** Update swp_integration app and prepare CryptPad integration ([a046dea](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a046deaf173ab41029c2ab5e3161bd89e0fdabcb))
+
+## [0.5.16](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.15...v0.5.16) (2023-10-26)
+
+
+### Bug Fixes
+
+* **openproject:** Slim container with upgraded helm-chart ([535823e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/535823e0a8b2bde72d159835248b2287fd136af7))
+
+## [0.5.15](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.14...v0.5.15) (2023-10-25)
+
+
+### Bug Fixes
+
+* **helmfile:** Add XWiki Jetty and UniventionKeycloak to image.yaml for Compliance checks. They are not yet part of standard deployment. ([8e376bb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/8e376bb4a5e37e16d76ea527cd02a5f614cdfe3d))
+
+## [0.5.14](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.13...v0.5.14) (2023-10-20)
+
+
+### Bug Fixes
+
+* **element:** Support for openDesk top bar with central navigation ([e609b75](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e609b75cc7fcbb7f03997cb5e26dd9cf4628f77d))
+
+## [0.5.13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.12...v0.5.13) (2023-10-20)
+
+
+### Bug Fixes
+
+* **element:** Configure rights and roles ([59d58e3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/59d58e320e503727e42dbfe0b027ba7948275ac6))
+
+## [0.5.12](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.11...v0.5.12) (2023-10-19)
+
+
+### Bug Fixes
+
+* **element:** Add an application service for the intercom-service ([1a4eced](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1a4eced998998faa7ac862b8c409bbd743b16ec0))
+* **element:** Add the Matrix NeoBoard Widget deployment ([5afd233](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5afd2339c20a0be41078ae4c3ce703c62f332557))
+* **element:** Add the Matrix NeoChoice Widget deployment ([7756d35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7756d35fa156b36ed50ba8f837273db56323f45f))
+* **element:** Add the Matrix NeoDateFix Bot deployment ([785989e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/785989e91df5547ab5ac60914b82bc99c4f1a790))
+* **element:** Add the Matrix NeoDateFix Widget deployment ([27b6796](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/27b6796639f37dbd6c26f21fd54502153398aed0))
+* **element:** Add the Matrix User Verification Service deployment ([30405d1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/30405d182d44a5586a4070738dfbe1c141841d19))
+* **element:** Upgrade Element to v1.11.46 ([82a037e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/82a037ec7c25baf41bd0542c3ded47402adc2844))
+* **element:** Upgrade the opendesk-element charts to 2.3.0 ([fd9e04d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fd9e04d9922b949d0f213016169a9024a66a1ded))
+* **element:** Upgrade the opendesk-matrix-widgets charts to 2.3.0 ([cbe5141](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/cbe514176a4d86d166db248d7297d215409016d2))
+* **element:** Use a separate image configuration for the bootstrap tasks ([7f7c364](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7f7c364071072b01d485d3e248a3f8de49a07309))
+* **intercom-service:** Allow access from the non-istio domain and reference to the correct synapse hostname ([16f2ac4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/16f2ac464eb7267f1c4d87c3ccaca2c91a7ecc1b))
+* **intercom-service:** Fix the nordeck configuration ([06dcdd7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/06dcdd78afe0e6514c1f30d24924d3e7077ae6da))
+* **jitsi:** Use template for the cluster networking domain ([0898d96](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0898d9657145d66fd4c52fe6036c955ad58a0cfe))
+* **keycloak:** Use the correct backchannel logout configuration for element ([86657b1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/86657b139a6d8f4ff3f921b8755e04cb790c3786))
+* **open-xchange:** Enable Element calendar integration ([f564efd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f564efd97f8db39cffaea317e36db3825fc9121e))
+
+## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
+
+
+### Bug Fixes
+
+* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
+* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
+
+## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
+
+
+### Bug Fixes
+
+* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
+
+## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
+
+
+### Bug Fixes
+
+* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
+
+## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
+
+
+### Bug Fixes
+
+* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
+
+## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
+
+## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
+
+
+### Bug Fixes
+
+* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
+* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
+
+## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
+
+## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
+
+
+### Bug Fixes
+
+* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
+
+## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
+
+
+### Bug Fixes
+
+* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
+
+## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
+
+
+### Bug Fixes
+
+* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
+
+## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
+
+
+### Bug Fixes
+
+* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b6b4972a5dd426bcc8fa00137d7e7b60056376c8))
+* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d86f516747323d117f620658c4368408926c507a))
+* **element:** Use OCI registry and verify chart signatures ([a41b9a6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a41b9a699c79bf90163bbb3c233c805b8d0a999e))
+* **helmfile:** Add cleanup flag for job resources ([0f01b94](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f01b94aa19b40b4774ba11d9886fe6f12090e73))
+* **helmfile:** Create directory for gpg pubkeys ([4c5731e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4c5731e6bb057cb272f660b4df0369b67709c203))
+* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74b3d41381474efd2fbc5a9f3a0f1c0713811106))
+* **jitsi:** Verify chart signatures ([1dd6582](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1dd6582ec7d742250ba08f69eba9a4679984b1ae))
+* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ca5d5f82800ea6d7ecfa38eb2b5d8b85e709bb9f))
+* **keycloak:** Use OCI registry and verify chart signatures ([095059c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/095059c7e53bbe8a874773f574cc6794ef8af6e4))
+* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41dfdc0c8f83e3d79fa5a763ac449f6edfc76676))
+* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2d5d3708f7f45600961c22ce11e750561de1fd27))
+* **open-xchange:** Use renamed istio gateway ([65d2642](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65d2642d34c1c21a00a29278f7e1143f7fabb2aa))
+* **openproject:** Use OCI registry and verify chart signatures ([5343840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5343840bed01992b3132eace362f91588c705a98))
+* **services:** Add wildcard certifcate request support ([15ad8ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15ad8ca7ab34b079252f7b69219ede81ad43aa1c))
+* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4372f063e0a27d5156da963d44d3ed4e72490fc4))
+* **services:** Only create istio gateway with webmail domain ([6a39011](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6a390112dab11afaca06118a0ca7a18afe633a30))
+* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/892920b0487b41a35b5a96596c61101827e8dd6d))
+* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/424317ed585f7bd5036259d7e3d77d081d2aec1b))
+
+# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
+
+
+### Bug Fixes
+
+* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
+* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
+
+
+### Features
+
+* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
+
+## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
+
+## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
+
+## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
+* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
+
+## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
+
+## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
+
+## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
+
+
+### Bug Fixes
+
+* **open-xchange:** Updates for mail templates and mail export ([ae3d0da](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ae3d0daa117d3d0ff307f379590394914a757546))
+
 ## [0.4.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.2...v0.4.3) (2023-09-25)
 
 
@@ -315,3 +654,8 @@
 * **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
 * **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
 * **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
+
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->

COMPONENTS-SERVICE.md

@@ -60,3 +60,6 @@ This service is used by
 - Open-Xchange
 
 ## Objectstore - MinIO
+
+This services is used by:
+- OpenProject (attachment storage)

README.md

@@ -6,11 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 
 [[_TOC_]]
 
-# Disclaimer August 2023
+# Disclaimer
 
-The current state of the Sovereign Workplace contains components that are going to be
+openDesk will face breaking changes in the near future without upgrade paths.
-replaced. Like for example the UCS dev container monolith will be substituted by
+
-multiple Univention Management Stack containers.
+While most components support upgrades, major configuration or component changes
+may occur, therefore we recommend always installing from scratch.
+
+Components that are going to be replaced soon are:
+- The UCS dev container monolith will be substituted by multiple Univention
+Management Stack containers,
+- the Nextcloud community container is going to be replaced by an openDesk
+specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the
+needs of the public sector.
 
 In the next months we not only expect upstream updates of the functional
 components within their feature scope, but we are also going to address
@@ -19,8 +28,6 @@ operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 
 The first release of the Sovereign Workplace is scheduled for December 2023.
-Before that release there will be breaking changes in the deployment.
-
 
 # The Sovereign Workplace (SWP)
 
@@ -66,11 +73,12 @@ up your own instance for development purposes. Please see the project
 
 These are the requirements of the Sovereign Workplace deployment:
 
-- Vanilla K8s cluster
+- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
-- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and
+- [Helm](https://helm.sh/) >= v3.9.0
-[HelmDiff](https://github.com/databus23/helm-diff)
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
+- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 - [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
@@ -155,6 +163,12 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+Deployments can be removed with:
+
+```shell
+helmfile destroy -n <NAMESPACE>
+```
+
 ## Offline deployment
 
 Before executing a [local deployment](#local-deployment), you can set following
@@ -202,12 +216,15 @@ subdirectory `/helmfile/apps/services`.
 | ClamAV (Distributed)        | `clamavDistributed.enabled`         | `false` | Antivirus engine               | Eval       |
 | ClamAV (Simple)             | `clamavSimple.enabled`              | `true`  | Antivirus engine               | Eval       |
 | Collabora                   | `collabora.enabled`                 | `true`  | Weboffice                      | Functional |
+| CryptPad                    | `cryptpad.enabled`                  | `true`  | Weboffice                      | Functional |
 | Dovecot                     | `dovecot.enabled`                   | `true`  | Mail backend                   | Functional |
 | Element                     | `element.enabled`                   | `true`  | Secure communications platform | Functional |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    | Functional |
 | Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
 | Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
 | MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
+| Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 | Eval       |
+| MinIO                       | `minio.enabled`                     | `true`  | Object Storage                 | Eval       |
 | Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
 | OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
 | OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
@@ -231,8 +248,8 @@ subdirectory `/helmfile/apps/services`.
 
 #### Databases
 
-In case you don't got for a develop or evaluation environment you want to point
+When deploying this suite to production, you need to configure the applications to use your production grade database
-the application to your own database instances.
+service.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
@@ -276,6 +293,24 @@ the application to your own database instances.
 |             |                    |            | Username  | `databases.xwiki.username`             | `xwiki_user`               |
 |             |                    |            | Password  | `databases.xwiki.password`             |                            |
 
+#### Cache
+
+When deploying this suite to production, you need to configure the applications to use your production grade cache
+service.
+
+| Component        | Name             | Type      | Parameter | Key                          | Default          |
+|------------------|------------------|-----------|-----------|------------------------------|------------------|
+| Intercom Service | Intercom Service | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.intercomService.host` | `redis-headless` |
+|                  |                  |           | Port      | `cache.intercomService.port` | `6379`           |
+| Nextcloud        | Nextcloud        | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.nextcloud.host`       | `redis-headless` |
+|                  |                  |           | Port      | `cache.nextcloud.port`       | `6379`           |
+| OpenProject      | OpenProject      | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
+|                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+
+
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
@@ -289,6 +324,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 |             | `replicas.icap`        | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.milter`      | :white_check_mark:  | :white_check_mark: |
 | Collabora   | `replicas.collabora`   | :white_check_mark:  |       :gear:       |
+| CryptPad    | `replicas.cryptpad`    | :white_check_mark:  |       :gear:       |
 | Dovecot     | `replicas.dovecot`     |         :x:         |       :gear:       |
 | Element     | `replicas.element`     | :white_check_mark:  | :white_check_mark: |
 |             | `replicas.synapse`     |         :x:         |       :gear:       |
@@ -307,7 +343,7 @@ actual scalability of the components (see column `Scaling (verified)`).
 
 ### Mail/SMTP configuration
 
-To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from 
+To use the full potential of the openDesk, you need to set up a STMP Smarthost/Relay which allows to send emails from
 the whole subdomain.
 
 ```yaml
@@ -336,33 +372,118 @@ turn:
 
 ## Security
 
+This section summarizes various aspects of security and compliance aspects.
+
+### Kubernetes Security Enforcements
+
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
-| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+| Component   | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| ClamAV      | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| CryptPad    | cryptpad                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |   4001     |  4001   |
-|            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
+| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
-|            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-| Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Jitsi       | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|             | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
-|            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|             | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Keycloak    | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|             | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|             | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|             | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| MariaDB     | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Memcached   | memcached                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
+| Postfix     | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| OpenProject | openproject              |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| PostgreSQL  | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+
+
+### Helm Chart Trust Chain
+
+Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+`pubkey.gpg` file and are validated during helmfile installation.
+
+| Repository                           | OCI |     Verifiable     |
+|--------------------------------------|:---:|:------------------:|
+| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
+| clamav-repo                          | yes | :white_check_mark: |
+| collabora-online-repo                | no  |        :x:         |
+| cryptpad-online-repo                 | no  |        :x:         |
+| intercom-service-repo                | yes | :white_check_mark: |
+| istio-resources-repo                 | yes | :white_check_mark: |
+| jitsi-repo                           | yes | :white_check_mark: |
+| keycloak-extensions-repo             | no  |        :x:         |
+| keycloak-theme-repo                  | yes | :white_check_mark: |
+| mariadb-repo                         | yes | :white_check_mark: |
+| nextcloud-repo                       | no  |        :x:         |
+| opendesk-certificates-repo           | yes | :white_check_mark: |
+| opendesk-dovecot-repo                | yes | :white_check_mark: |
+| opendesk-element-repo                | yes | :white_check_mark: |
+| opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
+| opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
+| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
+| openproject-repo                     | no  |        :x:         |
+| openxchange-repo                     | yes |        :x:         |
+| ox-connector-repo                    | no  |        :x:         |
+| postfix-repo                         | yes | :white_check_mark: |
+| postgresql-repo                      | yes | :white_check_mark: |
+| univention-corporate-container-repo  | yes | :white_check_mark: |
+| ums-repo                             | no  |        :x:         |
+| xwiki-repo                           | no  |        :x:         |
+
+
+## Monitoring
+Together with 
+[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) into
+you can monitor openDesk components with Prometheus and Grafana.
+
+Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack 
+repository.
+
+
+### Metrics
+To deploy podMonitor and serviceMonitor custom resources, enable it by:
+
+```yaml
+prometheus:
+  serviceMonitors:
+    enabled: true
+  podMonitors:
+    enabled: true
+```
+
+### Alerts
+Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
+
+```yaml
+prometheus:
+  prometheusRules:
+    enabled: true
+```
+
+### Dashboards for Grafana
+To deploy optional ConfigMaps with Grafana dashboards, enable it by:
+
+```yaml
+grafana:
+  dashboards:
+    enabled: true
+```
+
+### Components
+| Component   | Metrics (pod- or serviceMonitor)  | Alerts (prometheusRule) | Dashboard (Grafana) |
+|:------------|-----------------------------------|-------------------------|---------------------|
+| Collabora   | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
 
 
 # Component integration
@@ -451,6 +572,7 @@ flowchart TD
     J[Jitsi]-->K
     I[IntercomService]-->K
     C[Collabora]-->N
+    R[CryptPad]-->N
     F[Postfix]-->D
 ```
 
@@ -502,6 +624,11 @@ that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should h
 If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
 `TESTS_BRANCH` while creating a new pipeline.
 
+# License
+This project uses the following license: Apache-2.0
+
+# Copyright
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 
 # Footnotes
 

helmfile.yaml

@@ -29,6 +29,7 @@ missingFileHandler: "Error"
 # - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
 # - Installing a single release from app directory via helmfile apply
 # Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
+
 environments:
   default:
     values:
@@ -39,9 +40,17 @@ environments:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.gotmpl"
+  test:
+    values:
+      - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.gotmpl"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.gotmpl"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -1,7 +1,13 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # Collabora Online
+  # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -14,12 +20,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "collabora.enabled"
+    installed: {{ .Values.collabora.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "collabora"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/collabora/values.gotmpl

@@ -5,37 +5,55 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
-  tag: "{{ .Values.images.collabora.tag }}"
+  tag: {{ .Values.images.collabora.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: "{{ .Values.ingress.ingressClassName }}"
+  className: {{ .Values.ingress.ingressClassName | quote }}
   hosts:
     - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
       paths:
         - path: "/"
           pathType: "Prefix"
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 
 collabora:
   # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
   username: "collabora-internal-admin"
-  password: {{ .Values.secrets.collabora.adminPassword }}
+  password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-
 replicaCount: {{ .Values.replicas.collabora }}
 
 resources:
   {{ .Values.resources.collabora | toYaml | nindent 2 }}
+
+prometheus:
+  servicemonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    labels:
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+  rules:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    additionalLabels:
+      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+
+grafana:
+  dashboards:
+    enabled: {{ .Values.grafana.dashboards.enabled }}
+    labels:
+      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+    annotations:
+      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+
 ...

helmfile/apps/cryptpad/helmfile.yaml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # CryptPad
+  # Source: https://github.com/cryptpad/helm
+  - name: "cryptpad-online-repo"
+    url: >-
+      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+         default "https://cryptpad.github.io/helm" }}
+
+releases:
+  - name: "cryptpad"
+    chart: "cryptpad-online-repo/cryptpad"
+    version: "0.0.13"
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+  deploy-stage: "component-1"
+  component: "cryptpad"
+...

helmfile/apps/cryptpad/values.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...

helmfile/apps/cryptpad/values.yaml

@@ -0,0 +1,47 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+  availablePadTypes:
+    - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+#  registeredOnlyTypes:
+#    - "diagram"
+
+autoscaling:
+  enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+  enabled: false
+
+podSecurityContext:
+  fsGroup: 4001
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  # readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 4001
+  runAsGroup: 4001
+
+serviceAccount:
+  create: true
+
+workloadStateful: false
+...

helmfile/apps/element/helmfile.yaml

@@ -1,49 +1,136 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # openDesk Element
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
   - name: "opendesk-element-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+  # openDesk Matrix Widgets
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
+  - name: "opendesk-matrix-widgets-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "opendesk-element"
     chart: "opendesk-element-repo/opendesk-element"
-    version: "2.0.1"
+    version: "2.5.0"
     values:
       - "values-element.yaml"
       - "values-element.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-well-known"
     chart: "opendesk-element-repo/opendesk-well-known"
-    version: "2.0.1"
+    version: "2.5.0"
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-synapse-web"
     chart: "opendesk-element-repo/opendesk-synapse-web"
-    version: "2.0.1"
+    version: "2.5.0"
     values:
       - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
   - name: "opendesk-synapse"
     chart: "opendesk-element-repo/opendesk-synapse"
-    version: "2.0.1"
+    version: "2.5.0"
     values:
       - "values-synapse.yaml"
       - "values-synapse.gotmpl"
-    condition: "element.enabled"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service-bootstrap"
+    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    version: "2.5.0"
+    values:
+      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "opendesk-matrix-user-verification-service"
+    chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
+    version: "2.5.0"
+    values:
+      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neoboard-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neochoice-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-widget"
+    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot-bootstrap"
+    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    version: "2.5.0"
+    values:
+      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
+
+  - name: "matrix-neodatefix-bot"
+    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
+    version: "3.1.0"
+    values:
+      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.gotmpl"
+    installed: {{ .Values.element.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "element"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/element/values-element.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
@@ -15,19 +15,106 @@ configuration:
   additionalConfiguration:
     logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
 
+    "net.nordeck.element_web.module.opendesk":
+      config:
+        ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
+        ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
+        portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+        portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
+        custom_css_variables:
+          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
+
+    "net.nordeck.element_web.module.widget_lifecycle":
+      widget_permissions:
+        "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/jitsi.html":
+          identity_approved: true
+        "https://{{ .Values.global.hosts.matrixNeoBoardWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.create
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.chunk
+            - org.matrix.msc2762.send.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.receive.event:net.nordeck.whiteboard.document.snapshot
+            - org.matrix.msc2762.send.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels#
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard
+            - org.matrix.msc2762.send.state_event:net.nordeck.whiteboard.sessions#*
+            - org.matrix.msc2762.receive.state_event:net.nordeck.whiteboard.sessions
+            - org.matrix.msc3819.send.to_device:net.nordeck.whiteboard.connection_signaling
+            - org.matrix.msc3819.receive.to_device:net.nordeck.whiteboard.connection_signaling
+            - town.robin.msc3846.turn_servers
+        "https://{{ .Values.global.hosts.matrixNeoChoiceWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          capabilities_approved:
+            - org.matrix.msc2762.send.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.vote
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.settings
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.receive.state_event:net.nordeck.poll.group
+            - org.matrix.msc2762.send.event:net.nordeck.poll.start
+            - org.matrix.msc2762.receive.event:net.nordeck.poll.start
+        "https://{{ .Values.global.hosts.matrixNeoDateFixWidget }}.{{ .Values.global.domain }}/*":
+          preload_approved: true
+          identity_approved: true
+          capabilities_approved:
+            - org.matrix.msc2931.navigate
+            - org.matrix.msc2762.timeline:*
+            - org.matrix.msc2762.receive.state_event:m.room.power_levels
+            - org.matrix.msc2762.receive.event:m.reaction
+            - org.matrix.msc2762.receive.state_event:m.room.create
+            - org.matrix.msc2762.receive.state_event:m.room.tombstone
+            - org.matrix.msc2762.receive.state_event:m.room.member
+            - org.matrix.msc2762.send.state_event:m.room.member
+            - org.matrix.msc2762.receive.state_event:m.room.name
+            - org.matrix.msc2762.receive.state_event:m.room.topic
+            - org.matrix.msc2762.receive.state_event:m.space.parent
+            - org.matrix.msc2762.receive.state_event:m.space.child
+            - org.matrix.msc2762.receive.state_event:net.nordeck.meetings.metadata
+            - org.matrix.msc2762.receive.state_event:im.vector.modular.widgets
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.breakoutsessions.create
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.close
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.widgets.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.participants.handle
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.update
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.meeting.change.message_permissions
+            - org.matrix.msc2762.send.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc2762.receive.event:net.nordeck.meetings.sub_meetings.send_message
+            - org.matrix.msc3973.user_directory_search
+
+  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
+
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.element.repository }}"
+  repository: {{ .Values.images.element.repository | quote }}
-  tag: "{{ .Values.images.element.tag }}"
+  tag: {{ .Values.images.element.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}

helmfile/apps/element/values-matrix-neoboard-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neoboard-widget.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-neochoice-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neochoice-widget.yaml

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+...

helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl

@@ -0,0 +1,37 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+persistence:
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neodatefix-bot.yaml

@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+livenessProbe:
+  enabled: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+readinessProbe:
+  enabled: false
+...

helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl

@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-neodatefix-widget.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml

@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+...

helmfile/apps/element/values-matrix-user-verification-service.gotmpl

@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+...

helmfile/apps/element/values-matrix-user-verification-service.yaml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  # TODO: the service can't run with read only filesystem or as non-root
+  # readOnlyRootFilesystem: true
+  # runAsGroup: 101
+  # runAsNonRoot: true
+  # runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...

helmfile/apps/element/values-synapse-web.gotmpl

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.synapseWeb.repository }}"
+  repository: {{ .Values.images.synapseWeb.repository | quote }}
-  tag: "{{ .Values.images.synapseWeb.tag }}"
+  tag: {{ .Values.images.synapseWeb.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 replicaCount: {{ .Values.replicas.synapseWeb }}
 

helmfile/apps/element/values-synapse.gotmpl

@@ -4,47 +4,65 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.synapse.repository }}"
+  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: "{{ .Values.images.synapse.tag }}"
+  tag: {{ .Values.images.synapse.tag | quote }}
 
 configuration:
   database:
-    host: "{{ .Values.databases.synapse.host }}"
+    host: {{ .Values.databases.synapse.host | quote }}
-    name: "{{ .Values.databases.synapse.name }}"
+    name: {{ .Values.databases.synapse.name | quote }}
-    user: "{{ .Values.databases.synapse.username }}"
+    user: {{ .Values.databases.synapse.username | quote }}
-    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+    password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    appServiceConfigs:
+      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
+        id: intercom-service
+        namespaces:
+          users:
+            - exclusive: false
+              regex: "@.*"
+        url: null
+        sender_localpart: intercom-service
+
     oidc:
-      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
     turn:
-      sharedSecret: {{ .Values.turn.credentials }}
+      sharedSecret: {{ .Values.turn.credentials | quote }}
       servers:
         {{- if .Values.turn.tls.host }}
-        - server: {{ .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host | quote }}
           port: {{ .Values.turn.tls.port }}
-          transport: {{ .Values.turn.transport }}
+          transport: {{ .Values.turn.transport | quote }}
         {{- else if .Values.turn.server.host }}
-        - server: {{ .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host | quote }}
           port: {{ .Values.turn.server.port }}
-          transport: {{ .Values.turn.transport }}
+          transport: {{ .Values.turn.transport | quote }}
         {{- end }}
 
+    guestModule:
+      image:
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        registry: {{ .Values.global.imageRegistry | quote }}
+        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
+        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
+
 persistence:
-  size: "{{ .Values.persistence.size.synapse }}"
+  size: {{ .Values.persistence.size.synapse | quote }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 replicaCount: {{ .Values.replicas.synapse }}
 

helmfile/apps/element/values-synapse.yaml

@@ -1,6 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+
+  homeserver:
+    guestModule:
+      enabled: true
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/element/values-well-known.gotmpl

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.wellKnown.repository }}"
+  repository: {{ .Values.images.wellKnown.repository | quote }}
-  tag: "{{ .Values.images.wellKnown.tag }}"
+  tag: {{ .Values.images.wellKnown.tag | quote }}
 
 ingress:
-  host: "{{ .Values.global.domain }}"
+  host: {{ .Values.global.domain | quote }}
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 replicaCount: {{ .Values.replicas.wellKnown }}
 

helmfile/apps/intercom-service/helmfile.yaml

@@ -1,25 +1,30 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # Intercom Service
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "intercom-service"
     chart: "intercom-service-repo/intercom-service"
-    version: "1.1.3"
+    version: "2.0.1"
     values:
-      - "values.yaml"
       - "values.gotmpl"
-    condition: "intercom.enabled"
+    installed: {{ .Values.intercom.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "intercom-service"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/intercom-service/values.gotmpl

@@ -4,41 +4,46 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 ics:
-  secret: {{ .Values.secrets.intercom.secret }}
+  secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
-  originRegex: "{{ .Values.istio.domain }}"
+  originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
   default:
-    domain: "{{ .Values.global.domain }}"
+    domain: {{ .Values.global.domain | quote }}
   oidc:
-    secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
+    secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
   matrix:
-    asSecret: {{ .Values.secrets.jitsi.synapseAsToken }}
+    asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
-    serverName: "matrix.{{ .Values.global.domain }}"
+    subdomain: {{ .Values.global.hosts.synapse | quote }}
+    serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
+  nordeck:
+    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
   portal:
-    apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
+    apiKey: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   redis:
-    password: {{ .Values.secrets.redis.password }}
+    host: {{ .Values.cache.intercomService.host | quote }}
+    port: {{ .Values.cache.intercomService.port }}
+    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  repository: {{ .Values.images.intercom.repository | quote }}
-  repository: "{{ .Values.images.intercom.repository }}"
+  tag: {{ .Values.images.intercom.tag | quote }}
-  tag: "{{ .Values.images.intercom.tag }}"
 
 ingress:
   host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...

helmfile/apps/jitsi/helmfile.yaml

@@ -1,24 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # openDesk Jitsi
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
   - name: "jitsi-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
-    version: "1.5.1"
+    version: "1.7.1"
     values:
       - "values-jitsi.gotmpl"
-    condition: "jitsi.enabled"
+    installed: {{ .Values.jitsi.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "jitsi"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -4,21 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
+  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
-  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
+  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+  jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}
@@ -29,16 +32,16 @@ jitsi:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
-      tag: "{{ .Values.images.jitsi.tag }}"
+      tag: {{ .Values.images.jitsi.tag | quote }}
     ingress:
-      enabled: "{{ .Values.ingress.enabled }}"
+      enabled: {{ .Values.ingress.enabled }}
-      ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
       hosts:
         - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
-        - secretName: "{{ .Values.ingress.tls.secretName }}"
+        - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
@@ -48,10 +51,10 @@ jitsi:
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
-      tag: "{{ .Values.images.prosody.tag }}"
+      tag: {{ .Values.images.prosody.tag | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
@@ -59,70 +62,74 @@ jitsi:
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+        value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
+      - name: "MATRIX_UVS_SYNC_POWER_LEVELS"
+        value: "true"
+      - name: "MATRIX_UVS_URL"
+        value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
       - name: TURNS_HOST
-        value: "{{ .Values.turn.tls.host }}"
+        value: {{ .Values.turn.tls.host | quote }}
       - name: TURNS_PORT
-        value: "{{ .Values.turn.tls.port }}"
+        value: {{ .Values.turn.tls.port | quote }}
       - name: TURN_HOST
-        value: "{{ .Values.turn.server.host }}"
+        value: {{ .Values.turn.server.host | quote }}
       - name: TURN_PORT
-        value: "{{ .Values.turn.server.port }}"
+        value: {{ .Values.turn.server.port | quote }}
       - name: TURN_TRANSPORT
-        value: "{{ .Values.turn.transport }}"
+        value: {{ .Values.turn.transport | quote }}
       - name: TURN_CREDENTIALS
-        value: "{{ .Values.turn.credentials }}"
+        value: {{ .Values.turn.credentials | quote }}
     resources:
       {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
-      size: "{{ .Values.persistence.size.prosody }}"
+      size: {{ .Values.persistence.size.prosody | quote }}
-      storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
-      tag: "{{ .Values.images.jicofo.tag }}"
+      tag: {{ .Values.images.jicofo.tag | quote }}
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
+      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
-      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
+      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
-      tag: "{{ .Values.images.jvb.tag }}"
+      tag: {{ .Values.images.jvb.tag | quote }}
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
+      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
     resources:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
-      type: "{{ .Values.cluster.service.type }}"
+      type: {{ .Values.cluster.service.type | quote }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
-      tag: "{{ .Values.images.jibri.tag }}"
+      tag: {{ .Values.images.jibri.tag | quote }}
     recorder:
-      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
+      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
+      password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
 
 patchJVB:
   configuration:
-    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
-    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
+    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
   image:
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
+    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
-    tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
+    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 
 resources:

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -1,27 +1,35 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+  # openDesk Keycloak Bootstrap
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
+  - name: "opendesk-keycloak-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-keycloak-bootstrap"
+  - name: "opendesk-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
+    chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
-    version: "1.1.11"
+    version: "1.1.12"
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
     # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
     timeout: 1800
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak-bootstrap"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -4,22 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
 config:
   administrator:
-    password: "{{ .Values.secrets.keycloak.adminPassword }}"
+    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.keycloakBootstrap.repository }}"
+  repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
-  tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml

@@ -4,7 +4,4 @@
 config:
   administrator:
     username: "kcadmin"
-
-cleanup:
-  deletePodsOnSuccess: true
 ...

helmfile/apps/keycloak/helmfile.yaml

@@ -1,16 +1,30 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
   - name: "bitnami-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Theme
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
   - name: "keycloak-theme-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Extensions
   - name: "keycloak-extensions-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -18,20 +32,20 @@ repositories:
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme-repo/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/opendesk-keycloak-theme"
-    version: "1.1.0"
+    version: "2.0.0"
     values:
       - "values-theme.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
-    version: "12.2.0"
+    version: "12.1.5"
     values:
       - "values-keycloak.gotmpl"
       - "values-keycloak.yaml"
       - "values-keycloak-idp.yaml"
     wait: true
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
   - name: "keycloak-extensions"
     chart: "keycloak-extensions-repo/keycloak-extensions"
     version: "0.1.0"
@@ -40,12 +54,9 @@ releases:
     values:
       - "values-extensions.yaml"
       - "values-extensions.gotmpl"
-    condition: "keycloak.enabled"
+    installed: {{ .Values.keycloak.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "keycloak"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -5,42 +5,41 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   keycloak:
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
   postgresql:
     connection:
-      host: "{{ .Values.databases.keycloakExtension.host }}"
+      host: {{ .Values.databases.keycloakExtension.host | quote }}
-      port: "{{ .Values.databases.keycloakExtension.port }}"
+      port: {{ .Values.databases.keycloakExtension.port }}
     auth:
-      database: "{{ .Values.databases.keycloakExtension.name }}"
+      database: {{ .Values.databases.keycloakExtension.name | quote }}
-      username: "{{ .Values.databases.keycloakExtension.username }}"
+      username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
 handler:
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+    repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
-    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+    tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   appConfig:
-    smtpPassword: "{{ .Values.smtp.password }}"
+    smtpPassword: {{ .Values.smtp.password | quote }}
-    smtpHost: "{{ .Values.smtp.host }}"
+    smtpHost: {{ .Values.smtp.host | quote }}
-    smtpUsername: "{{ .Values.smtp.username }}"
+    smtpUsername: {{ .Values.smtp.username | quote }}
     mailFrom: "noreply@{{ .Values.global.domain }}"
   resources:
     {{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
 proxy:
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+    repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
-    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+    tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   ingress:
-    enabled: "{{ .Values.ingress.enabled }}"
+    enabled: {{ .Values.ingress.enabled }}
-    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
-      enabled: "{{ .Values.ingress.tls.enabled }}"
+      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
   resources:
     {{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
-
 ...

helmfile/apps/keycloak/values-keycloak-idp.yaml

@@ -181,7 +181,7 @@ keycloakConfigCli:
             "attributes": {
               "backchannel.logout.revoke.offline.tokens": "true",
               "backchannel.logout.session.required": "true",
-              "backchannel.logout.url": "https://$(ELEMENT_DOMAIN)/_synapse/client/oidc/backchannel_logout",
+              "backchannel.logout.url": "https://$(MATRIX_DOMAIN)/_synapse/client/oidc/backchannel_logout",
               "post.logout.redirect.uris": "https://$(ELEMENT_DOMAIN)/*##https://$(MATRIX_DOMAIN)/*##https://$(UNIVENTION_CORPORATE_SERVER_DOMAIN)/*"
             },
             "authenticationFlowBindingOverrides": {},

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.keycloak.repository }}"
+  repository: {{ .Values.images.keycloak.repository | quote }}
-  tag: "{{ .Values.images.keycloak.tag }}"
+  tag: {{ .Values.images.keycloak.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 externalDatabase:
-  host: "{{ .Values.databases.keycloak.host }}"
+  host: {{ .Values.databases.keycloak.host | quote }}
   port: {{ .Values.databases.keycloak.port }}
-  user: "{{ .Values.databases.keycloak.username }}"
+  user: {{ .Values.databases.keycloak.username | quote }}
-  database: "{{ .Values.databases.keycloak.name }}"
+  database: {{ .Values.databases.keycloak.name | quote }}
-  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
+  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
 
 auth:
-  adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+  adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 replicaCount: {{ .Values.replicas.keycloak }}
 
@@ -34,7 +34,7 @@ keycloakConfigCli:
     - name: "LDAP_USERS_DN"
       value: "cn=users,dc=swp-ldap,dc=internal"
     - name: "LDAP_SERVER_URL"
-      value: "univention-corporate-container"
+      value: {{ .Values.ldap.host | quote }}
     - name: "IDENTIFIER"
       value: "souvap"
     - name: "THEME"
@@ -62,23 +62,23 @@ keycloakConfigCli:
     - name: "INTERCOM_SERVICE_DOMAIN"
       value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
     - name: "CLIENT_SECRET_INTERCOM_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
+      value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
     - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
+      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
+      value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
     - name: "CLIENT_SECRET_XWIKI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
+      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     - name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
+      value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
     - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
       value: "storage_provider_ucsldap"
     - name: "LDAPSEARCH_PASSWORD"
-      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
+      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
   resources:

helmfile/apps/keycloak/values-theme.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 

helmfile/apps/nextcloud/helmfile.yaml

@@ -1,7 +1,14 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # openDesk Keycloak Bootstrap
+  # Source:
+  #  https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
   - name: "opendesk-nextcloud-bootstrap-repo"
     oci: true
     # yamllint disable rule:line-length
@@ -9,6 +16,10 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
     # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Nextcloud
+  # Source: https://github.com/nextcloud/helm/
   - name: "nextcloud-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -17,14 +28,14 @@ repositories:
 releases:
   - name: "opendesk-nextcloud-bootstrap"
     chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "3.1.1"
+    version: "3.2.2"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
-    timeout: 1800
+    timeout: 900
 
   - name: "nextcloud"
     chart: "nextcloud-repo/nextcloud"
@@ -34,13 +45,10 @@ releases:
     values:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
-    condition: "nextcloud.enabled"
+    installed: {{ .Values.nextcloud.enabled }}
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "nextcloud"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -4,17 +4,17 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  istioDomain: "{{ .Values.istio.domain }}"
+  istioDomain: {{ .Values.istio.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 config:
   administrator:
-    password: {{ .Values.secrets.nextcloud.adminPassword }}
+    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
@@ -25,43 +25,49 @@ config:
 
   apps:
     integrationSwp:
-      password: {{ .Values.secrets.centralnavigation.apiKey }}
+      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     userOidc:
-      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
+      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
 
   database:
-    host: "{{ .Values.databases.nextcloud.host }}"
+    host: {{ .Values.databases.nextcloud.host | quote }}
-    name: "{{ .Values.databases.nextcloud.name }}"
+    name: {{ .Values.databases.nextcloud.name | quote }}
-    user: "{{ .Values.databases.nextcloud.username }}"
+    user: {{ .Values.databases.nextcloud.username | quote }}
-    password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+    password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
-    password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
+    host: {{ .Values.ldap.host | quote }}
+    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
 
   smtp:
-    host: "{{ .Values.smtp.host }}"
+    host: {{ .Values.smtp.host | quote }}
-    username: "{{ .Values.smtp.username }}"
+    username: {{ .Values.smtp.username | quote }}
-    password: "{{ .Values.smtp.password }}"
+    password: {{ .Values.smtp.password | quote }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.nextcloud.repository }}"
+  repository: {{ .Values.images.nextcloud.repository | quote }}
-  tag: "{{ .Values.images.nextcloud.tag }}"
+  tag: {{ .Values.images.nextcloud.tag | quote }}
 
 persistence:
   {{- if .Values.cluster.persistence.readWriteMany.enabled }}
   accessModes:
     - "ReadWriteMany"
-  storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
   {{- else }}
   accessModes:
     - "ReadWriteOnce"
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   {{- end }}
   size:
-    main: "{{ .Values.persistence.size.nextcloud.main }}"
+    main: {{ .Values.persistence.size.nextcloud.main | quote }}
-    data: "{{ .Values.persistence.size.nextcloud.data }}"
+    data: {{ .Values.persistence.size.nextcloud.data | quote }}
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -11,9 +11,6 @@ config:
     userOidc:
       username: "ncoidc"
 
-  ldapSearch:
+  cryptpad:
-    host: "univention-corporate-container"
+    enabled: true
-
-cleanup:
-  deletePodsOnSuccess: false
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -6,32 +6,36 @@ SPDX-License-Identifier: Apache-2.0
 nextcloud:
   host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
   username: "nextcloud"
-  password: {{ .Values.secrets.nextcloud.adminPassword }}
+  password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
-  database: "{{ .Values.databases.nextcloud.name }}"
+  database: {{ .Values.databases.nextcloud.name | quote }}
-  user: "{{ .Values.databases.nextcloud.username }}"
+  user: {{ .Values.databases.nextcloud.username | quote }}
-  host: "{{ .Values.databases.nextcloud.host }}"
+  host: {{ .Values.databases.nextcloud.host | quote }}
-  password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+  password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+extraEnv:
+  REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
+  REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
+  REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 redis:
   auth:
     enabled: true
-    password: {{ .Values.secrets.redis.password }}
+    password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: {{ .Values.ingress.ingressClassName }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.nextcloud.tag }}"
+  tag: {{ .Values.images.nextcloud.tag | quote }}
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 metrics:
-  token: "{{ .Values.secrets.nextcloud.metricsToken }}"
+  token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -44,6 +44,18 @@ externalDatabase:
 metrics:
   enabled: false
 
+nextcloud:
+  configs:
+    mimetypealiases.json: |-
+      {
+        "application/x-drawio": "image"
+      }
+
+    mimetypemapping.json: |-
+      {
+        "drawio": ["application/x-drawio"]
+      }
+
 # this is not documented but can be found in values.yaml
 service:
   port: "80"

helmfile/apps/open-xchange/helmfile.yaml

@@ -1,49 +1,67 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "dovecot-repo"
+  # openDesk Dovecot
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
+  - name: "opendesk-dovecot-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Open-Xchange
   - name: "openxchange-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
-         default "registry.open-xchange.com" }}
+  # openDesk Open-Xchange Bootstrap
-  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
+  - name: "opendesk-open-xchange-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "dovecot"
-    chart: "dovecot-repo/dovecot"
+    chart: "opendesk-dovecot-repo/dovecot"
-    version: "1.3.1"
+    version: "1.3.4"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
-    condition: "dovecot.enabled"
+    installed: {{ .Values.dovecot.enabled }}
+    timeout: 900
+
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "2.0.3"
+    version: "2.1.1"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
       - "values-openxchange-enterprise-contact-picker.yaml"
       - "values-openxchange-enterprise-contact-picker.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
-  - name: "sovereign-workplace-open-xchange-bootstrap"
+    timeout: 900
-    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+
+  - name: "opendesk-open-xchange-bootstrap"
+    chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
     version: "1.3.1"
     values:
-      - "values-openxchange-bootstrap.yaml"
+      - "values-openxchange-bootstrap.gotmpl"
-    condition: "oxAppsuite.enabled"
+    installed: {{ .Values.oxAppsuite.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "open-xchange"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -4,30 +4,31 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.dovecot.repository }}"
+  url: {{ .Values.images.dovecot.repository | quote }}
-  tag: "{{ .Values.images.dovecot.tag }}"
+  tag: {{ .Values.images.dovecot.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 dovecot:
-  mailDomain: "{{ .Values.global.domain }}"
+  mailDomain: {{ .Values.global.domain | quote }}
-  password: {{ .Values.secrets.dovecot.doveadm }}
+  password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    host: {{ .Values.ldap.host | quote }}
+    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
+    clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
     clientID: "as8oidc"
-  loginTrustedNetworks: "{{ .Values.cluster.networking.cidr }}"
+  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
 
 certificate:
-  secretName: "{{ .Values.ingress.tls.secretName }}"
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.dovecot }}
@@ -37,15 +38,15 @@ replicaCount: 1
 
 persistence:
   {{- if .Values.cluster.persistence.readWriteMany.enabled }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
   accessModes:
     - "ReadWriteMany"
   {{- else }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   accessModes:
     - "ReadWriteOnce"
   {{- end }}
-  size: "{{ .Values.persistence.size.dovecot }}"
+  size: {{ .Values.persistence.size.dovecot | quote }}
 
 resources:
   {{ .Values.resources.dovecot | toYaml | nindent 2 }}

helmfile/apps/open-xchange/values-dovecot.yaml

@@ -7,7 +7,6 @@ containerSecurityContext:
 dovecot:
   ldap:
     enabled: true
-    host: "univention-corporate-container"
     port: 389
     base: "dc=swp-ldap,dc=internal"
 

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -3,14 +3,18 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
-  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -8,6 +8,10 @@ appsuite:
     secretYAMLFiles:
       ldap-client-config.yml:
         contactsLdapClient:
+          pool:
+            host:
+              address: {{ .Values.ldap.host | quote }}
+              port: 389
           auth:
             adminDN:
               password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -6,7 +6,7 @@ appsuite:
 
     properties:
       # Enterprise contact picker
-      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
       com.openexchange.admin.bypassAccessCombinationChecks: "true"
       ENABLE_INTERNAL_USER_EDIT: "false"
 
@@ -16,9 +16,6 @@ appsuite:
         contactsLdapClient:
           pool:
             type: "simple"
-            host:
-              address: "univention-corporate-container"
-              port: 389
           auth:
             type: "adminDN"
             adminDN:
@@ -153,7 +150,7 @@ appsuite:
             # allows to sort the attributes lexicographically, either "ascending" or "descending".
             dynamicAttributes:
               attributeName: "o"
-              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
               contactSearchScope: "sub"
               # refreshInterval: 1h
               refreshInterval: "5m"
@@ -174,6 +171,48 @@ appsuite:
                 - "Management"
                 - "Human Resources"
 
+        other:
+          name: "Other contacts"
+          ldapClientId: "contactsLdapClient"
+          mappings: "ucs"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+              folders:
+                - name: "Ohne Organisation"
+                  contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+
+        functional:
+          name: "Functional mailboxes"
+          ldapClientId: "contactsLdapClient"
+          mappings: "functional"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
+              folders:
+                - name: "Funktionale Postfächer"
+                  contactFilter: "(univentionObjectType=oxmail/functional_account)"
+
       contacts-provider-ldap-mappings.yml:
         # Example definitions of contact property <-> LDAP attribute mappings.
         #
@@ -347,3 +386,9 @@ appsuite:
           # image_last_modified   :
           # Will be set automatically to "image/jpeg" if not defined.
           # image1_content_type   :
+
+        functional:
+          objectid: "mailPrimaryAddress"
+          displayname: "oxPersonal,cn,mailPrimaryAddress"
+          file_as: "oxPersonal,cn,mailPrimaryAddress"
+          email1: "mailPrimaryAddress"

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -4,37 +4,37 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   mysql:
-    host: "{{ .Values.databases.oxAppsuite.host }}"
+    host: {{ .Values.databases.oxAppsuite.host | quote }}
-    database: "{{ .Values.databases.oxAppsuite.name }}"
+    database: {{ .Values.databases.oxAppsuite.name | quote }}
     auth:
-      user: "{{ .Values.databases.oxAppsuite.username }}"
+      user: {{ .Values.databases.oxAppsuite.username | quote }}
-      password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
+      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
-      rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
+      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}
 
 nextcloud-integration-ui:
   image:
-    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository }}
+    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
-    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag }}
+    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
 
 public-sector-ui:
   image:
-    repository: {{ .Values.images.openxchangePublicSectorUI.repository }}
+    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
-    tag: {{ .Values.images.openxchangePublicSectorUI.tag }}
+    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 appsuite:
   istio:
@@ -53,6 +53,15 @@ appsuite:
   core-mw:
     masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
     hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+    gotenberg:
+      imagePullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . | quote }}
+      {{- end }}
+      image:
+        repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
+        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
+        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -74,19 +83,20 @@ appsuite:
     propertiesFiles:
       "/opt/open-xchange/etc/ldapauth.properties":
         bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
       # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
       io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
-      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
-      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
-      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
-      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
-      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
-      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -94,28 +104,31 @@ appsuite:
       oxguardpass: |
         {{ .Values.secrets.oxAppsuite.oxguardMC }}
         {{ .Values.secrets.oxAppsuite.oxguardRC }}
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
     image:
-      repository: {{ .Values.images.openxchangeCoreMW.repository }}
+      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     update:
       image:
-        repository: {{ .Values.images.openxchangeCoreMW.repository }}
+        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
-        tag: {{ .Values.images.openxchangeCoreMW.tag }}
+        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
 
   core-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreUI.repository }}
+      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
   core-ui-middleware:
     ingress:
@@ -124,40 +137,55 @@ appsuite:
       enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
+      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
+
+  core-documentconverter:
+    image:
+      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
+      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
+    resources:
+      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
+      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+  core-imageconverter:
+    image:
+      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
+      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
 
   guard-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
+      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
-      tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
   core-user-guide:
     image:
-      repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
+      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
 ...

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -4,11 +4,16 @@
 appsuite:
   istio:
     ingressGateway:
-      name: "sovereign-workplace-gateway-istio-gateway"
+      name: "opendesk-gateway-istio-gateway"
+
+  switchboard:
+    enabled: false
 
   core-mw:
     enabled: true
     masterAdmin: "admin"
+    gotenberg:
+      enabled: true
     features:
       status:
         # enable admin pack
@@ -22,6 +27,13 @@ appsuite:
         open-xchange-authentication-oauth: "enabled"
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
+      # PDF Export
+      com.openexchange.capability.mail_export_pdf: "true"
+      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
+      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
+      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
       # OIDC
       com.openexchange.oidc.enabled: "true"
       com.openexchange.oidc.autologinCookieMode: "ox_direct"
@@ -54,11 +66,13 @@ appsuite:
       com.openexchange.mail.filter.credentialSource: "mail"
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
+      # Dovecot
+      com.openexchange.imap.attachmentMarker.enabled: "true"
       # Capabilities
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
       # New capabilities in 2.0
-      com.openexchange.capability.public-sector-element: "false"
+      com.openexchange.capability.public-sector-element: "true"
       com.openexchange.capability.public-sector-navigation: "true"
       com.openexchange.capability.client-onboarding: "true"
       com.openexchange.capability.dynamic-theme: "true"
@@ -69,6 +83,7 @@ appsuite:
       com.openexchange.capability.smime: "true"
       com.openexchange.capability.share_links: "false"
       com.openexchange.capability.invite_guests: "false"
+      com.openexchange.capability.document_preview: "true"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
       com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -80,6 +95,8 @@ appsuite:
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
       # Guard
+      com.openexchange.guard.storage.file.fileStorageType: "file"
+      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
       com.openexchange.guard.guestSMTPServer: "postfix"
       # S/MIME
       # Usage (in browser console after login):
@@ -94,7 +111,6 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
         bindOnly: "false"
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
@@ -120,6 +136,8 @@ appsuite:
       # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
       io.ox/core//apps/quickLaunchCount: "0"
       io.ox/core//coloredIcons: "false"
+      # Mail templates
+      io.ox/core//features/templates: "true"
 
     asConfig:
       default:
@@ -128,10 +146,31 @@ appsuite:
         oidcLogin: true
         oidcPath: "/oidc"
 
+    redis:
+      enabled: true
+      mode: "standalone"
+      hosts:
+        - "redis-master"
+
+    hooks:
+      beforeAppsuiteStart:
+        create-guard-dir.sh: |
+          mkdir -p /opt/open-xchange/guard-files
+          chown open-xchange:open-xchange /opt/open-xchange/guard-files
+
   core-ui:
     enabled: true
+
   core-ui-middleware:
     enabled: true
+    overrides: {}
+    redis:
+      mode: "standalone"
+      hosts:
+        - "redis-master:6379"
+      auth:
+        enabled: true
+
   core-guidedtours:
     enabled: true
   guard-ui:
@@ -140,12 +179,26 @@ appsuite:
     enabled: false
   core-user-guide:
     enabled: true
+
   core-imageconverter:
-    enabled: false
+    enabled: true
+    objectCache:
+      s3ObjectStores:
+        - id: -1
+          endpoint: "."
+          accessKey: "."
+          secretKey: "."
+
   core-spellcheck:
     enabled: false
+
   core-documentconverter:
-    enabled: false
+    enabled: true
+    documentConverter:
+      cache:
+        remoteCache:
+          enabled: false
+
   core-documents-collaboration:
     enabled: false
   office-web:

helmfile/apps/openproject/helmfile.yaml

@@ -1,7 +1,13 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # OpenProject
+  # Source: https://github.com/opf/helm-charts
   - name: "openproject-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -10,16 +16,16 @@ repositories:
 releases:
   - name: "openproject"
     chart: "openproject-repo/openproject"
-    version: "1.8.0"
+    version: "2.4.0"
+    wait: true
+    waitForJobs: true
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "openproject.enabled"
+    installed: {{ .Values.openproject.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "openproject"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/openproject/values.gotmpl

@@ -8,67 +8,79 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.openproject.repository }}"
+  repository: {{ .Values.images.openproject.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.openproject.tag }}"
+  tag: {{ .Values.images.openproject.tag | quote }}
 
-memcached:
+initdb:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
-    repository: "{{ .Values.images.memcached.repository }}"
+    repository: "{{ .Values.images.openprojectInitDb.repository }}"
-    tag: "{{ .Values.images.memcached.tag }}"
+    tag: "{{ .Values.images.openprojectInitDb.tag }}"
+    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+memcached:
+  connection:
+    host: {{ .Values.cache.openproject.host | quote }}
+    port: {{ .Values.cache.openproject.port }}
+  image:
+    registry: {{ .Values.global.imageRegistry | quote }}
+    repository: {{ .Values.images.memcached.repository | quote }}
+    tag: {{ .Values.images.memcached.tag | quote }}
 
 postgresql:
   auth:
-    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
+    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
-    username: "{{ .Values.databases.openproject.username }}"
+    username: {{ .Values.databases.openproject.username | quote }}
-    database: "{{ .Values.databases.openproject.name }}"
+    database: {{ .Values.databases.openproject.name | quote }}
   connection:
-    host: "{{ .Values.databases.openproject.host }}"
+    host: {{ .Values.databases.openproject.host | quote }}
-    port: "{{ .Values.databases.openproject.port }}"
+    port: {{ .Values.databases.openproject.port }}
 
 openproject:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   # Will only be set on initial seed / installation
   admin_user:
-    name: "OpenProject Interal Admin"
+    name: "OpenProject Internal Admin"
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
-    password: "{{ .Values.secrets.openproject.adminPassword }}"
+    password: {{ .Values.secrets.openproject.adminPassword | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 environment:
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
-  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-  OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
-  OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
-  OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
-  OPENPROJECT_SMTP__PORT: "587" # (default=587)
-  OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
-
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
-persistence:
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  size: "{{ .Values.persistence.size.openproject }}"
+  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
+  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
+  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
+  OPENPROJECT_SMTP__SSL: "false" # (default=false)
+  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
+  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
 
 replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
-
 ...

helmfile/apps/openproject/values.yaml

@@ -4,6 +4,9 @@
 image:
   registry: "registry.souvap-univention.de"
 
+memcached:
+  bundled: false
+
 probes:
   liveness:
     initialDelaySeconds: 300
@@ -27,6 +30,18 @@ openproject:
   # seed will only be executed on initial installation
   seed_locale: "de"
 
+securityContext:
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+
+persistence:
+  enabled: false
+
+s3:
+  enabled: true
+
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:
@@ -34,15 +49,14 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
+  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
-  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
-  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
-  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
@@ -59,5 +73,10 @@ environment:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-
+  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
+  OPENPROJECT_FOG_DIRECTORY: "openproject"
+  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -1,7 +1,12 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # OX Connector
   - name: "ox-connector-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -14,12 +19,9 @@ releases:
     values:
       - "values-oxconnector.yaml"
       - "values-oxconnector.gotmpl"
-    condition: "oxConnector.enabled"
+    installed: {{ .Values.oxConnector.enabled }}
 
 commonLabels:
   deploy-stage: "component-2"
   component: "provisioning"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -4,24 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.oxConnector.repository }}"
+  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.oxConnector.tag }}"
+  tag: {{ .Values.images.oxConnector.tag | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 oxConnector:
-  domainName: "{{ .Values.global.domain }}"
+  domainName: {{ .Values.global.domain | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
-  oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   oxDefaultContext: "1"
 

helmfile/apps/provisioning/values-oxconnector.yaml

@@ -5,11 +5,9 @@ ingress:
   enabled: false
 
 oxConnector:
-  ldapHost: "univention-corporate-container"
   # ldapHostIp: ""
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  notifierServer: "univention-corporate-container"
   tlsMode: "off"
   # current static password for UCC
   ldapPassword: "ucctempldapstring"

helmfile/apps/services/helmfile.yaml

@@ -1,101 +1,151 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
-  - name: "sovereign-workplace-certificates-repo"
+  # openDesk Certificates
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
+  - name: "opendesk-certificates-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk PostgreSQL
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
   - name: "postgresql-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk MariaDB
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
   - name: "mariadb-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Postfix
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
   - name: "postfix-repo"
+    oci: true
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Istio Resources
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
   - name: "istio-resources-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk ClamAV
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
   - name: "clamav-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
   - name: "bitnami-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-certificates"
+  - name: "opendesk-certificates"
-    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
+    chart: "opendesk-certificates-repo/opendesk-certificates"
-    version: "1.2.2"
+    version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
-    condition: "certificates.enabled"
+    installed: {{ .Values.certificates.enabled }}
   - name: "redis"
     chart: "bitnami-repo/redis"
-    version: "18.0.4"
+    version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
-    condition: "redis.enabled"
+    installed: {{ .Values.redis.enabled }}
+  - name: "memcached"
+    chart: "bitnami-repo/memcached"
+    version: "6.6.2"
+    values:
+      - "values-memcached.yaml"
+      - "values-memcached.gotmpl"
+    installed: {{ .Values.memcached.enabled }}
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
-    version: "2.0.2"
+    version: "2.0.3"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
-    condition: "postgresql.enabled"
+    installed: {{ .Values.postgresql.enabled }}
+    timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.1.0"
+    version: "2.1.1"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
-    condition: "mariadb.enabled"
+    installed: {{ .Values.mariadb.enabled }}
+    timeout: 900
   - name: "postfix"
     chart: "postfix-repo/postfix"
-    version: "2.0.3"
+    version: "2.0.4"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
-    condition: "postfix.enabled"
+    installed: {{ .Values.postfix.enabled }}
   - name: "clamav"
     chart: "clamav-repo/opendesk-clamav"
     version: "4.0.0"
     values:
       - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
-    condition: "clamavDistributed.enabled"
+    installed: {{ .Values.clamavDistributed.enabled }}
   - name: "clamav-simple"
     chart: "clamav-repo/clamav-simple"
     version: "4.0.0"
     values:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
-    condition: "clamavSimple.enabled"
+    installed: {{ .Values.clamavSimple.enabled }}
-  - name: "sovereign-workplace-gateway"
+  - name: "opendesk-gateway"
     chart: "istio-resources-repo/istio-gateway"
-    version: "1.1.2"
+    version: "2.0.0"
     values:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
-    condition: "istio.enabled"
+    installed: {{ .Values.istio.enabled }}
+  - name: "minio"
+    chart: "bitnami-repo/minio"
+    version: "12.8.19"
+    values:
+      - "values-minio.yaml"
+      - "values-minio.gotmpl"
+    installed: {{ .Values.minio.enabled }}
 
 commonLabels:
   deploy-stage: "services"
   component: "services"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/services/values-certificates.gotmpl

@@ -4,18 +4,23 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 
 issuerRef:
-  name: "{{ .Values.certificate.issuerRef.name }}"
+  name: {{ .Values.certificate.issuerRef.name | quote }}
 
 {{- if .Values.istio.enabled }}
 istio:
   enabled: {{ .Values.istio.enabled }}
-  domain: {{ .Values.istio.domain }}
+  domain: {{ .Values.istio.domain | quote }}
   issuerRef:
-    name: "{{ .Values.istio.issuerRef.name }}"
+    name: {{ .Values.istio.issuerRef.name | quote }}
 {{- end }}
+
+cleanup:
+  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+
+wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -7,10 +7,10 @@ clamd:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.clamd }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.clamd.repository }}"
+    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: "{{ .Values.images.clamd.tag }}"
+    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
@@ -18,10 +18,10 @@ freshclam:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.freshclam.repository }}"
+    repository: {{ .Values.images.freshclam.repository | quote }}
-    tag: "{{ .Values.images.freshclam.tag }}"
+    tag: {{ .Values.images.freshclam.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -32,10 +32,10 @@ global:
 icap:
   replicaCount: {{ .Values.replicas.icap }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.icap.repository }}"
+    repository: {{ .Values.images.icap.repository | quote }}
-    tag: "{{ .Values.images.icap.tag }}"
+    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
@@ -43,14 +43,14 @@ milter:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.milter }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.milter.repository }}"
+    repository: {{ .Values.images.milter.repository | quote }}
-    tag: "{{ .Values.images.milter.tag }}"
+    tag: {{ .Values.images.milter.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
-  size: "{{ .Values.persistence.size.clamav }}"
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -7,15 +7,15 @@ replicaCount: {{ .Values.replicas.clamav }}
 
 image:
   clamav:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.clamd.repository }}"
+    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: "{{ .Values.images.clamd.tag }}"
+    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   icap:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.icap.repository }}"
+    repository: {{ .Values.images.icap.repository | quote }}
-    tag: "{{ .Values.images.icap.tag }}"
+    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -25,6 +25,6 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.clamav }}"
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -4,9 +4,9 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.istio.domain }}"
+  domain: {{ .Values.istio.domain | quote }}
   hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
+    openxchange: {{ .Values.global.hosts.openxchange | quote }}
 
 tls:
   secretName: "{{ .Values.istio.domain }}-tls"

helmfile/apps/services/values-mariadb.gotmpl

@@ -4,25 +4,25 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  repository: "{{ .Values.images.mariadb.repository }}"
+  repository: {{ .Values.images.mariadb.repository | quote }}
-  tag: "{{ .Values.images.mariadb.tag }}"
+  tag: {{ .Values.images.mariadb.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
 job:
   users:
     - username: "xwiki_user"
-      password: "{{ .Values.secrets.mariadb.xwikiUser }}"
+      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
     - username: "openxchange_user"
-      password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
     - username: "nextcloud_user"
-      password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
+      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
   databases:
     - name: "xwiki"
       user: "xwiki_user"
@@ -32,11 +32,11 @@ job:
       user: "openxchange_user"
 
 mariadb:
-  rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
+  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.mariadb }}"
+  size: {{ .Values.persistence.size.mariadb | quote }}
 
 resources:
   {{ .Values.resources.mariadb | toYaml | nindent 2 }}

helmfile/apps/services/values-memcached.gotmpl

@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  repository: {{ .Values.images.memcached.repository | quote }}
+  tag: {{ .Values.images.memcached.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+resources:
+  {{ .Values.resources.memcached | toYaml | nindent 2 }}
+...

helmfile/apps/services/values-memcached.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
+serviceAccount:
+  create: true
+...

helmfile/apps/services/values-minio.gotmpl

@@ -0,0 +1,80 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+  users:
+    - username: "openproject_user"
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
+...

helmfile/apps/services/values-minio.yaml

@@ -0,0 +1,114 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+mode: "standalone"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  runAsUser: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+
+ingress:
+  annotations:
+    nginx.org/websocket-services: "minio"
+
+networkPolicy:
+  enabled: false
+
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+provisioning:
+  enabled: true
+  cleanupAfterFinished:
+    enabled: true
+  buckets:
+    - name: "openproject"
+      versioning: true
+      withLock: false
+    - name: "openxchange"
+      versioning: true
+      withLock: false
+    - name: "ums"
+      versioning: true
+      withLock: false
+    - name: "nextcloud"
+      versioning: true
+      withLock: false
+  policies:
+    - name: "openproject-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openproject"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openproject/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "openxchange-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openxchange"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openxchange/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "ums-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::ums"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::ums/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+startupProbe:
+  enabled: true
+  periodSeconds: 10
+  timeoutSeconds: 10
+...

helmfile/apps/services/values-postfix.gotmpl

@@ -4,28 +4,28 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.postfix.repository }}"
+  repository: {{ .Values.images.postfix.repository | quote }}
-  tag: "{{ .Values.images.postfix.tag }}"
+  tag: {{ .Values.images.postfix.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 certificate:
-  secretName: "{{ .Values.ingress.tls.secretName }}"
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 postfix:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  virtualMailboxDomains: "{{ .Values.global.domain }}"
+  virtualMailboxDomains: {{ .Values.global.domain | quote }}
   overrides:
     - fileName: "sasl_passwd.map"
       content:
-        - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: "[{{ .Values.smtp.host }}]:587"
+  relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
-  relayNets: {{ .Values.cluster.networking.cidr }}
+  relayNets: {{ .Values.cluster.networking.cidr | quote}}
   virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"
   {{- if .Values.clamavDistributed.enabled }}
@@ -35,8 +35,8 @@ postfix:
   {{- end }}
 
 persistence:
-  size: "{{ .Values.persistence.size.postfix }}"
+  size: {{ .Values.persistence.size.postfix | quote }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
 
 replicaCount: {{ .Values.replicas.postfix }}
 

helmfile/apps/services/values-postgresql.gotmpl

@@ -4,27 +4,27 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  repository: "{{ .Values.images.postgresql.repository }}"
+  repository: {{ .Values.images.postgresql.repository | quote }}
-  tag: "{{ .Values.images.postgresql.tag }}"
+  tag: {{ .Values.images.postgresql.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 job:
   users:
     - username: "keycloak_user"
-      password: {{ .Values.secrets.postgresql.keycloakUser }}
+      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
     - username: "openproject_user"
-      password: {{ .Values.secrets.postgresql.openprojectUser }}
+      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
     - username: "keycloak_extensions_user"
-      password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
     - username: "matrix_user"
-      password: {{ .Values.secrets.postgresql.matrixUser }}
+      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"
@@ -39,11 +39,11 @@ job:
       user: "notificationsapi_user"
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.postgresql }}"
+  size: {{ .Values.persistence.size.postgresql | quote }}
 
 postgres:
-  password: {{ .Values.secrets.postgresql.postgresUser }}
+  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/apps/services/values-redis.gotmpl

@@ -4,23 +4,23 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 auth:
-  password: {{ .Values.secrets.redis.password }}
+  password: {{ .Values.secrets.redis.password | quote }}
 
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.redis.repository }}"
+  repository: {{ .Values.images.redis.repository | quote }}
-  tag: "{{ .Values.images.redis.tag }}"
+  tag: {{ .Values.images.redis.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 master:
   persistence:
-    size: "{{ .Values.persistence.size.redis }}"
+    size: {{ .Values.persistence.size.redis | quote }}
 
   resources:
     {{ .Values.resources.redis | toYaml | nindent 4 }}

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -1,11 +1,21 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # openDesk Univention Corporate Server (as eval Container)
   - name: "univention-corporate-container-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "univention-corporate-container"
@@ -14,12 +24,9 @@ releases:
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "univentionCorporateServer.enabled"
+    installed: {{ .Values.univentionCorporateServer.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-corporate-container"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -4,64 +4,64 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.univentionCorporateServer.repository }}"
+  repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
-  tag: "{{ .Values.images.univentionCorporateServer.tag }}"
+  tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionCorporateServer }}"
+  size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
 
 extraEnvVars:
   - name: ISTIO_DOMAIN
-    value: {{ .Values.istio.domain }}
+    value: {{ .Values.istio.domain | quote }}
   - name: CENTRALNAVIGATION_API_SECRET
-    value: {{ .Values.secrets.centralnavigation.apiKey }}
+    value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   - name: LDAPSEARCH_OX_USERNAME
     value: "ldapsearch_ox"
   - name: LDAPSEARCH_OX_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
   - name: LDAPSEARCH_DOVECOT_USERNAME
     value: "ldapsearch_dovecot"
   - name: LDAPSEARCH_DOVECOT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   - name: LDAPSEARCH_KEYCLOAK_USERNAME
     value: "ldapsearch_keycloak"
   - name: LDAPSEARCH_KEYCLOAK_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
   - name: LDAPSEARCH_NEXTCLOUD_USERNAME
     value: "ldapsearch_nextcloud"
   - name: LDAPSEARCH_NEXTCLOUD_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
   - name: LDAPSEARCH_OPENPROJECT_USERNAME
     value: "ldapsearch_openproject"
   - name: LDAPSEARCH_OPENPROJECT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
   - name: LDAPSEARCH_XWIKI_USERNAME
     value: "ldapsearch_xwiki"
   - name: LDAPSEARCH_XWIKI_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
   - name: DEFAULT_ACCOUNT_USER_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
   - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
 
 resources:
   {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -4,114 +4,143 @@
 bases:
   - "../../bases/environments.yaml"
 
+---
 repositories:
-  - name: "univention"
+  # Univention Management Stack
+  - name: "ums-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
+  # {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+  - name: "ums-stack-gateway"
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-ums-stack-gateway.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  # {{- end }}
   - name: "ums-store-dav"
-    chart: "univention/store-dav"
+    chart: "ums-repo/store-dav"
-    version: "0.2.0"
+    version: "0.5.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-store-dav.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-server"
-    chart: "univention/ldap-server"
+    chart: "ums-repo/ldap-server"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-notifier"
-    chart: "univention/ldap-notifier"
+    chart: "ums-repo/ldap-notifier"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-notifier.gotmpl"
       - "values-ldap-notifier.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-udm-rest-api"
-    chart: "univention/udm-rest-api"
+    chart: "ums-repo/udm-rest-api"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-udm-rest-api.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-ums"
-    chart: "univention/stack-data-ums"
+    chart: "ums-repo/stack-data-ums"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-swp"
-    chart: "univention/stack-data-swp"
+    chart: "ums-repo/stack-data-swp"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-swp.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-server"
-    chart: "univention/portal-server"
+    chart: "ums-repo/portal-server"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-notifications-api"
-    chart: "univention/notifications-api"
+    chart: "ums-repo/notifications-api"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-notifications-api.gotmpl"
       - "values-notifications-api.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-listener"
-    chart: "univention/portal-listener"
+    chart: "ums-repo/portal-listener"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-listener.gotmpl"
       - "values-portal-listener.yaml"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-frontend"
-    chart: "univention/portal-frontend"
+    chart: "ums-repo/portal-frontend"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-frontend-custom"
+    # TODO: Replace with our own Nginx chart.
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-portal-frontend-custom.yaml"
+      - "values-portal-frontend-custom.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
-    chart: "univention/umc-gateway"
+    chart: "ums-repo/umc-gateway"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
-      - "values-umc-gateway.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
-    condition: "univentionManagementStack.enabled"
   - name: "ums-umc-server"
-    chart: "univention/umc-server"
+    chart: "ums-repo/umc-server"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-server.gotmpl"
-    condition: "univentionManagementStack.enabled"
+      - "values-umc-server.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-management-stack"
+...

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -3,12 +3,12 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
+  enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
   host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     # The TLS configuration is on the "master" Ingress, see "portal-frontend"
     enabled: false
     secretName: ""
+...

helmfile/apps/univention-management-stack/values-common.yaml

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  configMapUcrDefaults: "ums-stack-data-ums-ucr"
+  configMapUcr: "ums-stack-data-swp-ucr"
+  configMapUcrForced: null
 
 istio:
   enabled: false

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -3,18 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:
   {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ldapServer:
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
 
   # TODO: Certificates handling
@@ -14,30 +14,34 @@ ldapServer:
   # dhParam: ""
   tlsMode: "off"
 
-  # TODO: SAML integration
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
-  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
-  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
-  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  tag: {{ .Values.images.umsLdapServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
 # TODO: Pending upstream support, #199
 persistence:
   data:
-    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
   shared:
-    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
 
 resources:
   {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -11,16 +11,16 @@ postgresql:
   auth:
     username: "notificationsapi_user"
     database: "notificationsapi"
-    password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry }}
-  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  repository: {{ .Values.images.umsNotificationsApi.repository }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
-  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  tag: {{ .Values.images.umsNotificationsApi.tag }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "nginx"
+  annotations:
+    nginx.org/mergeable-ingress-type: "minion"
+  tls: false
+
+  pathType: Exact
+  path: /favicon.ico
+
+  extraPaths:
+    - pathType: Exact
+      path: /univention/portal/css/custom.css
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo_small_border.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.png
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+service:
+  type: "ClusterIP"
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/app/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -3,29 +3,28 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 extraIngresses:
   redirects:
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     # The TLS configuration is on the "master" Ingress, see below.
     tls:
       enabled: false
   master:
-    enabled: {{ .Values.ingress.enabled }}
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 resources:
   {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -13,10 +13,10 @@ portalListener:
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
   ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
+  ldapHost: "{{ .Values.ldap.host }}"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: "ums-ldap-notifier"
   portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
@@ -25,30 +25,29 @@ portalListener:
   tlsMode: "off"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  repository: {{ .Values.images.umsPortalListener.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  tag: {{ .Values.images.umsPortalListener.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
   waitForDependency:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
     imagePullPolicy: "Always"
-    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
 # TODO: Pending upstream support, #200
 persistence:
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
+  size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
 
 resources:
   {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
 
 resourcesDependencyWaiter:
   {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -7,20 +7,20 @@ portalServer:
   adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
   authMode: "saml"
   environment: "staging"
-  editable: "true"
+  editable: "false"
   logLevel: "DEBUG"
   ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
   umcGetUrl: "http://ums-umc-server/get"
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalServer.repository }}"
+  repository: {{ .Values.images.umsPortalServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalServer.tag }}"
+  tag: {{ .Values.images.umsPortalServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -4,33 +4,40 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiUsername: "cn=admin"
+  udmApiUser: "cn=admin"
-  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"
+  ldapSearchUsers:
+    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    - username: {{ printf "ldapsearch_%s" $k | quote }}
+      password: {{ $v | quote }}
+      lastname: {{ "LDAP-Search-User" }}
+    {{- end }}
+
   externalDomainName: "{{ .Values.global.domain }}"
   externalMailDomain: "{{ .Values.global.domain }}"
 
-  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
+  portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
+  portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
-  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
-  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
 
   oxDefaultContext: "10"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  tag: {{ .Values.images.umsDataLoader.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -5,25 +5,39 @@ SPDX-License-Identifier: Apache-2.0
 ---
 stackDataUms:
   udmApiUser: "cn=admin"
-  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 
 stackDataContext:
+  domainname: "{{ .Values.global.domain }}"
+  externalMailDomain: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "{{ .Values.ldap.host }}"
   ldapBase: "dc=swp-ldap,dc=internal"
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
+  samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  samlSchemes: "https"
+  ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+
   initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
 
   # The SWP configuration brings its own UMC policies.
   installUmcPolicies: false
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  tag: {{ .Values.images.umsDataLoader.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -6,33 +6,33 @@ SPDX-License-Identifier: Apache-2.0
 storeDav:
   auth:
     basicAuth:
-      portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
+      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
-      portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
+      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsStoreDav.repository }}"
+  repository: {{ .Values.images.umsStoreDav.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsStoreDav.tag }}"
+  tag: {{ .Values.images.umsStoreDav.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
   configHtpasswd:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
+    repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
     pullPolicy: "Always"
-    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
+    tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
     pullSecrets:
       {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
       {{- end }}
 
 # TODO: Pending upstream support, #201
 persistence:
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
+  size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
 
 resources:
   {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -4,41 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 udmRestApi:
-  apiLogLevel: "4"
-  authGroups:
-    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   # TODO: Secret should be entered without b64enc
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: why do we need this many subprocesses?
-  numberOfSubprocesses: 8
   # TODO: Stub value currently
   caCert: ""
   # TODO: This should not be part of the udm-rest-api anymore
   loadJoinData:
     enabled: true
-  # TODO: configurable
-  tlsMode: "off"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
+  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
+  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:
   {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -4,18 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcGateway:
-  domainname: "{{ .Values.global.domain }}"
+
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+extraVolumes:
-  ssoFqdn: "localhost:8097"
+  - name: "entrypoint-swp-patches"
+    configMap:
+      name: "ums-stack-data-swp-umc-gateway-entrypoint"
+      defaultMode: 0555
+
+extraVolumeMounts:
+  - name: "entrypoint-swp-patches"
+    mountPath: "/entrypoint.d/90-swp.sh"
+    subPath: "90-swp.sh"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUmcGateway.repository }}"
+  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUmcGateway.tag }}"
+  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-umcGateway:
-  showCookieBanner: true
-  cookieBannerTitleDE: "Cookie Zustimmung"
-  cookieBannerTitleEN: "Cookie Consent"
-  cookieBannerTextDE: >-
-    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
-    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
-    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
-    Seite.
-  cookieBannerTextEN: >-
-    Usage of this site is only possible by storing and processing cookie
-    information (essential cookies). We require your consent. Please accept to
-    continue or close the page.
-
-...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -4,37 +4,19 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcServer:
-  domainname: "{{ .Values.global.domain }}"
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
-  enforceSessionCookie: "true"
-
-  # TODO: The keycloak integration is pending
-  samlEnabled: false
-  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
-  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
-  samlSpServer: "localhost:8000"
-  samlSchemes: "http"
-
-  tlsMode: "off"
-
   # TODO: Secret should be entered without b64enc
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUmcServer.repository }}"
+  repository: {{ .Values.images.umsUmcServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUmcServer.tag }}"
+  tag: {{ .Values.images.umsUmcServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+umcServer:
+  certPemFile: "/var/secrets/ssl/tls.crt"
+  privateKeyFile: "/var/secrets/ssl/tls.key"
+
+extraVolumes:
+  - name: "certificates"
+    secret:
+      secretName: "opendesk-certificates-tls"
+
+extraVolumeMounts:
+  - name: "certificates"
+    mountPath: "/var/secrets/ssl"
+
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls: false
+  extraTls:
+    - hosts:
+        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+  }

helmfile/apps/xwiki/helmfile.yaml

@@ -1,7 +1,13 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
 ---
 repositories:
+  # XWiki
+  # Source: https://github.com/xwiki-contrib/xwiki-helm
   - name: "xwiki-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -10,18 +16,15 @@ repositories:
 releases:
   - name: "xwiki"
     chart: "xwiki-repo/xwiki"
-    version: "1.1.3"
+    version: "1.2.3"
     wait: true
-    timeout: 600
     values:
       - "values.yaml"
       - "values.gotmpl"
-    condition: "xwiki.enabled"
+    installed: {{ .Values.xwiki.enabled }}
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
   component: "xwiki"
-
-bases:
-  - "../../bases/environments.yaml"
 ...

helmfile/apps/xwiki/values.gotmpl

@@ -5,50 +5,50 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
   name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
-  tag: "{{ .Values.images.xwiki.tag }}"
+  tag: {{ .Values.images.xwiki.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
+  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
-  database: "{{ .Values.databases.xwiki.name }}"
+  database: {{ .Values.databases.xwiki.name | quote }}
-  user: "{{ .Values.databases.xwiki.username }}"
+  user: {{ .Values.databases.xwiki.username | quote }}
-  host: "{{ .Values.databases.xwiki.host }}"
+  host: {{ .Values.databases.xwiki.host | quote }}
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
     ## LDAP Server configuration
-    # "xwiki.authentication.ldap.server": "univention-corporate-container"
+    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
-    # xwiki.authentication.ldap.port: 389
+    xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
-    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
-    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
 
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
     "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
     "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
     "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-    "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki }}
+    "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
+    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 properties:
   "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": {{ .Values.theme.colors.primary | quote }}
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
   ## Link LDAP users and users authenticated through OIDC
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: "{{ .Values.ingress.ingressClassName }}"
+  className: {{ .Values.ingress.ingressClassName | quote }}
   annotations:
     haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   hosts:
@@ -57,13 +57,13 @@ ingress:
         - path: /
           pathType: "ImplementationSpecific"
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
 
 persistence:
-  size: "{{ .Values.persistence.size.xwiki }}"
+  size: {{ .Values.persistence.size.xwiki | quote }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 replicaCount: {{ .Values.replicas.xwiki }}
 

helmfile/apps/xwiki/values.yaml

@@ -1,6 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  enabled: true
+
+customConfigs:
+  xwiki.cfg:
+    xwiki.url.protocol: "https"
+    ## Indicate the LDAP field defining the user UID
+    xwiki.authentication.ldap.UID_attr: "uid"
+    ## Indicate the LDAP field defining the user profile picture
+    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
+    ## Enable the synchronization of the LDAP profile picture
+    # xwiki.authentication.ldap.update_photo: 1
+
+  xwiki.properties:
+    oidc.scope: "openid,profile,email,address,phoenix"
+    oidc.endpoint.userinfo.method: "GET"
+    oidc.user.nameFormater: "${oidc.user.phoenixusername._clean._lowerCase}"
+    oidc.user.subjectFormater: "${oidc.user.phoenixusername._lowerCase}"
+    # yamllint disable-line rule:line-length
+    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
+    oidc.clientid: "xwiki"
+    oidc.endpoint.token.auth_method: "client_secret_basic"
+    oidc.skipped: false
+    oidc.logoutMechanism: "rpInitiated"
+
 image:
   pullPolicy: "IfNotPresent"
 
@@ -15,9 +40,8 @@ ingress:
 istio:
   enabled: false
 
-service:
+mariadb:
-  externalPort: 80
+  enabled: false
-  enabled: true
 
 mysql:
   enabled: false
@@ -25,14 +49,11 @@ mysql:
 postgresql:
   enabled: false
 
-mariadb:
-  enabled: false
-
 properties:
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.colorTheme": "FlamingoThemes.Iceberg"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.default_language": "de"
   "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.timezone": "Europe/Berlin"
-  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de_DE"
+  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.languages": "de"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.link-color": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.btn-primary-bg": "@brand-primary"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-color": "@brand-primary"
@@ -46,41 +67,29 @@ properties:
 
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-  #   "sn,givenname,uid"
+    "sn,givenname,uid"
   ## Restrict user import in the UI to global administrators
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
-  #   1
+    1
   ## Base DN under which groups should be searched for
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-  #  "dc=swp-ldap,dc=internal"
+    "dc=swp-ldap,dc=internal"
   ## LDAP filter to only synchronize some groups
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
-  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
+    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
-customConfigs:
+securityContext:
-  xwiki.cfg:
+  enabled: true
-    xwiki.url.protocol: "https"
-    ## Indicate the LDAP field defining the user UID
-    # xwiki.authentication.ldap.UID_attr: "uid"
-    ## Indicate the LDAP field defining the user profile picture
-    # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
-    ## Enable the synchronization of the LDAP profile picture
-    # xwiki.authentication.ldap.update_photo: 1
 
-  xwiki.properties:
+service:
-    oidc.scope: "openid,profile,email,address,phoenix"
+  externalPort: 80
-    oidc.endpoint.userinfo.method: "GET"
+  enabled: true
-    oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
+
-    oidc.user.subjectFormater: "${oidc.user.subject}"
+volumePermissions:
-    # yamllint disable-line rule:line-length
+  enabled: true
-    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
-    oidc.clientid: "xwiki"
-    oidc.endpoint.token.auth_method: "client_secret_basic"
-    oidc.skipped: false
-    oidc.logoutMechanism: "rpInitiated"
 ...