chore(release): 0.5.11 [skip ci]

## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)

### Bug Fixes

* **helmfile:** Quote all password template strings ([fb7dba7](fb7dba787c))
* **services:** Add memcached service ([72e3afd](72e3afdffd))

.gitignore

@@ -5,4 +5,8 @@
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.gotmpl
+helmfile/environments/test/values.yaml
+helmfile/environments/test/values.gotmpl
 helmfile/environments/prod/values.yaml
+helmfile/environments/prod/values.gotmpl

.gitlab-ci.yml

@@ -183,8 +183,16 @@ env-cleanup:
           $ENV_STOP_BEFORE != "no"
       when: "always"
   script:
-    - "helmfile destroy --namespace ${NAMESPACE}"
+    - |
-    - "kubectl delete pvc --all --namespace ${NAMESPACE}"
+      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
+        for OPENDESK_RELEASE in $(helm ls -n ${NAMESPACE} -aq); do
+          helm uninstall -n ${NAMESPACE} ${OPENDESK_RELEASE};
+        done
+        kubectl delete pvc --all --namespace ${NAMESPACE};
+        kubectl delete jobs --all --namespace ${NAMESPACE};
+      else
+        helmfile destroy --namespace ${NAMESPACE};
+      fi
   stage: "env-cleanup"
 
 env-start:

CHANGELOG.md

@@ -1,3 +1,75 @@
+## [0.5.11](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.10...v0.5.11) (2023-10-11)
+
+
+### Bug Fixes
+
+* **helmfile:** Quote all password template strings ([fb7dba7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/fb7dba787c232c402aa9c989c0e8ace51869d534))
+* **services:** Add memcached service ([72e3afd](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/72e3afdffdeb6f88f8e926426dbc26adf4b54e7a))
+
+## [0.5.10](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.9...v0.5.10) (2023-10-11)
+
+
+### Bug Fixes
+
+* **intercom-service:** Update intercom-service chart to v2.0.0 ([c3129f1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c3129f14437728be890187bb7c4a1bfc42d90958))
+
+## [0.5.9](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.8...v0.5.9) (2023-10-10)
+
+
+### Bug Fixes
+
+* **element:** Enable the guest module in Synapse ([da1bf35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/da1bf3581c5790786601948cabcef8a1d1c680ad))
+
+## [0.5.8](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.7...v0.5.8) (2023-10-10)
+
+
+### Bug Fixes
+
+* **helmfile:** Add default port for SMTP in environment ([74f9ec2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/74f9ec28e401f7caeefc4e50ac0a7e95fea41a53))
+
+## [0.5.7](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.6...v0.5.7) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Mail sender address ([711d29e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/711d29e374d13a3c8b7bcdf3e8440d03e0ef2b7d))
+
+## [0.5.6](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.5...v0.5.6) (2023-10-09)
+
+
+### Bug Fixes
+
+* **helmfile:** Use signed bitnami charts from openDesk Mirror Builds ([70744d0](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/70744d04c66f32d65dc968c8570ed7a397f4efcc))
+* **services:** Bump redis chart to 18.1.2 ([d4c751d](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d4c751d29f15c718957f6bc388a99347e2923c87))
+
+## [0.5.5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.4...v0.5.5) (2023-10-09)
+
+
+### Bug Fixes
+
+* **openproject:** Switch image to fix central navigation; set email sender address ([e42feb4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e42feb4c260fc24692bc2742c97754230f8e2857))
+
+## [0.5.4](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.3...v0.5.4) (2023-10-02)
+
+
+### Bug Fixes
+
+* **helmfile:** Add third environment (test) ([7dbcbfe](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7dbcbfe7237b365cf53f4c850b149e8b95149901))
+
+## [0.5.3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.2...v0.5.3) (2023-09-28)
+
+
+### Bug Fixes
+
+* **open-xchange:** Rollback MariaDB version to fix OX Guard initialization ([e33acd3](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/e33acd33e79740144e8fe318fe34dc705834ddf3))
+
+## [0.5.2](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.1...v0.5.2) (2023-09-28)
+
+
+### Bug Fixes
+
+* **ci:** Add Gitlab-CI sledgehammer deployment removal ([6fd655a](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/6fd655a0b1afd40303ac11130692202146bab215))
+
 ## [0.5.1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.0...v0.5.1) (2023-09-28)
 
 
@@ -395,3 +467,8 @@
 * **open-xchange:** OX AppSuite 8 within SWP is now publicly available ([6dc470f](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/6dc470fd67edbb9711e406acb067569ca357b989))
 * **services:** Add clamav-simple deployment ([505f25c](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/505f25c5493ebb9e0181233ed5b7d8018e3a315d))
 * **sovereign-workplace:** Initial commit ([533c504](https://gitlab.souvap-univention.de/souvap/devops/sovereign-workplace/commit/533c5040faebd91f4012b604d0f4779ea1510424))
+
+<!--
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+-->

README.md

@@ -156,6 +156,12 @@ and wait a little. After the deployment is finished some bootstrapping is
 executed which might take some more minutes before you can log in your new
 instance.
 
+Deployments can be removed with:
+
+```shell
+helmfile destroy -n <NAMESPACE>
+```
+
 ## Offline deployment
 
 Before executing a [local deployment](#local-deployment), you can set following
@@ -209,6 +215,7 @@ subdirectory `/helmfile/apps/services`.
 | Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              | Functional |
 | Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
 | MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
+| Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 | Eval       |
 | Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
 | OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
 | OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |
@@ -232,8 +239,8 @@ subdirectory `/helmfile/apps/services`.
 
 #### Databases
 
-In case you don't got for a develop or evaluation environment you want to point
+When deploying this suite to production, you need to configure the applications to use your production grade database
-the application to your own database instances.
+service.
 
 | Component   | Name               | Type       | Parameter | Key                                    | Default                    |
 |-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
@@ -277,6 +284,24 @@ the application to your own database instances.
 |             |                    |            | Username  | `databases.xwiki.username`             | `xwiki_user`               |
 |             |                    |            | Password  | `databases.xwiki.password`             |                            |
 
+#### Cache
+
+When deploying this suite to production, you need to configure the applications to use your production grade cache
+service.
+
+| Component        | Name             | Type      | Parameter | Key                          | Default          |
+|------------------|------------------|-----------|-----------|------------------------------|------------------|
+| Intercom Service | Intercom Service | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.intercomService.host` | `redis-headless` |
+|                  |                  |           | Port      | `cache.intercomService.port` | `6379`           |
+| Nextcloud        | Nextcloud        | Redis     |           |                              |                  |
+|                  |                  |           | Host      | `cache.nextcloud.host`       | `redis-headless` |
+|                  |                  |           | Port      | `cache.nextcloud.port`       | `6379`           |
+| OpenProject      | OpenProject      | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
+|                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+
+
 ### Scaling
 
 The Replicas of components can be increased, while we still have to look in the
@@ -344,30 +369,32 @@ This section summarizes various aspects of security and compliance aspects.
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
-| Component  | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+| Component   | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV     | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| ClamAV      | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|            | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| Collabora  | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| Element    | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
-|            | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
+|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  | 
-|            | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
-|            | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
+|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   | 
-| Jitsi      | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| Jitsi       | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|             | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
-|            | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|            | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|             | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| Keycloak   | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Keycloak    | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|            | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|             | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|            | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|             | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-|            | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|             | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| MariaDB    | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| MariaDB     | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-| Postfix    | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| Memcached   | memcached                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
-| PostgreSQL | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Postfix     | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| OpenProject | openproject              |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| PostgreSQL  | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 
 
 ### Helm Chart Trust Chain
@@ -377,7 +404,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 
 | Repository                           | OCI |     Verifiable     |
 |--------------------------------------|:---:|:------------------:|
-| bitnami-repo                         | yes |        :x:         |
+| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
 | clamav-repo                          | yes | :white_check_mark: |
 | collabora-online-repo                | no  |        :x:         |
 | intercom-service-repo                | yes | :white_check_mark: |

helmfile.yaml

@@ -29,6 +29,7 @@ missingFileHandler: "Error"
 # - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
 # - Installing a single release from app directory via helmfile apply
 # Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
+
 environments:
   default:
     values:
@@ -39,9 +40,17 @@ environments:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.gotmpl"
+  test:
+    values:
+      - "helmfile/environments/default/*.gotmpl"
+      - "helmfile/environments/default/*.yaml"
+      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.gotmpl"
   prod:
     values:
       - "helmfile/environments/default/*.gotmpl"
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.gotmpl"
 ...

helmfile/apps/collabora/values.gotmpl

@@ -29,7 +29,7 @@ ingress:
 collabora:
   # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
   username: "collabora-internal-admin"
-  password: {{ .Values.secrets.collabora.adminPassword }}
+  password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 

helmfile/apps/element/values-synapse.gotmpl

@@ -22,7 +22,7 @@ configuration:
     host: "{{ .Values.databases.synapse.host }}"
     name: "{{ .Values.databases.synapse.name }}"
     user: "{{ .Values.databases.synapse.username }}"
-    password: "{{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser }}"
+    password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
     oidc:
@@ -41,7 +41,7 @@ configuration:
           port: {{ .Values.turn.server.port }}
           transport: {{ .Values.turn.transport }}
         {{- end }}
-    
+
     guestModule:
       image:
         imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"

helmfile/apps/element/values-synapse.yaml

@@ -4,7 +4,7 @@
 configuration:
   homeserver:
     guestModule:
-      enabled: false
+      enabled: true
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/intercom-service/helmfile.yaml

@@ -15,9 +15,8 @@ repositories:
 releases:
   - name: "intercom-service"
     chart: "intercom-service-repo/intercom-service"
-    version: "1.1.3"
+    version: "2.0.0"
     values:
-      - "values.yaml"
       - "values.gotmpl"
     condition: "intercom.enabled"
 

helmfile/apps/intercom-service/values.gotmpl

@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
   domain: "{{ .Values.global.domain }}"
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -24,13 +25,14 @@ ics:
   portal:
     apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
   redis:
-    password: {{ .Values.secrets.redis.password }}
+    host: {{ .Values.cache.intercomService.host }}
+    port: {{ .Values.cache.intercomService.port }}
+    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
   imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
-  registry: "{{ .Values.global.imageRegistry }}"
   repository: "{{ .Values.images.intercom.repository }}"
   tag: "{{ .Values.images.intercom.tag }}"
 

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -86,7 +86,7 @@ jitsi:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
       tag: "{{ .Values.images.jicofo.tag }}"
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jicofoAuthPassword }}"
+      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
       componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -17,7 +17,7 @@ cleanup:
 
 config:
   administrator:
-    password: "{{ .Values.secrets.keycloak.adminPassword }}"
+    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/keycloak/helmfile.yaml

@@ -7,10 +7,10 @@ repositories:
   - name: "bitnami-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
-    # Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
+    verify: true
-    verify: false
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
   # openDesk Keycloak Theme
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
   - name: "keycloak-theme-repo"
@@ -35,7 +35,7 @@ releases:
     condition: "keycloak.enabled"
   - name: "keycloak"
     chart: "bitnami-repo/keycloak"
-    version: "12.2.0"
+    version: "12.1.5"
     values:
       - "values-keycloak.gotmpl"
       - "values-keycloak.yaml"

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   keycloak:
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
   postgresql:
     connection:
       host: "{{ .Values.databases.keycloakExtension.host }}"
@@ -13,7 +13,7 @@ global:
     auth:
       database: "{{ .Values.databases.keycloakExtension.name }}"
       username: "{{ .Values.databases.keycloakExtension.username }}"
-      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
 handler:
   image:
     registry: "{{ .Values.global.imageRegistry }}"
@@ -21,7 +21,7 @@ handler:
     tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
     imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
   appConfig:
-    smtpPassword: "{{ .Values.smtp.password }}"
+    smtpPassword: {{ .Values.smtp.password | quote }}
     smtpHost: "{{ .Values.smtp.host }}"
     smtpUsername: "{{ .Values.smtp.username }}"
     mailFrom: "noreply@{{ .Values.global.domain }}"

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -20,10 +20,10 @@ externalDatabase:
   port: {{ .Values.databases.keycloak.port }}
   user: "{{ .Values.databases.keycloak.username }}"
   database: "{{ .Values.databases.keycloak.name }}"
-  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser }}
+  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
 
 auth:
-  adminPassword: {{ .Values.secrets.keycloak.adminPassword }}
+  adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 replicaCount: {{ .Values.replicas.keycloak }}
 

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -14,7 +14,7 @@ global:
 
 config:
   administrator:
-    password: {{ .Values.secrets.nextcloud.adminPassword }}
+    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 
   antivirus:
     {{- if .Values.clamavDistributed.enabled }}
@@ -25,15 +25,15 @@ config:
 
   apps:
     integrationSwp:
-      password: {{ .Values.secrets.centralnavigation.apiKey }}
+      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     userOidc:
-      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
+      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
 
   database:
     host: "{{ .Values.databases.nextcloud.host }}"
     name: "{{ .Values.databases.nextcloud.name }}"
     user: "{{ .Values.databases.nextcloud.username }}"
-    password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+    password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
     password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -6,16 +6,20 @@ SPDX-License-Identifier: Apache-2.0
 nextcloud:
   host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
   username: "nextcloud"
-  password: {{ .Values.secrets.nextcloud.adminPassword }}
+  password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
   database: "{{ .Values.databases.nextcloud.name }}"
   user: "{{ .Values.databases.nextcloud.username }}"
   host: "{{ .Values.databases.nextcloud.host }}"
-  password: "{{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser }}"
+  password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+extraEnv:
+  REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
+  REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
+  REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 redis:
   auth:
     enabled: true
-    password: {{ .Values.secrets.redis.password }}
+    password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
   className: {{ .Values.ingress.ingressClassName }}

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -16,10 +16,10 @@ imagePullSecrets:
 
 dovecot:
   mailDomain: "{{ .Values.global.domain }}"
-  password: {{ .Values.secrets.dovecot.doveadm }}
+  password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
     clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -11,8 +11,8 @@ global:
     database: "{{ .Values.databases.oxAppsuite.name }}"
     auth:
       user: "{{ .Values.databases.oxAppsuite.username }}"
-      password: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
+      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
-      rootPassword: "{{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword }}"
+      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
 istio:
   enabled: {{ .Values.istio.enabled }}

helmfile/apps/openproject/values.gotmpl

@@ -14,6 +14,9 @@ image:
   tag: "{{ .Values.images.openproject.tag }}"
 
 memcached:
+  connection:
+    host: "{{ .Values.cache.openproject.host }}"
+    port: {{ .Values.cache.openproject.port }}
   image:
     registry: "{{ .Values.global.imageRegistry }}"
     repository: "{{ .Values.images.memcached.repository }}"
@@ -21,7 +24,7 @@ memcached:
 
 postgresql:
   auth:
-    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser }}
+    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
     username: "{{ .Values.databases.openproject.username }}"
     database: "{{ .Values.databases.openproject.name }}"
   connection:
@@ -35,7 +38,7 @@ openproject:
     name: "OpenProject Interal Admin"
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
-    password: "{{ .Values.secrets.openproject.adminPassword }}"
+    password: {{ .Values.secrets.openproject.adminPassword | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
@@ -51,14 +54,15 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey }}
+  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
   OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
-  OPENPROJECT_SMTP__PORT: "587" # (default=587)
+  OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
   OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
 

helmfile/apps/openproject/values.yaml

@@ -4,6 +4,9 @@
 image:
   registry: "registry.souvap-univention.de"
 
+memcached:
+  bundled: false
+
 probes:
   liveness:
     initialDelaySeconds: 300
@@ -27,6 +30,12 @@ openproject:
   # seed will only be executed on initial installation
   seed_locale: "de"
 
+securityContext:
+  allowPrivilegeEscalation: false
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -21,7 +21,7 @@ oxConnector:
   domainName: "{{ .Values.global.domain }}"
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
-  oxMasterPassword: "{{ .Values.secrets.oxAppsuite.adminPassword }}"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   oxDefaultContext: "1"
 

helmfile/apps/services/helmfile.yaml

@@ -64,9 +64,9 @@ repositories:
     oci: true
     url: >-
       {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "registry-1.docker.io/bitnamicharts" }}
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
-    # Bitnami charts are not signed, see https://github.com/bitnami/charts/issues/14491
+    verify: true
-    verify: false
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
   - name: "opendesk-certificates"
@@ -77,11 +77,18 @@ releases:
     condition: "certificates.enabled"
   - name: "redis"
     chart: "bitnami-repo/redis"
-    version: "18.0.4"
+    version: "18.1.2"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     condition: "redis.enabled"
+  - name: "memcached"
+    chart: "bitnami-repo/memcached"
+    version: "6.6.2"
+    values:
+      - "values-memcached.yaml"
+      - "values-memcached.gotmpl"
+    condition: "memcached.enabled"
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
     version: "2.0.2"
@@ -92,7 +99,7 @@ releases:
     timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.1.0"
+    version: "2.0.2"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"

helmfile/apps/services/values-mariadb.gotmpl

@@ -18,11 +18,11 @@ image:
 job:
   users:
     - username: "xwiki_user"
-      password: "{{ .Values.secrets.mariadb.xwikiUser }}"
+      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
     - username: "openxchange_user"
-      password: "{{ .Values.secrets.mariadb.openxchangeUser }}"
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
     - username: "nextcloud_user"
-      password: "{{ .Values.secrets.mariadb.nextcloudUser }}"
+      password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
   databases:
     - name: "xwiki"
       user: "xwiki_user"
@@ -32,7 +32,7 @@ job:
       user: "openxchange_user"
 
 mariadb:
-  rootPassword: "{{ .Values.secrets.mariadb.rootPassword }}"
+  rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
 
 persistence:
   storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"

helmfile/apps/services/values-memcached.gotmpl

@@ -0,0 +1,19 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.memcached.repository }}"
+  tag: "{{ .Values.images.memcached.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+resources:
+  {{ .Values.resources.memcached | toYaml | nindent 2 }}
+...

helmfile/apps/services/values-memcached.yaml

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
+serviceAccount:
+  create: true
+...

helmfile/apps/services/values-postgresql.gotmpl

@@ -16,15 +16,15 @@ image:
 job:
   users:
     - username: "keycloak_user"
-      password: {{ .Values.secrets.postgresql.keycloakUser }}
+      password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
     - username: "openproject_user"
-      password: {{ .Values.secrets.postgresql.openprojectUser }}
+      password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
     - username: "keycloak_extensions_user"
-      password: {{ .Values.secrets.postgresql.keycloakExtensionUser }}
+      password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
     - username: "matrix_user"
-      password: {{ .Values.secrets.postgresql.matrixUser }}
+      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"
@@ -43,7 +43,7 @@ persistence:
   size: "{{ .Values.persistence.size.postgresql }}"
 
 postgres:
-  password: {{ .Values.secrets.postgresql.postgresUser }}
+  password: {{ .Values.secrets.postgresql.postgresUser | quote }}
 
 resources:
   {{ .Values.resources.postgresql | toYaml | nindent 2 }}

helmfile/apps/services/values-redis.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 auth:
-  password: {{ .Values.secrets.redis.password }}
+  password: {{ .Values.secrets.redis.password | quote }}
 
 global:
   imageRegistry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -37,31 +37,31 @@ extraEnvVars:
   - name: LDAPSEARCH_OX_USERNAME
     value: "ldapsearch_ox"
   - name: LDAPSEARCH_OX_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
   - name: LDAPSEARCH_DOVECOT_USERNAME
     value: "ldapsearch_dovecot"
   - name: LDAPSEARCH_DOVECOT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   - name: LDAPSEARCH_KEYCLOAK_USERNAME
     value: "ldapsearch_keycloak"
   - name: LDAPSEARCH_KEYCLOAK_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
   - name: LDAPSEARCH_NEXTCLOUD_USERNAME
     value: "ldapsearch_nextcloud"
   - name: LDAPSEARCH_NEXTCLOUD_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
   - name: LDAPSEARCH_OPENPROJECT_USERNAME
     value: "ldapsearch_openproject"
   - name: LDAPSEARCH_OPENPROJECT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
   - name: LDAPSEARCH_XWIKI_USERNAME
     value: "ldapsearch_xwiki"
   - name: LDAPSEARCH_XWIKI_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}
+    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
   - name: DEFAULT_ACCOUNT_USER_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
   - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword }}
+    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
 
 resources:
   {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -11,7 +11,7 @@ postgresql:
   auth:
     username: "notificationsapi_user"
     database: "notificationsapi"
-    password: {{ .Values.secrets.postgresql.notificationsapiUser }}
+    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 stackDataSwp:
   udmApiUsername: "cn=admin"
-  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -5,13 +5,13 @@ SPDX-License-Identifier: Apache-2.0
 ---
 stackDataUms:
   udmApiUser: "cn=admin"
-  udmApiPassword: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"
-  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 
   # The SWP configuration brings its own UMC policies.
   installUmcPolicies: false

helmfile/apps/xwiki/values.gotmpl

@@ -9,7 +9,7 @@ image:
   pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 externalDB:
-  password: "{{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword }}"
+  password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
   database: "{{ .Values.databases.xwiki.name }}"
   user: "{{ .Values.databases.xwiki.username }}"
   host: "{{ .Values.databases.xwiki.host }}"

helmfile/bases/environments.yaml

@@ -11,9 +11,17 @@ environments:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
       - "../../environments/dev/values.yaml"
+      - "../../environments/dev/values.gotmpl"
+  test:
+    values:
+      - "../../environments/default/*.gotmpl"
+      - "../../environments/default/*.yaml"
+      - "../../environments/test/values.yaml"
+      - "../../environments/test/values.gotmpl"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
       - "../../environments/prod/values.yaml"
+      - "../../environments/prod/values.gotmpl"
 ...

helmfile/environments/default/cache.yaml

@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+cache:
+  intercomService:
+    host: "redis-headless"
+    port: 6379
+    password: ""
+  nextcloud:
+    host: "redis-headless"
+    port: 6379
+    password: ""
+  openproject:
+    host: "memcached"
+    port: 11211
+...

helmfile/environments/default/images.yaml

@@ -72,12 +72,13 @@ images:
     # @supplier: "Univention"
   mariadb:
     repository: "mariadb"
-    tag: "11.1.2-jammy@sha256:b6440c4f4e1471bdcee202e4c4e21c1f93af87421f6d33028363dd224e54f481"
+    # For upgrades at least confirm compatibility of target version with OX (regarding AS Guard)
+    tag: "10.5@sha256:aa1ccc18000c32d1f39ac0b055117b27bffd93e622ec961d682de40fe2a1a95f"
     # @supplier: "openDesk DevSecOps"
   memcached:
     repository: "bitnami/memcached"
-    tag: "1.6.21-debian-11-r84@sha256:81747acd297d3fcd05706ea771d441a6f01b28d722c366a06f922b6b7d4033dd"
+    tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
-    # @supplier: "OpenProject"
+    # @supplier: "openDesk DevSecOps"
   milter:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
@@ -87,8 +88,8 @@ images:
     tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
     # @supplier: "Nextcloud Community"
   openproject:
-    repository: "souvap/tooling/images/openproject/souvap"
+    repository: "souvap/tooling/images/openproject/opendesk"
-    tag: "dev@sha256:03eb1eacc0c0c4e9e7d0f0c3d265fd0c15fd01cda33bc4f89cbc487ad53474a8"
+    tag: "fat-dev@sha256:e5d0fb5125df968ba98cb3005b7051ddff25b05da54922c94bb2ee61e6ec842c"
     # @supplier: "OpenProject"
   openxchangeBootstrap:
     repository: "alpine/k8s"
@@ -170,55 +171,55 @@ images:
     # @supplier: "Univention"
   umsConfigHtpasswd:
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "latest@sha256:24c5e218baa62b169e7222d8ee4d3951ddc8622cd359def6b660bb23a1052f9e"
+    tag: "latest"
     # @supplier: "Univention"
   umsDataLoader:
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "latest@sha256:857837c1810f82362d441544dc32bd2c1d6fe358bbb5ae0e2c60b7f8f4092190"
+    tag: "latest"
     # @supplier: "Univention"
   umsLdapNotifier:
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "latest@sha256:6eccf86fe78926247ec9b59d7ba83c53271bc3ca7d0195863c0489e22c836002"
+    tag: "latest"
     # @supplier: "Univention"
   umsLdapServer:
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "latest@sha256:4a7c44b37c727cdc03e4043c88e3dbf6b1f119772c5c1904eaed3298bdd49a3d"
+    tag: "latest"
     # @supplier: "Univention"
   umsNotificationsApi:
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "latest@sha256:87a047c2d0669fcbb3501ef94192812e17e09aecabc1edd2e4b92afbb7ea4b20"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalListener:
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "latest@sha256:bcf48d108bc2f1afd745659a1d4f11f1dd0d8ada034899aa401dfea32a29c87a"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalFrontend:
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "latest@sha256:a1b11db009e992d91cfef2bc60a5022cd4498c38908194020c881ef6dd325bae"
+    tag: "latest"
     # @supplier: "Univention"
   umsPortalServer:
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "latest@sha256:eb0b032c4cf4b207f78b80c69f3e593e01e577779d877e16908902f19b4fc2ee"
+    tag: "latest"
     # @supplier: "Univention"
   umsWaitForDependency:
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "latest@sha256:5d8d5e9ed55af2d12fef25856e5e61c7d13081458e4b14e6a01b10488b8067d3"
+    tag: "latest"
     # @supplier: "Univention"
   umsStoreDav:
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "latest@sha256:d65f705e46a497ba58e7373f19973835f731796baeace16a32d6331469bf0068"
+    tag: "latest"
     # @supplier: "Univention"
   umsUdmRestApi:
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "latest@sha256:dce4322646749692c5d4692ccd7ff55df080a4af3485585a50c82871715e0cae"
+    tag: "latest"
     # @supplier: "Univention"
   umsUmcGateway:
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "latest@sha256:18172ee4317a9259291f251c0cc1d2be05e003558cbd18d6dc062098a127cc8d"
+    tag: "latest"
     # @supplier: "Univention"
   umsUmcServer:
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "latest@sha256:6cbb1708109c5a0c13f3ee433989094d04cecfb8b32975e723d0f5a2e526f8db"
+    tag: "latest"
     # @supplier: "Univention"
   wellKnown:
     repository: "library/nginx"

helmfile/environments/default/resources.yaml

@@ -114,6 +114,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "500Mi"
+  memcached:
+    limits:
+      cpu: 1
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "32Mi"
   milter:
     limits:
       cpu: 4

helmfile/environments/default/smtp.gotmpl

@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 smtp:
   host: ""
+  port: 587
   username: ""
   password: "{{ env "SMTP_PASSWORD" }}"
 ...

helmfile/environments/default/workplace.yaml

@@ -21,6 +21,8 @@ keycloak:
   enabled: true
 mariadb:
   enabled: true
+memcached:
+  enabled: true
 nextcloud:
   enabled: true
 openproject:

helmfile/environments/dev/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/prod/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/test/values.gotmpl.sample

@@ -0,0 +1,8 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+sampleWithTemplating: {{ env "YOUR_ENV_VARIABLE_FOR_TEMPLATING" | quote }}
+
+...

helmfile/environments/test/values.yaml.sample

@@ -1,8 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-istio:
+# This a sample file and could be filled with proper variable overload.
-  enabled: false
+sample: true
-  virtualService:
-    enabled: false
 ...