chore(release): 0.5.31 [skip ci]

## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)

### Bug Fixes

* **univention-management-stack:** Update optional UMS preview state ([d0a0799](d0a07997c1))

CHANGELOG.md

@@ -1,3 +1,32 @@
+## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
+
+## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
+
+
+### Bug Fixes
+
+* **collabora:** Init monitoring in defaults and in collabora (for prometheus-monitor, -rules and grafana dashboard) ([0ad0434](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0ad043406bef7bb10d561ef1418b58cbd8714d43))
+* **helmfile:** Add monitoring.yaml for optional monitoring ([385d81b](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/385d81b9a9e1ec319706493c51629c8e48822aa7))
+
+## [0.5.29](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.28...v0.5.29) (2023-11-06)
+
+
+### Bug Fixes
+
+* **xwiki:** Update XWiki Helm configuration to enable LDAP and OIDC user synchronization ([7c56c72](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/7c56c7244f3862b6b21627661430a94d804c6974))
+
+## [0.5.28](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.27...v0.5.28) (2023-11-06)
+
+
+### Bug Fixes
+
+* **open-xchange:** Add Document- and ImageConverter, improve LDAP address book filters ([899a8c5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/899a8c5af9052634b98d9876dfbaea517d89ad49))
+
 ## [0.5.27](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.26...v0.5.27) (2023-11-04)
 
 

README.md

@@ -441,6 +441,50 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | xwiki-repo                           | no  |        :x:         |
 
 
+## Monitoring
+Together with 
+[kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) into
+you can monitor openDesk components with Prometheus and Grafana.
+
+Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack 
+repository.
+
+
+### Metrics
+To deploy podMonitor and serviceMonitor custom resources, enable it by:
+
+```yaml
+prometheus:
+  serviceMonitors:
+    enabled: true
+  podMonitors:
+    enabled: true
+```
+
+### Alerts
+Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
+
+```yaml
+prometheus:
+  prometheusRules:
+    enabled: true
+```
+
+### Dashboards for Grafana
+To deploy optional ConfigMaps with Grafana dashboards, enable it by:
+
+```yaml
+grafana:
+  dashboards:
+    enabled: true
+```
+
+### Components
+| Component   | Metrics (pod- or serviceMonitor)  | Alerts (prometheusRule) | Dashboard (Grafana) |
+|:------------|-----------------------------------|-------------------------|---------------------|
+| Collabora   | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
+
+
 # Component integration
 
 ## Functional use cases

helmfile/apps/collabora/values.gotmpl

@@ -38,4 +38,23 @@ replicaCount: {{ .Values.replicas.collabora }}
 
 resources:
   {{ .Values.resources.collabora | toYaml | nindent 2 }}
+
+prometheus:
+  servicemonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    labels:
+      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+  rules:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    additionalLabels:
+      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+
+grafana:
+  dashboards:
+    enabled: {{ .Values.grafana.dashboards.enabled }}
+    labels:
+      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
+    annotations:
+      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
+
 ...

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -34,7 +34,7 @@ keycloakConfigCli:
     - name: "LDAP_USERS_DN"
       value: "cn=users,dc=swp-ldap,dc=internal"
     - name: "LDAP_SERVER_URL"
-      value: "univention-corporate-container"
+      value: "{{ .Values.global.ldap.host }}"
     - name: "IDENTIFIER"
       value: "souvap"
     - name: "THEME"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -36,6 +36,7 @@ config:
     password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
+    host: "{{ .Values.global.ldap.host }}"
     password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
 
   smtp:

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -13,7 +13,4 @@ config:
 
   cryptpad:
     enabled: true
-
-  ldapSearch:
-    host: "univention-corporate-container"
 ...

helmfile/apps/open-xchange/helmfile.yaml

@@ -44,7 +44,7 @@ releases:
 
   - name: "open-xchange"
     chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
-    version: "2.0.4"
+    version: "2.1.1"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -19,6 +19,7 @@ dovecot:
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    host: "{{ .Values.global.ldap.host }}"
     password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"

helmfile/apps/open-xchange/values-dovecot.yaml

@@ -7,7 +7,6 @@ containerSecurityContext:
 dovecot:
   ldap:
     enabled: true
-    host: "univention-corporate-container"
     port: 389
     base: "dc=swp-ldap,dc=internal"
 

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -8,6 +8,10 @@ appsuite:
     secretYAMLFiles:
       ldap-client-config.yml:
         contactsLdapClient:
+          pool:
+            host:
+              address: "{{ .Values.global.ldap.host }}"
+              port: 389
           auth:
             adminDN:
               password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -6,7 +6,7 @@ appsuite:
 
     properties:
       # Enterprise contact picker
-      com.openexchange.contacts.ldap.accounts: "opendesk"
+      com.openexchange.contacts.ldap.accounts: "opendesk,other,functional"
       com.openexchange.admin.bypassAccessCombinationChecks: "true"
       ENABLE_INTERNAL_USER_EDIT: "false"
 
@@ -16,9 +16,6 @@ appsuite:
         contactsLdapClient:
           pool:
             type: "simple"
-            host:
-              address: "univention-corporate-container"
-              port: 389
           auth:
             type: "adminDN"
             adminDN:
@@ -153,7 +150,7 @@ appsuite:
             # allows to sort the attributes lexicographically, either "ascending" or "descending".
             dynamicAttributes:
               attributeName: "o"
-              contactFilterTemplate: "(&(univentionObjectType=users/user)(o=[value]))"
+              contactFilterTemplate: "(&(univentionObjectType=users/user)(isOxUser=OK)(o=[value]))"
               contactSearchScope: "sub"
               # refreshInterval: 1h
               refreshInterval: "5m"
@@ -174,6 +171,48 @@ appsuite:
                 - "Management"
                 - "Human Resources"
 
+        other:
+          name: "Other contacts"
+          ldapClientId: "contactsLdapClient"
+          mappings: "ucs"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+              folders:
+                - name: "Ohne Organisation"
+                  contactFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(!(o=*)))"
+
+        functional:
+          name: "Functional mailboxes"
+          ldapClientId: "contactsLdapClient"
+          mappings: "functional"
+          folders:
+            mode: "static"
+            usedForSync:
+              protected: true
+              defaultValue: false
+            usedInPicker:
+              protected: false
+              defaultValue: true
+            shownInTree:
+              protected: false
+              defaultValue: true
+            static:
+              commonContactFilter: "(univentionObjectType=oxmail/functional_account)"
+              folders:
+                - name: "Funktionale Postfächer"
+                  contactFilter: "(univentionObjectType=oxmail/functional_account)"
+
       contacts-provider-ldap-mappings.yml:
         # Example definitions of contact property <-> LDAP attribute mappings.
         #
@@ -347,3 +386,9 @@ appsuite:
           # image_last_modified   :
           # Will be set automatically to "image/jpeg" if not defined.
           # image1_content_type   :
+
+        functional:
+          objectid: "mailPrimaryAddress"
+          displayname: "oxPersonal,cn,mailPrimaryAddress"
+          file_as: "oxPersonal,cn,mailPrimaryAddress"
+          email1: "mailPrimaryAddress"

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -83,6 +83,7 @@ appsuite:
     propertiesFiles:
       "/opt/open-xchange/etc/ldapauth.properties":
         bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+        java.naming.provider.url: "ldap://{{ .Values.global.ldap.host }}:389/dc=swp-ldap,dc=internal"
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
@@ -103,6 +104,9 @@ appsuite:
       oxguardpass: |
         {{ .Values.secrets.oxAppsuite.oxguardMC }}
         {{ .Values.secrets.oxAppsuite.oxguardRC }}
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
     image:
       repository: {{ .Values.images.openxchangeCoreMW.repository }}
       tag: {{ .Values.images.openxchangeCoreMW.tag }}
@@ -139,6 +143,16 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
       pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    redis:
+      auth:
+        password: {{ .Values.secrets.redis.password | quote }}
+
+  core-documentconverter:
+    image:
+      repository: {{ .Values.images.openxchangeDocumentConverter.repository }}
+      tag: {{ .Values.images.openxchangeDocumentConverter.tag }}
+    resources:
+      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
@@ -150,6 +164,11 @@ appsuite:
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
       pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
+  core-imageconverter:
+    image:
+      repository: {{ .Values.images.openxchangeImageConverter.repository }}
+      tag: {{ .Values.images.openxchangeImageConverter.tag }}
+
   guard-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -6,6 +6,9 @@ appsuite:
     ingressGateway:
       name: "opendesk-gateway-istio-gateway"
 
+  switchboard:
+    enabled: false
+
   core-mw:
     enabled: true
     masterAdmin: "admin"
@@ -63,6 +66,8 @@ appsuite:
       com.openexchange.mail.filter.credentialSource: "mail"
       com.openexchange.mail.filter.server: "dovecot"
       com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
+      # Dovecot
+      com.openexchange.imap.attachmentMarker.enabled: "true"
       # Capabilities
       # Old capability can be used to toggle all integrations with a single switch
       com.openexchange.capability.public-sector: "true"
@@ -78,6 +83,7 @@ appsuite:
       com.openexchange.capability.smime: "true"
       com.openexchange.capability.share_links: "false"
       com.openexchange.capability.invite_guests: "false"
+      com.openexchange.capability.document_preview: "true"
       # Secondary Accounts
       com.openexchange.mail.secondary.authType: "XOAUTH2"
       com.openexchange.mail.transport.secondary.authType: "xoauth2"
@@ -89,6 +95,8 @@ appsuite:
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
       # Guard
+      com.openexchange.guard.storage.file.fileStorageType: "file"
+      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
       com.openexchange.guard.guestSMTPServer: "postfix"
       # S/MIME
       # Usage (in browser console after login):
@@ -103,7 +111,6 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
         bindOnly: "false"
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 
@@ -139,10 +146,31 @@ appsuite:
         oidcLogin: true
         oidcPath: "/oidc"
 
+    redis:
+      enabled: true
+      mode: "standalone"
+      hosts:
+        - "redis-master"
+
+    hooks:
+      beforeAppsuiteStart:
+        create-guard-dir.sh: |
+          mkdir -p /opt/open-xchange/guard-files
+          chown open-xchange:open-xchange /opt/open-xchange/guard-files
+
   core-ui:
     enabled: true
+
   core-ui-middleware:
     enabled: true
+    overrides: {}
+    redis:
+      mode: "standalone"
+      hosts:
+        - "redis-master:6379"
+      auth:
+        enabled: true
+
   core-guidedtours:
     enabled: true
   guard-ui:
@@ -151,12 +179,26 @@ appsuite:
     enabled: false
   core-user-guide:
     enabled: true
+
   core-imageconverter:
-    enabled: false
+    enabled: true
+    objectCache:
+      s3ObjectStores:
+        - id: -1
+          endpoint: "."
+          accessKey: "."
+          secretKey: "."
+
   core-spellcheck:
     enabled: false
+
   core-documentconverter:
-    enabled: false
+    enabled: true
+    documentConverter:
+      cache:
+        remoteCache:
+          enabled: false
+
   core-documents-collaboration:
     enabled: false
   office-web:

helmfile/apps/openproject/values.gotmpl

@@ -54,6 +54,9 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "{{ .Values.global.ldap.host }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"

helmfile/apps/openproject/values.yaml

@@ -55,9 +55,6 @@ environment:
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
   OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
-  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
-  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -19,6 +19,8 @@ persistence:
 
 oxConnector:
   domainName: "{{ .Values.global.domain }}"
+  ldapHost: "{{ .Values.global.ldap.host }}"
+  notifierServer: "{{ .Values.global.ldap.notifierHost }}"
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}

helmfile/apps/provisioning/values-oxconnector.yaml

@@ -5,11 +5,9 @@ ingress:
   enabled: false
 
 oxConnector:
-  ldapHost: "univention-corporate-container"
   # ldapHostIp: ""
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  notifierServer: "univention-corporate-container"
   tlsMode: "off"
   # current static password for UCC
   ldapPassword: "ucctempldapstring"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -11,11 +11,29 @@ repositories:
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
+  {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+  - name: "ums-stack-gateway"
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-ums-stack-gateway.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  {{- end }}
   - name: "ums-store-dav"
     chart: "ums-repo/store-dav"
-    version: "0.2.0"
+    version: "0.5.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -23,7 +41,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-server"
     chart: "ums-repo/ldap-server"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -31,7 +49,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-notifier"
     chart: "ums-repo/ldap-notifier"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -40,7 +58,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-udm-rest-api"
     chart: "ums-repo/udm-rest-api"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -48,7 +66,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -56,7 +74,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -64,7 +82,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -72,7 +90,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -81,7 +99,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -90,28 +108,36 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-frontend-custom"
+    # TODO: Replace with our own Nginx chart.
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-portal-frontend-custom.yaml"
+      - "values-portal-frontend-custom.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
     chart: "ums-repo/umc-gateway"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
-      - "values-umc-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-server"
     chart: "ums-repo/umc-server"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-server.gotmpl"
+      - "values-umc-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
+  enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
   host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
   ingressClassName: "{{ .Values.ingress.ingressClassName }}"
   tls:

helmfile/apps/univention-management-stack/values-common.yaml

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  configMapUcrDefaults: "ums-stack-data-ums-ucr"
+  configMapUcr: "ums-stack-data-swp-ucr"
+  configMapUcrForced: null
 
 istio:
   enabled: false

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -14,10 +14,9 @@ ldapServer:
   # dhParam: ""
   tlsMode: "off"
 
-  # TODO: SAML integration
-  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
-  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
-  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
+  serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
@@ -29,6 +28,12 @@ image:
     - name: {{ . }}
     {{- end }}
 
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
 # TODO: Pending upstream support, #199
 persistence:
   data:

helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "nginx"
+  annotations:
+    nginx.org/mergeable-ingress-type: "minion"
+  tls: false
+
+  pathType: Exact
+  path: /favicon.ico
+
+  extraPaths:
+    - pathType: Exact
+      path: /univention/portal/css/custom.css
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo_small_border.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.png
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+service:
+  type: "ClusterIP"
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/app/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -16,11 +16,12 @@ image:
 
 extraIngresses:
   redirects:
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     # The TLS configuration is on the "master" Ingress, see below.
     tls:
       enabled: false
   master:
-    enabled: {{ .Values.ingress.enabled }}
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -13,7 +13,7 @@ portalListener:
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
   ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
+  ldapHost: "{{ .Values.global.ldap.host }}"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -7,7 +7,7 @@ portalServer:
   adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
   authMode: "saml"
   environment: "staging"
-  editable: "true"
+  editable: "false"
   logLevel: "DEBUG"
   ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
   umcGetUrl: "http://ums-umc-server/get"

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -4,22 +4,29 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiUsername: "cn=admin"
+  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"
+  ldapSearchUsers:
+    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    - username: {{ printf "ldapsearch_%s" $k | quote }}
+      password: {{ $v | quote }}
+      lastname: {{ "LDAP-Search-User" }}
+    {{- end }}
+
   externalDomainName: "{{ .Values.global.domain }}"
   externalMailDomain: "{{ .Values.global.domain }}"
 
-  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
-  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
-  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
-  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
-  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
-  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
+  portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
 
   oxDefaultContext: "10"
 

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -10,8 +10,22 @@ stackDataUms:
   loadDevData: true
 
 stackDataContext:
+  domainname: "{{ .Values.global.domain }}"
+  externalMailDomain: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "{{ .Values.global.ldap.host }}"
   ldapBase: "dc=swp-ldap,dc=internal"
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
+  samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  samlSchemes: "https"
+  ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+
+  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
 
   # The SWP configuration brings its own UMC policies.
   installUmcPolicies: false

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -4,29 +4,15 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 udmRestApi:
-  apiLogLevel: "4"
-  authGroups:
-    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: why do we need this many subprocesses?
-  numberOfSubprocesses: 8
   # TODO: Stub value currently
   caCert: ""
   # TODO: This should not be part of the udm-rest-api anymore
   loadJoinData:
     enabled: true
-  # TODO: configurable
-  tlsMode: "off"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -4,9 +4,17 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcGateway:
-  domainname: "{{ .Values.global.domain }}"
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ssoFqdn: "localhost:8097"
+
+extraVolumes:
+  - name: "entrypoint-swp-patches"
+    configMap:
+      name: "ums-stack-data-swp-umc-gateway-entrypoint"
+      defaultMode: 0555
+
+extraVolumeMounts:
+  - name: "entrypoint-swp-patches"
+    mountPath: "/entrypoint.d/90-swp.sh"
+    subPath: "90-swp.sh"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-umcGateway:
-  showCookieBanner: true
-  cookieBannerTitleDE: "Cookie Zustimmung"
-  cookieBannerTitleEN: "Cookie Consent"
-  cookieBannerTextDE: >-
-    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
-    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
-    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
-    Seite.
-  cookieBannerTextEN: >-
-    Usage of this site is only possible by storing and processing cookie
-    information (essential cookies). We require your consent. Please accept to
-    continue or close the page.
-
-...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -4,24 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcServer:
-  domainname: "{{ .Values.global.domain }}"
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
-  enforceSessionCookie: "true"
-
-  # TODO: The keycloak integration is pending
-  samlEnabled: false
-  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
-  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
-  samlSpServer: "localhost:8000"
-  samlSchemes: "http"
-
-  tlsMode: "off"
-
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: Secret should be entered without b64enc

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+umcServer:
+  certPemFile: "/var/secrets/ssl/tls.crt"
+  privateKeyFile: "/var/secrets/ssl/tls.key"
+
+extraVolumes:
+  - name: "certificates"
+    secret:
+      secretName: "opendesk-certificates-tls"
+
+extraVolumeMounts:
+  - name: "certificates"
+    mountPath: "/var/secrets/ssl"
+
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls: false
+  extraTls:
+    - hosts:
+        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+  }

helmfile/apps/xwiki/values.gotmpl

@@ -18,13 +18,13 @@ customConfigs:
   "xwiki.cfg":
     "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
     ## LDAP Server configuration
-    # "xwiki.authentication.ldap.server": "univention-corporate-container"
-    # xwiki.authentication.ldap.port: 389
+    xwiki.authentication.ldap.server: "{{ .Values.global.ldap.host }}"
+    xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
-    # xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    # xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
     ## Base DN used for searching for users
-    # xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
 
   "xwiki.properties":
     "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
@@ -43,8 +43,8 @@ properties:
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
   ## Link LDAP users and users authenticated through OIDC
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}

helmfile/apps/xwiki/values.yaml

@@ -8,7 +8,7 @@ customConfigs:
   xwiki.cfg:
     xwiki.url.protocol: "https"
     ## Indicate the LDAP field defining the user UID
-    # xwiki.authentication.ldap.UID_attr: "uid"
+    xwiki.authentication.ldap.UID_attr: "uid"
     ## Indicate the LDAP field defining the user profile picture
     # xwiki.authentication.ldap.photo_attribute: "jpegPhoto"
     ## Enable the synchronization of the LDAP profile picture
@@ -17,8 +17,8 @@ customConfigs:
   xwiki.properties:
     oidc.scope: "openid,profile,email,address,phoenix"
     oidc.endpoint.userinfo.method: "GET"
-    oidc.user.nameFormater: "${oidc.user.phoenixusername._lowerCase}"
-    oidc.user.subjectFormater: "${oidc.user.subject}"
+    oidc.user.nameFormater: "${oidc.user.phoenixusername._clean._lowerCase}"
+    oidc.user.subjectFormater: "${oidc.user.phoenixusername._lowerCase}"
     # yamllint disable-line rule:line-length
     oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     oidc.clientid: "xwiki"
@@ -67,21 +67,18 @@ properties:
 
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-  #   "sn,givenname,uid"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes": "sn,givenname,uid"
   ## Restrict user import in the UI to global administrators
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
-  #   1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate": 1
   ## Base DN under which groups should be searched for
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
-  #  "dc=swp-ldap,dc=internal"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN": "dc=swp-ldap,dc=internal"
   ## LDAP filter to only synchronize some groups
-  # "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
-  #   "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
+    "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"
 
 securityContext:
   enabled: true

helmfile/environments/default/database.yaml

@@ -27,7 +27,7 @@ databases:
     password: ""
   oxAppsuite:
     host: "mariadb"
-    name: "CONFIGDB"
+    name: "configdb"
     username: "root"
     password: ""
   synapse:

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,12 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" }}
 
+
+  ## Define LDAP service (supports "ums_eval" from the CI pipeline)
+  ldap:
+    host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
+    notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+
   ## Define docker registry address.
   #
   imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}

helmfile/environments/default/images.yaml

@@ -126,39 +126,47 @@ images:
     # @supplier: "Open-Xchange"
   openxchangeCoreGuidedtours:
     repository: "appsuite-public-sector/core-guidedtours"
-    tag: "8.5.1@sha256:469457562a378cca50460e08d9437a954fc6f19622f18128fa74979f7905ecd9"
+    tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
     # @supplier: "Open-Xchange"
   openxchangeCoreMW:
     repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.16.60@sha256:269c5b72f380c49ba1888c4300c409745d2ce757ca0b269afe1e8ac9bb26f028"
+    tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
     # @supplier: "Open-Xchange"
   openxchangeCoreUI:
     repository: "appsuite-public-sector/core-ui"
-    tag: "8.16.5@sha256:4f4dd4e36fb8a1b493c195e38e2f13b87c9582bfcdc3d23b646698fce2ffef8c"
+    tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
     # @supplier: "Open-Xchange"
   openxchangeCoreUIMiddleware:
     repository: "appsuite-public-sector/core-ui-middleware"
-    tag: "1.8.4@sha256:c707fbd5496c894f201dab8f4e78aad98f1ad80c8058778f04dfa5e6e201ed64"
+    tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
     # @supplier: "Open-Xchange"
   openxchangeCoreUserGuide:
     repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.16.727397@sha256:5d8dbf9a91456dea59a235b495dcd002b971e2b23ef6c3a2ea5fd2071664e2a4"
+    tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
     # @supplier: "Open-Xchange"
-  openxchangeGuardUI:
-    repository: "appsuite-public-sector/guard-ui"
-    tag: "4.0.6@sha256:7bb8fdf944228dd78a5c33bbd8d0019d5a9e4ce1c35bda674166f2febc5d9a02"
-    # @supplier: "Open-Xchange"
-  openxchangeNextcloudIntegrationUI:
-    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.0.5@sha256:cad4ecba431f84b8627d2e541cfea773d5ef54b65d847fa8f7e3fd0d63156497"
-    # @supplier: "Open-Xchange"
-  openxchangePublicSectorUI:
-    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "2.0.1@sha256:8df90f6dfb59008567d8ded0dbd17b8f92f409c78ba2cf4ab2a39e1b23e34d3b"
+  openxchangeDocumentConverter:
+    repository: "appsuite-public-sector/documentconverter"
+    tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
     # @supplier: "Open-Xchange"
   openxchangeGotenberg:
     repository: "appsuite-public-sector/3rdparty/gotenberg"
-    tag: "7.8.2@sha256:34af7b6d21c02b8183785177f5f3f1731633d72ec69e1f2ecdb8b43747887f62"
+    tag: "7.9.2@sha256:c97c1adb971d149222062ec46c5d749d710b38ad153c5c6ed954023e2401c9d0"
+    # @supplier: "Open-Xchange"
+  openxchangeGuardUI:
+    repository: "appsuite-public-sector/guard-ui"
+    tag: "4.0.7@sha256:8c9fa5d6aed055c0e84042ab28b3f0e9add94390362266ad440da4f90b8c93a8"
+    # @supplier: "Open-Xchange"
+  openxchangeImageConverter:
+    repository: "appsuite-public-sector/imageconverter"
+    tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
+    # @supplier: "Open-Xchange"
+  openxchangeNextcloudIntegrationUI:
+    repository: "appsuite-public-sector/nextcloud-integration-ui"
+    tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
+    # @supplier: "Open-Xchange"
+  openxchangePublicSectorUI:
+    repository: "appsuite-public-sector/public-sector-ui"
+    tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
     # @supplier: "Open-Xchange"
   oxConnector:
     repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
@@ -205,67 +213,67 @@ images:
   umsConfigHtpasswd:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsDataLoader:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "latest"
+    tag: "0.15.2"
     # @supplier: "Univention"
   umsLdapNotifier:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsLdapServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsNotificationsApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalListener:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalFrontend:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "latest"
+    tag: "0.3.5"
     # @supplier: "Univention"
   umsPortalServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsWaitForDependency:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsStoreDav:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsUdmRestApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcGateway:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   wellKnown:
     repository: "library/nginx"
@@ -273,6 +281,6 @@ images:
     # @supplier: "Element"
   xwiki:
     repository: "xwikisas/swp/xwiki"
-    tag: "0.11-mariadb-jetty-alpine@sha256:a334e18d171458ed41ef356e82580561f48b0edf60b4979dc4ed9503eb497c59"
+    tag: "0.12-mariadb-jetty-alpine@sha256:c195d8baf38b6c6b0c533a3216e726cd863a6c2ba0e65f18036402592bb72896"
     # @supplier: "XWiki"
 ...

helmfile/environments/default/monitoring.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+prometheus:
+  serviceMonitors:
+    enabled: false
+    labels:
+      release: "kube-prometheus-stack"
+  podMonitors:
+    enabled: false
+    labels:
+      release: "kube-prometheus-stack"
+  prometheusRules:
+    enabled: false
+    labels:
+      release: "kube-prometheus-stack"
+
+
+grafana:
+  dashboards:
+    enabled: false
+    labels:
+      grafana_dashboard: "1"
+    annotations:
+...

helmfile/environments/default/resources.yaml

@@ -191,6 +191,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "250Mi"
+  oxDocumentConverter:
+    limits:
+      cpu: 2
+      memory: "2Gi"
+    requests:
+      cpu: 0.25
+      memory: "1Gi"
   postfix:
     limits:
       cpu: 0.5