chore(release): 0.5.38 [skip ci]

## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)

### Bug Fixes

* **collabora:** Update image to 23.05.5.4.1 ([c460467](c460467d74))

.gitignore

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 .vscode
 .idea
+.yamllint
 
 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml

.gitlab-ci.yml

@@ -384,6 +384,18 @@ openproject-deploy:
   variables:
     COMPONENT: "openproject"
 
+openproject-bootstrap-deploy:
+  stage: "component-deploy-stage-2"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
+      when: "always"
+  variables:
+    COMPONENT: "openproject-bootstrap"
+
 jitsi-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"

CHANGELOG.md

@@ -1,3 +1,41 @@
+## [0.5.38](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.37...v0.5.38) (2023-11-13)
+
+
+### Bug Fixes
+
+* **collabora:** Update image to 23.05.5.4.1 ([c460467](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/c460467d7449b107134562b785e95f6280e3473d))
+
+## [0.5.37](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.36...v0.5.37) (2023-11-12)
+
+
+### Bug Fixes
+
+* **openproject:** Add bootstrapping of Nextcloud filestore ([1971dfb](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1971dfbded21d16909e889ba6d19ff9cf3e4cb20))
+
+## [0.5.36](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.35...v0.5.36) (2023-11-10)
+
+
+### Bug Fixes
+
+* **element:** Update Element and Widgets ([97034a5](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/97034a556f4cdcc447f61003ad9cd036c186bc3b))
+
+## [0.5.35](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.34...v0.5.35) (2023-11-10)
+
+
+### Bug Fixes
+
+* **helmfile:** Eliminate some yamllint errors ([1d03a6e](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/1d03a6e11f368fd81dd10b91b0d9d7fc29c0cb24))
+* **helmfile:** Move ldap host variable into helpers ([08811de](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/08811decd92e7fd7802d0eba2644046512ec58a4))
+* **helmfile:** Update charts to use proper quoting ([69ea840](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/69ea84051721f3aaf36a5dbafdfb37dd86b66dbb))
+* **services:** Add minio as service and consume by OpenProject ([baa5827](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/baa5827de3e1e368abf238a932a5849f169af723))
+
+## [0.5.34](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.33...v0.5.34) (2023-11-09)
+
+
+### Bug Fixes
+
+* **openproject:** Bump helmchart and properly template OP's initdb image ([0d8e92f](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/0d8e92fc5a4729ff7649e5a10e629b962a9b671b))
+
 ## [0.5.33](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.32...v0.5.33) (2023-11-09)
 
 

COMPONENTS-SERVICE.md

@@ -60,3 +60,6 @@ This service is used by
 - Open-Xchange
 
 ## Objectstore - MinIO
+
+This services is used by:
+- OpenProject (attachment storage)

README.md

@@ -224,6 +224,7 @@ subdirectory `/helmfile/apps/services`.
 | Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              | Functional |
 | MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       | Eval       |
 | Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 | Eval       |
+| MinIO                       | `minio.enabled`                     | `true`  | Object Storage                 | Eval       |
 | Nextcloud                   | `nextcloud.enabled`                 | `true`  | File share                     | Functional |
 | OpenProject                 | `openproject.enabled`               | `true`  | Project management             | Functional |
 | OX Appsuite                 | `oxAppsuite.enabled`                | `true`  | Groupware                      | Functional |

helmfile.yaml

@@ -20,6 +20,7 @@ helmfiles:
   - path: "helmfile/apps/openproject/helmfile.yaml"
   - path: "helmfile/apps/xwiki/helmfile.yaml"
   - path: "helmfile/apps/provisioning/helmfile.yaml"
+  - path: "helmfile/apps/openproject-bootstrap/helmfile.yaml"
 
 missingFileHandler: "Error"
 

helmfile/apps/collabora/values.gotmpl

@@ -5,24 +5,24 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
-  tag: "{{ .Values.images.collabora.tag }}"
+  tag: {{ .Values.images.collabora.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: "{{ .Values.ingress.ingressClassName }}"
+  className: {{ .Values.ingress.ingressClassName | quote }}
   hosts:
     - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
       paths:
         - path: "/"
           pathType: "Prefix"
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 
@@ -33,7 +33,6 @@ collabora:
   aliasgroups:
     - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 
-
 replicaCount: {{ .Values.replicas.collabora }}
 
 resources:

helmfile/apps/element/helmfile.yaml

@@ -87,7 +87,7 @@ releases:
 
   - name: "matrix-neoboard-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
-    version: "3.1.0"
+    version: "3.2.0"
     values:
       - "values-matrix-neoboard-widget.yaml"
       - "values-matrix-neoboard-widget.gotmpl"
@@ -96,7 +96,7 @@ releases:
 
   - name: "matrix-neochoice-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
-    version: "3.1.0"
+    version: "3.2.0"
     values:
       - "values-matrix-neochoice-widget.yaml"
       - "values-matrix-neochoice-widget.gotmpl"
@@ -105,7 +105,7 @@ releases:
 
   - name: "matrix-neodatefix-widget"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
-    version: "3.1.0"
+    version: "3.2.0"
     values:
       - "values-matrix-neodatefix-widget.yaml"
       - "values-matrix-neodatefix-widget.gotmpl"
@@ -123,7 +123,7 @@ releases:
 
   - name: "matrix-neodatefix-bot"
     chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
-    version: "3.1.0"
+    version: "3.2.0"
     values:
       - "values-matrix-neodatefix-bot.yaml"
       - "values-matrix-neodatefix-bot.gotmpl"

helmfile/apps/element/values-element.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
@@ -17,12 +17,16 @@ configuration:
 
     "net.nordeck.element_web.module.opendesk":
       config:
-        ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
+        banner:
-        ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
+          ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
-        portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
-        portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
+          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
+        widget_types:
+          - jitsi
+          - net.nordeck
 
     "net.nordeck.element_web.module.widget_lifecycle":
       widget_permissions:
@@ -103,18 +107,18 @@ configuration:
   welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.element.repository }}"
+  repository: {{ .Values.images.element.repository | quote }}
-  tag: "{{ .Values.images.element.tag }}"
+  tag: {{ .Values.images.element.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}

helmfile/apps/element/values-matrix-neoboard-widget.gotmpl

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.matrixNeoBoardWidget.repository }}"
+  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
-  tag: "{{ .Values.images.matrixNeoBoardWidget.tag }}"
+  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
 
 ingress:
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}

helmfile/apps/element/values-matrix-neochoice-widget.gotmpl

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.matrixNeoChoiceWidget.repository }}"
+  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
-  tag: "{{ .Values.images.matrixNeoChoiceWidget.tag }}"
+  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
 
 ingress:
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
@@ -16,8 +16,8 @@ configuration:
   password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.synapseCreateUser.repository }}"
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: "{{ .Values.images.synapseCreateUser.tag }}"
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...

helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
@@ -15,20 +15,20 @@ configuration:
   openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.matrixNeoDateFixBot.repository }}"
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
-  tag: "{{ .Values.images.matrixNeoDateFixBot.tag }}"
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
 
 ingress:
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 persistence:
-  size: "{{ .Values.persistence.size.matrixNeoDateFixBot }}"
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 

helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.matrixNeoDateFixWidget.repository }}"
+  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
-  tag: "{{ .Values.images.matrixNeoDateFixWidget.tag }}"
+  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
 
 ingress:
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
@@ -13,11 +13,11 @@ cleanup:
   deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
-  password: {{ .Values.secrets.matrixUserVerificationService.password }}
+  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.synapseCreateUser.repository }}"
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: "{{ .Values.images.synapseCreateUser.tag }}"
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...

helmfile/apps/element/values-matrix-user-verification-service.gotmpl

@@ -4,17 +4,17 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.matrixUserVerificationService.repository }}"
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: "{{ .Values.images.matrixUserVerificationService.tag }}"
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 
 replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 

helmfile/apps/element/values-synapse-web.gotmpl

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.synapseWeb.repository }}"
+  repository: {{ .Values.images.synapseWeb.repository | quote }}
-  tag: "{{ .Values.images.synapseWeb.tag }}"
+  tag: {{ .Values.images.synapseWeb.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 replicaCount: {{ .Values.replicas.synapseWeb }}
 

helmfile/apps/element/values-synapse.gotmpl

@@ -4,24 +4,24 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.synapse.repository }}"
+  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: "{{ .Values.images.synapse.tag }}"
+  tag: {{ .Values.images.synapse.tag | quote }}
 
 configuration:
   database:
-    host: "{{ .Values.databases.synapse.host }}"
+    host: {{ .Values.databases.synapse.host | quote }}
-    name: "{{ .Values.databases.synapse.name }}"
+    name: {{ .Values.databases.synapse.name | quote }}
-    user: "{{ .Values.databases.synapse.username }}"
+    user: {{ .Values.databases.synapse.username | quote }}
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
@@ -37,32 +37,32 @@ configuration:
         sender_localpart: intercom-service
 
     oidc:
-      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
     turn:
-      sharedSecret: {{ .Values.turn.credentials }}
+      sharedSecret: {{ .Values.turn.credentials | quote }}
       servers:
         {{- if .Values.turn.tls.host }}
-        - server: {{ .Values.turn.tls.host }}
+        - server: {{ .Values.turn.tls.host | quote }}
           port: {{ .Values.turn.tls.port }}
-          transport: {{ .Values.turn.transport }}
+          transport: {{ .Values.turn.transport | quote }}
         {{- else if .Values.turn.server.host }}
-        - server: {{ .Values.turn.server.host }}
+        - server: {{ .Values.turn.server.host | quote }}
           port: {{ .Values.turn.server.port }}
-          transport: {{ .Values.turn.transport }}
+          transport: {{ .Values.turn.transport | quote }}
         {{- end }}
 
     guestModule:
       image:
-        imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: "{{ .Values.global.imageRegistry }}"
+        registry: {{ .Values.global.imageRegistry | quote }}
-        repository: "{{ .Values.images.synapseGuestModule.repository }}"
+        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
-        tag: "{{ .Values.images.synapseGuestModule.tag }}"
+        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
 
 persistence:
-  size: "{{ .Values.persistence.size.synapse }}"
+  size: {{ .Values.persistence.size.synapse | quote }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 replicaCount: {{ .Values.replicas.synapse }}
 

helmfile/apps/element/values-well-known.gotmpl

@@ -4,26 +4,26 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.wellKnown.repository }}"
+  repository: {{ .Values.images.wellKnown.repository | quote }}
-  tag: "{{ .Values.images.wellKnown.tag }}"
+  tag: {{ .Values.images.wellKnown.tag | quote }}
 
 ingress:
-  host: "{{ .Values.global.domain }}"
+  host: {{ .Values.global.domain | quote }}
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 replicaCount: {{ .Values.replicas.wellKnown }}
 

helmfile/apps/intercom-service/helmfile.yaml

@@ -19,7 +19,7 @@ repositories:
 releases:
   - name: "intercom-service"
     chart: "intercom-service-repo/intercom-service"
-    version: "2.0.0"
+    version: "2.0.1"
     values:
       - "values.gotmpl"
     installed: {{ .Values.intercom.enabled }}

helmfile/apps/intercom-service/values.gotmpl

@@ -4,46 +4,46 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 ics:
-  secret: {{ .Values.secrets.intercom.secret }}
+  secret: {{ .Values.secrets.intercom.secret | quote }}
   issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
   originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
   default:
-    domain: "{{ .Values.global.domain }}"
+    domain: {{ .Values.global.domain | quote }}
   oidc:
-    secret: {{ .Values.secrets.keycloak.clientSecret.intercom }}
+    secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
   matrix:
     asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
-    subdomain: {{ .Values.global.hosts.synapse }}
+    subdomain: {{ .Values.global.hosts.synapse | quote }}
     serverName: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
   nordeck:
-    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot }}
+    subdomain: {{ .Values.global.hosts.matrixNeoDateFixBot | quote }}
   portal:
-    apiKey: {{ .Values.secrets.centralnavigation.apiKey }}
+    apiKey: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   redis:
-    host: {{ .Values.cache.intercomService.host }}
+    host: {{ .Values.cache.intercomService.host | quote }}
     port: {{ .Values.cache.intercomService.port }}
     password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.intercom.repository }}"
+  repository: {{ .Values.images.intercom.repository | quote }}
-  tag: "{{ .Values.images.intercom.tag }}"
+  tag: {{ .Values.images.intercom.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-  enabled: "{{ .Values.ingress.enabled }}"
+  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    enabled: "{{ .Values.ingress.tls.enabled }}"
+    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:
@@ -15,13 +15,13 @@ cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.jitsiKeycloakAdapter.repository }}"
+  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
-  tag: "{{ .Values.images.jitsiKeycloakAdapter.tag }}"
+  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
 
 settings:
-  jwtAppSecret: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+  jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}
@@ -32,16 +32,16 @@ jitsi:
     replicaCount: {{ .Values.replicas.jitsi }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
-      tag: "{{ .Values.images.jitsi.tag }}"
+      tag: {{ .Values.images.jitsi.tag | quote }}
     ingress:
-      enabled: "{{ .Values.ingress.enabled }}"
+      enabled: {{ .Values.ingress.enabled }}
-      ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+      ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
       hosts:
         - host: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
           paths:
             - "/"
       tls:
-        - secretName: "{{ .Values.ingress.tls.secretName }}"
+        - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
     extraEnvs:
@@ -51,10 +51,10 @@ jitsi:
   prosody:
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
-      tag: "{{ .Values.images.prosody.tag }}"
+      tag: {{ .Values.images.prosody.tag | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     extraEnvs:
       - name: "AUTH_TYPE"
@@ -62,74 +62,74 @@ jitsi:
       - name: "JWT_APP_ID"
         value: "myappid"
       - name: "JWT_APP_SECRET"
-        value: "{{ .Values.secrets.jitsi.jwtAppSecret }}"
+        value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
       - name: "MATRIX_UVS_SYNC_POWER_LEVELS"
         value: "true"
       - name: "MATRIX_UVS_URL"
         value: "http://opendesk-matrix-user-verification-service.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
       - name: TURNS_HOST
-        value: "{{ .Values.turn.tls.host }}"
+        value: {{ .Values.turn.tls.host | quote }}
       - name: TURNS_PORT
-        value: "{{ .Values.turn.tls.port }}"
+        value: {{ .Values.turn.tls.port | quote }}
       - name: TURN_HOST
-        value: "{{ .Values.turn.server.host }}"
+        value: {{ .Values.turn.server.host | quote }}
       - name: TURN_PORT
-        value: "{{ .Values.turn.server.port }}"
+        value: {{ .Values.turn.server.port | quote }}
       - name: TURN_TRANSPORT
-        value: "{{ .Values.turn.transport }}"
+        value: {{ .Values.turn.transport | quote }}
       - name: TURN_CREDENTIALS
-        value: "{{ .Values.turn.credentials }}"
+        value: {{ .Values.turn.credentials | quote }}
     resources:
       {{ .Values.resources.prosody | toYaml | nindent 6 }}
     persistence:
-      size: "{{ .Values.persistence.size.prosody }}"
+      size: {{ .Values.persistence.size.prosody | quote }}
-      storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   jicofo:
     replicaCount: {{ .Values.replicas.jicofo }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
-      tag: "{{ .Values.images.jicofo.tag }}"
+      tag: {{ .Values.images.jicofo.tag | quote }}
     xmpp:
       password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
-      componentSecret: "{{ .Values.secrets.jitsi.jicofoComponentPassword }}"
+      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
     resources:
       {{ .Values.resources.jicofo | toYaml | nindent 6 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
-      tag: "{{ .Values.images.jvb.tag }}"
+      tag: {{ .Values.images.jvb.tag | quote }}
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jvbAuthPassword }}"
+      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
     resources:
       {{ .Values.resources.jvb | toYaml | nindent 6 }}
     service:
-      type: "{{ .Values.cluster.service.type }}"
+      type: {{ .Values.cluster.service.type | quote }}
   jibri:
     replicaCount: {{ .Values.replicas.jibri }}
     image:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
-      tag: "{{ .Values.images.jibri.tag }}"
+      tag: {{ .Values.images.jibri.tag | quote }}
     recorder:
-      password: "{{ .Values.secrets.jitsi.jibriRecorderPassword }}"
+      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
     xmpp:
-      password: "{{ .Values.secrets.jitsi.jibriXmppPassword }}"
+      password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
     resources:
       {{ .Values.resources.jibri | toYaml | nindent 6 }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
 
 patchJVB:
   configuration:
-    staticLoadbalancerIP: "{{ .Values.cluster.networking.ingressGatewayIP }}"
+    staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
-    loadbalancerStatusField: "{{ .Values.cluster.networking.loadBalancerStatusField }}"
+    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
   image:
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.jitsiPatchJVB.repository }}"
+    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
-    tag: "{{ .Values.images.jitsiPatchJVB.tag }}"
+    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
 
 resources:

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -21,7 +21,7 @@ repositories:
 releases:
   - name: "opendesk-keycloak-bootstrap"
     chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
-    version: "1.1.11"
+    version: "1.1.12"
     values:
       - "values-bootstrap.gotmpl"
       - "values-bootstrap.yaml"

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -4,10 +4,10 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
@@ -20,10 +20,10 @@ config:
     password: {{ .Values.secrets.keycloak.adminPassword | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.keycloakBootstrap.repository }}"
+  repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
-  tag: "{{ .Values.images.keycloakBootstrap.tag }}"
+  tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}

helmfile/apps/keycloak/values-extensions.gotmpl

@@ -8,39 +8,38 @@ global:
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
   postgresql:
     connection:
-      host: "{{ .Values.databases.keycloakExtension.host }}"
+      host: {{ .Values.databases.keycloakExtension.host | quote }}
-      port: "{{ .Values.databases.keycloakExtension.port }}"
+      port: {{ .Values.databases.keycloakExtension.port }}
     auth:
-      database: "{{ .Values.databases.keycloakExtension.name }}"
+      database: {{ .Values.databases.keycloakExtension.name | quote }}
-      username: "{{ .Values.databases.keycloakExtension.username }}"
+      username: {{ .Values.databases.keycloakExtension.username | quote }}
       password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
 handler:
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.keycloakExtensionHandler.repository }}"
+    repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
-    tag: "{{ .Values.images.keycloakExtensionHandler.tag }}"
+    tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   appConfig:
     smtpPassword: {{ .Values.smtp.password | quote }}
-    smtpHost: "{{ .Values.smtp.host }}"
+    smtpHost: {{ .Values.smtp.host | quote }}
-    smtpUsername: "{{ .Values.smtp.username }}"
+    smtpUsername: {{ .Values.smtp.username | quote }}
     mailFrom: "noreply@{{ .Values.global.domain }}"
   resources:
     {{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
 proxy:
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.keycloakExtensionProxy.repository }}"
+    repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
-    tag: "{{ .Values.images.keycloakExtensionProxy.tag }}"
+    tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   ingress:
-    enabled: "{{ .Values.ingress.enabled }}"
+    enabled: {{ .Values.ingress.enabled }}
-    ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
-      enabled: "{{ .Values.ingress.tls.enabled }}"
+      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
   resources:
     {{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
-
 ...

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -4,22 +4,22 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.keycloak.repository }}"
+  repository: {{ .Values.images.keycloak.repository | quote }}
-  tag: "{{ .Values.images.keycloak.tag }}"
+  tag: {{ .Values.images.keycloak.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 externalDatabase:
-  host: "{{ .Values.databases.keycloak.host }}"
+  host: {{ .Values.databases.keycloak.host | quote }}
   port: {{ .Values.databases.keycloak.port }}
-  user: "{{ .Values.databases.keycloak.username }}"
+  user: {{ .Values.databases.keycloak.username | quote }}
-  database: "{{ .Values.databases.keycloak.name }}"
+  database: {{ .Values.databases.keycloak.name | quote }}
   password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
 
 auth:
@@ -34,7 +34,7 @@ keycloakConfigCli:
     - name: "LDAP_USERS_DN"
       value: "cn=users,dc=swp-ldap,dc=internal"
     - name: "LDAP_SERVER_URL"
-      value: "{{ .Values.global.ldap.host }}"
+      value: {{ .Values.ldap.host | quote }}
     - name: "IDENTIFIER"
       value: "souvap"
     - name: "THEME"
@@ -62,23 +62,23 @@ keycloakConfigCli:
     - name: "INTERCOM_SERVICE_DOMAIN"
       value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
     - name: "CLIENT_SECRET_INTERCOM_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.intercom }}
+      value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
     - name: "CLIENT_SECRET_MATRIX_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.matrix }}
+      value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
     - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsi }}
+      value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
     - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc }}
+      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
     - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.openproject }}
+      value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
     - name: "CLIENT_SECRET_XWIKI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.xwiki }}
+      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     - name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
+      value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
     - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
       value: "storage_provider_ucsldap"
     - name: "LDAPSEARCH_PASSWORD"
-      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak }}
+      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
     - name: "LDAPSEARCH_USERNAME"
       value: "ldapsearch_keycloak"
   resources:

helmfile/apps/keycloak/values-theme.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -4,11 +4,11 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  istioDomain: "{{ .Values.istio.domain }}"
+  istioDomain: {{ .Values.istio.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
@@ -30,19 +30,19 @@ config:
       password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
 
   database:
-    host: "{{ .Values.databases.nextcloud.host }}"
+    host: {{ .Values.databases.nextcloud.host | quote }}
-    name: "{{ .Values.databases.nextcloud.name }}"
+    name: {{ .Values.databases.nextcloud.name | quote }}
-    user: "{{ .Values.databases.nextcloud.username }}"
+    user: {{ .Values.databases.nextcloud.username | quote }}
     password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 
   ldapSearch:
-    host: "{{ .Values.global.ldap.host }}"
+    host: {{ .Values.ldap.host | quote }}
-    password: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud }}"
+    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
 
   smtp:
-    host: "{{ .Values.smtp.host }}"
+    host: {{ .Values.smtp.host | quote }}
-    username: "{{ .Values.smtp.username }}"
+    username: {{ .Values.smtp.username | quote }}
-    password: "{{ .Values.smtp.password }}"
+    password: {{ .Values.smtp.password | quote }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -50,24 +50,24 @@ cleanup:
   keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 
 image:
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.nextcloud.repository }}"
+  repository: {{ .Values.images.nextcloud.repository | quote }}
-  tag: "{{ .Values.images.nextcloud.tag }}"
+  tag: {{ .Values.images.nextcloud.tag | quote }}
 
 persistence:
   {{- if .Values.cluster.persistence.readWriteMany.enabled }}
   accessModes:
     - "ReadWriteMany"
-  storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
   {{- else }}
   accessModes:
     - "ReadWriteOnce"
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
   {{- end }}
   size:
-    main: "{{ .Values.persistence.size.nextcloud.main }}"
+    main: {{ .Values.persistence.size.nextcloud.main | quote }}
-    data: "{{ .Values.persistence.size.nextcloud.data }}"
+    data: {{ .Values.persistence.size.nextcloud.data | quote }}
 
 resources:
   {{ .Values.resources.nextcloud | toYaml | nindent 2 }}

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -8,9 +8,9 @@ nextcloud:
   username: "nextcloud"
   password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
-  database: "{{ .Values.databases.nextcloud.name }}"
+  database: {{ .Values.databases.nextcloud.name | quote }}
-  user: "{{ .Values.databases.nextcloud.username }}"
+  user: {{ .Values.databases.nextcloud.username | quote }}
-  host: "{{ .Values.databases.nextcloud.host }}"
+  host: {{ .Values.databases.nextcloud.host | quote }}
   password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 extraEnv:
   REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
@@ -22,20 +22,20 @@ redis:
     password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: {{ .Values.ingress.ingressClassName }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
   repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.nextcloud.tag }}"
+  tag: {{ .Values.images.nextcloud.tag | quote }}
   pullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 metrics:
-  token: "{{ .Values.secrets.nextcloud.metricsToken }}"
+  token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}

helmfile/apps/open-xchange/helmfile.yaml

@@ -35,7 +35,7 @@ repositories:
 releases:
   - name: "dovecot"
     chart: "opendesk-dovecot-repo/dovecot"
-    version: "1.3.1"
+    version: "1.3.4"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -4,31 +4,31 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.dovecot.repository }}"
+  url: {{ .Values.images.dovecot.repository | quote }}
-  tag: "{{ .Values.images.dovecot.tag }}"
+  tag: {{ .Values.images.dovecot.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 dovecot:
-  mailDomain: "{{ .Values.global.domain }}"
+  mailDomain: {{ .Values.global.domain | quote }}
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    host: "{{ .Values.global.ldap.host }}"
+    host: {{ .Values.ldap.host | quote }}
     password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
   oidc:
     introspectionURL: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token/introspect"
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc }}
+    clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
     clientID: "as8oidc"
-  loginTrustedNetworks: "{{ .Values.cluster.networking.cidr }}"
+  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
 
 certificate:
-  secretName: "{{ .Values.ingress.tls.secretName }}"
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.dovecot }}
@@ -38,15 +38,15 @@ replicaCount: 1
 
 persistence:
   {{- if .Values.cluster.persistence.readWriteMany.enabled }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
   accessModes:
     - "ReadWriteMany"
   {{- else }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   accessModes:
     - "ReadWriteOnce"
   {{- end }}
-  size: "{{ .Values.persistence.size.dovecot }}"
+  size: {{ .Values.persistence.size.dovecot | quote }}
 
 resources:
   {{ .Values.resources.dovecot | toYaml | nindent 2 }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.gotmpl

@@ -8,13 +8,13 @@ cleanup:
   deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  url: "{{ .Values.images.openxchangeBootstrap.repository }}"
+  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
-  tag: "{{ .Values.images.openxchangeBootstrap.tag }}"
+  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -10,7 +10,7 @@ appsuite:
         contactsLdapClient:
           pool:
             host:
-              address: "{{ .Values.global.ldap.host }}"
+              address: {{ .Values.ldap.host | quote }}
               port: 389
           auth:
             adminDN:

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -4,13 +4,13 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   mysql:
-    host: "{{ .Values.databases.oxAppsuite.host }}"
+    host: {{ .Values.databases.oxAppsuite.host | quote }}
-    database: "{{ .Values.databases.oxAppsuite.name }}"
+    database: {{ .Values.databases.oxAppsuite.name | quote }}
     auth:
-      user: "{{ .Values.databases.oxAppsuite.username }}"
+      user: {{ .Values.databases.oxAppsuite.username | quote }}
       password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
       rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 
@@ -19,22 +19,22 @@ istio:
 
 nextcloud-integration-ui:
   image:
-    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository }}
+    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
-    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag }}
+    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
 
 public-sector-ui:
   image:
-    repository: {{ .Values.images.openxchangePublicSectorUI.repository }}
+    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
-    tag: {{ .Values.images.openxchangePublicSectorUI.tag }}
+    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
   imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
   {{- end }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 appsuite:
   istio:
@@ -56,12 +56,12 @@ appsuite:
     gotenberg:
       imagePullSecrets:
       {{- range .Values.global.imagePullSecrets }}
-        - name: {{ . }}
+        - name: {{ . | quote }}
       {{- end }}
       image:
-        repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}
+        repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
-        tag: {{ .Values.images.openxchangeGotenberg.tag }}
+        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
-        pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     properties:
       "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
       "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
@@ -83,20 +83,20 @@ appsuite:
     propertiesFiles:
       "/opt/open-xchange/etc/ldapauth.properties":
         bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
-        java.naming.provider.url: "ldap://{{ .Values.global.ldap.host }}:389/dc=swp-ldap,dc=internal"
+        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
       # Dynamic theme
-      io.ox/dynamic-theme//mainColor: "{{ .Values.theme.colors.primary }}"
+      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
       io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-      io.ox/dynamic-theme//topbarBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
-      io.ox/dynamic-theme//topbarColor: "{{ .Values.theme.colors.black }}"
+      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
-      io.ox/dynamic-theme//listSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
-      io.ox/dynamic-theme//listHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
-      io.ox/dynamic-theme//folderBackground: "{{ .Values.theme.colors.white }}"
+      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
-      io.ox/dynamic-theme//folderSelected: "{{ .Values.theme.colors.primary15 }}"
+      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
-      io.ox/dynamic-theme//folderHover: "{{ .Values.theme.colors.secondaryGreyLight }}"
+      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
     secretETCFiles:
       # Format of the OX Guard master key:
       # MC+base64(20 random bytes)
@@ -108,27 +108,27 @@ appsuite:
       auth:
         password: {{ .Values.secrets.redis.password | quote }}
     image:
-      repository: {{ .Values.images.openxchangeCoreMW.repository }}
+      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreMW.tag }}
+      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     update:
       image:
-        repository: {{ .Values.images.openxchangeCoreMW.repository }}
+        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
-        tag: {{ .Values.images.openxchangeCoreMW.tag }}
+        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
 
   core-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreUI.repository }}
+      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUI.tag }}
+      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
   core-ui-middleware:
     ingress:
@@ -137,55 +137,55 @@ appsuite:
       enabled: false
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository }}
+      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag }}
+      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     redis:
       auth:
         password: {{ .Values.secrets.redis.password | quote }}
 
   core-documentconverter:
     image:
-      repository: {{ .Values.images.openxchangeDocumentConverter.repository }}
+      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
-      tag: {{ .Values.images.openxchangeDocumentConverter.tag }}
+      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
     resources:
       {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository }}
+      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag }}
+      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
   core-imageconverter:
     image:
-      repository: {{ .Values.images.openxchangeImageConverter.repository }}
+      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
-      tag: {{ .Values.images.openxchangeImageConverter.tag }}
+      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
 
   guard-ui:
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: {{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}
+      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
-      tag: {{ .Values.images.openxchangeGuardUI.tag }}
+      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
   core-user-guide:
     image:
-      repository: {{ .Values.images.openxchangeCoreUserGuide.repository }}
+      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
-      tag: {{ .Values.images.openxchangeCoreUserGuide.tag }}
+      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
-      pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     imagePullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
     {{- end }}
 ...

helmfile/apps/openproject-bootstrap/helmfile.yaml

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+
+---
+repositories:
+  # openDesk OpenProject Bootstrap
+  # Source: Set when repo is managed on Open CoDE
+  - name: "opendesk-openproject-bootstrap-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+
+releases:
+  - name: "opendesk-openproject-bootstrap"
+    chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
+    version: "1.2.1"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml"
+      - "values.gotmpl"
+    installed: {{ .Values.openproject.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-2"
+  component: "opendesk-openproject-bootstrap"
+...

helmfile/apps/openproject-bootstrap/values.gotmpl

@@ -0,0 +1,34 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry }}
+  repository: "{{ .Values.images.openprojectBootstrap.repository }}"
+  tag: "{{ .Values.images.openprojectBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
+config:
+  openproject:
+    fileshareName: "Nextcloud at {{ .Values.global.domain }}"
+    admin:
+      username: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+      password: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
+  nextcloud:
+    admin:
+      username: "nextcloud"
+      password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
+...

helmfile/apps/openproject-bootstrap/values.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+...

helmfile/apps/openproject/helmfile.yaml

@@ -16,7 +16,7 @@ repositories:
 releases:
   - name: "openproject"
     chart: "openproject-repo/openproject"
-    version: "2.0.4"
+    version: "2.4.0"
     wait: true
     waitForJobs: true
     values:

helmfile/apps/openproject/values.gotmpl

@@ -8,34 +8,41 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.openproject.repository }}"
+  repository: {{ .Values.images.openproject.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.openproject.tag }}"
+  tag: {{ .Values.images.openproject.tag | quote }}
+
+initdb:
+  image:
+    registry: "{{ .Values.global.imageRegistry }}"
+    repository: "{{ .Values.images.openprojectInitDb.repository }}"
+    tag: "{{ .Values.images.openprojectInitDb.tag }}"
+    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 
 memcached:
   connection:
-    host: "{{ .Values.cache.openproject.host }}"
+    host: {{ .Values.cache.openproject.host | quote }}
     port: {{ .Values.cache.openproject.port }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.memcached.repository }}"
+    repository: {{ .Values.images.memcached.repository | quote }}
-    tag: "{{ .Values.images.memcached.tag }}"
+    tag: {{ .Values.images.memcached.tag | quote }}
 
 postgresql:
   auth:
     password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
-    username: "{{ .Values.databases.openproject.username }}"
+    username: {{ .Values.databases.openproject.username | quote }}
-    database: "{{ .Values.databases.openproject.name }}"
+    database: {{ .Values.databases.openproject.name | quote }}
   connection:
-    host: "{{ .Values.databases.openproject.host }}"
+    host: {{ .Values.databases.openproject.host | quote }}
-    port: "{{ .Values.databases.openproject.port }}"
+    port: {{ .Values.databases.openproject.port }}
 
 openproject:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   # Will only be set on initial seed / installation
   admin_user:
-    name: "OpenProject Interal Admin"
+    name: "OpenProject Internal Admin"
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
     password: {{ .Values.secrets.openproject.adminPassword | quote }}
@@ -43,39 +50,39 @@ openproject:
 ingress:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 environment:
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject }}
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
+  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: "{{ .Values.global.ldap.host }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-  OPENPROJECT_SMTP__DOMAIN: "{{ .Values.global.domain }}"
+  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: "{{ .Values.smtp.username }}"
+  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
-  OPENPROJECT_SMTP__PASSWORD: "{{ .Values.smtp.password }}"
+  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
-  OPENPROJECT_SMTP__PORT: "{{ .Values.smtp.port }}"
+  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: "{{ .Values.smtp.host }}"
+  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
   OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject }}"
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
-
+  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-persistence:
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  size: "{{ .Values.persistence.size.openproject }}"
+  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWX }}"
 
 replicaCount: {{ .Values.replicas.openproject }}
 
 resources:
   {{ .Values.resources.openproject | toYaml | nindent 2 }}
-
 ...

helmfile/apps/openproject/values.yaml

@@ -37,8 +37,10 @@ securityContext:
   readOnlyRootFilesystem: false
 
 persistence:
-  accessModes:
+  enabled: false
-    - "ReadWriteMany"
+
+s3:
+  enabled: true
 
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
@@ -71,5 +73,10 @@ environment:
     "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
-
+  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
+  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
+  OPENPROJECT_FOG_DIRECTORY: "openproject"
+  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
 ...

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -4,23 +4,23 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.oxConnector.repository }}"
+  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.oxConnector.tag }}"
+  tag: {{ .Values.images.oxConnector.tag | quote }}
 
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
-  - name: {{ . }}
+  - name: {{ . | quote }}
 {{- end }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 oxConnector:
-  domainName: "{{ .Values.global.domain }}"
+  domainName: {{ .Values.global.domain | quote }}
-  ldapHost: "{{ .Values.global.ldap.host }}"
+  ldapHost: {{ .Values.ldap.host | quote }}
-  notifierServer: "{{ .Values.global.ldap.notifierHost }}"
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
   #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
   oxMasterAdmin: "admin"
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}

helmfile/apps/services/helmfile.yaml

@@ -95,7 +95,7 @@ releases:
     installed: {{ .Values.memcached.enabled }}
   - name: "postgresql"
     chart: "postgresql-repo/postgresql"
-    version: "2.0.2"
+    version: "2.0.3"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
@@ -103,7 +103,7 @@ releases:
     timeout: 900
   - name: "mariadb"
     chart: "mariadb-repo/mariadb"
-    version: "2.0.2"
+    version: "2.1.1"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
@@ -111,7 +111,7 @@ releases:
     timeout: 900
   - name: "postfix"
     chart: "postfix-repo/postfix"
-    version: "2.0.3"
+    version: "2.0.4"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
@@ -137,6 +137,13 @@ releases:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     installed: {{ .Values.istio.enabled }}
+  - name: "minio"
+    chart: "bitnami-repo/minio"
+    version: "12.8.19"
+    values:
+      - "values-minio.yaml"
+      - "values-minio.gotmpl"
+    installed: {{ .Values.minio.enabled }}
 
 commonLabels:
   deploy-stage: "services"

helmfile/apps/services/values-certificates.gotmpl

@@ -4,19 +4,19 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 
 issuerRef:
-  name: "{{ .Values.certificate.issuerRef.name }}"
+  name: {{ .Values.certificate.issuerRef.name | quote }}
 
 {{- if .Values.istio.enabled }}
 istio:
   enabled: {{ .Values.istio.enabled }}
-  domain: {{ .Values.istio.domain }}
+  domain: {{ .Values.istio.domain | quote }}
   issuerRef:
-    name: "{{ .Values.istio.issuerRef.name }}"
+    name: {{ .Values.istio.issuerRef.name | quote }}
 {{- end }}
 
 cleanup:

helmfile/apps/services/values-clamav-distributed.gotmpl

@@ -7,10 +7,10 @@ clamd:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.clamd }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.clamd.repository }}"
+    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: "{{ .Values.images.clamd.tag }}"
+    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.clamd | toYaml | nindent 4 }}
 
@@ -18,10 +18,10 @@ freshclam:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.freshclam }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.freshclam.repository }}"
+    repository: {{ .Values.images.freshclam.repository | quote }}
-    tag: "{{ .Values.images.freshclam.tag }}"
+    tag: {{ .Values.images.freshclam.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.freshclam | toYaml | nindent 4 }}
 
@@ -32,10 +32,10 @@ global:
 icap:
   replicaCount: {{ .Values.replicas.icap }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.icap.repository }}"
+    repository: {{ .Values.images.icap.repository | quote }}
-    tag: "{{ .Values.images.icap.tag }}"
+    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.icap | toYaml | nindent 4 }}
 
@@ -43,14 +43,14 @@ milter:
   podSecurityContext:
   replicaCount: {{ .Values.replicas.milter }}
   image:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.milter.repository }}"
+    repository: {{ .Values.images.milter.repository | quote }}
-    tag: "{{ .Values.images.milter.tag }}"
+    tag: {{ .Values.images.milter.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   resources:
     {{ .Values.resources.milter | toYaml | nindent 4 }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWX }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
-  size: "{{ .Values.persistence.size.clamav }}"
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...

helmfile/apps/services/values-clamav-simple.gotmpl

@@ -7,15 +7,15 @@ replicaCount: {{ .Values.replicas.clamav }}
 
 image:
   clamav:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.clamd.repository }}"
+    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: "{{ .Values.images.clamd.tag }}"
+    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   icap:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.icap.repository }}"
+    repository: {{ .Values.images.icap.repository | quote }}
-    tag: "{{ .Values.images.icap.tag }}"
+    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 resources:
   {{ .Values.resources.clamd | toYaml | nindent 4 }}
@@ -25,6 +25,6 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.clamav }}"
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...

helmfile/apps/services/values-istio-gateway.gotmpl

@@ -4,9 +4,9 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.istio.domain }}"
+  domain: {{ .Values.istio.domain | quote }}
   hosts:
-    openxchange: "{{ .Values.global.hosts.openxchange }}"
+    openxchange: {{ .Values.global.hosts.openxchange | quote }}
 
 tls:
   secretName: "{{ .Values.istio.domain }}-tls"

helmfile/apps/services/values-mariadb.gotmpl

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  repository: "{{ .Values.images.mariadb.repository }}"
+  repository: {{ .Values.images.mariadb.repository | quote }}
-  tag: "{{ .Values.images.mariadb.tag }}"
+  tag: {{ .Values.images.mariadb.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
@@ -35,8 +35,8 @@ mariadb:
   rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.mariadb }}"
+  size: {{ .Values.persistence.size.mariadb | quote }}
 
 resources:
   {{ .Values.resources.mariadb | toYaml | nindent 2 }}

helmfile/apps/services/values-memcached.gotmpl

@@ -4,15 +4,15 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.memcached.repository }}"
+  repository: {{ .Values.images.memcached.repository | quote }}
-  tag: "{{ .Values.images.memcached.tag }}"
+  tag: {{ .Values.images.memcached.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 resources:
   {{ .Values.resources.memcached | toYaml | nindent 2 }}

helmfile/apps/services/values-minio.gotmpl

@@ -0,0 +1,80 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+  users:
+    - username: "openproject_user"
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
+...

helmfile/apps/services/values-minio.yaml

@@ -0,0 +1,114 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+mode: "standalone"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  runAsUser: 1000
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+
+ingress:
+  annotations:
+    nginx.org/websocket-services: "minio"
+
+networkPolicy:
+  enabled: false
+
+defaultBuckets: "openproject,openxchange,ums,nextcloud"
+
+provisioning:
+  enabled: true
+  cleanupAfterFinished:
+    enabled: true
+  buckets:
+    - name: "openproject"
+      versioning: true
+      withLock: false
+    - name: "openxchange"
+      versioning: true
+      withLock: false
+    - name: "ums"
+      versioning: true
+      withLock: false
+    - name: "nextcloud"
+      versioning: true
+      withLock: false
+  policies:
+    - name: "openproject-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openproject"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openproject/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "openxchange-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::openxchange"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::openxchange/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "ums-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::ums"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::ums/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10
+
+startupProbe:
+  enabled: true
+  periodSeconds: 10
+  timeoutSeconds: 10
+...

helmfile/apps/services/values-postfix.gotmpl

@@ -4,28 +4,28 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.postfix.repository }}"
+  repository: {{ .Values.images.postfix.repository | quote }}
-  tag: "{{ .Values.images.postfix.tag }}"
+  tag: {{ .Values.images.postfix.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 certificate:
-  secretName: "{{ .Values.ingress.tls.secretName }}"
+  secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 postfix:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
-  virtualMailboxDomains: "{{ .Values.global.domain }}"
+  virtualMailboxDomains: {{ .Values.global.domain | quote }}
   overrides:
     - fileName: "sasl_passwd.map"
       content:
-        - "{{ .Values.smtp.host }} {{ .Values.smtp.username }}:{{ .Values.smtp.password }}"
+        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: "[{{ .Values.smtp.host }}]:587"
+  relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
-  relayNets: {{ .Values.cluster.networking.cidr }}
+  relayNets: {{ .Values.cluster.networking.cidr | quote}}
   virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"
   {{- if .Values.clamavDistributed.enabled }}
@@ -35,8 +35,8 @@ postfix:
   {{- end }}
 
 persistence:
-  size: "{{ .Values.persistence.size.postfix }}"
+  size: {{ .Values.persistence.size.postfix | quote }}
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
 
 replicaCount: {{ .Values.replicas.postfix }}
 

helmfile/apps/services/values-postgresql.gotmpl

@@ -4,14 +4,14 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  repository: "{{ .Values.images.postgresql.repository }}"
+  repository: {{ .Values.images.postgresql.repository | quote }}
-  tag: "{{ .Values.images.postgresql.tag }}"
+  tag: {{ .Values.images.postgresql.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 job:
   users:
@@ -39,8 +39,8 @@ job:
       user: "notificationsapi_user"
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.postgresql }}"
+  size: {{ .Values.persistence.size.postgresql | quote }}
 
 postgres:
   password: {{ .Values.secrets.postgresql.postgresUser | quote }}

helmfile/apps/services/values-redis.gotmpl

@@ -7,20 +7,20 @@ auth:
   password: {{ .Values.secrets.redis.password | quote }}
 
 global:
-  imageRegistry: "{{ .Values.global.imageRegistry }}"
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.redis.repository }}"
+  repository: {{ .Values.images.redis.repository | quote }}
-  tag: "{{ .Values.images.redis.tag }}"
+  tag: {{ .Values.images.redis.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 master:
   persistence:
-    size: "{{ .Values.persistence.size.redis }}"
+    size: {{ .Values.persistence.size.redis | quote }}
 
   resources:
     {{ .Values.resources.redis | toYaml | nindent 4 }}

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -4,36 +4,36 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: "{{ .Values.images.univentionCorporateServer.repository }}"
+  repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
-  tag: "{{ .Values.images.univentionCorporateServer.tag }}"
+  tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
 
 ingress:
   host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
   enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: "{{ .Values.ingress.tls.secretName }}"
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionCorporateServer }}"
+  size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
 
 extraEnvVars:
   - name: ISTIO_DOMAIN
-    value: {{ .Values.istio.domain }}
+    value: {{ .Values.istio.domain | quote }}
   - name: CENTRALNAVIGATION_API_SECRET
-    value: {{ .Values.secrets.centralnavigation.apiKey }}
+    value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   - name: LDAPSEARCH_OX_USERNAME
     value: "ldapsearch_ox"
   - name: LDAPSEARCH_OX_PASSWORD

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -23,14 +23,14 @@ repositories:
 
 releases:
   # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
-  {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+  # {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
   - name: "ums-stack-gateway"
     chart: "bitnami-repo/nginx"
     version: "15.3.5"
     values:
       - "values-ums-stack-gateway.gotmpl"
-    condition: "univentionManagementStack.enabled"
+    installed: {{ .Values.univentionManagementStack.enabled }}
-  {{- end }}
+  # {{- end }}
   - name: "ums-store-dav"
     chart: "ums-repo/store-dav"
     version: "0.5.2"

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -3,12 +3,12 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 ingress:
   enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
   host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
   tls:
     # The TLS configuration is on the "master" Ingress, see "portal-frontend"
     enabled: false
     secretName: ""
+...

helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl

@@ -3,18 +3,16 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsLdapNotifier.repository }}"
+  repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsLdapNotifier.tag }}"
+  tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:
   {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ldapServer:
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
 
   # TODO: Certificates handling
@@ -19,13 +19,13 @@ ldapServer:
   serviceProviders: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsLdapServer.repository }}"
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsLdapServer.tag }}"
+  tag: {{ .Values.images.umsLdapServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
   waitForDependency:
@@ -37,12 +37,11 @@ image:
 # TODO: Pending upstream support, #199
 persistence:
   data:
-    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerData }}"
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
   shared:
-    storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: "{{ .Values.persistence.size.univentionManagementStack.ldapServerShared }}"
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
 
 resources:
   {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -14,13 +14,13 @@ postgresql:
     password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry }}
-  repository: "{{ .Values.images.umsNotificationsApi.repository }}"
+  repository: {{ .Values.images.umsNotificationsApi.repository }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
-  tag: "{{ .Values.images.umsNotificationsApi.tag }}"
+  tag: {{ .Values.images.umsNotificationsApi.tag }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -3,15 +3,14 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalFrontend.repository }}"
+  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalFrontend.tag }}"
+  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 extraIngresses:
@@ -24,9 +23,8 @@ extraIngresses:
     enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 resources:
   {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -13,10 +13,10 @@ portalListener:
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
   ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHost: "{{ .Values.global.ldap.host }}"
+  ldapHost: "{{ .Values.ldap.host }}"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: "ums-ldap-notifier"
   portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
   udmApiUrl: "http://ums-udm-rest-api/udm/"
@@ -25,30 +25,29 @@ portalListener:
   tlsMode: "off"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalListener.repository }}"
+  repository: {{ .Values.images.umsPortalListener.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalListener.tag }}"
+  tag: {{ .Values.images.umsPortalListener.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
   waitForDependency:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
     imagePullPolicy: "Always"
-    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
 # TODO: Pending upstream support, #200
 persistence:
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionManagementStack.portalListener }}"
+  size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
 
 resources:
   {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
 
 resourcesDependencyWaiter:
   {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -14,13 +14,13 @@ portalServer:
   umcSessionUrl: "http://ums-umc-server/get/session-info"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsPortalServer.repository }}"
+  repository: {{ .Values.images.umsPortalServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsPortalServer.tag }}"
+  tag: {{ .Values.images.umsPortalServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -31,13 +31,13 @@ stackDataContext:
   oxDefaultContext: "10"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  tag: {{ .Values.images.umsDataLoader.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -13,7 +13,7 @@ stackDataContext:
   domainname: "{{ .Values.global.domain }}"
   externalMailDomain: "{{ .Values.global.domain }}"
   hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
-  ldapHost: "{{ .Values.global.ldap.host }}"
+  ldapHost: "{{ .Values.ldap.host }}"
   ldapBase: "dc=swp-ldap,dc=internal"
   # TODO: This should not be required, the machine account is not there
   # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
@@ -31,13 +31,13 @@ stackDataContext:
   installUmcPolicies: false
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsDataLoader.repository }}"
+  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsDataLoader.tag }}"
+  tag: {{ .Values.images.umsDataLoader.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -6,33 +6,33 @@ SPDX-License-Identifier: Apache-2.0
 storeDav:
   auth:
     basicAuth:
-      portal-listener: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}"
+      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
-      portal-server: "{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}"
+      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsStoreDav.repository }}"
+  repository: {{ .Values.images.umsStoreDav.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsStoreDav.tag }}"
+  tag: {{ .Values.images.umsStoreDav.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
   configHtpasswd:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsConfigHtpasswd.repository }}"
+    repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
     pullPolicy: "Always"
-    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: "{{ .Values.images.umsConfigHtpasswd.tag }}"
+    tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
     pullSecrets:
       {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . }}
+      - name: {{ . | quote }}
       {{- end }}
 
 # TODO: Pending upstream support, #201
 persistence:
-  storageClassName: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: "{{ .Values.persistence.size.univentionManagementStack.storeDav }}"
+  size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
 
 resources:
   {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 udmRestApi:
   # TODO: Secret should be entered without b64enc
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
   machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
   # TODO: Stub value currently
@@ -15,16 +15,15 @@ udmRestApi:
     enabled: true
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUdmRestApi.repository }}"
+  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUdmRestApi.tag }}"
+  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:
   {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-
 ...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -17,13 +17,13 @@ extraVolumeMounts:
     subPath: "90-swp.sh"
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUmcGateway.repository }}"
+  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUmcGateway.tag }}"
+  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -5,18 +5,18 @@ SPDX-License-Identifier: Apache-2.0
 ---
 umcServer:
   # TODO: Secret should be entered without b64enc
-  ldapSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: "{{ .Values.images.umsUmcServer.repository }}"
+  repository: {{ .Values.images.umsUmcServer.repository | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: "{{ .Values.images.umsUmcServer.tag }}"
+  tag: {{ .Values.images.umsUmcServer.tag | quote }}
   pullSecrets:
     {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . }}
+    - name: {{ . | quote }}
     {{- end }}
 
 resources:

helmfile/apps/xwiki/values.gotmpl

@@ -5,24 +5,24 @@ SPDX-License-Identifier: Apache-2.0
 ---
 image:
   name: "{{ .Values.global.imageRegistry }}/{{ .Values.images.xwiki.repository }}"
-  tag: "{{ .Values.images.xwiki.tag }}"
+  tag: {{ .Values.images.xwiki.tag | quote }}
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 externalDB:
   password: {{ .Values.databases.xwiki.password | default .Values.secrets.mariadb.rootPassword | quote }}
-  database: "{{ .Values.databases.xwiki.name }}"
+  database: {{ .Values.databases.xwiki.name | quote }}
-  user: "{{ .Values.databases.xwiki.username }}"
+  user: {{ .Values.databases.xwiki.username | quote }}
-  host: "{{ .Values.databases.xwiki.host }}"
+  host: {{ .Values.databases.xwiki.host | quote }}
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": "{{ .Values.secrets.xwiki.superadminpassword }}"
+    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
     ## LDAP Server configuration
-    xwiki.authentication.ldap.server: "{{ .Values.global.ldap.host }}"
+    xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    xwiki.authentication.ldap.bind_pass: "{{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki }}"
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
 
@@ -31,24 +31,24 @@ customConfigs:
     "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
     "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
     "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-    "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki }}
+    "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    "workplaceServices.portalSecret": "{{ .Values.secrets.centralnavigation.apiKey }}"
+    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 properties:
   "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": "{{ .Values.theme.colors.primary }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.brand-primary": {{ .Values.theme.colors.primary | quote }}
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": "{{ .Values.theme.colors.white }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-bg": {{ .Values.theme.colors.white | quote }}
-  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": "{{ .Values.theme.colors.secondaryGreyLight }}"
+  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
-  className: "{{ .Values.ingress.ingressClassName }}"
+  className: {{ .Values.ingress.ingressClassName | quote }}
   annotations:
     haproxy-ingress.github.io/headers: "X-Forwarded-Host {{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
   hosts:
@@ -57,13 +57,13 @@ ingress:
         - path: /
           pathType: "ImplementationSpecific"
   tls:
-    - secretName: "{{ .Values.ingress.tls.secretName }}"
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
       hosts:
         - "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
 
 persistence:
-  size: "{{ .Values.persistence.size.xwiki }}"
+  size: {{ .Values.persistence.size.xwiki | quote }}
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 
 replicaCount: {{ .Values.replicas.xwiki }}
 

helmfile/apps/xwiki/values.yaml

@@ -67,15 +67,18 @@ properties:
 
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
-  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes": "sn,givenname,uid"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
+    "sn,givenname,uid"
   ## Restrict user import in the UI to global administrators
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupsUpdate": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.triggerGroupImport": 1
-  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate": 1
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.forceXWikiUsersGroupMembershipUpdate":
+    1
   ## Base DN under which groups should be searched for
-  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN": "dc=swp-ldap,dc=internal"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchDN":
+    "dc=swp-ldap,dc=internal"
   ## LDAP filter to only synchronize some groups
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapGroupImportSearchFilter":
     "(&(objectClass=opendeskKnowledgemanagementGroup)(opendeskKnowledgemanagementEnabled=TRUE))"

helmfile/environments/default/_helper.gotmpl

@@ -0,0 +1,10 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+## Define LDAP service (supports "ums_eval" from the CI pipeline)
+ldap:
+  host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
+  notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+...

helmfile/environments/default/global.gotmpl

@@ -9,16 +9,9 @@ global:
 
   ## Define host
   #
-  domain: {{ env "DOMAIN" | default "souvap.cloud" }}
+  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
-
-
-  ## Define LDAP service (supports "ums_eval" from the CI pipeline)
-  ldap:
-    host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
-    notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
 
   ## Define docker registry address.
   #
-  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" }}
+  imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "external-registry.souvap-univention.de/sovereign-workplace" | quote }}
-
 ...

helmfile/environments/default/global.yaml

@@ -4,7 +4,6 @@
 ## The global properties are used to configure multiple charts at once.
 #
 global:
-
   ## Define ingress/virtualservice host.
   #
   hosts:
@@ -20,6 +19,8 @@ global:
     matrixNeoChoiceWidget: "matrix-neochoice-widget"
     matrixNeoDateFixBot: "matrix-neodatefix-bot"
     matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
     nextcloud: "fs"
     openproject: "project"
     openxchange: "webmail"
@@ -30,7 +31,6 @@ global:
     whiteboard: "whiteboard"
     xwiki: "wiki"
 
-
   ## Define docker registry address.
   #
   imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"

helmfile/environments/default/images.yaml

@@ -8,7 +8,7 @@ images:
     # @supplier: "openDesk DevSecOps"
   collabora:
     repository: "souvap/tooling/images/collabora"
-    tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
+    tag: "23.05.5.4.1@sha256:ff48ec379f0d63e50b7714d1fa0f8f8de4247595dfa78754c44786a79c4968e4"
     # @supplier: "Collabora"
   cryptpad:
     repository: "cryptpad/cryptpad"
@@ -20,12 +20,20 @@ images:
     # @supplier: "Open-Xchange"
   element:
     repository: "souvap/tooling/images/element-web"
-    tag: "1.5.0@sha256:d690c485c971f52ba2ab8e1011aa039a2e32ec1ffb504826f4fa050aa989067a"
+    tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
     # @supplier: "Element"
   freshclam:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
+  icap:
+    repository: "souvap/tooling/images/c-icap"
+    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
+    # @supplier: "openDesk DevSecOps"
+  intercom:
+    repository: "univention/intercom-service"
+    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
+    # @supplier: "Univention"
   jibri:
     repository: "jitsi/jibri"
     tag: "stable-8922@sha256:87aa176b44b745b13769f13b8e2d22ddd6f6ba624244d5354c8dd3664787e936"
@@ -50,14 +58,6 @@ images:
     repository: "jitsi/jvb"
     tag: "stable-8922@sha256:75dd613807e19cbbd440d071b60609fa9e4ee50a1396b14deb0ed779d882a554"
     # @supplier: "Nordeck"
-  icap:
-    repository: "souvap/tooling/images/c-icap"
-    tag: "0.5.10@sha256:cd665e77a42460bb1e6df4282bc1d8737be241fc9f4143d43509e31de3a7993d"
-    # @supplier: "openDesk DevSecOps"
-  intercom:
-    repository: "univention/intercom-service"
-    tag: "1.4-kubernetes@sha256:e4fa2e0df49595bf9ba5bf73e36a50e8f1b44334a1a326a43488b8f9c8bbcb9c"
-    # @supplier: "Univention"
   keycloak:
     repository: "bitnami/keycloak"
     tag: "19.0.3-debian-11-r22@sha256:4ac04104d20d4861ecca24ff2d07d71b34a98ee1148c6e6b6e7969a6b2ad085e"
@@ -70,7 +70,7 @@ images:
   keycloakBootstrap:
     repository: "souvap/tooling/images/ansible"
     tag: "4.10.0@sha256:89d8212c20e03b0fd079e08afaf3247c1b96b380c4db1b572d68d0b4a6abc0ac"
-    # @supplier: "Univention"
+    # @supplier: "openDesk DevSecOps"
   keycloakExtensionHandler:
     repository: "souvap/tooling/images/keycloak-extensions/keycloak-handler"
     tag: "latest@sha256:e67bdfc655e43b7fb83b025e13f949b04fdd98e089b33401275d03e340e03e2e"
@@ -90,7 +90,7 @@ images:
     # @supplier: "Nordeck"
   matrixNeoChoiceWidget:
     repository: "nordeck/matrix-poll-widget"
-    tag: "1.2.0@sha256:0abcf7c368c91721413c96deaa1e87f095b6afbe864ea5f042c9a370c38fb07b"
+    tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
     # @supplier: "Nordeck"
   matrixNeoDateFixBot:
     repository: "nordeck/matrix-meetings-bot"
@@ -98,7 +98,7 @@ images:
     # @supplier: "Nordeck"
   matrixNeoDateFixWidget:
     repository: "nordeck/matrix-meetings-widget"
-    tag: "1.5.2@sha256:cc9e2592c9159cc8f6bed96dae0be6e6fe599977dbef64cbdb1c1b84db85a2bb"
+    tag: "1.5.3@sha256:918b1eb28cefb08bfdaae57607f0889b454111f2ba80b5ec9bb3c750f8599913"
     # @supplier: "Nordeck"
   matrixUserVerificationService:
     repository: "matrixdotorg/matrix-user-verification-service"
@@ -112,14 +112,26 @@ images:
     repository: "clamav/clamav"
     tag: "1.1.1-10_base@sha256:aed8d5a3ef58352c862028fae44241215a50eae0b9acb7ba8892b1edc0a6598f"
     # @supplier: "openDesk DevSecOps"
+  minio:
+    repository: "bitnami/minio"
+    tag: "2023@sha256:bced4f2f9fc48b755ebb3e1b35e76195a978d4331bf2d0c6699dab412d3c0be7"
+    # @supplier: "openDesk DevSecOps"
   nextcloud:
     repository: "nextcloud"
     tag: "27.1.1-apache@sha256:47325758ffcd54563021e697905aaba6aac8c21bceefb245c67d40194813ce39"
     # @supplier: "Nextcloud Community"
   openproject:
     repository: "openproject/open_desk"
-    tag: "dev@sha256:ca5b843fd7f0687617ce3038a52fd6ac73fb4e9db7b762b8ac7d5090f168f0b1"
+    tag: "dev@sha256:732b5d0efe9fc64fe411c9d8143ec3f4a3c731d03c0caddb5fa4c614ff426e8d"
     # @supplier: "OpenProject"
+  openprojectInitDb:
+    repository: "postgres"
+    tag: "13@sha256:ced3ba927f4cf06e03eac7760f426a95367076fb31fe4e31b679f82d119a3519"
+    # @supplier: "OpenProject"
+  openprojectBootstrap:
+    repository: "souvap/tooling/images/opendesk-openproject-bootstrap"
+    tag: "1.1.1@sha256:09da76a9b645b3dbe5c181061f7829f82f239e7d17f7e115218a32870f7a955e"
+    # @supplier: "openDesk DevSecOps"
   openxchangeBootstrap:
     repository: "alpine/k8s"
     tag: "1.26.8@sha256:acde24d2a8ebaafda76f464591a5ddc7d0acd08bb38b12560961c1b1c4fc85ec"
@@ -169,11 +181,10 @@ images:
     tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
     # @supplier: "Open-Xchange"
   oxConnector:
-    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag:
-      "branch-jconde-listener-entrypoint-chaining\
-      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
     # @supplier: "Univention"
+    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
+    tag: "branch-jconde-listener-entrypoint-chaining\
+      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
   postfix:
     repository: "souvap/tooling/images/postfix"
     tag: "1.0.0@sha256:69e0c53ade77ffb89673672f5c8183ec2edfc81d4e990aca3ec594f33c55a7ac"

helmfile/environments/default/istio.gotmpl

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 istio:
   enabled: true
-  domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" }}
+  domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" | quote }}
   virtualService:
     enabled: false
   gateway:

helmfile/environments/default/persistence.yaml

@@ -10,10 +10,10 @@ persistence:
     dovecot: "1Gi"
     mariadb: "1Gi"
     matrixNeoDateFixBot: "1Gi"
+    minio: "1Gi"
     nextcloud:
-      main: "1.2Gi"
+      main: "2Gi"
       data: "10Gi"
-    openproject: "1Gi"
     postfix: "1Gi"
     postgresql: "1Gi"
     prosody: "1Gi"

helmfile/environments/default/replicas.yaml

@@ -27,6 +27,7 @@ replicas:
   matrixUserVerificationService: 1
   # clamav-distributed
   milter: 1
+  minioDistributed: 4
   nextcloud: 1
   openproject: 1
   postfix: 1

helmfile/environments/default/resources.yaml

@@ -170,6 +170,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "2Gi"
+  minio:
+    limits:
+      cpu: 2
+      memory: "4Gi"
+    requests:
+      cpu: 0.25
+      memory: "1Gi"
   nextcloud:
     limits:
       cpu: 2
@@ -352,5 +359,4 @@ resources:
     requests:
       cpu: 0.1
       memory: "6Gi"
-
 ...

helmfile/environments/default/secrets.gotmpl

@@ -5,84 +5,92 @@ SPDX-License-Identifier: Apache-2.0
 ---
 secrets:
   oxAppsuite:
-    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum) }}
+    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
-    cookieHashSalt: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum) }}
+    cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
-    sessiondEncryptionKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum) }}
+    sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
-    shareCryptKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum) }}
+    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
     oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
     oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
   univentionCorporateServer:
-    authSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum) }}
+    authSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum | quote }}
     defaultAccounts:
-      userPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum) }}
+      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
-      adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum) }}
+      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
     ldapSearch:
-      keycloak: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum) }}
+      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }}
-      nextcloud: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum) }}
+      nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }}
-      dovecot: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum) }}
+      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_dovecot" | sha1sum | quote }}
-      ox: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum) }}
+      ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }}
-      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum) }}
+      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }}
-      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum) }}
+      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }}
   univentionManagementStack:
-    ldapSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum) }}
+    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     defaultAccounts:
-      administratorPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum) }}
+      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
     storeDavUsers:
-      portalServer: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum) }}
+      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
-      portalListener: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum) }}
+      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
   postgresql:
-    postgresUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum) }}
+    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
-    keycloakUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum) }}
+    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
-    keycloakExtensionUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum) }}
+    keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
-    matrixUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum) }}
+    matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
-    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum) }}
+    openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
-    notificationsapiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum) }}
+    notificationsapiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
   mariadb:
-    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum) }}
+    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
-    xwikiUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum) }}
+    xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
-    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum) }}
+    openxchangeUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "openxchange_user" | sha1sum | quote }}
-    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum) }}
+    nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
+  minio:
+    rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
+    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
+    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
+    nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
   keycloak:
-    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum) }}
+    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
     clientSecret:
-      intercom: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum) }}
+      intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
-      matrix: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum) }}
+      matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
-      jitsi: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum) }}
+      jitsi: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum | quote }}
-      ncoidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum) }}
+      ncoidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum | quote }}
-      openproject: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum) }}
+      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
-      xwiki: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum) }}
+      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "xwiki_client_secret" | sha1sum | quote }}
-      as8oidc: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum) }}
+      as8oidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "as8oidc_client_secret" | sha1sum | quote }}
   nextcloud:
-    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum) }}
+    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "nextcloud_admin_user" | sha1sum | quote }}
-    metricsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum) }}
+    metricsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nextcloud" "metricsToken" | sha1sum | quote }}
   openproject:
-    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum) }}
+    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_admin_user" | sha1sum | quote }}
+    apiAdminUsername: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_username" | sha1sum | quote }}
+    apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "openproject" "openproject_api_admin_password" | sha1sum | quote }}
   collabora:
-    adminPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum) }}
+    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "collabora" "collabora_admin_user" | sha1sum | quote }}
   jitsi:
-    jwtAppSecret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum) }}
+    jwtAppSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jwtAppSecret" | sha1sum | quote }}
-    jibriRecorderPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum) }}
+    jibriRecorderPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriRecorderPassword" | sha1sum | quote }}
-    jibriXmppPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum) }}
+    jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }}
-    jicofoAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum) }}
+    jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
-    jicofoComponentPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum) }}
+    jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
-    jvbAuthPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum) }}
+    jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
   etherpad:
-    apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
   whiteboard:
-    apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum) }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
   centralnavigation:
-    apiKey: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum) }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
   redis:
-    password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum) }}
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "redis" "password" | sha1sum | quote }}
   dovecot:
-    doveadm: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum) }}
+    doveadm: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dovecot" "doveadm" | sha1sum | quote }}
   xwiki:
-    superadminpassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum) }}
+    superadminpassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "xwiki" "superadminpassword" | sha1sum | quote }}
   intercom:
-    secret: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum) }}
+    secret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "secret" | sha1sum | quote }}
-    synapseAsToken: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum) }}
+    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "intercom" "as_token" | sha1sum | quote }}
   matrixNeoDateFixBot:
-    password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum) }}
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-neodatefix-bot" "password" | sha1sum | quote }}
   matrixUserVerificationService:
-    password: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum) }}
+    password: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "matrix-user-verification-service" "password" | sha1sum | quote }}
 ...

helmfile/environments/default/smtp.gotmpl

@@ -7,5 +7,5 @@ smtp:
   host: ""
   port: 587
   username: ""
-  password: "{{ env "SMTP_PASSWORD" }}"
+  password: {{ env "SMTP_PASSWORD" | quote }}
 ...

helmfile/environments/default/turn.gotmpl

@@ -5,12 +5,11 @@ SPDX-License-Identifier: Apache-2.0
 ---
 turn:
   transport: "udp"
-  credentials: "{{ env "TURN_CREDENTIALS" }}"
+  credentials: {{ env "TURN_CREDENTIALS" | quote }}
   server:
     host: ""
     port: "3478"
   tls:
     host: ""
     port: "5349"
-
 ...

helmfile/environments/default/workplace.yaml

@@ -25,6 +25,8 @@ mariadb:
   enabled: true
 memcached:
   enabled: true
+minio:
+  enabled: true
 nextcloud:
   enabled: true
 openproject: