chore(release): 0.5.32 [skip ci]

## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)

### Bug Fixes

* **collabora:** Resource definitions ([65ce9a1](65ce9a171b))

CHANGELOG.md

@@ -1,3 +1,17 @@
+## [0.5.32](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.31...v0.5.32) (2023-11-09)
+
+
+### Bug Fixes
+
+* **collabora:** Resource definitions ([65ce9a1](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/65ce9a171b7c8ebc453fb6bbe96743c8516da2c6))
+
+## [0.5.31](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.30...v0.5.31) (2023-11-08)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Update optional UMS preview state ([d0a0799](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/d0a07997c12ddb9731a0dfed0d6fa71d9a3790e7))
+
 ## [0.5.30](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.29...v0.5.30) (2023-11-06)
 
 

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -34,7 +34,7 @@ keycloakConfigCli:
     - name: "LDAP_USERS_DN"
       value: "cn=users,dc=swp-ldap,dc=internal"
     - name: "LDAP_SERVER_URL"
-      value: "univention-corporate-container"
+      value: "{{ .Values.global.ldap.host }}"
     - name: "IDENTIFIER"
       value: "souvap"
     - name: "THEME"

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -36,6 +36,7 @@ config:
     password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
+    host: "{{ .Values.global.ldap.host }}"
     password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
 
   smtp:

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -13,7 +13,4 @@ config:
 
   cryptpad:
     enabled: true
-
-  ldapSearch:
-    host: "univention-corporate-container"
 ...

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -19,6 +19,7 @@ dovecot:
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    host: "{{ .Values.global.ldap.host }}"
     password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"

helmfile/apps/open-xchange/values-dovecot.yaml

@@ -7,7 +7,6 @@ containerSecurityContext:
 dovecot:
   ldap:
     enabled: true
-    host: "univention-corporate-container"
     port: 389
     base: "dc=swp-ldap,dc=internal"
 

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -8,6 +8,10 @@ appsuite:
     secretYAMLFiles:
       ldap-client-config.yml:
         contactsLdapClient:
+          pool:
+            host:
+              address: "{{ .Values.global.ldap.host }}"
+              port: 389
           auth:
             adminDN:
               password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml

@@ -16,9 +16,6 @@ appsuite:
         contactsLdapClient:
           pool:
             type: "simple"
-            host:
-              address: "univention-corporate-container"
-              port: 389
           auth:
             type: "adminDN"
             adminDN:

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -83,6 +83,7 @@ appsuite:
     propertiesFiles:
       "/opt/open-xchange/etc/ldapauth.properties":
         bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+        java.naming.provider.url: "ldap://{{ .Values.global.ldap.host }}:389/dc=swp-ldap,dc=internal"
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -111,7 +111,6 @@ appsuite:
       /opt/open-xchange/etc/system.properties:
         SERVER_NAME: "oxserver"
       /opt/open-xchange/etc/ldapauth.properties:
-        java.naming.provider.url: "ldap://univention-corporate-container:389/dc=swp-ldap,dc=internal"
         bindOnly: "false"
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
 

helmfile/apps/openproject/values.gotmpl

@@ -54,6 +54,9 @@ environment:
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
+  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "{{ .Values.global.ldap.host }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"

helmfile/apps/openproject/values.yaml

@@ -55,9 +55,6 @@ environment:
   OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
   OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
   OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
-  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "univention-corporate-container"
-  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -19,6 +19,8 @@ persistence:
 
 oxConnector:
   domainName: "{{ .Values.global.domain }}"
+  ldapHost: "{{ .Values.global.ldap.host }}"
+  notifierServer: "{{ .Values.global.ldap.notifierHost }}"
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}

helmfile/apps/provisioning/values-oxconnector.yaml

@@ -5,11 +5,9 @@ ingress:
   enabled: false
 
 oxConnector:
-  ldapHost: "univention-corporate-container"
   # ldapHostIp: ""
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  notifierServer: "univention-corporate-container"
   tlsMode: "off"
   # current static password for UCC
   ldapPassword: "ucctempldapstring"

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -11,11 +11,29 @@ repositories:
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+  # VMWare Bitnami
+  # Source: https://github.com/bitnami/charts/
+  - name: "bitnami-repo"
+    oci: true
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 
 releases:
+  # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
+  {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+  - name: "ums-stack-gateway"
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-ums-stack-gateway.gotmpl"
+    condition: "univentionManagementStack.enabled"
+  {{- end }}
   - name: "ums-store-dav"
     chart: "ums-repo/store-dav"
-    version: "0.2.0"
+    version: "0.5.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -23,7 +41,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-server"
     chart: "ums-repo/ldap-server"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -31,7 +49,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-ldap-notifier"
     chart: "ums-repo/ldap-notifier"
-    version: "0.1.0"
+    version: "0.4.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -40,7 +58,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-udm-rest-api"
     chart: "ums-repo/udm-rest-api"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -48,7 +66,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -56,7 +74,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
-    version: "0.1.0"
+    version: "0.15.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -64,7 +82,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -72,7 +90,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -81,7 +99,7 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -90,28 +108,36 @@ releases:
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
-    version: "0.1.0"
+    version: "0.3.4"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
+  - name: "ums-portal-frontend-custom"
+    # TODO: Replace with our own Nginx chart.
+    chart: "bitnami-repo/nginx"
+    version: "15.3.5"
+    values:
+      - "values-portal-frontend-custom.yaml"
+      - "values-portal-frontend-custom.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
     chart: "ums-repo/umc-gateway"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
-      - "values-umc-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-server"
     chart: "ums-repo/umc-server"
-    version: "0.1.0"
+    version: "0.3.2"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-server.gotmpl"
+      - "values-umc-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
 commonLabels:

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
+  enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
   host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
   ingressClassName: "{{ .Values.ingress.ingressClassName }}"
   tls:

helmfile/apps/univention-management-stack/values-common.yaml

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+global:
+  configMapUcrDefaults: "ums-stack-data-ums-ucr"
+  configMapUcr: "ums-stack-data-swp-ucr"
+  configMapUcrForced: null
 
 istio:
   enabled: false

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -14,10 +14,9 @@ ldapServer:
   # dhParam: ""
   tlsMode: "off"
 
-  # TODO: SAML integration
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
-  # samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
-  # samlMetadataUrlInternal: "http://keycloak.default/realms/ucs/protocol/saml/descriptor"
+  serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
-  # serviceProviders: "http://localhost:8000/univention/saml/metadata,http://localhost:8000/auth/realms/ucs"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"
@@ -29,6 +28,12 @@ image:
     - name: {{ . }}
     {{- end }}
 
+  waitForDependency:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    imagePullPolicy: "Always"
+    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+
 # TODO: Pending upstream support, #199
 persistence:
   data:

helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "nginx"
+  annotations:
+    nginx.org/mergeable-ingress-type: "minion"
+  tls: false
+
+  pathType: Exact
+  path: /favicon.ico
+
+  extraPaths:
+    - pathType: Exact
+      path: /univention/portal/css/custom.css
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/icons/logo_small_border.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.png
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+    - pathType: Exact
+      path: /univention/portal/custom/portal_background_image.svg
+      backend:
+        service:
+          name: ums-portal-frontend-custom-nginx
+          port:
+            name: http
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+service:
+  type: "ClusterIP"
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/app/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/app/univention/portal/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -16,11 +16,12 @@ image:
 
 extraIngresses:
   redirects:
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     # The TLS configuration is on the "master" Ingress, see below.
     tls:
       enabled: false
   master:
-    enabled: {{ .Values.ingress.enabled }}
+    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: "{{ .Values.ingress.tls.secretName }}"

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -13,7 +13,7 @@ portalListener:
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
   ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
+  ldapHost: "{{ .Values.global.ldap.host }}"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -7,7 +7,7 @@ portalServer:
   adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
   authMode: "saml"
   environment: "staging"
-  editable: "true"
+  editable: "false"
   logLevel: "DEBUG"
   ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
   umcGetUrl: "http://ums-umc-server/get"

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -4,22 +4,29 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiUsername: "cn=admin"
+  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   loadDevData: true
 
 stackDataContext:
   ldapBase: "dc=swp-ldap,dc=internal"
+  ldapSearchUsers:
+    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    - username: {{ printf "ldapsearch_%s" $k | quote }}
+      password: {{ $v | quote }}
+      lastname: {{ "LDAP-Search-User" }}
+    {{- end }}
+
   externalDomainName: "{{ .Values.global.domain }}"
   externalMailDomain: "{{ .Values.global.domain }}"
 
-  portalGroupwareLinkBase: "https://webmail.{{ .Values.istio.domain }}"
+  portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  portalFileshareLinkBase: "https://fs.{{ .Values.global.domain }}"
+  portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
-  portalRealtimeCollaborationLinkBase: "https://chat.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-  portalRealtimeVideoconferenceLinkBase: "https://meet.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-  portalManagementProjectLinkBase: "https://project.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
-  portalManagementKnowledgeLinkBase: "https://wiki.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
 
   oxDefaultContext: "10"
 

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -10,8 +10,22 @@ stackDataUms:
   loadDevData: true
 
 stackDataContext:
+  domainname: "{{ .Values.global.domain }}"
+  externalMailDomain: "{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  ldapHost: "{{ .Values.global.ldap.host }}"
   ldapBase: "dc=swp-ldap,dc=internal"
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
+  # TODO: This should not be required, the machine account is not there
+  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
+  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
+
+  samlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
+  samlMetadataUrlInternal: null
+  samlSpServer: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  samlSchemes: "https"
+  ssoFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
+
+  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
 
   # The SWP configuration brings its own UMC policies.
   installUmcPolicies: false

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -4,29 +4,15 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 udmRestApi:
-  apiLogLevel: "4"
-  authGroups:
-    dcBackup: "cn=DC Backup Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    dcSlaves: "cn=DC Slave Hosts,cn=groups,dc=swp-ldap,dc=internal"
-    domainAdmins: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
-  # TODO: why do we need this many subprocesses?
-  numberOfSubprocesses: 8
   # TODO: Stub value currently
   caCert: ""
   # TODO: This should not be part of the udm-rest-api anymore
   loadJoinData:
     enabled: true
-  # TODO: configurable
-  tlsMode: "off"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -4,9 +4,17 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcGateway:
-  domainname: "{{ .Values.global.domain }}"
+
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+extraVolumes:
-  ssoFqdn: "localhost:8097"
+  - name: "entrypoint-swp-patches"
+    configMap:
+      name: "ums-stack-data-swp-umc-gateway-entrypoint"
+      defaultMode: 0555
+
+extraVolumeMounts:
+  - name: "entrypoint-swp-patches"
+    mountPath: "/entrypoint.d/90-swp.sh"
+    subPath: "90-swp.sh"
 
 image:
   registry: "{{ .Values.global.imageRegistry }}"

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -1,18 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-umcGateway:
-  showCookieBanner: true
-  cookieBannerTitleDE: "Cookie Zustimmung"
-  cookieBannerTitleEN: "Cookie Consent"
-  cookieBannerTextDE: >-
-    Die Nutzung dieses Angebots ist nur möglich, wenn Cookies gespeichert und
-    verarbeitet werden können (essenzielle Cookies). Dafür benötigen wir Ihre
-    Zustimmung. Bitte akzeptieren Sie um fortzufahren oder schließen Sie die
-    Seite.
-  cookieBannerTextEN: >-
-    Usage of this site is only possible by storing and processing cookie
-    information (essential cookies). We require your consent. Please accept to
-    continue or close the page.
-
-...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -4,24 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 umcServer:
-  domainname: "{{ .Values.global.domain }}"
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ldapHost: "ums-ldap-server"
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  # TODO: This should not be required, the machine account is not there
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
-  enforceSessionCookie: "true"
-
-  # TODO: The keycloak integration is pending
-  samlEnabled: false
-  samlMetadataUrl: "http://localhost:8097/realms/ucs/protocol/saml/descriptor"
-  samlMetadataUrlInternal: "http://keycloak/realms/ucs/protocol/saml/descriptor"
-  samlSpServer: "localhost:8000"
-  samlSchemes: "http"
-
-  tlsMode: "off"
-
   # TODO: Secret should be entered without b64enc
   ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: Secret should be entered without b64enc

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+umcServer:
+  certPemFile: "/var/secrets/ssl/tls.crt"
+  privateKeyFile: "/var/secrets/ssl/tls.key"
+
+extraVolumes:
+  - name: "certificates"
+    secret:
+      secretName: "opendesk-certificates-tls"
+
+extraVolumeMounts:
+  - name: "certificates"
+    mountPath: "/var/secrets/ssl"
+
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ingress:
+  enabled: true
+  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  tls: false
+  extraTls:
+    - hosts:
+        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+service:
+  type: "ClusterIP"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+      proxy_set_header X-Forwarded-Host $host;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload/ {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+  }

helmfile/apps/xwiki/values.gotmpl

@@ -18,7 +18,7 @@ customConfigs:
   "xwiki.cfg":
     "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
     ## LDAP Server configuration
-    xwiki.authentication.ldap.server: "univention-corporate-container"
+    xwiki.authentication.ldap.server: "{{ .Values.global.ldap.host }}"
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,12 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" }}
 
+
+  ## Define LDAP service (supports "ums_eval" from the CI pipeline)
+  ldap:
+    host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
+    notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+
   ## Define docker registry address.
   #
   imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}

helmfile/environments/default/images.yaml

@@ -213,67 +213,67 @@ images:
   umsConfigHtpasswd:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsDataLoader:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "latest"
+    tag: "0.15.2"
     # @supplier: "Univention"
   umsLdapNotifier:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-notifier"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsLdapServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/ldap-server"
-    tag: "latest"
+    tag: "0.4.1"
     # @supplier: "Univention"
   umsNotificationsApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalListener:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsPortalFrontend:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "latest"
+    tag: "0.3.5"
     # @supplier: "Univention"
   umsPortalServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsWaitForDependency:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "latest"
+    tag: "0.3.4"
     # @supplier: "Univention"
   umsStoreDav:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "latest"
+    tag: "0.5.2"
     # @supplier: "Univention"
   umsUdmRestApi:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcGateway:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   umsUmcServer:
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/umc-server"
-    tag: "latest"
+    tag: "0.3.2"
     # @supplier: "Univention"
   wellKnown:
     repository: "library/nginx"

helmfile/environments/default/resources.yaml

@@ -11,11 +11,11 @@ resources:
       memory: "2Gi"
   collabora:
     limits:
-      cpu: 1
+      cpu: 4
-      memory: "500Mi"
+      memory: "4Gi"
     requests:
-      cpu: 0.1
+      cpu: 0.5
-      memory: "16Mi"
+      memory: "1Gi"
   cryptpad:
     limits:
       cpu: 2