chore(release): 0.5.6 [skip ci]

## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)

### Bug Fixes

* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](70744d04c6))
* **services:** Bump redis chart to 18.1.2 ([d4c751d](d4c751d29f))

.gitignore

@@ -5,4 +5,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.gotmpl
+helmfile/environments/test/values.yaml
+helmfile/environments/test/values.gotmpl
 helmfile/environments/prod/values.yaml
+helmfile/environments/prod/values.gotmpl

.gitlab-ci.yml

@@ -183,8 +183,16 @@ env-cleanup:
           $ENV_STOP_BEFORE != "no"
       when: "always"
   script:
-    - "helmfile destroy --namespace ${NAMESPACE}"
+    - |
-    - "kubectl delete pvc --all --namespace ${NAMESPACE}"
+      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
+        for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
+          helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
+        done
+        kubectl delete pvc --all --namespace ${NAMESPACE};
+        kubectl delete jobs --all --namespace ${NAMESPACE};
+      else
+        helmfile destroy --namespace ${NAMESPACE};
+      fi
   stage: "env-cleanup"
 
 env-start:

CHANGELOG.md

@@ -1,3 +1,112 @@
+## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
+
+
+### Bug Fixes
+
+* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
+* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
+
+## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
+
+## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
+
+
+### Bug Fixes
+
+* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
+
+## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
+
+
+### Bug Fixes
+
+* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
+
+## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
+
+
+### Bug Fixes
+
+* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
+
+## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
+
+
+### Bug Fixes
+
+* **docs:** Add 'Helm Chart Trust Chain' section ([b6b4972](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b6b4972a5dd426bcc8fa00137d7e7b60056376c8))
+* **docs:** Highlight that Helmfile >= 0.157.0 is required ([d86f516](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d86f516747323d117f620658c4368408926c507a))
+* **element:** Use OCI registry and verify chart signatures ([a41b9a6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a41b9a699c79bf90163bbb3c233c805b8d0a999e))
+* **helmfile:** Add cleanup flag for job resources ([0f01b94](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0f01b94aa19b40b4774ba11d9886fe6f12090e73))
+* **helmfile:** Create directory for gpg pubkeys ([4c5731e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4c5731e6bb057cb272f660b4df0369b67709c203))
+* **intercom-service:** Use OCI registry and verify chart signatures ([74b3d41](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74b3d41381474efd2fbc5a9f3a0f1c0713811106))
+* **jitsi:** Verify chart signatures ([1dd6582](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1dd6582ec7d742250ba08f69eba9a4679984b1ae))
+* **keycloak-bootstrap:** Use OCI registry and verify chart signatures ([ca5d5f8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/ca5d5f82800ea6d7ecfa38eb2b5d8b85e709bb9f))
+* **keycloak:** Use OCI registry and verify chart signatures ([095059c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/095059c7e53bbe8a874773f574cc6794ef8af6e4))
+* **nextcloud:** Use OCI registry and verify chart signatures ([41dfdc0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/41dfdc0c8f83e3d79fa5a763ac449f6edfc76676))
+* **open-xchange:** Use OCI registry and verify chart signatures ([2d5d370](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2d5d3708f7f45600961c22ce11e750561de1fd27))
+* **open-xchange:** Use renamed istio gateway ([65d2642](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65d2642d34c1c21a00a29278f7e1143f7fabb2aa))
+* **openproject:** Use OCI registry and verify chart signatures ([5343840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5343840bed01992b3132eace362f91588c705a98))
+* **services:** Add wildcard certifcate request support ([15ad8ca](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/15ad8ca7ab34b079252f7b69219ede81ad43aa1c))
+* **services:** Bump opendesk-certificates to 2.1.0 ([4372f06](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/4372f063e0a27d5156da963d44d3ed4e72490fc4))
+* **services:** Only create istio gateway with webmail domain ([6a39011](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6a390112dab11afaca06118a0ca7a18afe633a30))
+* **services:** Use OCI registry for all services and add gpg verify mechanism ([892920b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/892920b0487b41a35b5a96596c61101827e8dd6d))
+* **univention-corporate-container:** Use OCI registry and verify chart signatures ([424317e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/424317ed585f7bd5036259d7e3d77d081d2aec1b))
+
+# [0.5.0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.9...v0.5.0) (2023-09-27)
+
+
+### Bug Fixes
+
+* **element:** Move the static configuration into the values.yaml ([f22619b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/f22619bd8ef11cb43147ef19dcff2c02d9fe0503))
+* **element:** Specify resources for the guest module init container ([275798c](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/275798c1d6aa47ef33fbb0da3bb03a86d3e4b0ee))
+
+
+### Features
+
+* **element:** Activate the guest module ([5ad25ac](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/5ad25acafd54d19dd2ed330b19f7860aff5d49f4))
+
+## [0.4.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.8...v0.4.9) (2023-09-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump Helm chart to add app "groupfolders" ([62b767e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/62b767ef38c8eae2874b20a9aa51e85d2a3fe5a3))
+
+## [0.4.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.7...v0.4.8) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Digest rollback ([9acce08](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/9acce081397c06426820b61f39c9aa0dcc1234a5))
+
+## [0.4.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.6...v0.4.7) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Add timeout for database services ([98ec02f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/98ec02f230f1691eb8c17d8d3552fceda329bf7c))
+* **openproject:** Image digest ([b340373](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/b340373133ad973cfd6a3632adc9a74a23419cc7))
+
+## [0.4.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.5...v0.4.6) (2023-09-26)
+
+
+### Bug Fixes
+
+* **openproject:** Use renamed registry open_desk ([a37faf3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a37faf3b5769aea9944ffa7626096c16296dcc85))
+
+## [0.4.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.4...v0.4.5) (2023-09-26)
+
+
+### Bug Fixes
+
+* **helmfile:** Streamline timeouts ([2703615](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/2703615dffb2ba5c70704a4f08bb0485629218f3))
+
 ## [0.4.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.4.3...v0.4.4) (2023-09-25)
 
 

README.md

@@ -66,11 +66,12 @@ up your own instance for development purposes. Please see the project
 
 These are the requirements of the Sovereign Workplace deployment:
 
-- Vanilla K8s cluster
+- K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
 - Ingress controller (supported are nginx-ingress, ingress-nginx, HAProxy)
-- [Helm](https://helm.sh/), [HelmFile](https://helmfile.readthedocs.io/en/latest/) and
+- [Helm](https://helm.sh/) >= v3.9.0
-[HelmDiff](https://github.com/databus23/helm-diff)
+- [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
+- [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 - [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8, we are talking to Open-Xchange and will try to get rid of this dependency.
@@ -155,6 +156,12 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+Deployments can be removed with:
+
+```shell
+helmfile destroy -n <NAMESPACE>
+```
+
 ## Offline deployment
 
 Before executing a [local deployment](#local-deployment), you can set following
@@ -336,6 +343,10 @@ turn:
 
 ## Security
 
+This section summarizes various aspects of security and compliance aspects.
+
+### Kubernetes Security Enforcements
+
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
@@ -365,6 +376,39 @@ This list gives you an overview of default security settings and if they comply
 | PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
+### Helm Chart Trust Chain
+
+Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+`pubkey.gpg` file and are validated during helmfile installation.
+
+| Repository                           | OCI |     Verifiable     |
+|--------------------------------------|:---:|:------------------:|
+| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
+| clamav-repo                          | yes | :white_check_mark: |
+| collabora-online-repo                | no  |        :x:         |
+| intercom-service-repo                | yes | :white_check_mark: |
+| istio-resources-repo                 | yes | :white_check_mark: |
+| jitsi-repo                           | yes | :white_check_mark: |
+| keycloak-extensions-repo             | no  |        :x:         |
+| keycloak-theme-repo                  | yes | :white_check_mark: |
+| mariadb-repo                         | yes | :white_check_mark: |
+| nextcloud-repo                       | no  |        :x:         |
+| opendesk-certificates-repo           | yes | :white_check_mark: |
+| opendesk-dovecot-repo                | yes | :white_check_mark: |
+| opendesk-element-repo                | yes | :white_check_mark: |
+| opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
+| opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
+| opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
+| openproject-repo                     | no  |        :x:         |
+| openxchange-repo                     | yes |        :x:         |
+| ox-connector-repo                    | no  |        :x:         |
+| postfix-repo                         | yes | :white_check_mark: |
+| postgresql-repo                      | yes | :white_check_mark: |
+| univention-corporate-container-repo  | yes | :white_check_mark: |
+| ums-repo                             | no  |        :x:         |
+| xwiki-repo                           | no  |        :x:         |
+
+
 # Component integration
 
 ## Functional use cases

helmfile.yaml

@@ -29,6 +29,7 @@ missingFileHandler: "Error"
 # - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
 # - Installing a single release from app directory via helmfile apply
 # Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
+
 environments:
   default:
     values:
@@ -39,9 +40,17 @@ environments:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.gotmpl"
+  test:
+    values:
+      - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.gotmpl"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.gotmpl"
 ...

helmfile/apps/collabora/helmfile.yaml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # Collabora Online
+  # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |

helmfile/apps/element/helmfile.yaml

@@ -2,15 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # openDesk Element
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
   - name: "opendesk-element-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/148/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "opendesk-element"
     chart: "opendesk-element-repo/opendesk-element"
-    version: "2.0.1"
+    version: "2.2.0"
     values:
       - "values-element.yaml"
       - "values-element.gotmpl"
@@ -18,7 +25,7 @@ releases:
 
   - name: "opendesk-well-known"
     chart: "opendesk-element-repo/opendesk-well-known"
-    version: "2.0.1"
+    version: "2.2.0"
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
@@ -26,7 +33,7 @@ releases:
 
   - name: "opendesk-synapse-web"
     chart: "opendesk-element-repo/opendesk-synapse-web"
-    version: "2.0.1"
+    version: "2.2.0"
     values:
       - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
@@ -34,7 +41,7 @@ releases:
 
   - name: "opendesk-synapse"
     chart: "opendesk-element-repo/opendesk-synapse"
-    version: "2.0.1"
+    version: "2.2.0"
     values:
       - "values-synapse.yaml"
       - "values-synapse.gotmpl"

helmfile/apps/element/values-synapse.gotmpl

@@ -42,6 +42,13 @@ configuration:
           transport: {{ .Values.turn.transport }}
         {{- end }}
     
+    guestModule:
+      image:
+        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+        registry: "{{ .Values.global.imageRegistry }}"
+        repository: "{{ .Values.images.synapseGuestModule.repository }}"
+        tag: "{{ .Values.images.synapseGuestModule.tag }}"
+
 persistence:
   size: "{{ .Values.persistence.size.synapse }}"
   storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

helmfile/apps/element/values-synapse.yaml

@@ -1,6 +1,11 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+configuration:
+  homeserver:
+    guestModule:
+      enabled: false
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/intercom-service/helmfile.yaml

@@ -2,10 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # Intercom Service
+  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/66/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "intercom-service"

helmfile/apps/jitsi/helmfile.yaml

@@ -2,11 +2,16 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # openDesk Jitsi
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
   - name: "jitsi-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
 releases:
   - name: "jitsi"
     chart: "jitsi-repo/sovereign-workplace-jitsi"
@@ -14,6 +19,7 @@ releases:
     values:
       - "values-jitsi.gotmpl"
     condition: "jitsi.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -11,6 +11,9 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
   imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -2,14 +2,21 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-keycloak-bootstrap-repo"
+  # openDesk Keycloak Bootstrap
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
+  - name: "opendesk-keycloak-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/138/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-keycloak-bootstrap"
+  - name: "opendesk-keycloak-bootstrap"
-    chart: "sovereign-workplace-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
+    chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
     version: "1.1.11"
     values:
       - "values-bootstrap.gotmpl"

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -11,6 +11,10 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
 config:
   administrator:
     password: "{{ .Values.secrets.keycloak.adminPassword }}"

helmfile/apps/keycloak-bootstrap/values-bootstrap.yaml

@@ -4,7 +4,4 @@
 config:
   administrator:
     username: "kcadmin"
-
-cleanup:
-  deletePodsOnSuccess: true
 ...

helmfile/apps/keycloak/helmfile.yaml

@@ -2,15 +2,25 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
   - name: "bitnami-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Theme
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
   - name: "keycloak-theme-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/96/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Keycloak Extensions
   - name: "keycloak-extensions-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -18,14 +28,14 @@ repositories:
 
 releases:
   - name: "keycloak-theme"
-    chart: "keycloak-theme-repo/sovereign-workplace-theme"
+    chart: "keycloak-theme-repo/opendesk-keycloak-theme"
-    version: "1.1.0"
+    version: "2.0.0"
     values:
       - "values-theme.gotmpl"
     condition: "keycloak.enabled"
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
-    version: "12.2.0"
+    version: "12.1.5"
     values:
       - "values-keycloak.gotmpl"
       - "values-keycloak.yaml"

helmfile/apps/nextcloud/helmfile.yaml

@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # openDesk Keycloak Bootstrap
+  # Source:
+  #  https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
   - name: "opendesk-nextcloud-bootstrap-repo"
     oci: true
     # yamllint disable rule:line-length
@@ -9,6 +12,10 @@ repositories:
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
          "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
     # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Nextcloud
+  # Source: https://github.com/nextcloud/helm/
   - name: "nextcloud-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -17,14 +24,14 @@ repositories:
 releases:
   - name: "opendesk-nextcloud-bootstrap"
     chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "3.1.1"
+    version: "3.1.2"
     wait: true
     waitForJobs: true
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
   - name: "nextcloud"
     chart: "nextcloud-repo/nextcloud"
@@ -35,7 +42,7 @@ releases:
       - "values-nextcloud.gotmpl"
       - "values-nextcloud.yaml"
     condition: "nextcloud.enabled"
-    timeout: 1800
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -43,6 +43,11 @@ config:
     username: "{{ .Values.smtp.username }}"
     password: "{{ .Values.smtp.password }}"
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
 image:
   imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -13,7 +13,4 @@ config:
 
   ldapSearch:
     host: "univention-corporate-container"
-
-cleanup:
-  deletePodsOnSuccess: false
 ...

helmfile/apps/open-xchange/helmfile.yaml

@@ -2,28 +2,42 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "dovecot-repo"
+  # openDesk Dovecot
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
+  - name: "opendesk-dovecot-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/80/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # Open-Xchange
   - name: "openxchange-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
-         default "registry.open-xchange.com" }}
+  # openDesk Open-Xchange Bootstrap
-  - name: "sovereign-workplace-open-xchange-bootstrap-repo"
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
+  - name: "opendesk-open-xchange-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/139/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "dovecot"
-    chart: "dovecot-repo/dovecot"
+    chart: "opendesk-dovecot-repo/dovecot"
     version: "1.3.1"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
     condition: "dovecot.enabled"
+    timeout: 900
+
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
     version: "2.0.4"
@@ -33,12 +47,15 @@ releases:
       - "values-openxchange-enterprise-contact-picker.yaml"
       - "values-openxchange-enterprise-contact-picker.gotmpl"
     condition: "oxAppsuite.enabled"
-  - name: "sovereign-workplace-open-xchange-bootstrap"
+    timeout: 900
-    chart: "sovereign-workplace-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+
+  - name: "opendesk-open-xchange-bootstrap"
+    chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
     version: "1.3.1"
     values:
-      - "values-openxchange-bootstrap.yaml"
+      - "values-openxchange-bootstrap.gotmpl"
     condition: "oxAppsuite.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -3,6 +3,10 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
 image:
   registry: "{{ .Values.global.imageRegistry }}"
   url: "{{ .Values.images.openxchangeBootstrap.repository }}"

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -4,7 +4,7 @@
 appsuite:
   istio:
     ingressGateway:
-      name: "sovereign-workplace-gateway-istio-gateway"
+      name: "opendesk-gateway-istio-gateway"
 
   core-mw:
     enabled: true

helmfile/apps/openproject/helmfile.yaml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # OpenProject
+  # Source: https://github.com/opf/helm-charts
   - name: "openproject-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |

helmfile/apps/openproject/values.gotmpl

@@ -51,14 +51,15 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
   OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
-  OPENPROJECT_SMTP__PORT: "587" # (default=587)
+  OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  OPENPROJECT_MAIL__FROM="do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 

helmfile/apps/openproject/values.yaml

@@ -34,12 +34,14 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
+  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
   OPENPROJECT_SMTP__AUTHENTICATION: "plain"
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
+  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"

helmfile/apps/provisioning/helmfile.yaml

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # OX Connector
   - name: "ox-connector-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |

helmfile/apps/services/helmfile.yaml

@@ -2,49 +2,82 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
-  - name: "sovereign-workplace-certificates-repo"
+  # openDesk Certificates
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
+  - name: "opendesk-certificates-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/133/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk PostgreSQL
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
   - name: "postgresql-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk MariaDB
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
   - name: "mariadb-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Postfix
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
   - name: "postfix-repo"
+    oci: true
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/85/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk Istio Resources
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
   - name: "istio-resources-repo"
+    oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/69/packages/helm/stable" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # openDesk ClamAV
+  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
   - name: "clamav-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
   - name: "bitnami-repo"
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
-  - name: "sovereign-workplace-certificates"
+  - name: "opendesk-certificates"
-    chart: "sovereign-workplace-certificates-repo/sovereign-workplace-certificates"
+    chart: "opendesk-certificates-repo/opendesk-certificates"
-    version: "1.2.2"
+    version: "2.1.0"
     values:
       - "values-certificates.gotmpl"
     condition: "certificates.enabled"
   - name: "redis"
     chart: "bitnami-repo/redis"
-    version: "18.0.4"
+    version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
@@ -56,13 +89,15 @@ releases:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     condition: "postgresql.enabled"
+    timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.1.0"
+    version: "2.0.2"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     condition: "mariadb.enabled"
+    timeout: 900
   - name: "postfix"
     chart: "postfix-repo/postfix"
     version: "2.0.3"
@@ -84,9 +119,9 @@ releases:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     condition: "clamavSimple.enabled"
-  - name: "sovereign-workplace-gateway"
+  - name: "opendesk-gateway"
     chart: "istio-resources-repo/istio-gateway"
-    version: "1.1.2"
+    version: "2.0.0"
     values:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"

helmfile/apps/services/values-certificates.gotmpl

@@ -18,4 +18,9 @@ istio:
   issuerRef:
     name: "{{ .Values.istio.issuerRef.name }}"
 {{- end }}
+
+cleanup:
+  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+
+wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 global:
   domain: "{{ .Values.istio.domain }}"
   hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
+    openxchange: "{{ .Values.global.hosts.openxchange }}"
 
 tls:
   secretName: "{{ .Values.istio.domain }}-tls"

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -2,10 +2,16 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # openDesk Univention Corporate Server (as eval Container)
   - name: "univention-corporate-container-repo"
+    oci: true
+    # yamllint disable rule:line-length
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         default "https://gitlab.souvap-univention.de/api/v4/projects/132/packages/helm/stable" }}
+         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "univention-corporate-container"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -5,14 +5,15 @@ bases:
   - "../../bases/environments.yaml"
 
 repositories:
-  - name: "univention"
+  # Univention Management Stack
+  - name: "ums-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
 
 releases:
   - name: "ums-store-dav"
-    chart: "univention/store-dav"
+    chart: "ums-repo/store-dav"
     version: "0.2.0"
     values:
       - "values-common.gotmpl"
@@ -20,7 +21,7 @@ releases:
       - "values-store-dav.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-ldap-server"
-    chart: "univention/ldap-server"
+    chart: "ums-repo/ldap-server"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -28,7 +29,7 @@ releases:
       - "values-ldap-server.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-ldap-notifier"
-    chart: "univention/ldap-notifier"
+    chart: "ums-repo/ldap-notifier"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -37,7 +38,7 @@ releases:
       - "values-ldap-notifier.yaml"
     condition: "univentionManagementStack.enabled"
   - name: "ums-udm-rest-api"
-    chart: "univention/udm-rest-api"
+    chart: "ums-repo/udm-rest-api"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -45,7 +46,7 @@ releases:
       - "values-udm-rest-api.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-stack-data-ums"
-    chart: "univention/stack-data-ums"
+    chart: "ums-repo/stack-data-ums"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -53,7 +54,7 @@ releases:
       - "values-stack-data-ums.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-stack-data-swp"
-    chart: "univention/stack-data-swp"
+    chart: "ums-repo/stack-data-swp"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -61,7 +62,7 @@ releases:
       - "values-stack-data-swp.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-portal-server"
-    chart: "univention/portal-server"
+    chart: "ums-repo/portal-server"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -69,7 +70,7 @@ releases:
       - "values-portal-server.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-notifications-api"
-    chart: "univention/notifications-api"
+    chart: "ums-repo/notifications-api"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -78,7 +79,7 @@ releases:
       - "values-notifications-api.yaml"
     condition: "univentionManagementStack.enabled"
   - name: "ums-portal-listener"
-    chart: "univention/portal-listener"
+    chart: "ums-repo/portal-listener"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -87,7 +88,7 @@ releases:
       - "values-portal-listener.yaml"
     condition: "univentionManagementStack.enabled"
   - name: "ums-portal-frontend"
-    chart: "univention/portal-frontend"
+    chart: "ums-repo/portal-frontend"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -95,7 +96,7 @@ releases:
       - "values-portal-frontend.gotmpl"
     condition: "univentionManagementStack.enabled"
   - name: "ums-umc-gateway"
-    chart: "univention/umc-gateway"
+    chart: "ums-repo/umc-gateway"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"
@@ -104,7 +105,7 @@ releases:
       - "values-umc-gateway.yaml"
     condition: "univentionManagementStack.enabled"
   - name: "ums-umc-server"
-    chart: "univention/umc-server"
+    chart: "ums-repo/umc-server"
     version: "0.1.0"
     values:
       - "values-common.gotmpl"

helmfile/apps/xwiki/helmfile.yaml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 repositories:
+  # XWiki
+  # Source: https://github.com/xwiki-contrib/xwiki-helm
   - name: "xwiki-repo"
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
@@ -12,11 +14,11 @@ releases:
     chart: "xwiki-repo/xwiki"
     version: "1.1.3"
     wait: true
-    timeout: 600
     values:
       - "values.yaml"
       - "values.gotmpl"
     condition: "xwiki.enabled"
+    timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"

helmfile/bases/environments.yaml

@@ -11,9 +11,17 @@ environments:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
       - "../../environments/dev/values.yaml"
+      - "../../environments/dev/values.gotmpl"
+  test:
+    values:
+      - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
+      - "../../environments/test/values.yaml"
+      - "../../environments/test/values.gotmpl"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
       - "../../environments/prod/values.yaml"
+      - "../../environments/prod/values.gotmpl"
 ...

helmfile/environments/default/certificate.yaml

@@ -4,4 +4,5 @@
 certificate:
   issuerRef:
     name: "letsencrypt-prod"
+  wildcard: false
 ...

helmfile/environments/default/debug.yaml

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cleanup:
+  # Keep Pods/Job logs after successful run.
+  deletePodsOnSuccess: true
+  # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
+  deletePodsOnSuccessTimeout: 60
+  # Keep persistence on deletion of this release.
+  keepPVCOnDelete: false
+  # Keep additional resources, like certificates on deletion of this release.
+  keepRessourceOnDelete: true
+...

helmfile/environments/default/images.yaml

@@ -16,7 +16,7 @@ images:
     # @supplier: "Open-Xchange"
   element:
     repository: "souvap/tooling/images/element-web"
-    tag: "latest@sha256:16506bba9da546b1bf5896892f6f4afefea3d0f1d8ed93eae511212627a029b9"
+    tag: "1.1.0@sha256:4fc2df523090cf012b50a681c92482f61231baf4cce67de467dd9f79c181bc93"
     # @supplier: "Element"
   freshclam:
     repository: "clamav/clamav"
@@ -72,7 +72,8 @@ images:
     # @supplier: "Univention"
   mariadb:
     repository: "mariadb"
-    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
+    # For upgrades at least confirm compatibility of target version with OX (regarding AS Guard)
+    tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
     # @supplier: "openDesk DevSecOps"
   memcached:
     repository: "bitnami/memcached"
@@ -87,8 +88,8 @@ images:
     tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
     # @supplier: "Nextcloud Community"
   openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
+    repository: "souvap/tooling/images/openproject/opendesk"
-    tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
+    tag: "fat-dev@sha256:e5d0fb5125df968ba98cb3005b7051ddff25b05da54922c94bb2ee61e6ec842c"
     # @supplier: "OpenProject"
   openxchangeBootstrap:
     repository: "alpine/k8s"
@@ -156,6 +157,10 @@ images:
     repository: "matrixdotorg/synapse"
     tag: "v1.91.2@sha256:1d19508db417bb2b911c8e086bd3dc3b719ee75c6f6194d58af59b4c32b11322"
     # @supplier: "Element"
+  synapseGuestModule:
+    repository: "nordeck/synapse-guest-module"
+    tag: "1.0.0@sha256:e9c736d84a77df93b2dbe3e3afa7b0ca3efcbc4457677adaac5df3cc79a85923"
+    # @supplier: "Nordeck"
   synapseWeb:
     repository: "rapidfort/haproxy-official"
     tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
@@ -166,55 +171,55 @@ images:
     # @supplier: "Univention"
   umsConfigHtpasswd:
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "latest@sha256:24c5e218baa62b169e7222d8ee4d3951ddc8622cd359def6b660bb23a1052f9e"
+    tag: "latest"
     # @supplier: "Univention"
   umsDataLoader:
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "latest@sha256:857837c1810f82362d441544dc32bd2c1d6fe358bbb5ae0e2c60b7f8f4092190"
+    tag: "latest"
     # @supplier: "Univention"
   umsLdapNotifier:
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "latest@sha256:6eccf86fe78926247ec9b59d7ba83c53271bc3ca7d0195863c0489e22c836002"
+    tag: "latest"
     # @supplier: "Univention"
   umsLdapServer:
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "latest@sha256:4a7c44b37c727cdc03e4043c88e3dbf6b1f119772c5c1904eaed3298bdd49a3d"
+    tag: "latest"
     # @supplier: "Univention"
   umsNotificationsApi:
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "latest@sha256:87a047c2d0669fcbb3501ef94192812e17e09aecabc1edd2e4b92afbb7ea4b20"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalListener:
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "latest@sha256:bcf48d108bc2f1afd745659a1d4f11f1dd0d8ada034899aa401dfea32a29c87a"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalFrontend:
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "latest@sha256:a1b11db009e992d91cfef2bc60a5022cd4498c38908194020c881ef6dd325bae"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalServer:
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "latest@sha256:eb0b032c4cf4b207f78b80c69f3e593e01e577779d877e16908902f19b4fc2ee"
+    tag: "latest"
     # @supplier: "Univention"
   umsWaitForDependency:
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "latest@sha256:5d8d5e9ed55af2d12fef25856e5e61c7d13081458e4b14e6a01b10488b8067d3"
+    tag: "latest"
     # @supplier: "Univention"
   umsStoreDav:
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "latest@sha256:d65f705e46a497ba58e7373f19973835f731796baeace16a32d6331469bf0068"
+    tag: "latest"
     # @supplier: "Univention"
   umsUdmRestApi:
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "latest@sha256:dce4322646749692c5d4692ccd7ff55df080a4af3485585a50c82871715e0cae"
+    tag: "latest"
     # @supplier: "Univention"
   umsUmcGateway:
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "latest@sha256:18172ee4317a9259291f251c0cc1d2be05e003558cbd18d6dc062098a127cc8d"
+    tag: "latest"
     # @supplier: "Univention"
   umsUmcServer:
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "latest@sha256:6cbb1708109c5a0c13f3ee433989094d04cecfb8b32975e723d0f5a2e526f8db"
+    tag: "latest"
     # @supplier: "Univention"
   wellKnown:
     repository: "library/nginx"

helmfile/environments/default/ingress.yaml

@@ -6,5 +6,5 @@ ingress:
   ingressClassName: ""
   tls:
     enabled: true
-    secretName: "sovereign-workplace-certificates-tls"
+    secretName: "opendesk-certificates-tls"
 ...

helmfile/environments/dev/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/prod/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/test/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/test/values.yaml.sample

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# This a sample file and could be filled with proper variable overload.
+sample: true
+...

helmfile/files/gpg-pubkeys/souvap-univention-de.gpg.license

@@ -1,6 +1,2 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
----
-cleanup:
-  deletePodsOnSuccess: true
-...