chore(release): 0.5.71 [skip ci]

## [0.5.71](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.70...v0.5.71) (2023-12-15)

### Bug Fixes

* **docs:** Security.md ([36bbbae](36bbbae579))
* **univention-management-stack:** Switch to Univention Keycloak ([902076c](902076c629))

.gitlab-ci.yml

@@ -5,6 +5,7 @@ include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
     ref: "main"
     file:
+      - "ci/common/automr.yml"
       - "ci/common/lint.yml"
       - "ci/release-automation/semantic-release.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
@@ -14,6 +15,7 @@ include:
 
 stages:
   - ".pre"
+  - "automr"
   - "lint"
   - "env-cleanup"
   - "env"
@@ -54,14 +56,11 @@ variables:
     options:
       - "yes"
       - "no"
-  DEPLOY_UCS:
+  DEPLOY_UMS:
-    description: >-
+    description: "Enable Univention Management Stack deployment."
-      Enable Univention Corporate Server deployment.
-      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
     value: "no"
     options:
       - "yes"
-      - "ums-eval"
       - "no"
   DEPLOY_PROVISIONING:
     description: "Enable Provisioning Components."
@@ -87,12 +86,6 @@ variables:
     options:
       - "yes"
       - "no"
-  DEPLOY_KEYCLOAK:
-    description: "Enable Keycloak deployment."
-    value: "no"
-    options:
-      - "yes"
-      - "no"
   DEPLOY_OX:
     description: "Enable OX AppSuite8 deployment."
     value: "no"
@@ -152,7 +145,8 @@ variables:
   cache: {}
   dependencies: []
   extends: ".environments"
-  image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
+  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
     # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -231,18 +225,6 @@ services-deploy:
   variables:
     COMPONENT: "services"
 
-ucs-deploy:
-  stage: "component-deploy-stage-1"
-  extends: ".deploy-common"
-  rules:
-    - if: >
-          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
-          $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
-      when: "always"
-  variables:
-    COMPONENT: "univention-corporate-container"
-
 provisioning-deploy:
   stage: "component-deploy-stage-2"
   extends: ".deploy-common"
@@ -250,7 +232,7 @@ provisioning-deploy:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
           $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
       when: "always"
   variables:
     COMPONENT: "provisioning"
@@ -262,36 +244,11 @@ ums-deploy:
     - if: >
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
           $NAMESPACE =~ /.+/ &&
-          $DEPLOY_UCS == "ums-eval"
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
       when: "always"
   variables:
     COMPONENT: "univention-management-stack"
 
-keycloak-deploy:
-  stage: "component-deploy-stage-1"
-  extends: ".deploy-common"
-  rules:
-    - if: >
-          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
-          $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
-      when: "always"
-  variables:
-    COMPONENT: "keycloak"
-
-keycloak-bootstrap-deploy:
-  stage: "component-deploy-stage-1"
-  extends: ".deploy-common"
-  timeout: "30m"
-  rules:
-    - if: >
-          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
-          $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_KEYCLOAK != "no")
-      when: "always"
-  variables:
-    COMPONENT: "keycloak-bootstrap"
-
 ox-deploy:
   stage: "component-deploy-stage-1"
   extends: ".deploy-common"
@@ -432,6 +389,19 @@ env-stop:
   variables:
     GIT_STRATEGY: "none"
 
+.ums-default-password: &ums-default-password
+  - |
+    UMS_PASSWORDS=$( \
+      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+      | yq '.properties.password' > passwords.txt \
+    )
+    DEFAULT_USER_PASSWORD=$( \
+      awk 'NR==1{print $1}' passwords.txt \
+    )
+    DEFAULT_ADMIN_PASSWORD=$(
+      awk 'NR==3{print $1}' passwords.txt \
+    )
+
 run-tests:
   extends: ".deploy-common"
   environment:
@@ -442,24 +412,8 @@ run-tests:
           $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
       when: "always"
   script:
+    - *ums-default-password
     - |
-      UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
-          'app.kubernetes.io/instance=univention-corporate-container' \
-        | grep Running \
-        | awk '{print $1}' \
-      )
-      DEFAULT_USER_PASSWORD=$( \
-        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
-        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
-        | awk '{print $2}' \
-      )
-      DEFAULT_ADMIN_PASSWORD=$(
-        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
-        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
-        | awk '{print $2}' \
-      )
-
       curl --request POST \
       --header "Content-Type: application/json" \
       --data "{ \
@@ -476,12 +430,12 @@ run-tests:
           \"DEPLOY_ELEMENT\": \"${DEPLOY_ELEMENT}\", \
           \"DEPLOY_ICS\": \"${DEPLOY_ICS}\", \
           \"DEPLOY_JITSI\": \"${DEPLOY_JITSI}\", \
-          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_KEYCLOAK}\", \
+          \"DEPLOY_KEYCLOAK\": \"${DEPLOY_UMS}\", \
           \"DEPLOY_NEXTCLOUD\": \"${DEPLOY_NEXTCLOUD}\", \
           \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
           \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
           \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
-          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
           \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
           \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
         } \
@@ -498,24 +452,8 @@ run-souvap-dev-tests:
         $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
       when: "always"
   script:
+    - *ums-default-password
     - |
-      UCS_CONTAINER_NAME=$( \
-        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
-          'app.kubernetes.io/instance=univention-corporate-container' \
-        | grep Running \
-        | awk '{print $1}' \
-      )
-      DEFAULT_USER_PASSWORD=$( \
-        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
-        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
-        | awk '{print $2}' \
-      )
-      DEFAULT_ADMIN_PASSWORD=$(
-        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
-        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
-        | awk '{print $2}' \
-      )
-
       curl --request POST \
       --header "Content-Type: application/json" \
       --data "{ \
@@ -555,7 +493,7 @@ generate-release-assets:
       - "./build_artefacts/image-index.json"
   tags: []
   variables:
-    ASSET_GENERATOR_REPO_PATH: "bmi/souveraener_arbeitsplatz/tooling/opendesk-asset-generator"
+    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
 
 
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
@@ -568,6 +506,14 @@ generate-release-assets:
   image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
   tags: []
 
+
+conventional-commits-linter:
+  rules:
+    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      when: "never"
+    - when: "always"
+
+
 common-yaml-linter:
   rules:
     - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -618,4 +564,6 @@ release:
       }
       EOF
     - "semantic-release"
+  needs:
+    - "generate-release-assets"
 ...

CHANGELOG.md

@@ -1,3 +1,217 @@
+## [0.5.71](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.70...v0.5.71) (2023-12-15)
+
+
+### Bug Fixes
+
+* **docs:** Security.md ([36bbbae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36bbbae57918036f44ddb23e47b550b2f46e5f35))
+* **univention-management-stack:** Switch to Univention Keycloak ([902076c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/902076c62909889f8ffcf90328bc06ebb908b9b8))
+
+## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Remove UCS container monolith and make UMS standard IAM ([450c434](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/450c434ed08120ad0757d672dc269a78362e780d))
+
+## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/ce38714a81ea3b0e1377e6ea2d640fb65f317396))
+
+## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)
+
+
+### Bug Fixes
+
+* **jitsi:** Disable IP Blacklist ([6a649cb](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a649cb7f0d04736ccabcd27c035ef6d051f6fd5))
+* **open-xchange:** Update to latest version ([db4bfa4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db4bfa488401f10bad111ce03c20a60473c64837))
+
+## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)
+
+
+### Bug Fixes
+
+* **services:** Use Charts from openCoDE registry ([cc0daa2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cc0daa2a22837c00583038ffd9df7e669004e84e))
+
+## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
+
+
+### Bug Fixes
+
+* **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
+
+## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
+
+
+### Bug Fixes
+
+* **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
+
+## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
+
+
+### Bug Fixes
+
+* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
+
+## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
+
+
+### Bug Fixes
+
+* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
+
+## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
+* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
+
+## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
+
+
+### Bug Fixes
+
+* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
+
+## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
+
+
+### Bug Fixes
+
+* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
+
+## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
+
+
+### Bug Fixes
+
+* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
+
+## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
+* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
+* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
+* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
+* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
+* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
+
+## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
+
+
+### Bug Fixes
+
+* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
+
+## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
+
+
+### Bug Fixes
+
+* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
+
+## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
+
+
+### Bug Fixes
+
+* **cryptpad:** Update Helm chart to enable readiness and liveness probes ([6d3e484](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6d3e484855540569be53130e133e0821a04b2ca5))
+
+## [0.5.54](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.53...v0.5.54) (2023-11-29)
+
+
+### Bug Fixes
+
+* **helmfile:** Add and document security context for components ([519db51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/519db51be2be3ce292a88965ac0ec049b4c8bb8e))
+
+## [0.5.53](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.52...v0.5.53) (2023-11-29)
+
+
+### Bug Fixes
+
+* **univention-managemen-stack:** Integrate Attribute to Group Mapper into the containerized stack ([7bbab22](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7bbab229396075c7d10f94f42bef14551faefe26))
+* **univention-management-stack:** Add Announcements icon into "umc-gateway" ([7a9ecf7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a9ecf7b8595edf0949d9c200d01b3409f25b9a7))
+* **univention-management-stack:** Add Announcements module into "umc-server" ([4c52a5a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/4c52a5aaa83ffb6f4c49faa039c94cb1855987bb))
+* **univention-management-stack:** Add branding related configuration to stack-gateway ([a5f263c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a5f263ce489f88b90cf1151de249f36616a51632))
+* **univention-management-stack:** Apply styling ([b3d45c4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3d45c45e1b754e14ab0519efcb6b6a359f0ad1e))
+* **univention-management-stack:** Configure openDesk branding in frontend chart ([cbe8fb2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cbe8fb2d65e6ce73f9da95ef9b0ed3ffbb16d367))
+* **univention-management-stack:** Document database of UMS Notifications API ([3cf348c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3cf348c7ae8f438daf3e64addbf839230816f3d2))
+* **univention-management-stack:** Move static settings from gotmpl into yaml for umc-gateway ([b3ac0ae](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b3ac0ae6d91a058265fcd26c6653bb8a13d3e780))
+* **univention-management-stack:** Quote all composed strings ([1c35ca6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c35ca67ce0673e1b2f9a350bd07c82c22a05354))
+* **univention-management-stack:** Remove frontend-custom ([8b6a4b2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8b6a4b2e88e8be1d299af91ed1ffff4405db88e6))
+* **univention-management-stack:** Set SMTP host for self-service notifications ([0c7a77c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0c7a77c4b6f20c6d83e977dabfc4e555b652f6ac))
+* **univention-management-stack:** UMC uses external memcached ([211bee9](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/211bee94bb7675860f867f0335fec9f14fc96875))
+* **univention-management-stack:** Update ums-dependencies ([e0c6c14](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e0c6c14dcaefc0755495270bbf45898721e27985))
+* **univention-management-stack:** Update ums-dependencies ([c246edd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c246edd8f9753e37bc9c32683faf41f5b46d7675))
+* **univention-management-stack:** Update ums-dependencies ([86b4818](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/86b48188e160c1f7d15f2c33f1f3cd0cc0e68bf2))
+* **univention-management-stack:** Use "stack-gateway" in all deployments ([c19bca2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c19bca2be0d14750bbef661e45c5c424f7da8e77))
+
+## [0.5.52](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.51...v0.5.52) (2023-11-28)
+
+
+### Bug Fixes
+
+* **ci:** Open automatic MRs for new branches ([735fec3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/735fec3b4ccd33ba63e5fa6482526efb6853c64a))
+
+## [0.5.51](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.50...v0.5.51) (2023-11-28)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump chart to fix central navigation ([cac6abe](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cac6abe2510b6793963633077543684a6a4e7cbc))
+* **openproject:** Update container and prepare for OIDC based user admin role setting ([6dc92df](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6dc92df2ebcae435e3b3609cc163dc6c33fb1b83))
+
+## [0.5.50](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.49...v0.5.50) (2023-11-27)
+
+
+### Bug Fixes
+
+* **ci:** Add metadata for renovate processing ([36aa3ed](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/36aa3ed7c9f9a6d0ffe23dc3ca2174d5f2741dfa))
+
+## [0.5.49](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.48...v0.5.49) (2023-11-27)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump image to incorporate fix for https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 ([efbd814](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/efbd81496868c5d4274f09805a1e771f47d548be))
+
+## [0.5.48](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.47...v0.5.48) (2023-11-24)
+
+
+### Bug Fixes
+
+* **services:** Update resource requests and remove cpu limits ([f86a74b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f86a74ba100c7f08f6538b58a713bbc87c00e814))
+
+## [0.5.47](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.46...v0.5.47) (2023-11-24)
+
+
+### Bug Fixes
+
+* **helmfile:** Rename absolute paths on OpenCoDE to new 'opendesk' base group name ([7ac2e0f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7ac2e0f9de2a8386a7f5809ba40db4ed7164a857))
+* **xwiki:** Enable the sync of user profile picture from LDAP ([6aa3d38](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6aa3d386afe8b3f22e47f9971fd719089006b54e))
+
+## [0.5.46](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.45...v0.5.46) (2023-11-23)
+
+
+### Bug Fixes
+
+* **element:** Fix quotes in element chart ([a447c13](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/a447c137fe58be343e7ada55afb7f6891a5cde74))
+
+## [0.5.45](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.44...v0.5.45) (2023-11-22)
+
+
+### Bug Fixes
+
+* **open-xchange:** Add security context ([db48140](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/commit/db48140f3ae6576b21e93ac0f10f40765efd608d))
+
 ## [0.5.44](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/compare/v0.5.43...v0.5.44) (2023-11-21)
 
 

COMPONENTS-SERVICE.md

@@ -21,7 +21,9 @@ This services is used by:
 ## Database - PostgreSQL
 
 This services is used by:
-- Keycloak
+- Univention Management Stack
+  - Self Service
+  - Keycloak
 - OpenProject
 
 ## Redis
@@ -33,11 +35,12 @@ This service is used by:
 ## Postfix
 
 This service is used by:
-- Keycloak (e.g. new device login notification)
 - Nextcloud (e.g. share file notifictions)
 - Open-Xchange (emails)
 - OpenProject (general notifications)
-- UCS (e.g. password reset emails)
+- Univention Management Stack
+  - Self Service (e.g. password reset emails)
+  - Keycloak (e.g. new device login notification)
 - XWiki (e.g. change notifications)
 
 ## TURN Server

CONTRIBUTING.md

@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 
 # Read me first
 
-Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/CONTRIBUTING.md) first.
+Please read the [project's overall CONTRIBUTING.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/CONTRIBUTING.md) first.
 
 # How to contribute?
 
@@ -52,14 +52,12 @@ Valid commit scopes:
 - `collabora`
 - `ìntercom-service`
 - `jitsi`
-- `keycloak`
-- `keycloak-bootstrap`
 - `nextcloud`
 - `open-xchange`
 - `openproject`
 - `provisioning`
 - `services`
-- `univention-corporate-container`
+- `univention-management-stack`
 - `xwiki`
 
 ## Semantic Release

README.md

@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 
 It features:
-- Fully integrated Identity Management (Univention, Keycloak)
+- Fully integrated Identity Management (Univention)
 - File storage (Nextcloud)
 - Weboffice (Collabora)
-- Videoconference (Jitsi)
+- Videoconference (Nordeck w/ Jitsi)
-- Encrypted Chat (Synapse, Element)
+- Chat and Collaboration (Element w/ Nordeck)
 - Groupware (OX Appsuite)
 - Wiki (XWiki)
-- Notes and Diagrams (Cryptpad, Draw.io)
+- Project Management (OpenProject)
+- Notes and Diagrams (Cryptpad)
 
 openDesk integrates these components and is working towards a seamless user experience.
 
@@ -40,14 +41,13 @@ Basic knowledge of Kubernetes and Devops is required though.
 
 # Active development notice
 openDesk will face breaking changes in the near future without upgrade paths before
-[technical release](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases
+[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend
 at the moment always installing from scratch.
 
 Components that are going to be replaced soon are:
-- the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
 - the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
 - Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
 
@@ -60,33 +60,33 @@ Of course, further development also includes enhancing the documentation.
 
 We love to get feedback from you!
 Related to the deployment / contents of this repository,
-please use the [issues within this project](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues).
+please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 
 If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 
 # Requirements
 
-⟶ Visit our detailed [Requirements](docs/requirements.md) overview.
+⟶ Visit our detailed [Requirements](./docs/requirements.md) overview.
 
 # Getting started
 
-⟶ Visit our detailed [Getting started](docs/getting-started.md) guide.
+⟶ Visit our detailed [Getting started](./docs/getting-started.md) guide.
 
 # Advanced customization
 
-- [External services](docs/external-services.md)
+- [External services](./docs/external-services.md)
-- [Security](docs/security.md)
+- [Security](./docs/security.md)
-- [Scaling](docs/scaling.md)
+- [Scaling](./docs/scaling.md)
-- [Monitoring](docs/monitoring.md)
+- [Monitoring](./docs/monitoring.md)
-- [Theming](docs/theming.md)
+- [Theming](./docs/theming.md)
 
 # Releases
 
 All technical releases are created using [Semantic Versioning](https://semver.org/lang/de/).
 
 Gitlab provides an
-[overview on the releases](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/releases)
+[overview on the releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 of this project.
 
 The following release artefacts are provided beside the default source code assets:
@@ -95,7 +95,7 @@ The following release artefacts are provided beside the default source code asse
 
 # Components
 
-⟶ Visit our detailed [Component](docs/getting-started.md) docs.
+⟶ Visit our detailed [Component](./docs/components.md) docs.
 
 
 # License

docs/ci.md

@@ -7,11 +7,11 @@ SPDX-License-Identifier: Apache-2.0
 This page will cover openDesk automation via Gitlab CI.
 
 <!-- TOC -->
-  * [Deployment](#deployment)
+* [Deployment](#deployment)
-  * [Tests](#tests)
+* [Tests](#tests)
 <!-- TOC -->
 
-## Deployment
+# Deployment
 
 The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
 
@@ -30,8 +30,7 @@ Based on your input, the following variables will be set:
 
 You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
 
-
+# Tests
-## Tests
 
 The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.

docs/components.md

@@ -7,20 +7,20 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.
 
 <!-- TOC -->
-  * [Overview](#overview)
+* [Overview](#overview)
-  * [Component integration](#component-integration)
+* [Component integration](#component-integration)
-    * [Intercom Service (ICS)](#intercom-service-ics)
+  * [Intercom Service (ICS)](#intercom-service-ics)
-    * [Filepicker](#filepicker)
+  * [Filepicker](#filepicker)
-    * [Central Navigation](#central-navigation)
+  * [Central Navigation](#central-navigation)
-    * [(Read & write) Central contacts](#read--write-central-contacts)
+  * [(Read \& write) Central contacts](#read--write-central-contacts)
-    * [OpenProject Filestore](#openproject-filestore)
+  * [OpenProject Filestore](#openproject-filestore)
-  * [Identity data flows](#identity-data-flows)
+* [Identity data flows](#identity-data-flows)
-  * [Provisioning](#provisioning)
+* [Provisioning](#provisioning)
-  * [Component specific documentation](#component-specific-documentation)
+* [Component specific documentation](#component-specific-documentation)
-  * [Links to component docs](#links-to-component-docs)
+* [Links to component docs](#links-to-component-docs)
 <!-- TOC -->
 
-## Overview
+# Overview
 
 openDesk consists out of a variety of open-source projects. Here is a list with the description and type.
 
@@ -38,7 +38,6 @@ they need to be replaced in production deployments.
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
-| Keycloak                    | Identity Provider              | Functional |
 | MariaDB                     | Database                       | Eval       |
 | Memcached                   | Cache Database                 | Eval       |
 | MinIO                       | Object Storage                 | Eval       |
@@ -49,18 +48,17 @@ they need to be replaced in production deployments.
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
-| Univention Corporate Server | Identity Management & Portal   | Functional |
+| Univention Management Stack | Identity Management & Portal   | Functional |
-| Univention Management Stack | Identity Management & Portal   | Eval       |
 | XWiki                       | Knowledgebase                  | Functional |
 
-## Component integration
+# Component integration
 
 Some use cases require inter component integration.
 
 ```mermaid
 flowchart TD
   OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
-  IntercomService-->|SilentLogin, TokenExchange|Keycloak
+  IntercomService-->|SilentLogin, TokenExchange|IdP
   IntercomService-->|Filepicker|Nextcloud
   IntercomService-->|CentralNavigation|Portal
   OXAppSuiteBackend-->|Filepicker|Nextcloud
@@ -71,7 +69,7 @@ flowchart TD
   OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
 ```
 
-### Intercom Service (ICS)
+## Intercom Service (ICS)
 
 The UCS Intercom Service's role is to enable cross-application integration based on browser interaction.
 Handling authentication when the frontend of an application is using the API from another application is often a
@@ -84,7 +82,7 @@ login.
 Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
 the ICS API.
 
-### Filepicker
+## Filepicker
 
 The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
 and saving attachments to Nextcloud.
@@ -94,34 +92,33 @@ Frontend-based integration means that OX AppSuite in the browser is communicatin
 While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
 when adding a file to an email or storing a file into Nextcloud.
 
-### Central Navigation
+## Central Navigation
 
 Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
 allow components to render the menu showing all available SWP applications for the user.
 
-### (Read & write) Central contacts
+## (Read & write) Central contacts
 
 Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
 Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
 available personal contact.
 
-### OpenProject Filestore
+## OpenProject Filestore
 
 By default, Nextcloud is a configured option for storing attachments in OpenProject.
 The Filestore can be enabled on a per-project level in OpenProject's project admin section.
 
-
+# Identity data flows
-## Identity data flows
 
 An overview of
 - components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-- components using Keycloak as identity provider. If not otherwise denoted based on the OAuth2 / OIDC flows.
+- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
 
 Some components trust others to handle authentication for them.
 
 ```mermaid
 flowchart TD
-    K[Keycloak]-->L[LDAP]
+    K[IdP]-->L[LDAP]
     N[Nextcloud]-->L
     O[OpenProject] --> L
     A[OX AppSuite]-->L
@@ -142,7 +139,7 @@ flowchart TD
     F[Postfix]-->D
 ```
 
-## Provisioning
+# Provisioning
 
 Currently, active provisioning is only done for OX AppSuite. The OX-Connector is synchronizing, creating, modifying and
 deleting activities for the following objects to the OX AppSuite using the AppSuite's SOAP API:
@@ -153,7 +150,7 @@ deleting activities for the following objects to the OX AppSuite using the AppSu
 - Functional Mailboxes
 - Resources
 
-## Component specific documentation
+# Component specific documentation
 
 We want to provide more information per component in separate, component-specific markdown file.
 To establish a common view on the components, we are going to cover various aspects:
@@ -173,6 +170,6 @@ To establish a common view on the components, we are going to cover various aspe
   - **Uninstall**: Documented and working complete uninstallation of the component.
 - **Debugging**: Some helpful information when it comes to debugging a component, e.g. setting log level.
 
-## Links to component docs
+# Links to component docs
 
 - [Intercom-Service](./components/intercom-service.md)

docs/external-services.md

@@ -8,58 +8,88 @@ SPDX-License-Identifier: Apache-2.0
 This document will cover the additional configuration to use external services like databases, caches or buckets.
 
 <!-- TOC -->
-  * [Database](#database)
+* [Database](#database)
-  * [Cache](#cache)
+* [Objectstore](#objectstore)
+* [Cache](#cache)
 <!-- TOC -->
 
-## Database
+# Database
 
 When deploying this suite to production, you need to configure the applications to use your production grade database
 service.
 
-| Component   | Name               | Type       | Parameter | Key                                    | Default                    |
+| Component   | Name               | Type       | Parameter | Key                                      | Default                    |
-|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
-| Element     | Synapse            | PostgreSQL |           |                                        |                            |
+| Element     | Synapse            | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
+|             |                    |            | Name      | `databases.synapse.name`                 | `matrix`                   |
-|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
+|             |                    |            | Host      | `databases.synapse.host`                 | `postgresql`               |
-|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
+|             |                    |            | Port      | `databases.synapse.port`                 | `5432`                     |
-|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
+|             |                    |            | Username  | `databases.synapse.username`             | `matrix_user`              |
-|             |                    |            | Password  | `databases.synapse.password`           |                            |
+|             |                    |            | Password  | `databases.synapse.password`             |                            |
-| Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
+| Keycloak    | Keycloak           | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
+|             |                    |            | Name      | `databases.keycloak.name`                | `keycloak`                 |
-|             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
+|             |                    |            | Host      | `databases.keycloak.host`                | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloak.port`              | `5432`                     |
+|             |                    |            | Port      | `databases.keycloak.port`                | `5432`                     |
-|             |                    |            | Username  | `databases.keycloak.username`          | `keycloak_user`            |
+|             |                    |            | Username  | `databases.keycloak.username`            | `keycloak_user`            |
-|             |                    |            | Password  | `databases.keycloak.password`          |                            |
+|             |                    |            | Password  | `databases.keycloak.password`            |                            |
-|             | Keycloak Extension | PostgreSQL |           |                                        |                            |
+|             | Keycloak Extension | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.keycloakExtension.name`     | `keycloak_extensions`      |
+|             |                    |            | Name      | `databases.keycloakExtension.name`       | `keycloak_extensions`      |
-|             |                    |            | Host      | `databases.keycloakExtension.host`     | `postgresql`               |
+|             |                    |            | Host      | `databases.keycloakExtension.host`       | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloakExtension.port`     | `5432`                     |
+|             |                    |            | Port      | `databases.keycloakExtension.port`       | `5432`                     |
-|             |                    |            | Username  | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
+|             |                    |            | Username  | `databases.keycloakExtension.username`   | `keycloak_extensions_user` |
-|             |                    |            | Password  | `databases.keycloakExtension.password` |                            |
+|             |                    |            | Password  | `databases.keycloakExtension.password`   |                            |
-| Nextcloud   | Nextcloud          | MariaDB    |           |                                        |                            |
+| UMS         | Notifications API  | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.nextcloud.name`             | `nextcloud`                |
+|             |                    |            | Name      | `databases.umsNotificationsApi.name`     | `notificationsapi`         |
-|             |                    |            | Host      | `databases.nextcloud.host`             | `mariadb`                  |
+|             |                    |            | Host      | `databases.umsNotificationsApi.host`     | `postgresql`               |
-|             |                    |            | Username  | `databases.nextcloud.username`         | `nextcloud_user`           |
+|             |                    |            | Port      | `databases.umsNotificationsApi.port`     | `5432`                     |
-|             |                    |            | Password  | `databases.nextcloud.password`         |                            |
+|             |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user`    |
-| OpenProject | OpenProject        | PostgreSQL |           |                                        |                            |
+|             |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
-|             |                    |            | Name      | `databases.openproject.name`           | `openproject`              |
+|             | Self Service       | PostgreSQL |           |                                          |                            |
-|             |                    |            | Host      | `databases.openproject.host`           | `postgresql`               |
+|             |                    |            | Name      | `databases.umsSelfservice.name`          | `selfservice`              |
-|             |                    |            | Port      | `databases.openproject.port`           | `5432`                     |
+|             |                    |            | Host      | `databases.umsSelfservice.host`          | `postgresql`               |
-|             |                    |            | Username  | `databases.openproject.username`       | `openproject_user`         |
+|             |                    |            | Port      | `databases.umsSelfservice.port`          | `5432`                     |
-|             |                    |            | Password  | `databases.openproject.password`       |                            |
+|             |                    |            | Username  | `databases.umsSelfservice.username`      | `selfservice_user`         |
-| OX Appsuite | OX Appsuite        | MariaDB    |           |                                        |                            |
+|             |                    |            | Password  | `databases.umsSelfservice.password`      |                            |
-|             |                    |            | Name      | `databases.oxAppsuite.name`            | `CONFIGDB`                 |
+| Nextcloud   | Nextcloud          | MariaDB    |           |                                          |                            |
-|             |                    |            | Host      | `databases.oxAppsuite.host`            | `mariadb`                  |
+|             |                    |            | Name      | `databases.nextcloud.name`               | `nextcloud`                |
-|             |                    |            | Username  | `databases.oxAppsuite.username`        | `root`                     |
+|             |                    |            | Host      | `databases.nextcloud.host`               | `mariadb`                  |
-|             |                    |            | Password  | `databases.oxAppsuite.password`        |                            |
+|             |                    |            | Username  | `databases.nextcloud.username`           | `nextcloud_user`           |
-| XWiki       | XWiki              | MariaDB    |           |                                        |                            |
+|             |                    |            | Password  | `databases.nextcloud.password`           |                            |
-|             |                    |            | Name      | `databases.xwiki.name`                 | `xwiki`                    |
+| OpenProject | OpenProject        | PostgreSQL |           |                                          |                            |
-|             |                    |            | Host      | `databases.xwiki.host`                 | `mariadb`                  |
+|             |                    |            | Name      | `databases.openproject.name`             | `openproject`              |
-|             |                    |            | Username  | `databases.xwiki.username`             | `xwiki_user`               |
+|             |                    |            | Host      | `databases.openproject.host`             | `postgresql`               |
-|             |                    |            | Password  | `databases.xwiki.password`             |                            |
+|             |                    |            | Port      | `databases.openproject.port`             | `5432`                     |
+|             |                    |            | Username  | `databases.openproject.username`         | `openproject_user`         |
+|             |                    |            | Password  | `databases.openproject.password`         |                            |
+| OX Appsuite | OX Appsuite        | MariaDB    |           |                                          |                            |
+|             |                    |            | Name      | `databases.oxAppsuite.name`              | `CONFIGDB`                 |
+|             |                    |            | Host      | `databases.oxAppsuite.host`              | `mariadb`                  |
+|             |                    |            | Username  | `databases.oxAppsuite.username`          | `root`                     |
+|             |                    |            | Password  | `databases.oxAppsuite.password`          |                            |
+| XWiki       | XWiki              | MariaDB    |           |                                          |                            |
+|             |                    |            | Name      | `databases.xwiki.name`                   | `xwiki`                    |
+|             |                    |            | Host      | `databases.xwiki.host`                   | `mariadb`                  |
+|             |                    |            | Username  | `databases.xwiki.username`               | `xwiki_user`               |
+|             |                    |            | Password  | `databases.xwiki.password`               |                            |
 
-## Cache
+# Objectstore
+
+When deploying this suite to production, you need to configure the applications to use your production grade objectstore
+service.
+
+| Component   | Name        | Parameter       | Key                                      | Default            |
+|-------------|-------------|-----------------|------------------------------------------|--------------------|
+| OpenProject | OpenProject |                 |                                          |                    |
+|             |             | Backend         | `objectstores.openproject.backend`       | `minio`            |
+|             |             | Bucket          | `objectstores.openproject.bucket`        | `openproject`      |
+|             |             | Endpoint        | `objectstores.openproject.endpoint`      |                    |
+|             |             | Provider        | `objectstores.openproject.provider`      | `AWS`              |
+|             |             | Region          | `objectstores.openproject.region`        |                    |
+|             |             | Secret          | `objectstores.openproject.secret`        |                    |
+|             |             | Username        | `objectstores.openproject.username`      | `openproject_user` |
+|             |             | Use IAM profile | `objectstores.openproject.useIAMProfile` |                    |
+
+# Cache
 
 When deploying this suite to production, you need to configure the applications to use your production grade cache
 service.
@@ -75,3 +105,6 @@ service.
 | OpenProject      | OpenProject      | Memcached |           |                              |                  |
 |                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
 |                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+| UMS              | Self Service     | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.umsSelfservice.host`  | `memcached`      |
+|                  |                  |           | Port      | `cache.umsSelfservice.port`  | `11211`          |

docs/getting-started.md

@@ -8,38 +8,38 @@ SPDX-License-Identifier: Apache-2.0
 This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
 
 <!-- TOC -->
-  * [Requirements](#requirements)
+* [Requirements](#requirements)
-  * [Customize environment](#customize-environment)
+* [Customize environment](#customize-environment)
-    * [Domain](#domain)
+  * [Domain](#domain)
     * [Apps](#apps)
-    * [Private OCI registry](#private-oci-registry)
+  * [Private Image registry](#private-image-registry)
-    * [Private Helm registry](#private-helm-registry)
+  * [Private Helm registry](#private-helm-registry)
-    * [Cluster capabilities](#cluster-capabilities)
+  * [Cluster capabilities](#cluster-capabilities)
-      * [Service](#service)
+    * [Service](#service)
-      * [Networking](#networking)
+    * [Networking](#networking)
-      * [Ingress](#ingress)
+    * [Ingress](#ingress)
-      * [Container runtime](#container-runtime)
+    * [Container runtime](#container-runtime)
-      * [Volumes](#volumes)
+    * [Volumes](#volumes)
-    * [Connectivity](#connectivity)
+  * [Connectivity](#connectivity)
-      * [Mail/SMTP configuration](#mailsmtp-configuration)
+    * [Mail/SMTP configuration](#mailsmtp-configuration)
-      * [TURN configuration](#turn-configuration)
+    * [TURN configuration](#turn-configuration)
-      * [Certificate issuer](#certificate-issuer)
+    * [Certificate issuer](#certificate-issuer)
-    * [Password seed](#password-seed)
+  * [Password seed](#password-seed)
   * [Install](#install)
-    * [Install single app](#install-single-app)
+  * [Install single app](#install-single-app)
-    * [Install single release/chart](#install-single-releasechart)
+  * [Install single release/chart](#install-single-releasechart)
-  * [Access deployment](#access-deployment)
+* [Access deployment](#access-deployment)
-  * [Uninstall](#uninstall)
+* [Uninstall](#uninstall)
 <!-- TOC -->
 
 Thanks for looking into the openDesk Getting started guide. This documents covers essentials configuration steps to
 deploy openDesk onto your kubernetes infrastructure.
 
-## Requirements
+# Requirements
 
 Detailed system requirements are covered on [requirements](requirements.md) page.
 
-## Customize environment
+# Customize environment
 
 Before deploying openDesk, you have to configure the deployment to suit your environment.
 To keep your deployment up to date, we recommend customizing in `dev`, `test` or `prod` and not in `default` environment
@@ -50,9 +50,9 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-### Domain
+## Domain
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a 
+The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
 `*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
@@ -107,7 +107,6 @@ All available apps and their default value can be found in `helmfile/environment
 | Element                     | `element.enabled`                   | `true`  | Secure communications platform |
 | Intercom Service            | `intercom.enabled`                  | `true`  | Cross service data exchange    |
 | Jitsi                       | `jitsi.enabled`                     | `true`  | Videoconferencing              |
-| Keycloak                    | `keycloak.enabled`                  | `true`  | Identity Provider              |
 | MariaDB                     | `mariadb.enabled`                   | `true`  | Database                       |
 | Memcached                   | `memcached.enabled`                 | `true`  | Cache Database                 |
 | MinIO                       | `minio.enabled`                     | `true`  | Object Storage                 |
@@ -118,8 +117,7 @@ All available apps and their default value can be found in `helmfile/environment
 | Postfix                     | `postfix.enabled`                   | `true`  | MTA                            |
 | PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       |
 | Redis                       | `redis.enabled`                     | `true`  | Cache Database                 |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   |
+| Univention Management Stack | `univentionManagementStack.enabled` | `true`  | Identity Management & Portal   |
-| Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   |
 | XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  |
 
 Exemplary, Jitsi can be disabled like:
@@ -129,9 +127,9 @@ jitsi:
   enabled: false
 ```
 
-### Private OCI registry
+## Private Image registry
 
-By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the
+By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
 OCI registries provided by Open CoDE.
 
 You also can set your own registry by:
@@ -154,17 +152,36 @@ global:
     - "external-registry"
 ```
 
-### Private Helm registry
+## Private Helm registry
 
-Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable:
+Some apps use OCI style registry and some use Helm chart museum style registries.
+In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
+or version.
 
-```shell
+As an example, you can also use helmfile methods to use just a single environment variable to set registry and
-export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk
+authentication for all OCI helm charts.
+
+```yaml
+charts:
+  certificates:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ```
 
-### Cluster capabilities
+There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
+The following environment variables have to be exposed when using the example:
 
-#### Service
+| Environment variable                | Description                                                                                |
+|-------------------------------------|--------------------------------------------------------------------------------------------|
+| `OD_PRIVATE_HELM_OCI_REGISTRY`      | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de`     |
+| `OD_PRIVATE_HELM_HTTP_REGISTRY`     | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
+| `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username                                                                                   |
+| `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password                                                                                   |
+
+## Cluster capabilities
+
+### Service
 
 Some apps, like Jitsi or Dovecot, require HTTP and external TCP connections.
 These apps create a Kubernetes service object.
@@ -177,7 +194,7 @@ cluster:
     type: "NodePort"
 ```
 
-#### Networking
+### Networking
 
 If your cluster has not the default `cluster.local` domain configured, you need to provide the domain via:
 
@@ -195,7 +212,7 @@ cluster:
     cidr: "127.0.0.0/8"
 ```
 
-#### Ingress
+### Ingress
 
 By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
 setting:
@@ -205,7 +222,7 @@ ingress:
   ingressClassName: "cilium"
 ```
 
-#### Container runtime
+### Container runtime
 
 Some apps require specific configuration for container runtimes. You can set your container runtime like `cri-o`,
 `containerd` or `docker` by:
@@ -216,7 +233,7 @@ cluster:
     engine: "containerd"
 ```
 
-#### Volumes
+### Volumes
 
 When your cluster has a `ReadWriteMany` volume provisioner, you can benefit from distributed or scaling of apps. By
 default, only `ReadWriteOnce` is enabled. To enable `ReadWriteMany` you can set:
@@ -236,9 +253,9 @@ persistence:
     RWO: "my-read-write-once-class"
 ```
 
-### Connectivity
+## Connectivity
 
-#### Mail/SMTP configuration
+### Mail/SMTP configuration
 
 To use the full potential of the openDesk, you need to set up an SMTP Smarthost/Relay which allows to send emails from
 the whole subdomain.
@@ -250,7 +267,7 @@ smtp:
   password: "secret"
 ```
 
-#### TURN configuration
+### TURN configuration
 
 Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
 these options:
@@ -267,7 +284,7 @@ turn:
     port: "5349"
 ```
 
-#### Certificate issuer
+### Certificate issuer
 
 As mentioned in [requirements](requirements.md#certificate-management) you can provide your own valid certificate. A TLS
 secret with name `opendesk-certificates-tls` needs to be present in application namespace. For deployment, you can
@@ -294,9 +311,9 @@ certificate:
   wildcard: true
 ```
 
-### Password seed
+## Password seed
 
-All secrets are generated from a single master password via Master Password (algorithm). 
+All secrets are generated from a single master password via Master Password (algorithm).
 To prevent others from using your openDesk instance, we highly recommend setting an individual master password via:
 
 ```shell
@@ -318,7 +335,7 @@ helmfile apply -e dev -n <NAMESPACE> [-l <label>] [--suppress-diff]
 - `-l <label>`: Label selector
 - `--suppress-diff`: Disable diff printing
 
-### Install single app
+## Install single app
 
 You can also install or upgrade only a single app like Collabora, either by label selector:
 
@@ -333,7 +350,7 @@ cd helmfile/apps/collabora
 helmfile apply -e dev -n <NAMESPACE>
 ```
 
-### Install single release/chart
+## Install single release/chart
 
 Instead of iteration through all services, you can also deploy a single release like mariadb by:
 
@@ -341,7 +358,7 @@ Instead of iteration through all services, you can also deploy a single release
 helmfile apply -e dev -n <NAMESPACE> -l name=mariadb
 ```
 
-## Access deployment
+# Access deployment
 
 When all apps are successfully deployed and pod status' went to `Running` or `Succeeded`, you can navigate to
 
@@ -349,7 +366,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
 https://portal.domain.tld
 ```
 
-If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal`
+If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
 by your specified subdomain.
 
 **Credentials:**
@@ -358,20 +375,13 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace
 
-# Get UCS container, which contains passwords as env var.
+# Get credentials from ConfigMap
-CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}')
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
-# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container
+  | yq '.properties.username,.properties.password'
-#
+# default.user
-# NAME                                              READY   STATUS    RESTARTS   AGE
-# univention-corporate-container-8665c6f8b7-nlhc6   1/1     Running   0          10m
-
-
-# Password of `default.user`
-kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
 # 40615..............................e9e2f
-
+# ---
-# Password of `default.admin`
+# default.admin
-kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
 # bdbbb..............................04db6
 ```
 
@@ -382,7 +392,7 @@ Now you can log in with obtained credentials:
 | `default.user`  | `40615..............................e9e2f` | Application user |
 | `default.admin` | `bdbbb..............................04db6` | Administrator    |
 
-## Uninstall
+# Uninstall
 
 You can uninstall the deployment by:
 

docs/monitoring.md

@@ -9,15 +9,15 @@ This document will cover how you can enable observability with Prometheus based
 well as the overall status of monitoring integration.
 
 <!-- TOC -->
-  * [Technology](#technology)
+* [Technology](#technology)
-  * [Defaults](#defaults)
+* [Defaults](#defaults)
-  * [Metrics](#metrics)
+* [Metrics](#metrics)
-  * [Alerts](#alerts)
+* [Alerts](#alerts)
-  * [Dashboards for Grafana](#dashboards-for-grafana)
+* [Dashboards for Grafana](#dashboards-for-grafana)
-  * [Components](#components)
+* [Components](#components)
 <!-- TOC -->
 
-## Technology
+# Technology
 
 We provide integration into the Prometheus based monitoring.
 Together with
@@ -27,12 +27,12 @@ easily leverage the full potential of open-source cloud-native observability sta
 Before enabling the following options, you need to install the respective CRDs from the kube-prometheus-stack
 repository or prometheus operator.
 
-## Defaults
+# Defaults
 
 All configurable options and their defaults can be found in
 [`monitoring.yaml`](../helmfile/environments/default/monitoring.yaml).
 
-## Metrics
+# Metrics
 
 To deploy podMonitor and serviceMonitor custom resources, enable it by:
 
@@ -44,7 +44,7 @@ prometheus:
     enabled: true
 ```
 
-## Alerts
+# Alerts
 
 Some helm-charts provide a default set of prometheusRules for alerting, enable it by:
 
@@ -54,7 +54,7 @@ prometheus:
     enabled: true
 ```
 
-## Dashboards for Grafana
+# Dashboards for Grafana
 
 To deploy optional ConfigMaps with Grafana dashboards, enable it by:
 
@@ -64,7 +64,8 @@ grafana:
     enabled: true
 ```
 
-## Components
+# Components
+
 | Component | Metrics (pod- or serviceMonitor)  | Alerts (prometheusRule) | Dashboard (Grafana) |
 |:----------|-----------------------------------|-------------------------|---------------------|
 | Collabora | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |

docs/requirements.md

@@ -7,17 +7,17 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.
 
 <!-- TOC -->
-  * [TL;DR;](#tldr)
+* [TL;DR;](#tldr)
-  * [Hardware](#hardware)
+* [Hardware](#hardware)
-  * [Kubernetes](#kubernetes)
+* [Kubernetes](#kubernetes)
-  * [Ingress controller](#ingress-controller)
+* [Ingress controller](#ingress-controller)
-  * [Volume provisioner](#volume-provisioner)
+* [Volume provisioner](#volume-provisioner)
-  * [Certificate management](#certificate-management)
+* [Certificate management](#certificate-management)
-  * [External services](#external-services)
+* [External services](#external-services)
-  * [Deployment](#deployment)
+* [Deployment](#deployment)
 <!-- TOC -->
 
-## TL;DR;
+# TL;DR;
 openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
 
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
@@ -30,7 +30,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 - [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
 
-## Hardware
+# Hardware
 
 The following minimal requirements are thought for initial evaluation deployment:
 
@@ -40,7 +40,7 @@ The following minimal requirements are thought for initial evaluation deployment
 | RAM  | 16 GB, recommended 32 GB                             |
 | Disk | HDD or SSD, >10 GB                                   |
 
-## Kubernetes
+# Kubernetes
 
 Any self-hosted or managed K8s cluster >= 1.24 listed in
 [CNCF Certified Kubernetes Distros](https://www.cncf.io/certification/software-conformance/) should be supported.
@@ -49,7 +49,7 @@ The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/
 
 > **Note:** The deployment is not tested against OpenShift.
 
-## Ingress controller
+# Ingress controller
 
 The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
 configured ingress controller deployed.
@@ -63,14 +63,14 @@ configured ingress controller deployed.
 
 When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
 
-## Volume provisioner
+# Volume provisioner
 
 Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
 provisioner is sufficient.
 
 > **Note:** Some components requiring a `ReadWriteMany` volume provisioner for distributed mode or scaling.
 
-## Certificate management
+# Certificate management
 
 This deployment leverages [cert-manager](https://cert-manager.io/) to generate valid certificates. This is **optional**,
 but a secret containing a valid TLS certificate is required.
@@ -78,16 +78,16 @@ but a secret containing a valid TLS certificate is required.
 Only `Certificate` resources will be deployed, the `cert-manager` including its CRD must be installed prior to this or
 openDesk certificate management disabled.
 
-## External services
+# External services
 
 Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
 
 
-| Group    | Type                | Version | Tested against        | 
+| Group    | Type                | Version | Tested against        |
-|----------|---------------------|---------|-----------------------| 
+|----------|---------------------|---------|-----------------------|
-| Cache    | Memached            | `1.6.x` | Memached              | 
+| Cache    | Memached            | `1.6.x` | Memached              |
-|          | Redis               | `7.x.x` | Redis                 | 
+|          | Redis               | `7.x.x` | Redis                 |
-| Database | MariaDB             | `10.x`  | MariaDB               | 
+| Database | MariaDB             | `10.x`  | MariaDB               |
 |          | PostgreSQL          | `15.x`  | PostgreSQL            |
 | Mail     | Mail Transfer Agent |         | Postfix               |
 |          | PKI/CI (SMIME)      |         |                       |
@@ -97,7 +97,7 @@ Evaluation the openDesk deployment does not require any external service to star
 |          | Object Storage      |         | MinIO                 |
 | Voice    | TURN                |         | Coturn                |
 
-## Deployment
+# Deployment
 
 The deployment of each individual component is [Helm](https://helm.sh/) based. The 35+ Helm charts are configured and
 templated via [Helmfile](https://helmfile.readthedocs.io/en/latest/) to provide a streamlined deployment experience.

docs/scaling.md

@@ -8,10 +8,10 @@ SPDX-License-Identifier: Apache-2.0
 This document should cover the abilities to scale apps.
 
 <!-- TOC -->
-  * [Replicas](#replicas)
+* [Replicas](#replicas)
 <!-- TOC -->
 
-## Replicas
+# Replicas
 
 The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
 apps with a check-mark in `Scaling (effective)` column.

docs/security.md

@@ -8,11 +8,12 @@ SPDX-License-Identifier: Apache-2.0
 This document should cover the current status of security measurements.
 
 <!-- TOC -->
-  * [Helm Chart Trust Chain](#helm-chart-trust-chain)
+* [Helm Chart Trust Chain](#helm-chart-trust-chain)
-  * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
+* [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
+* [NetworkPolicies](#networkpolicies)
 <!-- TOC -->
 
-## Helm Chart Trust Chain
+# Helm Chart Trust Chain
 
 Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
 `pubkey.gpg` file and are validated during helmfile installation.
@@ -27,7 +28,6 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
 | keycloak-extensions-repo             | no  |        :x:         |
-| keycloak-theme-repo                  | yes | :white_check_mark: |
 | mariadb-repo                         | yes | :white_check_mark: |
 | nextcloud-repo                       | no  |        :x:         |
 | opendesk-certificates-repo           | yes | :white_check_mark: |
@@ -36,44 +36,99 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
 | opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
 | opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
-| openproject-repo                     | no  |        :x:         |
+| openproject-repo                     | yes | :white_check_mark: |
 | openxchange-repo                     | yes |        :x:         |
 | ox-connector-repo                    | no  |        :x:         |
 | postfix-repo                         | yes | :white_check_mark: |
 | postgresql-repo                      | yes | :white_check_mark: |
-| univention-corporate-container-repo  | yes | :white_check_mark: |
 | ums-repo                             | no  |        :x:         |
+| univention-keycloak-repo             | yes | :white_check_mark: |
+| univention-keycloak-bootstrap-repo   | yes | :white_check_mark: |
 | xwiki-repo                           | no  |        :x:         |
 
-## Kubernetes Security Enforcements
+# Kubernetes Security Enforcements
 
 This list gives you an overview of default security settings and if they comply with security standards:
 
 
-| Component   | Process                  |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+| Component                   | Process                      |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|-------------|--------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
-| ClamAV      | clamd                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| ClamAV                      | clamd                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|             | freshclam                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | freshclam                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|             | icap                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | icap                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-|             | milter                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | milter                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
-| Collabora   | collabora                |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| Collabora                   | collabora                    |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| CryptPad    | cryptpad                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |   4001     |  4001   |
+| CryptPad                    | npm                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
-| Element     | element                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+| Dovecot                     | dovecot                      |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
-|             | synapse                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
+| Element                     | element                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|             | synapseWeb               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|                             | synapse                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
-|             | wellKnown                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|                             | synapseWeb                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-| Jitsi       | jibri                    |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | wellKnown                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
-|             | jicofo                   |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| IntercomService             | intercom-service             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-|             | jitsiKeycloakAdapter     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+| Jitsi                       | jibri                        |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|             | jvb                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | jicofo                       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|             | prosody                  |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | jitsiKeycloakAdapter         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
-|             | web                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | jvb                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-| Keycloak    | keycloak                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|                             | prosody                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|             | keycloakConfigCli        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|                             | web                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|             | keycloakExtensionHandler | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| MariaDB                     | mariadb                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
-|             | keycloakExtensionProxy   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| Memcached                   | memcached                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
-| MariaDB     | mariadb                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Minio                       | minio                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Memcached   | memcached                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
+| Nextcloud                   | nextcloud                    |        :x:         |         :white_check_mark:         |                                                  :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`)                                                  |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
-| Postfix     | postfix                  |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+|                             | nextcloud-cron               |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
-| OpenProject | openproject              |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | opendesk-nextcloud-bootstrap |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
-| PostgreSQL  | postgresql               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Open-Xchange                | core-documentconverter       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
+|                             | core-guidedtours             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-imageconverter          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
+|                             | core-mw-default              |        :x:         |                :x:                 |                                                                      :x:                                                                       |                :x:                |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | core-ui                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-ui-middleware           | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-ui-middleware-updater   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-user-guide              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | gotenberg                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | guard-ui                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | nextlcoud-integration-ui     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | public-sector-ui             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| OpenProject                 | openproject                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | opendeskOpenprojectBootstrap | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Postfix                     | postfix                      |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL                  | postgresql                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Redis                       | redis                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
+| Univention Management Stack | keycloak                     |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | keycloakBootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | keycloakExtensionHandler     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | keycloakExtensionProxy       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | ldap-notifier                |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | ldap-server                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | notifications-api            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | opendeskKeycloakBootstrap    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | portal-frontend              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | portal-listener              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | portal-server                |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | selfservice-listener         |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | stack-gateway                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|                             | store-dav                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | udm-rest-api                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | umc-gateway                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | umc-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| XWiki                       | xwiki                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | xwiki initContainers         |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+
+# NetworkPolicies
+
+Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
+When applied, they restrict the traffic to your services.
+This protects other deployments in your cluster or other services in your deployment to get compromised when one
+component is compromised.
+
+We ship a default set of Otterize ClientIntents via
+[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
+(IBAC) into kubernetes native NetworkPolicies.
+
+This requires the Otterize intents operator to be installed.
+
+```yaml
+security:
+  otterizeIntents:
+    enabled: true
+```

docs/theming.md

@@ -8,13 +8,13 @@ SPDX-License-Identifier: Apache-2.0
 This document will cover the theming and customization of your openDesk deployment.
 
 <!-- TOC -->
-  * [Strings and texts](#strings-and-texts)
+* [Strings and texts](#strings-and-texts)
-  * [Colors](#colors)
+* [Colors](#colors)
   * [Images and Logos](#images-and-logos)
-  * [Known limits](#known-limits)
+* [Known limits](#known-limits)
 <!-- TOC -->
 
-## Strings and texts
+# Strings and texts
 
 The deployment name can be changed by:
 
@@ -24,7 +24,7 @@ theme:
     productName: "openDesk Cloud"
 ```
 
-## Colors
+# Colors
 
 The primary color and their derivates with lesser opacity be customized by:
 
@@ -50,10 +50,10 @@ theme:
     faviconIco: "..."
 ```
 
-## Known limits
+# Known limits
 
 Not all applications support theming. Known exceptions are:
-  - Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support 
+  - Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
     for theming through the deployment).
   - OpenProject
   - Jitsi

examples/private-helm-registry.yaml.gotmpl

@@ -0,0 +1,261 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+charts:
+  certificates:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  clamav:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  clamavSimple:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  collabora:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  cryptpad:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  dovecot:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  element:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  elementWellKnown:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  intercomService:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  istioResources:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  jitsi:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsKeycloak:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsKeycloakBootstrap:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  opendeskKeycloakBootstrap:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsKeycloakExtensions:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  mariadb:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  matrixNeoboardWidget:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  matrixNeochoiseWidget:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  matrixNeodatefixBot:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  matrixNeodatefixWidget:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  matrixUserVerificationService:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  memcached:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  minio:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  nextcloud:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  nextcloudBootstrap:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  nginx:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  openproject:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  openprojectBootstrap:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  openXchangeAppSuite:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  openXchangeAppSuiteBootstrap:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  otterize:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  oxConnector:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  postfix:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  postgresql:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  redis:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  synapse:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  synapseCreateAccount:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  synapseWeb:
+   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsLdapNotifier:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsLdapServer:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsNotificationsApi:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsPortalFrontend:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsPortalListener:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsPortalServer:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsStackDataSwp:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsStackDataUms:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsStoreDav:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsUdmRestApi:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsUmcGateway:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  umsUmcServer:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+
+  xwiki:
+    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
+...

helmfile.yaml

@@ -7,10 +7,7 @@
 helmfiles:
   # Path to the helmfile state file being processed BEFORE releases in this state file
   - path: "helmfile/apps/services/helmfile.yaml"
-  - path: "helmfile/apps/keycloak/helmfile.yaml"
-  - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
   - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
-  - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
   - path: "helmfile/apps/intercom-service/helmfile.yaml"
   - path: "helmfile/apps/open-xchange/helmfile.yaml"
   - path: "helmfile/apps/nextcloud/helmfile.yaml"
@@ -29,7 +26,7 @@ missingFileHandler: "Error"
 # - Installing all releases from root via helmfile apply
 # - Installing a single release from root via helmfile apply -f helmfile/apps/<app>/helmfile.yaml
 # - Installing a single release from app directory via helmfile apply
-# Issue: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace/-/issues/2
+# Issue: https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues/2
 
 environments:
   default:

helmfile/apps/collabora/helmfile.yaml

@@ -3,20 +3,20 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # Collabora Online
   # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
-    url: >-
+    username: {{ .Values.charts.collabora.username | quote }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    password: {{ .Values.charts.collabora.password | quote }}
-         default "https://collaboraonline.github.io/online" }}
+    oci: {{ .Values.charts.collabora.oci }}
+    url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
 
 releases:
   - name: "collabora-online"
-    chart: "collabora-online-repo/collabora-online"
+    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
-    version: "1.0.2"
+    version: "{{ .Values.charts.collabora.version }}"
     values:
       - "values.yaml"
       - "values.gotmpl"

helmfile/apps/cryptpad/helmfile.yaml

@@ -3,20 +3,20 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # CryptPad
   # Source: https://github.com/cryptpad/helm
-  - name: "cryptpad-online-repo"
+  - name: "cryptpad-repo"
-    url: >-
+    username: {{ .Values.charts.cryptpad.username | quote }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    password: {{ .Values.charts.cryptpad.password | quote }}
-         default "https://cryptpad.github.io/helm" }}
+    oci: {{ .Values.charts.cryptpad.oci }}
+    url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 
 releases:
   - name: "cryptpad"
-    chart: "cryptpad-online-repo/cryptpad"
+    chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
-    version: "0.0.13"
+    version: "{{ .Values.charts.cryptpad.version }}"
     values:
       - "values.yaml"
       - "values.gotmpl"

helmfile/apps/cryptpad/values.yaml

@@ -22,6 +22,10 @@ enableEmbedding: true
 
 fullnameOverride: "cryptpad"
 
+ingress:
+  annotations:
+    nginx.org/websocket-services: "cryptpad"
+
 persistence:
   enabled: false
 

helmfile/apps/element/helmfile.yaml

@@ -3,37 +3,90 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk Element
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
-  - name: "opendesk-element-repo"
+  - name: "element-repo"
-    oci: true
+    oci: {{ .Values.charts.element.oci }}
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.element.verify }}
+    username: {{ .Values.charts.element.username | quote }}
+    password: {{ .Values.charts.element.password | quote }}
+    url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+  - name: "element-well-known-repo"
+    oci: {{ .Values.charts.elementWellKnown.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.elementWellKnown.verify }}
+    username: {{ .Values.charts.elementWellKnown.username | quote }}
+    password: {{ .Values.charts.elementWellKnown.password | quote }}
+    url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+  - name: "synapse-web-repo"
+    oci: {{ .Values.charts.synapseWeb.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.synapseWeb.verify }}
+    username: {{ .Values.charts.synapseWeb.username | quote }}
+    password: {{ .Values.charts.synapseWeb.password | quote }}
+    url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+  - name: "synapse-repo"
+    oci: {{ .Values.charts.synapse.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.synapse.verify }}
+    username: {{ .Values.charts.synapse.username | quote }}
+    password: {{ .Values.charts.synapse.password | quote }}
+    url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+  - name: "synapse-create-account-repo"
+    oci: {{ .Values.charts.synapseCreateAccount.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.synapseCreateAccount.verify }}
+    username: {{ .Values.charts.synapseCreateAccount.username | quote }}
+    password: {{ .Values.charts.synapseCreateAccount.password | quote }}
+    url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
 
   # openDesk Matrix Widgets
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
-  - name: "opendesk-matrix-widgets-repo"
+  - name: "matrix-user-verification-service-repo"
-    oci: true
+    oci: {{ .Values.charts.matrixUserVerificationService.oci }}
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
+    username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
+    password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
+    url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
+      {{ .Values.charts.matrixUserVerificationService.repository }}"
+  - name: "matrix-neoboard-widget-repo"
+    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
+    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+  - name: "matrix-neochoice-widget-repo"
+    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
+    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+  - name: "matrix-neodatefix-widget-repo"
+    oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
+    username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
+    password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
+    url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+  - name: "matrix-neodatefix-bot-repo"
+    oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
+    username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
+    password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
+    url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+
 
 releases:
   - name: "opendesk-element"
-    chart: "opendesk-element-repo/opendesk-element"
+    chart: "element-repo/{{ .Values.charts.element.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.element.version }}"
     values:
       - "values-element.yaml"
       - "values-element.gotmpl"
@@ -41,8 +94,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-well-known"
-    chart: "opendesk-element-repo/opendesk-well-known"
+    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.elementWellKnown.version }}"
     values:
       - "values-well-known.yaml"
       - "values-well-known.gotmpl"
@@ -50,8 +103,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-synapse-web"
-    chart: "opendesk-element-repo/opendesk-synapse-web"
+    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.synapseWeb.version }}"
     values:
       - "values-synapse-web.yaml"
       - "values-synapse-web.gotmpl"
@@ -59,8 +112,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-synapse"
-    chart: "opendesk-element-repo/opendesk-synapse"
+    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.synapse.version }}"
     values:
       - "values-synapse.yaml"
       - "values-synapse.gotmpl"
@@ -68,8 +121,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service-bootstrap"
-    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-user-verification-service-bootstrap.yaml"
       - "values-matrix-user-verification-service-bootstrap.gotmpl"
@@ -77,8 +130,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-matrix-user-verification-service"
-    chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
+    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
     values:
       - "values-matrix-user-verification-service.yaml"
       - "values-matrix-user-verification-service.gotmpl"
@@ -86,8 +139,8 @@ releases:
     timeout: 900
 
   - name: "matrix-neoboard-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
+    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
     values:
       - "values-matrix-neoboard-widget.yaml"
       - "values-matrix-neoboard-widget.gotmpl"
@@ -95,8 +148,8 @@ releases:
     timeout: 900
 
   - name: "matrix-neochoice-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
     values:
       - "values-matrix-neochoice-widget.yaml"
       - "values-matrix-neochoice-widget.gotmpl"
@@ -104,8 +157,8 @@ releases:
     timeout: 900
 
   - name: "matrix-neodatefix-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
+    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
     values:
       - "values-matrix-neodatefix-widget.yaml"
       - "values-matrix-neodatefix-widget.gotmpl"
@@ -113,8 +166,8 @@ releases:
     timeout: 900
 
   - name: "matrix-neodatefix-bot-bootstrap"
-    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "2.5.0"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
     values:
       - "values-matrix-neodatefix-bot-bootstrap.yaml"
       - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
@@ -122,8 +175,8 @@ releases:
     timeout: 900
 
   - name: "matrix-neodatefix-bot"
-    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
+    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
     values:
       - "values-matrix-neodatefix-bot.yaml"
       - "values-matrix-neodatefix-bot.gotmpl"

helmfile/apps/element/values-element.gotmpl

@@ -13,15 +13,15 @@ global:
 
 configuration:
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:
         banner:
           ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
           ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
-          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-          portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
+          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
         widget_types:

helmfile/apps/element/values-matrix-user-verification-service.yaml

@@ -22,6 +22,8 @@ extraEnvVars:
       secretKeyRef:
         name: "opendesk-matrix-user-verification-service-account"
         key: "access_token"
+  - name: "UVS_DISABLE_IP_BLACKLIST"
+    value: "true"
 
 podSecurityContext:
   enabled: true

helmfile/apps/element/values-synapse.gotmpl

@@ -38,7 +38,7 @@ configuration:
 
     oidc:
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
-      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 
     turn:
       sharedSecret: {{ .Values.turn.credentials | quote }}

helmfile/apps/element/values-synapse.yaml

@@ -11,10 +11,22 @@ configuration:
         - "m.space.parent"
         - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
 
   homeserver:
     guestModule:
       enabled: true
+    oidc:
+      clientId: "opendesk-matrix"
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/intercom-service/helmfile.yaml

@@ -3,24 +3,24 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # Intercom Service
   # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
   - name: "intercom-service-repo"
-    oci: true
+    oci: {{ .Values.charts.intercomService.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.intercomService.verify }}
+    username: {{ .Values.charts.intercomService.username | quote }}
+    password: {{ .Values.charts.intercomService.password | quote }}
+    url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
 
 releases:
   - name: "intercom-service"
-    chart: "intercom-service-repo/intercom-service"
+    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
-    version: "2.0.1"
+    version: "{{ .Values.charts.intercomService.version }}"
     values:
+      - "values.yaml"
       - "values.gotmpl"
     installed: {{ .Values.intercom.enabled }}
 

helmfile/apps/intercom-service/values.gotmpl

@@ -13,8 +13,10 @@ global:
 
 ics:
   secret: {{ .Values.secrets.intercom.secret | quote }}
-  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
+  keycloak:
+    realm: {{ .Values.platform.realm | quote }}
   default:
     domain: {{ .Values.global.domain | quote }}
   oidc:
@@ -33,7 +35,9 @@ ics:
     password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
   openxchange:
     url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
+    audience: "opendesk-oxappsuite"
+  nextcloud:
+    audience: "opendesk-nextcloud"
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   repository: {{ .Values.images.intercom.repository | quote }}
@@ -46,4 +50,7 @@ ingress:
   tls:
     enabled: {{ .Values.ingress.tls.enabled }}
     secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+resources:
+  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
 ...

helmfile/apps/intercom-service/values.yaml

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ics:
+  oidc:
+    id: "opendesk-intercom"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+...

helmfile/apps/jitsi/helmfile.yaml

@@ -3,23 +3,22 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk Jitsi
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
   - name: "jitsi-repo"
-    oci: true
+    oci: {{ .Values.charts.jitsi.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.jitsi.verify }}
+    username: {{ .Values.charts.jitsi.username | quote }}
+    password: {{ .Values.charts.jitsi.password | quote }}
+    url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 
 releases:
   - name: "jitsi"
-    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
-    version: "1.7.1"
+    version: "{{ .Values.charts.jitsi.version }}"
     values:
       - "values-jitsi.gotmpl"
     installed: {{ .Values.jitsi.enabled }}

helmfile/apps/jitsi/values-jitsi.gotmpl

@@ -22,6 +22,8 @@ image:
 
 settings:
   jwtAppSecret: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
+  keycloakRealm: {{ .Values.platform.realm | quote }}
+  keycloakClientId: "opendesk-jitsi"
 
 theme:
   {{ .Values.theme | toYaml | nindent 2 }}
@@ -60,7 +62,7 @@ jitsi:
       - name: "AUTH_TYPE"
         value: "hybrid_matrix_token"
       - name: "JWT_APP_ID"
-        value: "myappid"
+        value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
       - name: "JWT_APP_SECRET"
         value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
       - name: "MATRIX_UVS_SYNC_POWER_LEVELS"

helmfile/apps/keycloak-bootstrap/helmfile.yaml

@@ -1,35 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
-
----
-repositories:
-  # openDesk Keycloak Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
-  - name: "opendesk-keycloak-bootstrap-repo"
-    oci: true
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
-    # yamllint enable rule:line-length
-    verify: true
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-
-releases:
-  - name: "opendesk-keycloak-bootstrap"
-    chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
-    version: "1.1.12"
-    values:
-      - "values-bootstrap.gotmpl"
-      - "values-bootstrap.yaml"
-    installed: {{ .Values.keycloak.enabled }}
-    # as we have seen some slow clusters we want to ensure we not just fail due to a timeout.
-    timeout: 1800
-
-commonLabels:
-  deploy-stage: "component-1"
-  component: "keycloak-bootstrap"
-...

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -1,30 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
-
-config:
-  administrator:
-    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: {{ .Values.images.keycloakBootstrap.repository | quote }}
-  tag: {{ .Values.images.keycloakBootstrap.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-resources:
-  {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
-...

helmfile/apps/keycloak/helmfile.yaml

@@ -1,62 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
-
----
-repositories:
-  # VMWare Bitnami
-  # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
-    oci: true
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
-    verify: true
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-  # openDesk Keycloak Theme
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-theme
-  - name: "keycloak-theme-repo"
-    oci: true
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
-    verify: true
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-  # openDesk Keycloak Extensions
-  - name: "keycloak-extensions-repo"
-    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
-
-releases:
-  - name: "keycloak-theme"
-    chart: "keycloak-theme-repo/opendesk-keycloak-theme"
-    version: "2.0.0"
-    values:
-      - "values-theme.gotmpl"
-    installed: {{ .Values.keycloak.enabled }}
-  - name: "keycloak"
-    chart: "bitnami-repo/keycloak"
-    version: "12.1.5"
-    values:
-      - "values-keycloak.gotmpl"
-      - "values-keycloak.yaml"
-      - "values-keycloak-idp.yaml"
-    wait: true
-    installed: {{ .Values.keycloak.enabled }}
-  - name: "keycloak-extensions"
-    chart: "keycloak-extensions-repo/keycloak-extensions"
-    version: "0.1.0"
-    needs:
-      - "keycloak"
-    values:
-      - "values-extensions.yaml"
-      - "values-extensions.gotmpl"
-    installed: {{ .Values.keycloak.enabled }}
-
-commonLabels:
-  deploy-stage: "component-1"
-  component: "keycloak"
-...

helmfile/apps/keycloak/values-extensions.yaml

@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  keycloak:
-    host: "keycloak"
-    adminUsername: "kcadmin"
-    adminRealm: "master"
-    realm: "souvap"
-
-handler:
-  appConfig:
-    captchaProtectionEnable: "False"
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-
-postgresql:
-  enabled: false
-
-proxy:
-  ingress:
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-...

helmfile/apps/keycloak/values-keycloak.gotmpl

@@ -1,89 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  imageRegistry: {{ .Values.global.imageRegistry | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | quote }}
-  repository: {{ .Values.images.keycloak.repository | quote }}
-  tag: {{ .Values.images.keycloak.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-externalDatabase:
-  host: {{ .Values.databases.keycloak.host | quote }}
-  port: {{ .Values.databases.keycloak.port }}
-  user: {{ .Values.databases.keycloak.username | quote }}
-  database: {{ .Values.databases.keycloak.name | quote }}
-  password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-
-auth:
-  adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-
-replicaCount: {{ .Values.replicas.keycloak }}
-
-keycloakConfigCli:
-  extraEnvVars:
-    - name: "LDAP_GROUPS_DN"
-      value: "cn=groups,dc=swp-ldap,dc=internal"
-    - name: "LDAP_USERS_DN"
-      value: "cn=users,dc=swp-ldap,dc=internal"
-    - name: "LDAP_SERVER_URL"
-      value: {{ .Values.ldap.host | quote }}
-    - name: "IDENTIFIER"
-      value: "souvap"
-    - name: "THEME"
-      value: "souvap"
-    - name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
-      value: "600s"
-    - name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
-      value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-    - name: "KEYCLOAK_DOMAIN"
-      value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    - name: "OPENXCHANGE_8_DOMAIN"
-      value: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-    - name: "XWIKI_DOMAIN"
-      value: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
-    - name: "OPENPROJECT_DOMAIN"
-      value: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
-    - name: "NEXTCLOUD_DOMAIN"
-      value: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
-    - name: "MATRIX_DOMAIN"
-      value: "{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}"
-    - name: "JITSI_DOMAIN"
-      value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    - name: "ELEMENT_DOMAIN"
-      value: "{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
-    - name: "INTERCOM_SERVICE_DOMAIN"
-      value: "{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
-    - name: "CLIENT_SECRET_INTERCOM_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
-    - name: "CLIENT_SECRET_MATRIX_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
-    - name: "CLIENT_SECRET_JITSI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.jitsi | quote }}
-    - name: "CLIENT_SECRET_NCOIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
-    - name: "CLIENT_SECRET_OPENPROJECT_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
-    - name: "CLIENT_SECRET_XWIKI_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-    - name: "CLIENT_SECRET_AS8OIDC_PASSWORD"
-      value: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
-    - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
-      value: "storage_provider_ucsldap"
-    - name: "LDAPSEARCH_PASSWORD"
-      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
-    - name: "LDAPSEARCH_USERNAME"
-      value: "ldapsearch_keycloak"
-  resources:
-    {{ .Values.resources.keycloak | toYaml | nindent 4 }}
-
-resources:
-  {{ .Values.resources.keycloak | toYaml | nindent 2 }}
-...

helmfile/apps/keycloak/values-keycloak.yaml

@@ -1,85 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-postgresql:
-  enabled: false
-externalDatabase:
-  existingSecret: ""
-  existingSecretPasswordKey: ""
-auth:
-  adminUser: "kcadmin"
-# not working as expected with older helm chart, check if it works with most recent one.
-# meanwhile we set the loglevel using the extraEnvVars a bit below.
-# logging:
-#   level: "DEBUG"
-extraEnvVars:
-  - name: "KC_LOG_LEVEL"
-    value: "INFO"
-extraStartupArgs: >
-  -Dkeycloak.profile.feature.token_exchange=enabled
-  -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
-
-service:
-  type: "ClusterIP"
-ingress:
-  enabled: false
-extraVolumes:
-  - name: "keycloak-theme"
-    configMap:
-      name: "keycloak-theme"
-      items:
-        - key: "theme.properties"
-          path: "souvap/login/theme.properties"
-        - key: "messages_de.properties"
-          path: "souvap/login/messages/messages_de.properties"
-        - key: "messages_en.properties"
-          path: "souvap/login/messages/messages_en.properties"
-        - key: "styles.css"
-          path: "souvap/login/resources/css/styles.css"
-        - key: "logo.svg"
-          path: "souvap/login/resources/img/logo_phoenix.svg"
-        - key: "login.ftl"
-          path: "souvap/login/login.ftl"
-extraVolumeMounts:
-  - name: "keycloak-theme"
-    mountPath: "/opt/bitnami/keycloak/themes"
-
-keycloakConfigCli:
-  enabled: true
-  command:
-    - "java"
-    - "-jar"
-    - "/opt/bitnami/keycloak-config-cli/keycloak-config-cli-19.0.3.jar"
-  args:
-    - "--import.var-substitution.enabled=true"
-  cache:
-    enabled: false
-  containerSecurityContext:
-    enabled: true
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsUser: 1001
-    runAsGroup: 1001
-    runAsNonRoot: true
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  runAsNonRoot: true
-
-podSecurityContext:
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-...

helmfile/apps/keycloak/values-theme.gotmpl

@@ -1,13 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-...

helmfile/apps/nextcloud/helmfile.yaml

@@ -3,32 +3,30 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk Keycloak Bootstrap
-  # Source:
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
-  #  https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/sovereign-workplace-nextcloud-bootstrap
+  - name: "nextcloud-bootstrap-repo"
-  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: {{ .Values.charts.nextcloudBootstrap.oci }}
-    oci: true
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.nextcloudBootstrap.verify }}
+    username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
+    password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
+    url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
+
   # Nextcloud
   # Source: https://github.com/nextcloud/helm/
   - name: "nextcloud-repo"
-    url: >-
+    oci: {{ .Values.charts.nextcloud.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.nextcloud.username | quote }}
-         default "https://nextcloud.github.io/helm/" }}
+    password: {{ .Values.charts.nextcloud.password | quote }}
+    url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 
 releases:
   - name: "opendesk-nextcloud-bootstrap"
-    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
+    chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
-    version: "3.2.3"
+    version: "{{ .Values.charts.nextcloudBootstrap.version }}"
     wait: true
     waitForJobs: true
     values:
@@ -38,8 +36,8 @@ releases:
     timeout: 900
 
   - name: "nextcloud"
-    chart: "nextcloud-repo/nextcloud"
+    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
-    version: "3.5.19"
+    version: "{{ .Values.charts.nextcloud.version }}"
     needs:
       - "opendesk-nextcloud-bootstrap"
     values:

helmfile/apps/nextcloud/values-bootstrap.gotmpl

@@ -28,6 +28,7 @@ config:
       password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
     userOidc:
       password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+      realm: {{ .Values.platform.realm }}
 
   database:
     host: {{ .Values.databases.nextcloud.host | quote }}
@@ -37,13 +38,14 @@ config:
 
   ldapSearch:
     host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
+    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
 
   serverinfo:
     token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
   smtp:
     host: {{ .Values.smtp.host | quote }}
+    port: {{ .Values.smtp.port | quote }}
     username: {{ .Values.smtp.username | quote }}
     password: {{ .Values.smtp.password | quote }}
 

helmfile/apps/nextcloud/values-bootstrap.yaml

@@ -7,10 +7,24 @@ config:
 
   apps:
     integrationSwp:
-      username: "phoenixusername"
+      username: "opendesk_username"
     userOidc:
-      username: "ncoidc"
+      username: "opendesk-nextcloud"
+      userIdAttribute: "opendesk_useruuid"
 
   cryptpad:
     enabled: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 33
+  fsGroupChangePolicy: "Always"
 ...

helmfile/apps/nextcloud/values-nextcloud.gotmpl

@@ -49,6 +49,8 @@ metrics:
     enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
     labels:
       {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
+  resources:
+    {{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
 
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}

helmfile/apps/nextcloud/values-nextcloud.yaml

@@ -20,6 +20,11 @@ cronjob:
       - >
         sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
         \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
 
 ingress:
   annotations:
@@ -52,6 +57,20 @@ nextcloud:
       {
         "drawio": ["application/x-drawio"]
       }
+  podSecurityContext:
+    fsGroup: 33
+    seccompProfile:
+      type: "RuntimeDefault"
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+      add:
+        - "NET_BIND_SERVICE"
+        - "SETGID"
+        - "SETUID"
 
 # this is not documented but can be found in values.yaml
 service:

helmfile/apps/open-xchange/helmfile.yaml

@@ -3,39 +3,40 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
-  - name: "opendesk-dovecot-repo"
+  - name: "dovecot-repo"
-    oci: true
+    oci: {{ .Values.charts.dovecot.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.dovecot.verify }}
+    username: {{ .Values.charts.dovecot.username | quote }}
+    password: {{ .Values.charts.dovecot.password | quote }}
+    url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+
   # Open-Xchange
-  - name: "openxchange-repo"
+  - name: "open-xchange-repo"
-    oci: true
+    oci: {{ .Values.charts.openXchangeAppSuite.oci }}
-    url: >-
+    username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
+    password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
+    url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+
   # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-open-xchange-bootstrap
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
-  - name: "opendesk-open-xchange-bootstrap-repo"
+  - name: "open-xchange-bootstrap-repo"
-    oci: true
+    oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
+    username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
+    password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
+    url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 
 releases:
   - name: "dovecot"
-    chart: "opendesk-dovecot-repo/dovecot"
+    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
-    version: "1.3.5"
+    version: "{{ .Values.charts.dovecot.version }}"
     values:
       - "values-dovecot.yaml"
       - "values-dovecot.gotmpl"
@@ -43,8 +44,8 @@ releases:
     timeout: 900
 
   - name: "open-xchange"
-    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
-    version: "2.1.1"
+    version: "{{ .Values.charts.openXchangeAppSuite.version }}"
     values:
       - "values-openxchange.yaml"
       - "values-openxchange.gotmpl"
@@ -54,8 +55,8 @@ releases:
     timeout: 900
 
   - name: "opendesk-open-xchange-bootstrap"
-    chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
-    version: "1.3.1"
+    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
     values:
       - "values-openxchange-bootstrap.gotmpl"
     installed: {{ .Values.oxAppsuite.enabled }}

helmfile/apps/open-xchange/values-dovecot.gotmpl

@@ -20,12 +20,12 @@ dovecot:
   ldap:
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
     host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
+    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
   oidc:
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
-    introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
+    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
-    clientID: "as8oidc"
+    clientID: "opendesk-dovecot"
   loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
 
 certificate:

helmfile/apps/open-xchange/values-dovecot.yaml

@@ -1,6 +1,24 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "KILL"
+      - "NET_BIND_SERVICE"
+      - "SETGID"
+      - "SETUID"
+      - "SYS_CHROOT"
+  enabled: true
+  readOnlyRootFilesystem: true
+  seccompProfile:
+    type: "RuntimeDefault"
+
 dovecot:
   ldap:
     enabled: true
@@ -9,11 +27,15 @@ dovecot:
 
   oidc:
     enabled: true
-    clientID: "as8oidc"
+    clientID: "opendesk-dovecot"
-    usernameAttribute: "phoenixusername"
+    usernameAttribute: "opendesk_username"
 
   submission:
     enabled: true
     ssl: "no"
     host: "postfix:25"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
 ...

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl

@@ -14,5 +14,5 @@ appsuite:
               port: 389
           auth:
             adminDN:
-              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
 ...

helmfile/apps/open-xchange/values-openxchange.gotmpl

@@ -25,6 +25,8 @@ nextcloud-integration-ui:
   {{- range .Values.global.imagePullSecrets }}
     - name: {{ . | quote }}
   {{- end }}
+  resources:
+    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
 
 public-sector-ui:
   image:
@@ -35,6 +37,8 @@ public-sector-ui:
     - name: {{ . | quote }}
   {{- end }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
 
 appsuite:
   istio:
@@ -62,34 +66,36 @@ appsuite:
         repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
         tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
         pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+      resources:
+        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
     properties:
-      "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
+      "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
-      "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+      "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-      "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
+      "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
       "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
       "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
-      "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
+      "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
-      "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
+      "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+      "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-      "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/certs"
+      "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
       "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
       "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
-      "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
+      "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
-      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
     secretProperties:
       com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
       com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
     propertiesFiles:
       "/opt/open-xchange/etc/ldapauth.properties":
-        bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
         java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
     uiSettings:
       "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
       "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
       # Dynamic theme
       io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
-      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
       io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
       io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
       io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
@@ -119,6 +125,8 @@ appsuite:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
     {{- end }}
+    resources:
+      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
 
   core-ui:
     imagePullSecrets:
@@ -129,6 +137,8 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
       tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
 
   core-ui-middleware:
     ingress:
@@ -146,13 +156,18 @@ appsuite:
     redis:
       auth:
         password: {{ .Values.secrets.redis.password | quote }}
+    resources:
+      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
+      updater:
+      resources:
+        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
 
   core-documentconverter:
     image:
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
     resources:
-      {{- .Values.resources.oxDocumentConverter | toYaml | nindent 6 }}
+      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
 
   core-guidedtours:
     imagePullSecrets:
@@ -163,11 +178,15 @@ appsuite:
       repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
       tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
 
   core-imageconverter:
     image:
       repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
+    resources:
+      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
 
   guard-ui:
     imagePullSecrets:
@@ -178,6 +197,8 @@ appsuite:
       repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
       tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    resources:
+      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
 
   core-user-guide:
     image:
@@ -188,4 +209,6 @@ appsuite:
     {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
     {{- end }}
+    resources:
+      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
 ...

helmfile/apps/open-xchange/values-openxchange.yaml

@@ -14,6 +14,17 @@ appsuite:
     masterAdmin: "admin"
     gotenberg:
       enabled: true
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop:
+            - "ALL"
+        privileged: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 1001
+        seccompProfile:
+          type: "RuntimeDefault"
     features:
       status:
         # enable admin pack
@@ -27,6 +38,7 @@ appsuite:
         open-xchange-authentication-oauth: "enabled"
     properties:
       com.openexchange.UIWebPath: "/appsuite/"
+      com.openexchange.showAdmin: "false"
       # PDF Export
       com.openexchange.capability.mail_export_pdf: "true"
       com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
@@ -43,16 +55,16 @@ appsuite:
       com.openexchange.oidc.startDefaultBackend: "true"
       com.openexchange.oidc.ssoLogout: "true"
       com.openexchange.oidc.userLookupNamePart: "full"
-      com.openexchange.oidc.userLookupClaim: "phoenixusername"
+      com.openexchange.oidc.userLookupClaim: "opendesk_username"
-      com.openexchange.oidc.clientId: "as8oidc"
+      com.openexchange.oidc.clientId: "opendesk-oxappsuite"
       # OAUTH
       com.openexchange.oauth.provider.enabled: "true"
       com.openexchange.oauth.provider.contextLookupClaim: "context"
       com.openexchange.oauth.provider.contextLookupNamePart: "full"
       com.openexchange.oauth.provider.mode: "expect_jwt"
       com.openexchange.oauth.provider.userLookupNamePart: "full"
-      com.openexchange.oauth.provider.userLookupClaim: "phoenixusername"
+      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
-      com.openexchange.authentication.oauth.clientId: "as8oidc"
+      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
       # MAIL
       com.openexchange.mail.authType: "xoauth2"
       com.openexchange.mail.loginSource: "mail"
@@ -138,6 +150,9 @@ appsuite:
       io.ox/core//coloredIcons: "false"
       # Mail templates
       io.ox/core//features/templates: "true"
+      # Contact Collector
+      io.ox/mail//contactCollectOnMailTransport: "true"
+      # io.ox/mail//contactCollectOnMailAccess: "true"
 
     asConfig:
       default:
@@ -158,8 +173,23 @@ appsuite:
           mkdir -p /opt/open-xchange/guard-files
           chown open-xchange:open-xchange /opt/open-xchange/guard-files
 
+    # Security context for core-mw has no effect yet
+    # podSecurityContext: {}
+    # securityContext: {}
+
   core-ui:
     enabled: true
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: "RuntimeDefault"
 
   core-ui-middleware:
     enabled: true
@@ -170,15 +200,62 @@ appsuite:
         - "redis-master:6379"
       auth:
         enabled: true
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: "RuntimeDefault"
 
   core-guidedtours:
     enabled: true
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: "RuntimeDefault"
+
   guard-ui:
     enabled: true
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: "RuntimeDefault"
+
   core-cacheservice:
     enabled: false
+
   core-user-guide:
     enabled: true
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 1000
+      seccompProfile:
+        type: "RuntimeDefault"
 
   core-imageconverter:
     enabled: true
@@ -188,6 +265,19 @@ appsuite:
           endpoint: "."
           accessKey: "."
           secretKey: "."
+    podSecurityContext:
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 987
+      seccompProfile:
+        type: "RuntimeDefault"
+    securityContext:
+      # missing:
+      # readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
 
   core-spellcheck:
     enabled: false
@@ -198,6 +288,19 @@ appsuite:
       cache:
         remoteCache:
           enabled: false
+    podSecurityContext:
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 987
+      seccompProfile:
+        type: "RuntimeDefault"
+    securityContext:
+      # missing:
+      # readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - "ALL"
 
   core-documents-collaboration:
     enabled: false
@@ -213,3 +316,30 @@ appsuite:
     enabled: false
   core-drive-help:
     enabled: false
+
+nextcloud-integration-ui:
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    readOnlyRootFilesystem: true
+    runAsGroup: 1000
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: "RuntimeDefault"
+
+public-sector-ui:
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    readOnlyRootFilesystem: true
+    runAsGroup: 1000
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: "RuntimeDefault"
+...

helmfile/apps/openproject-bootstrap/helmfile.yaml

@@ -3,25 +3,22 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # openDesk OpenProject Bootstrap
   # Source: Set when repo is managed on Open CoDE
-  - name: "opendesk-openproject-bootstrap-repo"
+  - name: "openproject-bootstrap-repo"
-    oci: true
+    oci: {{ .Values.charts.openprojectBootstrap.oci }}
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.openprojectBootstrap.verify }}
+    username: {{ .Values.charts.openprojectBootstrap.username | quote }}
+    password: {{ .Values.charts.openprojectBootstrap.password | quote }}
+    url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 
 releases:
   - name: "opendesk-openproject-bootstrap"
-    chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
+    chart: "openproject-bootstrap-repo/{{ .Values.charts.openprojectBootstrap.name }}"
-    version: "1.2.1"
+    version: "{{ .Values.charts.openprojectBootstrap.version }}"
     wait: true
     waitForJobs: true
     values:

helmfile/apps/openproject-bootstrap/values.gotmpl

@@ -4,18 +4,18 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  domain: "{{ .Values.global.domain }}"
+  domain: {{ .Values.global.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | quote }}
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 image:
   registry: {{ .Values.global.imageRegistry }}
-  repository: "{{ .Values.images.openprojectBootstrap.repository }}"
+  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
-  tag: "{{ .Values.images.openprojectBootstrap.tag }}"
+  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 
 cleanup:
   deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}

helmfile/apps/openproject/helmfile.yaml

@@ -3,20 +3,22 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # OpenProject
   # Source: https://github.com/opf/helm-charts
   - name: "openproject-repo"
-    url: >-
+    oci: {{ .Values.charts.openproject.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
-         default "https://charts.openproject.org" }}
+    verify: {{ .Values.charts.openproject.verify }}
+    username: {{ .Values.charts.openproject.username | quote }}
+    password: {{ .Values.charts.openproject.password | quote }}
+    url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 
 releases:
   - name: "openproject"
-    chart: "openproject-repo/openproject"
+    chart: "openproject-repo/{{ .Values.charts.openproject.name }}"
-    version: "2.4.0"
+    version: "{{ .Values.charts.openproject.version }}"
     wait: true
     waitForJobs: true
     values:

helmfile/apps/openproject/values.gotmpl

@@ -46,7 +46,10 @@ openproject:
     mail: "openproject-admin@swp-domain.internal"
     password_reset: "false"
     password: {{ .Values.secrets.openproject.adminPassword | quote }}
-
+  oidc:
+    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
+    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
+    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
 ingress:
   host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
   enabled: {{ .Values.ingress.enabled }}
@@ -56,18 +59,18 @@ ingress:
     secretName: {{ .Values.ingress.tls.secretName | quote }}
 
 environment:
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
   OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
   OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
   OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
@@ -76,10 +79,18 @@ environment:
   OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
   OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
-  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  {{ if ne .Values.objectstores.openproject.backend "aws" }}
-  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+  {{ end }}
+  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
+  OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
+  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 
 replicaCount: {{ .Values.replicas.openproject }}
 

helmfile/apps/openproject/values.yaml

@@ -22,19 +22,23 @@ openproject:
   oidc:
     enabled: true
     provider: "keycloak"
-    identifier: "openproject"
+    identifier: "opendesk-openproject"
-    authorizationEndpoint: "/realms/souvap/protocol/openid-connect/auth"
+    scope: "[openid,opendesk]"
-    tokenEndpoint: "/realms/souvap/protocol/openid-connect/token"
-    userinfoEndpoint: "/realms/souvap/protocol/openid-connect/userinfo"
-    scope: "[openid,phoenix]"
   # seed will only be executed on initial installation
   seed_locale: "de"
 
-securityContext:
+containerSecurityContext:
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
   allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
   seccompProfile:
     type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
 
 persistence:
   enabled: false
@@ -46,7 +50,7 @@ s3:
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:
   OPENPROJECT_LOG__LEVEL: "info"
-  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "phoenixusername"
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username"
   OPENPROJECT_LOGIN__REQUIRED: "true"
   OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -75,8 +79,12 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
   # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
   OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
-  OPENPROJECT_FOG_DIRECTORY: "openproject"
-  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
   OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
-  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
+  # Define an admin mapping from the claim
+  # The attribute mapping cannot currently be defined in the value
+  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
+
+seederJob:
+  annotations:
+    intents.otterize.com/service-name: "openproject-seeder"
 ...

helmfile/apps/provisioning/helmfile.yaml

@@ -3,19 +3,19 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # OX Connector
   - name: "ox-connector-repo"
-    url: >-
+    oci: {{ .Values.charts.oxConnector.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.oxConnector.username | quote }}
-         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
+    password: {{ .Values.charts.oxConnector.password | quote }}
+    url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 
 releases:
   - name: "ox-connector"
-    chart: "ox-connector-repo/ox-connector"
+    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
-    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
+    version: "{{ .Values.charts.oxConnector.version }}"
     values:
       - "values-oxconnector.yaml"
       - "values-oxconnector.gotmpl"

helmfile/apps/provisioning/values-oxconnector.gotmpl

@@ -26,7 +26,7 @@ oxConnector:
   oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
   oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
   oxDefaultContext: "1"
-  ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 
 resources:
   {{ .Values.resources.oxConnector | toYaml | nindent 2 }}

helmfile/apps/services/helmfile.yaml

@@ -3,143 +3,194 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
+  # openDesk Otterize
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
+  - name: "otterize-repo"
+    oci: {{ .Values.charts.otterize.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.otterize.verify }}
+    username: {{ .Values.charts.otterize.username | quote }}
+    password: {{ .Values.charts.otterize.password | quote }}
+    url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
-  - name: "opendesk-certificates-repo"
+  - name: "certificates-repo"
-    oci: true
+    oci: {{ .Values.charts.certificates.oci }}
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
-    # yamllint enable rule:line-length
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.certificates.verify }}
+    username: {{ .Values.charts.certificates.username | quote }}
+    password: {{ .Values.charts.certificates.password | quote }}
+    url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+
   # openDesk PostgreSQL
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
   - name: "postgresql-repo"
-    oci: true
+    oci: {{ .Values.charts.postgresql.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.postgresql.verify }}
+    username: {{ .Values.charts.postgresql.username | quote }}
+    password: {{ .Values.charts.postgresql.password | quote }}
+    url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+
   # openDesk MariaDB
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
   - name: "mariadb-repo"
-    oci: true
+    oci: {{ .Values.charts.mariadb.oci }}
-    url: >-
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+    verify: {{ .Values.charts.mariadb.verify }}
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+    username: {{ .Values.charts.mariadb.username | quote }}
-    verify: true
+    password: {{ .Values.charts.mariadb.password | quote }}
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
   - name: "postfix-repo"
-    oci: true
+    oci: {{ .Values.charts.postfix.oci }}
-    url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.postfix.verify }}
+    username: {{ .Values.charts.postfix.username | quote }}
+    password: {{ .Values.charts.postfix.password | quote }}
+    url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+
   # openDesk Istio Resources
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
   - name: "istio-resources-repo"
-    oci: true
+    oci: {{ .Values.charts.istioResources.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.istioResources.verify }}
+    username: {{ .Values.charts.istioResources.username | quote }}
+    password: {{ .Values.charts.istioResources.password | quote }}
+    url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
+
   # openDesk ClamAV
   # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
   - name: "clamav-repo"
-    oci: true
+    oci: {{ .Values.charts.clamav.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.clamav.verify }}
+    username: {{ .Values.charts.clamav.username | quote }}
+    password: {{ .Values.charts.clamav.password | quote }}
+    url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+  - name: "clamav-simple-repo"
+    oci: {{ .Values.charts.clamavSimple.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.clamavSimple.verify }}
+    username: {{ .Values.charts.clamavSimple.username | quote }}
+    password: {{ .Values.charts.clamavSimple.password | quote }}
+    url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
+  - name: "memcached-repo"
-    oci: true
+    oci: {{ .Values.charts.memcached.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.memcached.verify }}
+    username: {{ .Values.charts.memcached.username | quote }}
+    password: {{ .Values.charts.memcached.password | quote }}
+    url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+  - name: "redis-repo"
+    oci: {{ .Values.charts.redis.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.redis.verify }}
+    username: {{ .Values.charts.redis.username | quote }}
+    password: {{ .Values.charts.redis.password | quote }}
+    url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+  - name: "minio-repo"
+    oci: {{ .Values.charts.minio.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.minio.verify }}
+    username: {{ .Values.charts.minio.username | quote }}
+    password: {{ .Values.charts.minio.password | quote }}
+    url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+
 
 releases:
+  - name: "opendesk-otterize"
+    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
+    version: "{{ .Values.charts.otterize.version }}"
+    values:
+      - "values-otterize.gotmpl"
+    installed: {{ .Values.security.otterizeIntents.enabled }}
+
   - name: "opendesk-certificates"
-    chart: "opendesk-certificates-repo/opendesk-certificates"
+    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
-    version: "2.1.0"
+    version: "{{ .Values.charts.certificates.version }}"
     values:
       - "values-certificates.gotmpl"
     installed: {{ .Values.certificates.enabled }}
+
   - name: "redis"
-    chart: "bitnami-repo/redis"
+    chart: "redis-repo/{{ .Values.charts.redis.name }}"
-    version: "18.1.2"
+    version: "{{ .Values.charts.redis.version }}"
     values:
       - "values-redis.gotmpl"
       - "values-redis.yaml"
     installed: {{ .Values.redis.enabled }}
+
   - name: "memcached"
-    chart: "bitnami-repo/memcached"
+    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
-    version: "6.6.2"
+    version: "{{ .Values.charts.memcached.version }}"
     values:
       - "values-memcached.yaml"
       - "values-memcached.gotmpl"
     installed: {{ .Values.memcached.enabled }}
+
   - name: "postgresql"
-    chart: "postgresql-repo/postgresql"
+    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
-    version: "2.0.3"
+    version: "{{ .Values.charts.postgresql.version }}"
     values:
       - "values-postgresql.yaml"
       - "values-postgresql.gotmpl"
     installed: {{ .Values.postgresql.enabled }}
     timeout: 900
+
   - name: "mariadb"
-    chart: "mariadb-repo/mariadb"
+    chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
-    version: "2.1.1"
+    version: "{{ .Values.charts.mariadb.version }}"
     values:
       - "values-mariadb.yaml"
       - "values-mariadb.gotmpl"
     installed: {{ .Values.mariadb.enabled }}
     timeout: 900
+
   - name: "postfix"
-    chart: "postfix-repo/postfix"
+    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
-    version: "2.0.4"
+    version: "{{ .Values.charts.postfix.version }}"
     values:
       - "values-postfix.yaml"
       - "values-postfix.gotmpl"
     installed: {{ .Values.postfix.enabled }}
+
   - name: "clamav"
-    chart: "clamav-repo/opendesk-clamav"
+    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
-    version: "4.0.0"
+    version: "{{ .Values.charts.clamav.version }}"
     values:
       - "values-clamav-distributed.yaml"
       - "values-clamav-distributed.gotmpl"
     installed: {{ .Values.clamavDistributed.enabled }}
+
   - name: "clamav-simple"
-    chart: "clamav-repo/clamav-simple"
+    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
-    version: "4.0.0"
+    version: "{{ .Values.charts.clamavSimple.version }}"
     values:
       - "values-clamav-simple.yaml"
       - "values-clamav-simple.gotmpl"
     installed: {{ .Values.clamavSimple.enabled }}
+
   - name: "opendesk-gateway"
-    chart: "istio-resources-repo/istio-gateway"
+    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
-    version: "2.0.0"
+    version: "{{ .Values.charts.istioResources.version }}"
     values:
       - "values-istio-gateway.yaml"
       - "values-istio-gateway.gotmpl"
     installed: {{ .Values.istio.enabled }}
+
   - name: "minio"
-    chart: "bitnami-repo/minio"
+    chart: "minio-repo/{{ .Values.charts.minio.name }}"
-    version: "12.8.19"
+    version: "{{ .Values.charts.minio.version }}"
     values:
       - "values-minio.yaml"
       - "values-minio.gotmpl"

helmfile/apps/services/values-mariadb.gotmpl

@@ -8,6 +8,9 @@ global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
   repository: {{ .Values.images.mariadb.repository | quote }}
   tag: {{ .Values.images.mariadb.tag | quote }}

helmfile/apps/services/values-otterize.gotmpl

@@ -0,0 +1,54 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apps:
+  clamavDistributed:
+    enabled: {{ .Values.clamavDistributed.enabled }}
+  clamavSimple:
+    enabled: {{ .Values.clamavSimple.enabled }}
+  collabora:
+    enabled: {{ .Values.collabora.enabled }}
+  cryptpad:
+    enabled: {{ .Values.cryptpad.enabled }}
+  dovecot:
+    enabled: {{ .Values.dovecot.enabled }}
+  element:
+    enabled: {{ .Values.element.enabled }}
+  intercom:
+    enabled: {{ .Values.intercom.enabled }}
+  jitsi:
+    enabled: {{ .Values.jitsi.enabled }}
+  keycloak:
+    enabled: {{ .Values.keycloak.enabled }}
+  mariadb:
+    enabled: {{ .Values.mariadb.enabled }}
+  memcached:
+    enabled: {{ .Values.memcached.enabled }}
+  minio:
+    enabled: {{ .Values.minio.enabled }}
+  nextcloud:
+    enabled: {{ .Values.nextcloud.enabled }}
+  openproject:
+    enabled: {{ .Values.openproject.enabled }}
+  oxAppsuite:
+    enabled: {{ .Values.oxAppsuite.enabled }}
+  oxConnector:
+    enabled: {{ .Values.oxConnector.enabled }}
+  postfix:
+    enabled: {{ .Values.postfix.enabled }}
+  postgresql:
+    enabled: {{ .Values.postgresql.enabled }}
+  redis:
+    enabled: {{ .Values.redis.enabled }}
+  univentionManagementStack:
+    enabled: {{ .Values.univentionManagementStack.enabled }}
+  xwiki:
+    enabled: {{ .Values.xwiki.enabled }}
+
+extraApps:
+  clusterPostfix:
+    enabled: {{ .Values.security.clusterPostfix.enabled }}
+    namespace: {{ .Values.security.clusterPostfix.namespace }}
+...

helmfile/apps/services/values-postfix.gotmpl

@@ -24,7 +24,7 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: {{ printf "[%s]:587" .Values.smtp.host | quote }}
+  relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
   relayNets: {{ .Values.cluster.networking.cidr | quote}}
   virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"

helmfile/apps/services/values-postgresql.gotmpl

@@ -24,7 +24,9 @@ job:
     - username: "matrix_user"
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+    - username: "selfservice_user"
+      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"
@@ -37,6 +39,8 @@ job:
       additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
     - name: "notificationsapi"
       user: "notificationsapi_user"
+    - name: "selfservice"
+      user: "selfservice_user"
 
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/univention-corporate-container/helmfile.yaml

@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-bases:
-  - "../../bases/environments.yaml"
-
----
-repositories:
-  # openDesk Univention Corporate Server (as eval Container)
-  - name: "univention-corporate-container-repo"
-    oci: true
-    # yamllint disable rule:line-length
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
-         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
-    # yamllint enable rule:line-length
-    verify: true
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-
-releases:
-  - name: "univention-corporate-container"
-    chart: "univention-corporate-container-repo/univention-corporate-container"
-    version: "1.0.10"
-    values:
-      - "values.yaml"
-      - "values.gotmpl"
-    installed: {{ .Values.univentionCorporateServer.enabled }}
-
-commonLabels:
-  deploy-stage: "component-1"
-  component: "univention-corporate-container"
-...

helmfile/apps/univention-corporate-container/values.gotmpl

@@ -1,68 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
-  tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
-
-ingress:
-  host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
-
-extraEnvVars:
-  - name: ISTIO_DOMAIN
-    value: {{ .Values.istio.domain | quote }}
-  - name: CENTRALNAVIGATION_API_SECRET
-    value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  - name: LDAPSEARCH_OX_USERNAME
-    value: "ldapsearch_ox"
-  - name: LDAPSEARCH_OX_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
-  - name: LDAPSEARCH_DOVECOT_USERNAME
-    value: "ldapsearch_dovecot"
-  - name: LDAPSEARCH_DOVECOT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
-  - name: LDAPSEARCH_KEYCLOAK_USERNAME
-    value: "ldapsearch_keycloak"
-  - name: LDAPSEARCH_KEYCLOAK_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
-  - name: LDAPSEARCH_NEXTCLOUD_USERNAME
-    value: "ldapsearch_nextcloud"
-  - name: LDAPSEARCH_NEXTCLOUD_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
-  - name: LDAPSEARCH_OPENPROJECT_USERNAME
-    value: "ldapsearch_openproject"
-  - name: LDAPSEARCH_OPENPROJECT_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
-  - name: LDAPSEARCH_XWIKI_USERNAME
-    value: "ldapsearch_xwiki"
-  - name: LDAPSEARCH_XWIKI_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
-  - name: DEFAULT_ACCOUNT_USER_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
-  - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
-    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
-
-resources:
-  {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
-...

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -3,137 +3,270 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # Univention Management Stack
-  - name: "ums-repo"
+  - name: "ums-store-dav-repo"
-    url: >-
+    oci: {{ .Values.charts.umsStoreDav.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.umsStoreDav.username | quote }}
-         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+    password: {{ .Values.charts.umsStoreDav.password | quote }}
+    url: "{{ .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
+  - name: "ums-ldap-server-repo"
+    oci: {{ .Values.charts.umsLdapServer.oci }}
+    username: {{ .Values.charts.umsLdapServer.username | quote }}
+    password: {{ .Values.charts.umsLdapServer.password | quote }}
+    url: "{{ .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
+  - name: "ums-ldap-notifier-repo"
+    oci: {{ .Values.charts.umsLdapNotifier.oci }}
+    username: {{ .Values.charts.umsLdapNotifier.username | quote }}
+    password: {{ .Values.charts.umsLdapNotifier.password | quote }}
+    url: "{{ .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
+  - name: "ums-udm-rest-api-repo"
+    oci: {{ .Values.charts.umsUdmRestApi.oci }}
+    username: {{ .Values.charts.umsUdmRestApi.username | quote }}
+    password: {{ .Values.charts.umsUdmRestApi.password | quote }}
+    url: "{{ .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
+  - name: "ums-stack-data-ums-repo"
+    oci: {{ .Values.charts.umsStackDataUms.oci }}
+    username: {{ .Values.charts.umsStackDataUms.username | quote }}
+    password: {{ .Values.charts.umsStackDataUms.password | quote }}
+    url: "{{ .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
+  - name: "ums-stack-data-swp-repo"
+    oci: {{ .Values.charts.umsStackDataSwp.oci }}
+    username: {{ .Values.charts.umsStackDataSwp.username | quote }}
+    password: {{ .Values.charts.umsStackDataSwp.password | quote }}
+    url: "{{ .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
+  - name: "ums-portal-server-repo"
+    oci: {{ .Values.charts.umsPortalServer.oci }}
+    username: {{ .Values.charts.umsPortalServer.username | quote }}
+    password: {{ .Values.charts.umsPortalServer.password | quote }}
+    url: "{{ .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
+  - name: "ums-notifications-api-repo"
+    oci: {{ .Values.charts.umsNotificationsApi.oci }}
+    username: {{ .Values.charts.umsNotificationsApi.username | quote }}
+    password: {{ .Values.charts.umsNotificationsApi.password | quote }}
+    url: "{{ .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
+  - name: "ums-portal-listener-repo"
+    oci: {{ .Values.charts.umsPortalListener.oci }}
+    username: {{ .Values.charts.umsPortalListener.username | quote }}
+    password: {{ .Values.charts.umsPortalListener.password | quote }}
+    url: "{{ .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
+  - name: "ums-portal-frontend-repo"
+    oci: {{ .Values.charts.umsPortalFrontend.oci }}
+    username: {{ .Values.charts.umsPortalFrontend.username | quote }}
+    password: {{ .Values.charts.umsPortalFrontend.password | quote }}
+    url: "{{ .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
+  - name: "ums-umc-gateway-repo"
+    oci: {{ .Values.charts.umsUmcGateway.oci }}
+    username: {{ .Values.charts.umsUmcGateway.username | quote }}
+    password: {{ .Values.charts.umsUmcGateway.password | quote }}
+    url: "{{ .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
+  - name: "ums-umc-server-repo"
+    oci: {{ .Values.charts.umsUmcServer.oci }}
+    username: {{ .Values.charts.umsUmcServer.username | quote }}
+    password: {{ .Values.charts.umsUmcServer.password | quote }}
+    url: "{{ .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
+  - name: "ums-selfservice-listener-repo"
+    oci: {{ .Values.charts.umsSelfserviceListener.oci }}
+    username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
+    password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
+    url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+
+  # Univention Keycloak Extensions
+  - name: "ums-keycloak-extensions-repo"
+    oci: {{ .Values.charts.umsKeycloakExtensions.oci }}
+    username: {{ .Values.charts.umsKeycloakExtensions.username | quote }}
+    password: {{ .Values.charts.umsKeycloakExtensions.password | quote }}
+    url: "{{ .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
+  # Univention Keycloak
+  - name: "ums-keycloak-repo"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.umsKeycloak.verify }}
+    oci: {{ .Values.charts.umsKeycloak.oci }}
+    username: {{ .Values.charts.umsKeycloak.username | quote }}
+    password: {{ .Values.charts.umsKeycloak.password | quote }}
+    url: "{{ .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
+  - name: "ums-keycloak-bootstrap-repo"
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
+    oci: {{ .Values.charts.umsKeycloakBootstrap.oci }}
+    username: {{ .Values.charts.umsKeycloakBootstrap.username | quote }}
+    password: {{ .Values.charts.umsKeycloakBootstrap.password | quote }}
+    url: "{{ .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
+  - name: "opendesk-keycloak-bootstrap-repo"
+    oci: {{ .Values.charts.opendeskKeycloakBootstrap.oci }}
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
+    username: {{ .Values.charts.opendeskKeycloakBootstrap.username | quote }}
+    password: {{ .Values.charts.opendeskKeycloakBootstrap.password | quote }}
+    url: "{{ .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
   # VMWare Bitnami
   # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
+  - name: "nginx-repo"
-    oci: true
+    oci: {{ .Values.charts.nginx.oci }}
-    url: >-
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
-    verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    verify: {{ .Values.charts.nginx.verify }}
+    username: {{ .Values.charts.nginx.username | quote }}
+    password: {{ .Values.charts.nginx.password | quote }}
+    url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
 
 releases:
-  # TODO: Interim, until the UMS stack has a stack umbrella chart and provides a solution
+  - name: "ums-keycloak"
-  # {{- if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}
+    chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
+    version: "{{ .Values.charts.umsKeycloak.version }}"
+    values:
+      - "values-ums-keycloak.yaml.gotmpl"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
+  - name: "ums-keycloak-extensions"
+    chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
+    version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
+    values:
+      - "values-ums-keycloak-extensions.yaml.gotmpl"
+    needs:
+      - "ums-keycloak"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
+  - name: "ums-keycloak-bootstrap"
+    chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
+    version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
+    values:
+      - "values-ums-keycloak-bootstrap.yaml.gotmpl"
+    needs:
+      - "ums-keycloak"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
+  - name: "opendesk-keycloak-bootstrap"
+    chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
+    version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
+    values:
+      - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
+    needs:
+      - "ums-keycloak-bootstrap"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-stack-gateway"
-    chart: "bitnami-repo/nginx"
+    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
-    version: "15.3.5"
+    version: "{{ .Values.charts.nginx.version }}"
     values:
       - "values-ums-stack-gateway.gotmpl"
+      - "values-ums-stack-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
-  # {{- end }}
+
   - name: "ums-store-dav"
-    chart: "ums-repo/store-dav"
+    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
-    version: "0.5.2"
+    version: "{{ .Values.charts.umsStoreDav.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-store-dav.gotmpl"
+      - "values-store-dav.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-ldap-server"
-    chart: "ums-repo/ldap-server"
+    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
-    version: "0.7.0"
+    version: "{{ .Values.charts.umsLdapServer.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-server.gotmpl"
       - "values-ldap-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-ldap-notifier"
-    chart: "ums-repo/ldap-notifier"
+    chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
-    version: "0.7.0"
+    version: "{{ .Values.charts.umsLdapNotifier.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-ldap-notifier.gotmpl"
       - "values-ldap-notifier.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-udm-rest-api"
-    chart: "ums-repo/udm-rest-api"
+    chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
-    version: "0.3.5"
+    version: "{{ .Values.charts.umsUdmRestApi.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-udm-rest-api.gotmpl"
+      - "values-udm-rest-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-stack-data-ums"
-    chart: "ums-repo/stack-data-ums"
+    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
-    version: "0.33.0"
+    version: "{{ .Values.charts.umsStackDataUms.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-ums.gotmpl"
+      - "values-stack-data-ums.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-stack-data-swp"
-    chart: "ums-repo/stack-data-swp"
+    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
-    version: "0.33.0"
+    version: "{{ .Values.charts.umsStackDataSwp.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-stack-data-swp.gotmpl"
+      - "values-stack-data-swp.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-portal-server"
-    chart: "ums-repo/portal-server"
+    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
-    version: "0.4.3"
+    version: "{{ .Values.charts.umsPortalServer.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-server.gotmpl"
+      - "values-portal-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-notifications-api"
-    chart: "ums-repo/notifications-api"
+    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
-    version: "0.4.3"
+    version: "{{ .Values.charts.umsNotificationsApi.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-notifications-api.gotmpl"
       - "values-notifications-api.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-portal-listener"
-    chart: "ums-repo/portal-listener"
+    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
-    version: "0.4.3"
+    version: "{{ .Values.charts.umsPortalListener.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-listener.gotmpl"
       - "values-portal-listener.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-portal-frontend"
-    chart: "ums-repo/portal-frontend"
+    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
-    version: "0.4.3"
+    version: "{{ .Values.charts.umsPortalFrontend.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-portal-frontend.gotmpl"
+      - "values-portal-frontend.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
-  - name: "ums-portal-frontend-custom"
+
-    # TODO: Replace with our own Nginx chart.
-    chart: "bitnami-repo/nginx"
-    version: "15.3.5"
-    values:
-      - "values-portal-frontend-custom.yaml"
-      - "values-portal-frontend-custom.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
   - name: "ums-umc-gateway"
-    chart: "ums-repo/umc-gateway"
+    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
-    version: "0.5.1"
+    version: "{{ .Values.charts.umsUmcGateway.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
       - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
+
   - name: "ums-umc-server"
-    chart: "ums-repo/umc-server"
+    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
-    version: "0.5.1"
+    version: "{{ .Values.charts.umsUmcServer.version }}"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -141,6 +274,16 @@ releases:
       - "values-umc-server.yaml"
     installed: {{ .Values.univentionManagementStack.enabled }}
 
+  - name: "ums-selfservice-listener"
+    chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
+    version: "{{ .Values.charts.umsSelfserviceListener.version }}"
+    values:
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-selfservice-listener.gotmpl"
+      - "values-selfservice-listener.yaml"
+    installed: {{ .Values.univentionManagementStack.enabled }}
+
 commonLabels:
   deploy-stage: "component-1"
   component: "univention-management-stack"

helmfile/apps/univention-management-stack/values-common.gotmpl

@@ -4,11 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ingress:
-  enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
+  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  host: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
+
-    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
-    enabled: false
-    secretName: ""
 ...

helmfile/apps/univention-management-stack/values-common.yaml

@@ -6,5 +6,18 @@ global:
   configMapUcr: "ums-stack-data-swp-ucr"
   configMapUcrForced: null
 
+ingress:
+  # Intentionally not using the Ingress configuration of the UMS stack at the
+  # moment, since it does depend on rewriting capabilities of the ingress
+  # controller. Those are encapsulated into the release "stack-gateway" so that
+  # the compatibility with all ingress controllers is increased.
+  enabled: false
+  tls:
+    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
+    enabled: false
+    secretName: ""
+
 istio:
   enabled: false
+
+...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml

@@ -7,4 +7,12 @@ volumes:
     shared-data: "shared-data-ums-ldap-server-0"
     shared-run: "shared-run-ums-ldap-server-0"
 
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-ldap-server.gotmpl

@@ -5,15 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 ldapServer:
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-  waitForSamlMetadata: true
-
-  # TODO: Certificates handling
-  # caCert: ""
-  # certPem: ""
-  # privateKey: ""
-  # dhParam: ""
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -26,12 +18,11 @@ image:
     {{- end }}
 
   waitForDependency:
-    registry: "{{ .Values.global.imageRegistry }}"
+    registry: {{ .Values.global.imageRegistry | quote }}
-    repository: "{{ .Values.images.umsWaitForDependency.repository }}"
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: "{{ .Values.images.umsWaitForDependency.tag }}"
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #199
 persistence:
   data:
     storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/univention-management-stack/values-ldap-server.yaml

@@ -2,6 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+ldapServer:
+  waitForSamlMetadata: true
+
 service:
   type: "ClusterIP"
 
@@ -27,4 +30,25 @@ extraVolumeMounts:
     mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
     subPath: "opendeskProjectmanagement.schema"
 
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
 postgresql:
   bundled: false
   connection:
-    host: "postgresql"
+    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
-    port: 5432
+    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
   auth:
-    username: "notificationsapi_user"
+    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    database: "notificationsapi"
+    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
-    password: {{ .Values.secrets.postgresql.notificationsapiUser | quote }}
+    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry }}

helmfile/apps/univention-management-stack/values-notifications-api.yaml

@@ -9,4 +9,12 @@ notificationsapi:
   sql_echo: "False"
   api_prefix: "/univention/portal/notifications-api"
 
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -0,0 +1,320 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: "{{ .Values.global.domain }}"
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  registry: "{{ .Values.global.imageRegistry }}"
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: "{{ .Values.global.imageRegistry }}"
+  repository: "{{ .Values.images.opendeskKeycloakBootstrap.repository }}"
+  tag: "{{ .Values.images.opendeskKeycloakBootstrap.tag }}"
+  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
+config:
+  keycloak:
+    adminUser: "kcadmin"
+    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    realm: {{ .Values.platform.realm | quote }}
+    intraCluster:
+      enabled: true
+      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  custom:
+    clientScopes:
+      - name: "read_contacts"
+        protocol: "openid-connect"
+      - name: "write_contacts"
+        protocol: "openid-connect"
+      - name: "opendesk"
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+    clients:
+      - name: "opendesk-dovecot"
+        clientId: "opendesk-dovecot"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: false
+        defaultClientScopes:
+          - "opendesk"
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+          # it to `opendesk_useruuid` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+          - name: "entryuuid_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "entryuuid"
+              jsonType.label: "String"
+          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+          # set it to `opendesk_username` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+          - name: "phoenixusername_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "phoenixusername"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "opendesk"
+          - "offline_access"
+      - name: "opendesk-jitsi"
+        clientId: "opendesk-jitsi"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        redirectUris:
+          - "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: true
+        fullScopeAllowed: true
+        defaultClientScopes:
+          - "opendesk"
+          - "profile"
+      - name: "opendesk-matrix"
+        clientId: "opendesk-matrix"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        standardFlowEnabled: true
+        directAccessGrantsEnabled: true
+        serviceAccountsEnabled: true
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk"
+        optionalClientScopes:
+          - "email"
+          - "profile"
+        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
+        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+      - name: "matrix"
+        clientId: "matrix"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        standardFlowEnabled: true
+        directAccessGrantsEnabled: true
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+      - name: "opendesk-nextcloud"
+        clientId: "opendesk-nextcloud"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "opendesk"
+          - "email"
+          - "read_contacts"
+          - "write_contacts"
+      - name: "opendesk-openproject"
+        clientId: "opendesk-openproject"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        serviceAccountsEnabled: true
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        protocolMappers:
+          - name: "opendeskProjectmanagementAdmin"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "opendeskProjectmanagementAdmin"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "openproject_admin"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "opendesk"
+          - "email"
+          - "profile"
+      - name: "opendesk-oxappsuite"
+        clientId: "opendesk-oxappsuite"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "opendesk"
+          - "read_contacts"
+          - "write_contacts"
+      - name: "opendesk-xwiki"
+        clientId: "opendesk-xwiki"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        attributes:
+          backchannel.logout.session.required: false
+          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes:
+          - "opendesk"
+          - "address"
+          - "email"
+          - "profile"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podAnnotations:
+  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+resources:
+  {{ .Values.resources.opendeskKeycloakBootstrap | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.gotmpl

@@ -1,53 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-ingress:
-  enabled: true
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  ingressClassName: "nginx"
-  annotations:
-    nginx.org/mergeable-ingress-type: "minion"
-  tls: false
-
-  pathType: Exact
-  path: /favicon.ico
-
-  extraPaths:
-    - pathType: Exact
-      path: /univention/portal/css/custom.css
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/icons/logo.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/icons/logo_small_border.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/custom/portal_background_image.png
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-    - pathType: Exact
-      path: /univention/portal/custom/portal_background_image.svg
-      backend:
-        service:
-          name: ums-portal-frontend-custom-nginx
-          port:
-            name: http
-
-...

helmfile/apps/univention-management-stack/values-portal-frontend-custom.yaml

@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-service:
-  type: "ClusterIP"
-
-extraVolumes:
-  - name: "opendesk-branding"
-    configMap:
-      name: "ums-stack-data-swp-branding"
-
-extraVolumeMounts:
-  - name: "opendesk-branding"
-    mountPath: "/app/favicon.ico"
-    subPath: "favicon.ico"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/css/custom.css"
-    subPath: "custom.css"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/icons/logo.svg"
-    subPath: "logo.svg"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/icons/logo_small_border.svg"
-    subPath: "logo_small_border.svg"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/custom/portal_background_image.png"
-    subPath: "portal_background_image.png"
-  - name: "opendesk-branding"
-    mountPath: "/app/univention/portal/custom/portal_background_image.svg"
-    subPath: "portal_background_image.svg"
-
-...

helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl

@@ -14,13 +14,7 @@ image:
     {{- end }}
 
 extraIngresses:
-  redirects:
-    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
-    # The TLS configuration is on the "master" Ingress, see below.
-    tls:
-      enabled: false
   master:
-    enabled: {{ if eq .Values.ingress.ingressClassName "dedicated-haproxy-external" }}false{{ else }}{{ .Values.ingress.enabled }}{{ end }}
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/univention-management-stack/values-portal-frontend.yaml

@@ -0,0 +1,93 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+extraIngresses:
+  redirects:
+    # Using "stack-gateway" currently.
+    enabled: false
+    # The TLS configuration is on the "master" Ingress, see below.
+    tls:
+      enabled: false
+  master:
+    # Using "stack-gateway" currently.
+    enabled: false
+
+  # See "extraVolumeMounts" below
+  custom-favicon:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      - pathType: "Exact"
+        path: "/favicon.ico"
+    tls: {}
+
+  # See "extraVolumeMounts" below
+  custom-branding:
+    # Using "stack-gateway" at the moment
+    enabled: false
+    annotations:
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/location-snippets: |
+        rewrite ^/univention/portal(/.*)$ $1 break;
+      nginx.org/mergeable-ingress-type: "minion"
+    paths:
+      # This relies on the correct implementation of the matching for paths of
+      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
+      # store-dav.
+      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
+      - pathType: "Prefix"
+        path: "/univention/portal/icons/"
+      - pathType: "Prefix"
+        path: "/univention/portal/custom/"
+    tls: {}
+
+extraVolumes:
+  - name: "opendesk-branding"
+    configMap:
+      name: "ums-stack-data-swp-branding"
+
+extraVolumeMounts:
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/favicon.ico"
+    subPath: "favicon.ico"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/css/custom.css"
+    subPath: "custom.css"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo.svg"
+    subPath: "logo.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/icons/logo_small_border.svg"
+    subPath: "logo_small_border.svg"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.png"
+    subPath: "portal_background_image.png"
+  - name: "opendesk-branding"
+    mountPath: "/var/www/html/custom/portal_background_image.svg"
+    subPath: "portal_background_image.svg"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -4,25 +4,20 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalListener:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  environment: "staging"
+  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  debugLevel: "4"
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
-  assetsRoot: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-assets/"
-  ucsInternalUrl: "http://portal-listener:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener }}@ums-store-dav/portal-data/"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
 
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: "{{ .Values.ldap.host }}"
+  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
   notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: "cn=domain,cn=portal,cn=portals,cn=univention,dc=swp-ldap,dc=internal"
+  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
   udmApiUrl: "http://ums-udm-rest-api/udm/"
   udmApiUsername: "cn=admin"
 
-  tlsMode: "off"
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
@@ -37,10 +32,9 @@ image:
   waitForDependency:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: "Always"
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 
-# TODO: Pending upstream support, #200
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}

helmfile/apps/univention-management-stack/values-portal-listener.yaml

@@ -2,7 +2,35 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 
+portalListener:
+  debugLevel: "4"
+  tlsMode: "off"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUsername: "cn=admin"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+
 store-dav:
   bundled: false
 
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-portal-server.gotmpl

@@ -4,16 +4,9 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalServer:
-  adminGroup: "cn=Domain Admins,cn=groups,dc=swp-ldap,dc=internal"
+  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  authMode: "saml"
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
-  environment: "staging"
-  editable: "false"
-  logLevel: "DEBUG"
-  ucsInternalUrl: "http://portal-server:{{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer }}@ums-store-dav/portal-data"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
   centralNavigation:
-    enabled: true
     authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 image:

helmfile/apps/univention-management-stack/values-portal-server.yaml

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+portalServer:
+  authMode: "saml"
+  editable: "false"
+  logLevel: "DEBUG"
+  umcGetUrl: "http://ums-umc-server/get"
+  umcSessionUrl: "http://ums-umc-server/get/session-info"
+  centralNavigation:
+    enabled: true
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl

@@ -0,0 +1,48 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+selfserviceListener:
+
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
+
+image:
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+  selfserviceListener:
+    registry: {{ .Values.global.imageRegistry | quote }}
+    repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
+    tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
+
+  selfserviceInvitation:
+    registry: {{ .Values.global.imageRegistry | quote }}
+    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
+    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
+
+  waitForDependency:
+    registry: {{ .Values.global.imageRegistry | quote }}
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+
+persistence:
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
+
+resources:
+  {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
+
+resourcesDependencyWaiter:
+  {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
+...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+selfserviceListener:
+  debugLevel: "4"
+  tlsMode: "off"
+  umcServerUrl: "http://ums-umc-server"
+  umcAdminUser: "default.admin"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -4,31 +4,31 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataSwp:
-  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
 
 stackDataContext:
-  ldapBase: "dc=swp-ldap,dc=internal"
   ldapSearchUsers:
-    {{- range $k, $v := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
-    - username: {{ printf "ldapsearch_%s" $k | quote }}
+    - username: {{ printf "ldapsearch_%s" $username | quote }}
-      password: {{ $v | quote }}
+      password: {{ $password | quote }}
-      lastname: {{ "LDAP-Search-User" }}
+      lastname: "LDAP-Search-User"
     {{- end }}
 
-  externalDomainName: "{{ .Values.global.domain }}"
+  externalDomainName: {{ .Values.global.domain | quote }}
-  externalMailDomain: "{{ .Values.global.domain }}"
+  externalMailDomain: {{ .Values.global.domain | quote }}
 
-  portalGroupwareLinkBase: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
-  portalFileshareLinkBase: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
-  portalRealtimeCollaborationLinkBase: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}"
+  portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
-  portalRealtimeVideoconferenceLinkBase: "https://{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
+  portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
-  portalManagementProjectLinkBase: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
+  portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
-  portalManagementKnowledgeLinkBase: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
+  portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
+  portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
 
-  oxDefaultContext: "10"
+  smtpHost: {{ .Values.smtp.host | quote }}
+  smtpPort: {{ .Values.smtp.port | quote }}
+  smtpUser: {{ .Values.smtp.username | quote }}
 
   userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
   adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stackDataSwp:
+  udmApiUser: "cn=admin"
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  loadDevData: true
+
+stackDataContext:
+  ldapBase: "dc=swp-ldap,dc=internal"
+  oxDefaultContext: "1"
+  smtpStartTls: true
+
+additionalAnnotations:
+  intents.otterize.com/service-name: "ums-stack-data-swp"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl

@@ -4,32 +4,22 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 stackDataUms:
-  udmApiUser: "cn=admin"
   udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
 
 stackDataContext:
-  domainname: "{{ .Values.global.domain }}"
+  domainname: {{ .Values.global.domain | quote }}
-  externalMailDomain: "{{ .Values.global.domain }}"
+  externalMailDomain: {{ .Values.global.domain | quote }}
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}"
+  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-  ldapHost: "{{ .Values.ldap.host }}"
+  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapBase: "dc=swp-ldap,dc=internal"
+  ldapBase: {{ .Values.ldap.baseDn | quote }}
-  # TODO: This should not be required, the machine account is not there
+  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  # ldapHostDn: cn=stub-value,cn=dc,cn=computers,dc=swp-ldap,dc=internal
-  ldapHostDn: cn=admin,dc=swp-ldap,dc=internal
 
-  idpSamlMetadataUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/saml/descriptor"
+  idpSamlMetadataUrl: {{ printf "https://%s.%s/%s/%s/%s" .Values.global.hosts.keycloak .Values.global.domain "realms" .Values.platform.realm "protocol/saml/descriptor" | quote }}
-  idpSamlMetadataUrlInternal: null
+  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  umcSamlSpFqdn: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
-  umcSamlSchemes: "https"
+  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  idpFqdn: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-  ldapSamlSpUrls: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/saml/metadata"
 
-  initialPasswordAdministrator: "{{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword }}"
+  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
-
-  # The SWP configuration brings its own UMC policies.
-  installUmcPolicies: false
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+stackDataUms:
+  loadDevData: true
+  udmApiUrl: "http://ums-udm-rest-api/udm/"
+  udmApiUser: "cn=admin"
+
+stackDataContext:
+  idpSamlMetadataUrlInternal: null
+  umcSamlSchemes: "https"
+  # The openDesk configuration brings its own UMC policies.
+  installUmcPolicies: false
+
+additionalAnnotations:
+  intents.otterize.com/service-name: "ums-stack-data-ums"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-store-dav.gotmpl

@@ -21,7 +21,6 @@ image:
   configHtpasswd:
     registry: {{ .Values.global.imageRegistry | quote }}
     repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
-    pullPolicy: "Always"
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
     pullSecrets:
@@ -29,7 +28,6 @@ image:
       - name: {{ . | quote }}
       {{- end }}
 
-# TODO: Pending upstream support, #201
 persistence:
   storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
   size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}

helmfile/apps/univention-management-stack/values-store-dav.yaml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl

@@ -7,12 +7,7 @@ udmRestApi:
   # TODO: Secret should be entered without b64enc
   ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
   # TODO: Secret should be entered without b64enc
-  machineSecret: "{{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc }}"
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: This should not be part of the udm-rest-api anymore
-  loadJoinData:
-    enabled: true
 
 image:
   registry: {{ .Values.global.imageRegistry | quote }}

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml

@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+udmRestApi:
+  # TODO: Stub value currently
+  caCert: ""
+
+extraVolumes:
+  - name: "attribute-to-group-mapper-hook"
+    configMap:
+      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
+
+extraVolumeMounts:
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
+    subPath: "AttributeToGroupMapper.py"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
+    subPath: "flag_to_group_mapping.json"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl

@@ -3,19 +3,6 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-umcGateway:
-
-extraVolumes:
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-gateway-entrypoint"
-      defaultMode: 0555
-
-extraVolumeMounts:
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-swp.sh"
-    subPath: "90-swp.sh"
-
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsUmcGateway.repository | quote }}

helmfile/apps/univention-management-stack/values-umc-gateway.yaml

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+extraVolumes:
+  - name: "entrypoint-swp-patches"
+    configMap:
+      name: "ums-stack-data-swp-umc-gateway-entrypoint"
+      defaultMode: 0555
+  - name: "announcements-customization"
+    configMap:
+      name: "ums-stack-data-swp-umc-server-announcements"
+      defaultMode: 0444
+
+extraVolumeMounts:
+  - name: "entrypoint-swp-patches"
+    mountPath: "/entrypoint.d/90-swp.sh"
+    subPath: "90-swp.sh"
+  - name: "announcements-customization"
+    mountPath:
+      "/usr/share/univention-management-console-frontend/js/dijit/themes\
+      /umc/icons/16x16/udm-portals-announcement.png"
+    subPath: "udm-portals-announcement.png"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -9,6 +9,21 @@ umcServer:
   # TODO: Secret should be entered without b64enc
   machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 
+  smtpSecret: {{ .Values.smtp.password | quote }}
+
+postgresql:
+  connection:
+    host: {{ .Values.databases.umsSelfservice.host | quote }}
+    port: {{ .Values.databases.umsSelfservice.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsSelfservice.username | quote }}
+    database: {{ .Values.databases.umsSelfservice.name | quote }}
+    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+
+memcached:
+  server: {{ .Values.cache.umsSelfservice.host | quote }}
+
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsUmcServer.repository | quote }}

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -17,6 +17,13 @@ extraVolumes:
     configMap:
       name: "ums-stack-data-swp-self-service-emails"
       defaultMode: 0444
+  - name: "attribute-to-group-mapper-hook"
+    configMap:
+      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
+  - name: "announcements-customization"
+    configMap:
+      name: "ums-stack-data-swp-umc-server-announcements"
+      defaultMode: 0444
 
 extraVolumeMounts:
   - name: "certificates"
@@ -26,5 +33,43 @@ extraVolumeMounts:
     subPath: "90-customization.sh"
   - name: "self-service-emails"
     mountPath: "/usr/share/univention-self-service/email_bodies"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
+    subPath: "AttributeToGroupMapper.py"
+  - name: "attribute-to-group-mapper-hook"
+    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
+    subPath: "flag_to_group_mapping.json"
+  - name: "announcements-customization"
+    mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
+    subPath: "udm-portals-announcement.xml"
 
+postgresql:
+  bundled: false
+
+memcached:
+  bundled: false
+  auth:
+    username: null
+    password: null
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
 ...

helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl

@@ -0,0 +1,80 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  registry: {{ .Values.global.imageRegistry | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
+  tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+
+config:
+  keycloak:
+    adminUser: "kcadmin"
+    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    realm: {{ .Values.platform.realm | quote }}
+    intraCluster:
+      enabled: true
+      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    loginLinks:
+      - link_number: 1
+        language: "de"
+        description: "Passwort vergessen?"
+        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
+      - link_number: 1
+        language: "en"
+        description: "Forgot password?"
+        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
+  ums:
+    ldap:
+      internalHostname: {{ .Values.ldap.host | quote }}
+      baseDN: {{ .Values.ldap.baseDn | quote }}
+      readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
+      readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
+      mappers:
+        - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+        - ldapAndUserModelAttributeName: "oxContextIDNum"
+    saml:
+      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  twoFactorAuthentication:
+    enabled: true
+    group: "2fa-users"
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  readOnlyRootFilesystem: false
+  runAsGroup: 1000
+  runAsNonRoot: true
+  runAsUser: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podAnnotations:
+  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
+resources:
+  {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -5,7 +5,11 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   keycloak:
+    host: "ums-keycloak:8080"
+    adminUsername: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    adminRealm: "master"
+    realm: {{ .Values.platform.realm | quote }}
   postgresql:
     connection:
       host: {{ .Values.databases.keycloakExtension.host | quote }}
@@ -17,29 +21,65 @@ global:
 handler:
   image:
     registry: {{ .Values.global.imageRegistry | quote }}
-    repository: {{ .Values.images.keycloakExtensionHandler.repository | quote }}
+    repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
-    tag: {{ .Values.images.keycloakExtensionHandler.tag | quote }}
+    tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   appConfig:
+    captchaProtectionEnable: false
     smtpPassword: {{ .Values.smtp.password | quote }}
     smtpHost: {{ .Values.smtp.host | quote }}
+    smtpPort: {{ .Values.smtp.port | quote }}
     smtpUsername: {{ .Values.smtp.username | quote }}
     mailFrom: "noreply@{{ .Values.global.domain }}"
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
   resources:
-    {{ .Values.resources.keycloakExtension | toYaml | nindent 4 }}
+    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
+postgresql:
+  enabled: false
 proxy:
   image:
     registry: {{ .Values.global.imageRegistry | quote }}
-    repository: {{ .Values.images.keycloakExtensionProxy.repository | quote }}
+    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
-    tag: {{ .Values.images.keycloakExtensionProxy.tag | quote }}
+    tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
     imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   ingress:
+    annotations:
+      nginx.org/proxy-buffer-size: "8k"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+    paths:
+      - pathType: "Prefix"
+        path: "/realms"
+      - pathType: "Prefix"
+        path: "/resources"
+      - pathType: "Prefix"
+        path: "/fingerprintjs"
     enabled: {{ .Values.ingress.enabled }}
     ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     tls:
       enabled: {{ .Values.ingress.tls.enabled }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
   resources:
-    {{ .Values.resources.keycloakProxy | toYaml | nindent 4 }}
+    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
 ...

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imageRegistry: {{ .Values.global.imageRegistry | quote }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | quote }}
+  repository: {{ .Values.images.umsKeycloak.repository | quote }}
+  tag: {{ .Values.images.umsKeycloak.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+config:
+  admin:
+    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  database:
+    host: {{ .Values.databases.keycloak.host | quote }}
+    port: {{ .Values.databases.keycloak.port }}
+    user: {{ .Values.databases.keycloak.username | quote }}
+    database: {{ .Values.databases.keycloak.name | quote }}
+    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: true
+
+podSecurityContext:
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+theme:
+  univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
+  univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
+  favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
+
+replicaCount: {{ .Values.replicas.keycloak }}
+
+resources:
+  {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
+
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -3,171 +3,11 @@
 ---
 
 ingress:
-  enabled: true
+  enabled: {{ .Values.ingress.enabled }}
-  hostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls: false
   extraTls:
     - hosts:
-        - "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-      secretName: "{{ .Values.ingress.tls.secretName }}"
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
+...
-service:
-  type: "ClusterIP"
-
-# The content of the "serverBlock" does resemble the Ingress configuration of
-# the UMS components. The "location" entries do intentionally reflect precisely
-# the respective paths which are configured.
-serverBlock: |
-  server {
-    listen 8080;
-
-    ## portal-frontend
-    # The frontend does not own "/univention/portal", only these two bits
-    location = /univention/portal/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/portal/index.html {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    # The following prefixes are owned by the frontend
-    location /univention/portal/css/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/fonts/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/i18n/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/media/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/js/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/oidc/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-
-
-    ## frontend redirects
-
-    location = / {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/ {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/portal {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-
-
-    ## portal-server
-    location = /univention/portal/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/portal/navigation.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-
-
-    ## store-dav
-    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
-      proxy_pass http://ums-store-dav:80;
-    }
-
-
-    ## udm-rest-api
-    location /univention/udm/ {
-      rewrite ^/univention(/udm/.*)$ $1 break;
-      proxy_pass http://ums-udm-rest-api:80;
-      proxy_set_header X-Forwarded-Host $host;
-    }
-
-
-    ## umc-gateway
-    location = /univention/languages.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/meta.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/theme.css {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/js/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/login/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/management/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/themes/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-
-
-    ## umc-server
-    location = /univention/auth {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/logout/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/saml/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/get/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/set/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/command/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/upload/ {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-
-
-    ## notifications-api
-
-    location /univention/portal/notifications-api/ {
-      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
-      proxy_pass http://ums-notifications-api:80;
-    }
-
-  }

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -0,0 +1,258 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  annotations:
+    # Ensure that the ingress controller can handle responses with plenty of
+    # headers. This is a requirement from the UDM Rest API.
+    nginx.org/proxy-buffer-size: "64k"
+    nginx.org/proxy-buffers: "4 128k"
+  tls: false
+
+service:
+  type: "ClusterIP"
+
+fullnameOverride: "ums-stack-gateway"
+
+# The content of the "serverBlock" does resemble the Ingress configuration of
+# the UMS components. The "location" entries do intentionally reflect precisely
+# the respective paths which are configured.
+serverBlock: |
+  server {
+    listen 8080;
+
+    proxy_http_version 1.1;
+
+    proxy_set_header Host $http_host;
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
+    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+
+    ## portal-frontend
+    # The frontend does not own "/univention/portal" nor
+    # "/univention/selfservice", only these two bits
+    location = /univention/portal/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/portal/index.html {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location = /univention/selfservice/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+    # The following prefixes are owned by the frontend
+    location /univention/portal/css/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/fonts/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/i18n/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/media/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/js/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/portal/oidc/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/css/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/fonts/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/i18n/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/media/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/js/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/oidc/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+
+
+    ## frontend redirects
+    location = / {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/ {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/portal {
+       absolute_redirect off;
+       return 302 /univention/portal/;
+    }
+    location = /univention/selfservice {
+       absolute_redirect off;
+       return 302 /univention/selfservice/;
+    }
+
+
+    ## portal-server
+    location = /univention/portal/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/selfservice/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+    location = /univention/portal/navigation.json {
+      proxy_pass http://ums-portal-server:80;
+    }
+
+
+    ## store-dav
+    location /univention/portal/icons/entries/ {
+      rewrite ^/univention/portal(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/portal/icons/logos/ {
+      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/selfservice/icons/entries/ {
+      rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/selfservice/icons/logos/ {
+      rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+
+
+    ## udm-rest-api
+    location /univention/udm/ {
+      # The UDM Rest API does return on some endpoints a lot of headers
+      proxy_busy_buffers_size 128k;
+      proxy_buffers 4 128k;
+      proxy_buffer_size 64k;
+
+      rewrite ^/univention(/udm/.*)$ $1 break;
+      proxy_pass http://ums-udm-rest-api:80;
+    }
+
+
+    ## umc-gateway
+    location = /univention/languages.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/meta.json {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location = /univention/theme.css {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/js/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/login/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/management/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+    location /univention/themes/ {
+      proxy_pass http://ums-umc-gateway:80;
+    }
+
+
+    ## umc-server
+    location = /univention/auth {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/logout {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/saml {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/get {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/set {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/command {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+    location /univention/upload {
+      rewrite ^/univention(/.*)$ $1 break;
+      proxy_pass http://ums-umc-server:80;
+    }
+
+
+    ## notifications-api
+    location /univention/portal/notifications-api/ {
+      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
+      proxy_pass http://ums-notifications-api:80;
+    }
+
+    ## openDesk branding
+    location = /favicon.ico {
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/custom/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+    location /univention/portal/icons/ {
+      rewrite ^/univention/portal(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
+
+  }
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+...

helmfile/apps/xwiki/helmfile.yaml

@@ -3,20 +3,20 @@
 ---
 bases:
   - "../../bases/environments.yaml"
-
 ---
 repositories:
   # XWiki
   # Source: https://github.com/xwiki-contrib/xwiki-helm
   - name: "xwiki-repo"
-    url: >-
+    oci: {{ .Values.charts.xwiki.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.xwiki.username | quote }}
-         default "https://xwiki-contrib.github.io/xwiki-helm" }}
+    password: {{ .Values.charts.xwiki.password | quote }}
+    url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
 
 releases:
   - name: "xwiki"
-    chart: "xwiki-repo/xwiki"
+    chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
-    version: "1.2.3"
+    version: "{{ .Values.charts.xwiki.version }}"
     wait: true
     values:
       - "values.yaml"

helmfile/apps/xwiki/values.gotmpl

@@ -16,25 +16,27 @@ externalDB:
 
 customConfigs:
   "xwiki.cfg":
-    "xwiki.superadminpassword": {{ .Values.secrets.xwiki.superadminpassword | quote }}
+    xwiki.superadminpassword: {{ .Values.secrets.xwiki.superadminpassword | quote }}
     ## LDAP Server configuration
     xwiki.authentication.ldap.server: {{ .Values.ldap.host | quote }}
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
+    ## Allow short update cycles of the LDAP group cache
+    xwiki.authentication.ldap.groupcache_expiration: 300
 
   "xwiki.properties":
-    "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/auth"
+    "oidc.endpoint.authorization": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
-    "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/token"
+    "oidc.endpoint.token": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-    "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/userinfo"
+    "oidc.endpoint.userinfo": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
-    "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
+    "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
     "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
+    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
-    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
     "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
 
 properties:
@@ -44,7 +46,7 @@ properties:
   "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.navbar-default-link-hover-bg": {{ .Values.theme.colors.secondaryGreyLight | quote }}
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
-  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap"
+  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}