chore(release): 0.5.64 [skip ci]

## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)

### Bug Fixes

* **openproject:** Switch to release container and set home url link ([e67ab8f](e67ab8f430))

.gitlab-ci.yml

@@ -620,4 +620,6 @@ release:
       }
       EOF
     - "semantic-release"
+  needs:
+    - "generate-release-assets"
 ...

CHANGELOG.md

@@ -1,3 +1,72 @@
+## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
+
+
+### Bug Fixes
+
+* **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
+
+## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
+
+
+### Bug Fixes
+
+* **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
+
+## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
+
+
+### Bug Fixes
+
+* **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
+* **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
+
+## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
+
+
+### Bug Fixes
+
+* **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
+
+## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
+
+
+### Bug Fixes
+
+* **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
+
+## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
+
+
+### Bug Fixes
+
+* **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
+
+## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
+
+
+### Bug Fixes
+
+* **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
+* **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
+* **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
+* **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
+* **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
+* **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
+
+## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
+
+
+### Bug Fixes
+
+* **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
+
+## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
+
+
+### Bug Fixes
+
+* **element:** Raise treshold for login rate limit to avoid too early barrier hitting normal users ([466e741](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/466e7414942837fdb1aecabfb08eae49f9dab272))
+
 ## [0.5.55](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.54...v0.5.55) (2023-11-30)
 
 

README.md

@@ -9,14 +9,15 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 
 It features:
-- Fully integrated Identity Management (Univention, Keycloak)
+- Fully integrated Identity Management (Univention)
 - File storage (Nextcloud)
 - Weboffice (Collabora)
-- Videoconference (Jitsi)
-- Encrypted Chat (Synapse, Element)
+- Videoconference (Nordeck w/ Jitsi)
+- Chat and Collaboration (Element w/ Nordeck)
 - Groupware (OX Appsuite)
 - Wiki (XWiki)
-- Notes and Diagrams (Cryptpad, Draw.io)
+- Project Management (OpenProject)
+- Notes and Diagrams (Cryptpad)
 
 openDesk integrates these components and is working towards a seamless user experience.
 
@@ -40,7 +41,7 @@ Basic knowledge of Kubernetes and Devops is required though.
 
 # Active development notice
 openDesk will face breaking changes in the near future without upgrade paths before
-[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases
+[technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend

docs/external-services.md

@@ -9,6 +9,7 @@ This document will cover the additional configuration to use external services l
 
 <!-- TOC -->
   * [Database](#database)
+  * [Objectstore](#objectstore)
   * [Cache](#cache)
 <!-- TOC -->
 
@@ -17,53 +18,76 @@ This document will cover the additional configuration to use external services l
 When deploying this suite to production, you need to configure the applications to use your production grade database
 service.
 
-| Component   | Name               | Type       | Parameter | Key                                    | Default                    |
-|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
-| Element     | Synapse            | PostgreSQL |           |                                        |                            |
-|             |                    |            | Name      | `databases.synapse.name`               | `matrix`                   |
-|             |                    |            | Host      | `databases.synapse.host`               | `postgresql`               |
-|             |                    |            | Port      | `databases.synapse.port`               | `5432`                     |
-|             |                    |            | Username  | `databases.synapse.username`           | `matrix_user`              |
-|             |                    |            | Password  | `databases.synapse.password`           |                            |
-| Keycloak    | Keycloak           | PostgreSQL |           |                                        |                            |
-|             |                    |            | Name      | `databases.keycloak.name`              | `keycloak`                 |
-|             |                    |            | Host      | `databases.keycloak.host`              | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloak.port`              | `5432`                     |
-|             |                    |            | Username  | `databases.keycloak.username`          | `keycloak_user`            |
-|             |                    |            | Password  | `databases.keycloak.password`          |                            |
-|             | Keycloak Extension | PostgreSQL |           |                                        |                            |
-|             |                    |            | Name      | `databases.keycloakExtension.name`     | `keycloak_extensions`      |
-|             |                    |            | Host      | `databases.keycloakExtension.host`     | `postgresql`               |
-|             |                    |            | Port      | `databases.keycloakExtension.port`     | `5432`                     |
-|             |                    |            | Username  | `databases.keycloakExtension.username` | `keycloak_extensions_user` |
-|             |                    |            | Password  | `databases.keycloakExtension.password` |                            |
-| UMS         | Notifications API  | PostgreSQL |           |                                        |                            |
-|             |                    |            | Name      | `databases.notificationsApi.name`      | `notificationsapi`         |
-|             |                    |            | Host      | `databases.notificationsApi.host`      | `postgresql`               |
-|             |                    |            | Port      | `databases.notificationsApi.port`      | `5432`                     |
-|             |                    |            | Username  | `databases.notificationsApi.username`  | `notificationsapi_user`    |
-|             |                    |            | Password  | `databases.notificationsApi.password`  |                            |
-| Nextcloud   | Nextcloud          | MariaDB    |           |                                        |                            |
-|             |                    |            | Name      | `databases.nextcloud.name`             | `nextcloud`                |
-|             |                    |            | Host      | `databases.nextcloud.host`             | `mariadb`                  |
-|             |                    |            | Username  | `databases.nextcloud.username`         | `nextcloud_user`           |
-|             |                    |            | Password  | `databases.nextcloud.password`         |                            |
-| OpenProject | OpenProject        | PostgreSQL |           |                                        |                            |
-|             |                    |            | Name      | `databases.openproject.name`           | `openproject`              |
-|             |                    |            | Host      | `databases.openproject.host`           | `postgresql`               |
-|             |                    |            | Port      | `databases.openproject.port`           | `5432`                     |
-|             |                    |            | Username  | `databases.openproject.username`       | `openproject_user`         |
-|             |                    |            | Password  | `databases.openproject.password`       |                            |
-| OX Appsuite | OX Appsuite        | MariaDB    |           |                                        |                            |
-|             |                    |            | Name      | `databases.oxAppsuite.name`            | `CONFIGDB`                 |
-|             |                    |            | Host      | `databases.oxAppsuite.host`            | `mariadb`                  |
-|             |                    |            | Username  | `databases.oxAppsuite.username`        | `root`                     |
-|             |                    |            | Password  | `databases.oxAppsuite.password`        |                            |
-| XWiki       | XWiki              | MariaDB    |           |                                        |                            |
-|             |                    |            | Name      | `databases.xwiki.name`                 | `xwiki`                    |
-|             |                    |            | Host      | `databases.xwiki.host`                 | `mariadb`                  |
-|             |                    |            | Username  | `databases.xwiki.username`             | `xwiki_user`               |
-|             |                    |            | Password  | `databases.xwiki.password`             |                            |
+| Component   | Name               | Type       | Parameter | Key                                      | Default                    |
+|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
+| Element     | Synapse            | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.synapse.name`                 | `matrix`                   |
+|             |                    |            | Host      | `databases.synapse.host`                 | `postgresql`               |
+|             |                    |            | Port      | `databases.synapse.port`                 | `5432`                     |
+|             |                    |            | Username  | `databases.synapse.username`             | `matrix_user`              |
+|             |                    |            | Password  | `databases.synapse.password`             |                            |
+| Keycloak    | Keycloak           | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.keycloak.name`                | `keycloak`                 |
+|             |                    |            | Host      | `databases.keycloak.host`                | `postgresql`               |
+|             |                    |            | Port      | `databases.keycloak.port`                | `5432`                     |
+|             |                    |            | Username  | `databases.keycloak.username`            | `keycloak_user`            |
+|             |                    |            | Password  | `databases.keycloak.password`            |                            |
+|             | Keycloak Extension | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.keycloakExtension.name`       | `keycloak_extensions`      |
+|             |                    |            | Host      | `databases.keycloakExtension.host`       | `postgresql`               |
+|             |                    |            | Port      | `databases.keycloakExtension.port`       | `5432`                     |
+|             |                    |            | Username  | `databases.keycloakExtension.username`   | `keycloak_extensions_user` |
+|             |                    |            | Password  | `databases.keycloakExtension.password`   |                            |
+| UMS         | Notifications API  | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.umsNotificationsApi.name`     | `notificationsapi`         |
+|             |                    |            | Host      | `databases.umsNotificationsApi.host`     | `postgresql`               |
+|             |                    |            | Port      | `databases.umsNotificationsApi.port`     | `5432`                     |
+|             |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user`    |
+|             |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
+|             | Self Service       | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.umsSelfservice.name`          | `selfservice`              |
+|             |                    |            | Host      | `databases.umsSelfservice.host`          | `postgresql`               |
+|             |                    |            | Port      | `databases.umsSelfservice.port`          | `5432`                     |
+|             |                    |            | Username  | `databases.umsSelfservice.username`      | `selfservice_user`         |
+|             |                    |            | Password  | `databases.umsSelfservice.password`      |                            |
+| Nextcloud   | Nextcloud          | MariaDB    |           |                                          |                            |
+|             |                    |            | Name      | `databases.nextcloud.name`               | `nextcloud`                |
+|             |                    |            | Host      | `databases.nextcloud.host`               | `mariadb`                  |
+|             |                    |            | Username  | `databases.nextcloud.username`           | `nextcloud_user`           |
+|             |                    |            | Password  | `databases.nextcloud.password`           |                            |
+| OpenProject | OpenProject        | PostgreSQL |           |                                          |                            |
+|             |                    |            | Name      | `databases.openproject.name`             | `openproject`              |
+|             |                    |            | Host      | `databases.openproject.host`             | `postgresql`               |
+|             |                    |            | Port      | `databases.openproject.port`             | `5432`                     |
+|             |                    |            | Username  | `databases.openproject.username`         | `openproject_user`         |
+|             |                    |            | Password  | `databases.openproject.password`         |                            |
+| OX Appsuite | OX Appsuite        | MariaDB    |           |                                          |                            |
+|             |                    |            | Name      | `databases.oxAppsuite.name`              | `CONFIGDB`                 |
+|             |                    |            | Host      | `databases.oxAppsuite.host`              | `mariadb`                  |
+|             |                    |            | Username  | `databases.oxAppsuite.username`          | `root`                     |
+|             |                    |            | Password  | `databases.oxAppsuite.password`          |                            |
+| XWiki       | XWiki              | MariaDB    |           |                                          |                            |
+|             |                    |            | Name      | `databases.xwiki.name`                   | `xwiki`                    |
+|             |                    |            | Host      | `databases.xwiki.host`                   | `mariadb`                  |
+|             |                    |            | Username  | `databases.xwiki.username`               | `xwiki_user`               |
+|             |                    |            | Password  | `databases.xwiki.password`               |                            |
+
+## Objectstore
+
+When deploying this suite to production, you need to configure the applications to use your production grade objectstore
+service.
+
+| Component   | Name        | Parameter       | Key                                      | Default            |
+|-------------|-------------|-----------------|------------------------------------------|--------------------|
+| OpenProject | OpenProject |                 |                                          |                    |
+|             |             | Backend         | `objectstores.openproject.backend`       | `minio`            |
+|             |             | Bucket          | `objectstores.openproject.bucket`        | `openproject`      |
+|             |             | Endpoint        | `objectstores.openproject.endpoint`      |                    |
+|             |             | Provider        | `objectstores.openproject.provider`      | `AWS`              |
+|             |             | Region          | `objectstores.openproject.region`        |                    |
+|             |             | Secret          | `objectstores.openproject.secret`        |                    |
+|             |             | Username        | `objectstores.openproject.username`      | `openproject_user` |
+|             |             | Use IAM profile | `objectstores.openproject.useIAMProfile` |                    |
 
 ## Cache
 
@@ -81,3 +105,6 @@ service.
 | OpenProject      | OpenProject      | Memcached |           |                              |                  |
 |                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
 |                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
+| UMS              | Self Service     | Memcached |           |                              |                  |
+|                  |                  |           | Host      | `cache.umsSelfservice.host`  | `memcached`      |
+|                  |                  |           | Port      | `cache.umsSelfservice.port`  | `11211`          |

docs/security.md

@@ -10,6 +10,7 @@ This document should cover the current status of security measurements.
 <!-- TOC -->
   * [Helm Chart Trust Chain](#helm-chart-trust-chain)
   * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
+  * [NetworkPolicies](#networkpolicies)
 <!-- TOC -->
 
 ## Helm Chart Trust Chain
@@ -99,3 +100,22 @@ This list gives you an overview of default security settings and if they comply
 | UCC             | univention-corporate-container |        :x:         |                :x:                 |                                                                      :x:                                                                       |               :x:                 |               :x:               |          :x:          |     -     |     -      |    -    |
 | XWiki           | xwiki                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
 |                 | xwiki initContainers           |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   | 
+
+## NetworkPolicies
+
+Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
+When applied, they restrict the traffic to your services.
+This protects other deployments in your cluster or other services in your deployment to get compromised when one
+component is compromised.
+
+We ship a default set of Otterize ClientIntents via
+[Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
+(IBAC) into kubernetes native NetworkPolicies.
+
+This requires the Otterize intents operator to be installed.
+
+```yaml
+security:
+  otterizeIntents:
+    enabled: true
+```

helmfile/apps/cryptpad/values.yaml

@@ -22,6 +22,10 @@ enableEmbedding: true
 
 fullnameOverride: "cryptpad"
 
+ingress:
+  annotations:
+    nginx.org/websocket-services: "cryptpad"
+
 persistence:
   enabled: false
 

helmfile/apps/element/values-synapse.yaml

@@ -11,6 +11,16 @@ configuration:
         - "m.space.parent"
         - "net.nordeck.meetings.metadata"
         - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
 
   homeserver:
     guestModule:

helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl

@@ -27,4 +27,8 @@ image:
 
 resources:
   {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
+
+additionalAnnotations:
+  annotations:
+    intents.otterize.com/service-name: "keycloak-bootstrap"
 ...

helmfile/apps/nextcloud/helmfile.yaml

@@ -33,7 +33,7 @@ releases:
   # dependencyType=vendor
   - name: "opendesk-nextcloud-bootstrap"
     chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
-    version: "3.2.4"
+    version: "3.2.6"
     wait: true
     waitForJobs: true
     values:

helmfile/apps/openproject/helmfile.yaml

@@ -12,6 +12,8 @@ repositories:
     url: >-
       {{ env "PRIVATE_CHART_REPOSITORY_URL" |
          default "https://charts.openproject.org" }}
+    verify: true
+    keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
 
 releases:
   # renovate:
@@ -21,7 +23,7 @@ releases:
   # dependencyType=vendor
   - name: "openproject"
     chart: "openproject-repo/openproject"
-    version: "2.4.0"
+    version: "2.6.2"
     wait: true
     waitForJobs: true
     values:

helmfile/apps/openproject/values.gotmpl

@@ -77,9 +77,17 @@ environment:
   OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
-  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
+  {{ if ne .Values.objectstores.openproject.backend "aws" }}
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
+  {{ end }}
+  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
+  OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
+  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 
 replicaCount: {{ .Values.replicas.openproject }}
 

helmfile/apps/openproject/values.yaml

@@ -75,11 +75,12 @@ environment:
   OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
   # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
   OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
-  OPENPROJECT_FOG_DIRECTORY: "openproject"
-  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
   OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
-  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
   # Define an admin mapping from the claim
   # The attribute mapping cannot currently be defined in the value
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
+
+seederJob:
+  annotations:
+    intents.otterize.com/service-name: "openproject-seeder"
 ...

helmfile/apps/services/helmfile.yaml

@@ -6,6 +6,17 @@ bases:
 
 ---
 repositories:
+  # openDesk Otterize
+  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
+  - name: "opendesk-otterize-repo"
+    oci: true
+    # yamllint disable rule:line-length
+    url: >-
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-otterize" }}
+    # yamllint enable rule:line-length
+    verify: true
+    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
   - name: "opendesk-certificates-repo"
@@ -40,7 +51,7 @@ repositories:
   - name: "postfix-repo"
     oci: true
     url: >-
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
          default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
     verify: true
     keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -75,6 +86,17 @@ repositories:
 releases:
   # renovate:
   # registryUrl=https://registry.souvap-univention.de
+  # packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
+  # dataSource=docker
+  # dependencyType=service
+  - name: "opendesk-otterize"
+    chart: "opendesk-otterize-repo/opendesk-otterize"
+    version: "1.1.3"
+    values:
+      - "values-otterize.gotmpl"
+    installed: {{ .Values.security.otterizeIntents.enabled }}
+  # renovate:
+  # registryUrl=https://registry.souvap-univention.de
   # packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
   # dataSource=docker
   # dependencyType=service

helmfile/apps/services/values-otterize.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+apps:
+  clamavDistributed:
+    enabled: {{ .Values.clamavDistributed.enabled }}
+  clamavSimple:
+    enabled: {{ .Values.clamavSimple.enabled }}
+  collabora:
+    enabled: {{ .Values.collabora.enabled }}
+  cryptpad:
+    enabled: {{ .Values.cryptpad.enabled }}
+  dovecot:
+    enabled: {{ .Values.dovecot.enabled }}
+  element:
+    enabled: {{ .Values.element.enabled }}
+  intercom:
+    enabled: {{ .Values.intercom.enabled }}
+  jitsi:
+    enabled: {{ .Values.jitsi.enabled }}
+  keycloak:
+    enabled: {{ .Values.keycloak.enabled }}
+  mariadb:
+    enabled: {{ .Values.mariadb.enabled }}
+  memcached:
+    enabled: {{ .Values.memcached.enabled }}
+  minio:
+    enabled: {{ .Values.minio.enabled }}
+  nextcloud:
+    enabled: {{ .Values.nextcloud.enabled }}
+  openproject:
+    enabled: {{ .Values.openproject.enabled }}
+  oxAppsuite:
+    enabled: {{ .Values.oxAppsuite.enabled }}
+  oxConnector:
+    enabled: {{ .Values.oxConnector.enabled }}
+  postfix:
+    enabled: {{ .Values.postfix.enabled }}
+  postgresql:
+    enabled: {{ .Values.postgresql.enabled }}
+  redis:
+    enabled: {{ .Values.redis.enabled }}
+  univentionCorporateServer:
+    enabled: {{ .Values.univentionCorporateServer.enabled }}
+  univentionManagementStack:
+    enabled: {{ .Values.univentionManagementStack.enabled }}
+  xwiki:
+    enabled: {{ .Values.xwiki.enabled }}
+
+extraApps:
+  clusterPostfix:
+    enabled: {{ .Values.security.clusterPostfix.enabled }}
+    namespace: {{ .Values.security.clusterPostfix.namespace }}
+...

helmfile/apps/services/values-postfix.gotmpl

@@ -24,7 +24,7 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: {{ printf "[%s]:[%d]" .Values.smtp.host .Values.smtp.port | quote }}
+  relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
   relayNets: {{ .Values.cluster.networking.cidr | quote}}
   virtualTransport: "lmtps:dovecot:24"
   smtpdSASLPath: "inet:dovecot:3659"

helmfile/apps/services/values-postgresql.gotmpl

@@ -24,7 +24,9 @@ job:
     - username: "matrix_user"
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
     - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
+      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+    - username: "selfservice_user"
+      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
   databases:
     - name: "keycloak"
       user: "keycloak_user"
@@ -37,6 +39,8 @@ job:
       additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
     - name: "notificationsapi"
       user: "notificationsapi_user"
+    - name: "selfservice"
+      user: "selfservice_user"
 
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -42,7 +42,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-store-dav"
     chart: "ums-repo/store-dav"
-    version: "0.5.2"
+    version: "0.7.0"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -101,7 +101,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-stack-data-ums"
     chart: "ums-repo/stack-data-ums"
-    version: "0.36.0"
+    version: "0.38.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -116,7 +116,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-stack-data-swp"
     chart: "ums-repo/stack-data-swp"
-    version: "0.36.0"
+    version: "0.38.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -131,7 +131,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-portal-server"
     chart: "ums-repo/portal-server"
-    version: "0.5.0"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -146,7 +146,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-notifications-api"
     chart: "ums-repo/notifications-api"
-    version: "0.5.0"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -161,7 +161,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-portal-listener"
     chart: "ums-repo/portal-listener"
-    version: "0.5.0"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"
@@ -176,7 +176,7 @@ releases:
   # dependencyType=vendor
   - name: "ums-portal-frontend"
     chart: "ums-repo/portal-frontend"
-    version: "0.5.0"
+    version: "0.6.1"
     values:
       - "values-common.gotmpl"
       - "values-common.yaml"

helmfile/apps/univention-management-stack/values-notifications-api.gotmpl

@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
 postgresql:
   bundled: false
   connection:
-    host: {{ .Values.databases.notificationsApi.host | quote }}
-    port: {{ .Values.databases.notificationsApi.port | quote }}
+    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
   auth:
-    username: {{ .Values.databases.notificationsApi.username | quote }}
-    database: {{ .Values.databases.notificationsApi.name | quote }}
-    password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
+    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 
 image:
   registry: {{ .Values.global.imageRegistry }}

helmfile/apps/univention-management-stack/values-portal-listener.gotmpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 portalListener:
   adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
   assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data/" | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
 
   ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
   ldapHost: {{ .Values.ldap.host | quote }}

helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl

@@ -31,6 +31,9 @@ stackDataContext:
   userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
   adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
 
+  userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
+  adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
+
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsDataLoader.repository | quote }}

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml

@@ -11,4 +11,6 @@ stackDataContext:
   oxDefaultContext: "10"
   smtpStartTls: true
 
+additionalAnnotations:
+  intents.otterize.com/service-name: "ums-stack-data-swp"
 ...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml

@@ -12,4 +12,6 @@ stackDataContext:
   # The openDesk configuration brings its own UMC policies.
   installUmcPolicies: false
 
+additionalAnnotations:
+  intents.otterize.com/service-name: "ums-stack-data-ums"
 ...

helmfile/apps/univention-management-stack/values-umc-server.gotmpl

@@ -11,6 +11,19 @@ umcServer:
 
   smtpSecret: {{ .Values.smtp.password | quote }}
 
+postgresql:
+  connection:
+    host: {{ .Values.databases.umsSelfservice.host | quote }}
+    port: {{ .Values.databases.umsSelfservice.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsSelfservice.username | quote }}
+    database: {{ .Values.databases.umsSelfservice.name | quote }}
+    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+
+memcached:
+  server: {{ .Values.cache.umsSelfservice.host | quote }}
+
 image:
   registry: {{ .Values.global.imageRegistry | quote }}
   repository: {{ .Values.images.umsUmcServer.repository | quote }}

helmfile/apps/univention-management-stack/values-umc-server.yaml

@@ -43,11 +43,12 @@ extraVolumeMounts:
     mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
     subPath: "udm-portals-announcement.xml"
 
+postgresql:
+  bundled: false
+
 memcached:
   bundled: false
-  server: "memcached"
   auth:
     username: null
     password: null
-
 ...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl

@@ -10,3 +10,4 @@ ingress:
     - hosts:
         - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
       secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml

@@ -7,6 +7,8 @@ ingress:
 service:
   type: "ClusterIP"
 
+fullnameOverride: "ums-stack-gateway"
+
 # The content of the "serverBlock" does resemble the Ingress configuration of
 # the UMS components. The "location" entries do intentionally reflect precisely
 # the respective paths which are configured.
@@ -15,7 +17,8 @@ serverBlock: |
     listen 8080;
 
     ## portal-frontend
-    # The frontend does not own "/univention/portal", only these two bits
+    # The frontend does not own "/univention/portal" nor
+    # "/univention/selfservice", only these two bits
     location = /univention/portal/ {
       rewrite ^/univention/portal(/.*)$ $1 break;
       proxy_pass http://ums-portal-frontend:80/;
@@ -24,6 +27,10 @@ serverBlock: |
       rewrite ^/univention/portal(/.*)$ $1 break;
       proxy_pass http://ums-portal-frontend:80/;
     }
+    location = /univention/selfservice/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80/;
+    }
 
     # The following prefixes are owned by the frontend
     location /univention/portal/css/ {
@@ -50,6 +57,30 @@ serverBlock: |
       rewrite ^/univention/portal(/.*)$ $1 break;
       proxy_pass http://ums-portal-frontend:80;
     }
+    location /univention/selfservice/css/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/fonts/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/i18n/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/media/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/js/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
+    location /univention/selfservice/oidc/ {
+      rewrite ^/univention/selfservice(/.*)$ $1 break;
+      proxy_pass http://ums-portal-frontend:80;
+    }
 
 
     ## frontend redirects
@@ -69,12 +100,19 @@ serverBlock: |
        absolute_redirect off;
        return 302 /univention/portal/;
     }
+    location = /univention/selfservice {
+       absolute_redirect off;
+       return 302 /univention/selfservice/;
+    }
 
 
     ## portal-server
     location = /univention/portal/portal.json {
       proxy_pass http://ums-portal-server:80;
     }
+    location = /univention/selfservice/portal.json {
+      proxy_pass http://ums-portal-server:80;
+    }
     location = /univention/portal/navigation.json {
       proxy_pass http://ums-portal-server:80;
     }
@@ -89,6 +127,14 @@ serverBlock: |
       rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
       proxy_pass http://ums-store-dav:80;
     }
+    location /univention/selfservice/icons/entries/ {
+      rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
+    location /univention/selfservice/icons/logos/ {
+      rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
+      proxy_pass http://ums-store-dav:80;
+    }
 
 
     ## udm-rest-api
@@ -128,27 +174,27 @@ serverBlock: |
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/logout/ {
+    location /univention/logout {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/saml/ {
+    location /univention/saml {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/get/ {
+    location /univention/get {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/set/ {
+    location /univention/set {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/command/ {
+    location /univention/command {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }
-    location /univention/upload/ {
+    location /univention/upload {
       rewrite ^/univention(/.*)$ $1 break;
       proxy_pass http://ums-umc-server:80;
     }

helmfile/environments/default/cache.yaml

@@ -13,4 +13,7 @@ cache:
   openproject:
     host: "memcached"
     port: 11211
+  umsSelfservice:
+    host: "memcached"
+    port: 11211
 ...

helmfile/environments/default/database.yaml

@@ -19,12 +19,6 @@ databases:
     host: "mariadb"
     username: "nextcloud_user"
     password: ""
-  notificationsApi:
-    name: "notificationsapi"
-    host: "postgresql"
-    port: 5432
-    username: "notificationsapi_user"
-    password: ""
   openproject:
     name: "openproject"
     host: "postgresql"
@@ -42,6 +36,18 @@ databases:
     username: "matrix_user"
     password: ""
     port: 5432
+  umsNotificationsApi:
+    name: "notificationsapi"
+    host: "postgresql"
+    port: 5432
+    username: "notificationsapi_user"
+    password: ""
+  umsSelfservice:
+    name: "selfservice"
+    host: "postgresql"
+    port: 5432
+    username: "selfservice_user"
+    password: ""
   xwiki:
     name: "xwiki"
     host: "mariadb"

helmfile/environments/default/images.yaml

@@ -205,7 +205,7 @@ images:
     # registryUrl=https://docker.io
     # dependencyType=vendor
     repository: "nextcloud"
-    tag: "27.1.3-apache@sha256:ec46e99164ee7fa5d49e84784833e022be47f9f54f401bcb5a2d789f8c0bc149"
+    tag: "27.1.4-apache@sha256:bd277bec9a8cf7cc009865e15410c05e0f66ccb6269ed96841cc95dd37c214fe"
     # @supplier: "Nextcloud Community"
   nextcloudExporter:
     # renovate:
@@ -219,7 +219,7 @@ images:
     # registryUrl=https://docker.io
     # dependencyType=vendor
     repository: "openproject/open_desk"
-    tag: "dev@sha256:3c9d110c0221621530a431b5899ba16956db8253f491a55a220ec642473cb61f"
+    tag: "release-13.1@sha256:1dc528de7e38d9c461188e53b2153b1a5ede374f83dde7b32d9c7c057c802178"
     # @supplier: "OpenProject"
   openprojectInitDb:
     # renovate:
@@ -396,7 +396,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "0.5.2@sha256:c8627e0b73ee1d92f74d2ae8b06e4593ac93b6bbde55d56d0497f3510912924c"
+    tag: "0.7.0@sha256:8ffa8ce61fc55f67cdf740b3cd30e21d979506a1796028f5c6329da344b2e5db"
     # @supplier: "Univention"
   umsDataLoader:
     # renovate:
@@ -404,7 +404,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/data-loader"
-    tag: "0.36.0@sha256:045e0e524cbdc93e174ce803a12e67dbb341211f3abbc0029200ee638a0a1eb7"
+    tag: "0.38.1@sha256:cef20b0224571eeda29f19e78340ab7d943e46b02275f9b9497605357be70e61"
     # @supplier: "Univention"
   umsLdapNotifier:
     # renovate:
@@ -428,7 +428,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "0.5.2@sha256:192f0ebb77ec6191d1df1edb2427739c4a69a3733c7d423f55045db5b9209c64"
+    tag: "0.6.1@sha256:bdf0c5ba8b15c2e7f4daaf470254b13837bdc5fbaa98d9f441f33abd565acfc3"
     # @supplier: "Univention"
   umsPortalListener:
     # renovate:
@@ -436,7 +436,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "0.5.2@sha256:a1834a98cf4f4686a74077cb6c2b094429a49875d05801745de7ee13eee38a07"
+    tag: "0.6.1@sha256:c418be054dfb2c6fe0e2e8870553c3b27269ae77b88a59cd6d790201cf7c3d17"
     # @supplier: "Univention"
   umsPortalFrontend:
     # renovate:
@@ -444,7 +444,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "0.5.2@sha256:aca1d481e23cbba7a33d5f261be6196690a6b7f1e593f7ff96fc6f22edab2c6b"
+    tag: "0.6.1@sha256:0a4dc8ed47fd86eedd7bfd826b4538564194fe951000cff016eaa271382ed822"
     # @supplier: "Univention"
   umsPortalServer:
     # renovate:
@@ -452,7 +452,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/portal-server"
-    tag: "0.5.2@sha256:ed982e41ac5b0b81946272acf00f76463901da4f4b3ad50282ec4c73fd4b5833"
+    tag: "0.6.1@sha256:dd9431c8a82e6fca89ef871de90947db2f594a349d634f0b1aa9669d0b3d5715"
     # @supplier: "Univention"
   umsWaitForDependency:
     # renovate:
@@ -460,7 +460,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "0.5.0@sha256:78cfcc52b81f620374c4b827f0055be5339a7dd469d9b8df67e3bed547abd6bc"
+    tag: "0.6.1@sha256:e83fe2d7535167d1d1effe443fca0be431aa551ab31f172a84073b7d9ffec54b"
     # @supplier: "Univention"
   umsStoreDav:
     # renovate:
@@ -468,7 +468,7 @@ images:
     # dependencyType=vendor
     # This is a preview and not part of the standard deployment.
     repository: "souvap/tooling/images/univention/store-dav"
-    tag: "0.5.2@sha256:1bc01b883a5ccd2612925e123da10f9d216389701d743f1cea4050633770639f"
+    tag: "0.7.0@sha256:732b0d2fdf320209de04403753d3bc80f9c73a46b237202a95305a332805f305"
     # @supplier: "Univention"
   umsUdmRestApi:
     # renovate:

helmfile/environments/default/objectstore.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+objectstores:
+  openproject:
+    backend: "minio"
+    bucket: "openproject"
+    endpoint: ""
+    provider: "AWS"
+    region: ""
+    secret: ""
+    username: "openproject_user"
+    useIAMProfile: ""
+...

helmfile/environments/default/secrets.gotmpl

@@ -38,7 +38,8 @@ secrets:
     keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
     matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
     openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
-    notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
   mariadb:
     rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
     xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}

helmfile/environments/default/security.yaml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+security:
+  otterizeIntents:
+    enabled: false
+  clusterPostfix:
+    enabled: false
+    namespace: ""
+...

helmfile/files/gpg-pubkeys/openproject-com.gpg

@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGVSG3cBEACftfIFs1EO29wSL9kNN057w6S8qSKNRI6DNrGkgYxB/C3JsdTH
+iNtpv1g1pBbze6Efz/SxaeQ43eqEPkqa9nHBE8ypSWBEzu0EzrDt5bhjpvL4yK1A
+14T6A7cYm6Qtu+AvMDaJ6UVp1JS+1h4o52zmSvup0bD1xoUnpuhPa7WE0XQOgl3v
+2X/YBSrQpVV6hwoTWuag9z4qyfsyP/jzTrYtw8e39ff1Fm7jUeKEvmoOuxdH/fD7
+hGPDcpvDq+5uTXAlWPEMtCoN3uFRqg9BybeKo4VMzFhim334i8x+8vp3kQyT7xi8
+b72UluDPQur9zwv1T+knQw5T33nP3xqc8BAWo7fy7Co+x7snwprzTWyDq8kIJxyA
+l3jg/4WNUEdoJkesPtcQUl2lWIP62UZAwIINfOtjzJP7pNNnZrW21Bs/xwPB6lo/
+TyeLEYQcx6SZH1rPTCE3TlGfXSGI/UpAlMbmxPf4LxcE9J8d4ixUtTxGeMftWceb
+enn9SX15DIyHC1uO4E0QfUCtwmBTnfOiG7U042zRFD8fZhegq2ZuAxPDvON8sFEC
+v1y8YlR/j9IYFtgRCsaCuqMlE9VIQSADWHsKTr7l+W4ne5kDzIClzlh+kV0ViJLt
+SpzGlddHo5GViHmgDeOikRbAji5+jACqh6d5boNWGvflSFQX8FFyOW5rkQARAQAB
+tGxPcGVuUHJvamVjdCBPcGVyYXRpb25zIFRlYW0gKE9wZW5Qcm9qZWN0IE9wZXJh
+dGlvbnMgRGVwbG95bWVudCBhbmQgU2lnbmluZyBrZXkpIDxvcGVyYXRpb25zQG9w
+ZW5wcm9qZWN0LmNvbT6JAk4EEwEIADgWIQTLHKBIinW3Rx6hsIfPVt1qCuJg5QUC
+ZVIbdwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDPVt1qCuJg5fwwD/wO
+hTZtfSTmWs+/lgspHtfd+FADCn4yq8eCwEWgtG1YCGjyU0yffAsOaDYaeQtujLk4
+GYIZypugM9BkclZNhtSRWDQhq0kH9bZLTbD5HqZjaVw8zje3SnmqlrKNXt4R4Emp
+EHhiQMlJDbjHdTHQQ3xoUqPSwhvW5icFkKO0TdM/DbF7X9CRUBo8Lp2oL6Bfd3Ji
+TvlLiVVQ3xPPLkH8zN83VsdgYl3oy1TfyOQTLfh3Ws+osf748WQDHbipmuo/dnXs
+8McNixeHuUaOUK78eSXMcEAesbweHG6hQcpfyMcHdB1Q/2eoqUGpTvvLLQ+ChOmJ
+rNNiZAUC8GpD2dxVtODr81vSS7FJNQfXIC4pOJGPXqoZBXajuD95zbRQUO/ndG4i
+CETkkcSY1m7BAbPV1uWDOpnMhxG+lzoVraQjKkXJQByakRnTyQWeZW96iLp/2E3H
+vYJ54wfw1DdpnaB8c/x4izwODjTQpMVDXzJ6I/snL5Yd/GJJplDqz4d031dbcwHR
+eHPUKerI8WLjj6+MF1j34gsd9pvWGPoR69RaYDrA3Hnq+DJL4omMpr7GrSr2KJ8N
+/RmYP4Y4dJ5N0sNuEt096AHx1aAduYGnQv67M4d6v9E7ZqugfifTvF4Aq68Vp4Pv
+eOgG5oVLLZU/h7EO6t7uHJgWw+ozJq/nTVb698nK2rkCDQRlUht3ARAAuvNrUSAA
+8Dqzi98RRhQ52KUGzub9OKZ/VfsaD1AINiG0CNYNXgUcCzWqXIs+wXRfyziS+x8G
+WGkqN4MCPe6k3KYuKw94t//aZZ8T1iN8QyjMCfn5VGnwq36rXLcmfvlec5r6opZe
+I0I+SzSbR2gXNWbU4on4fCVP8ZJc8luNC+mD0qUqP9KGJA6moCbc4eDwKi3sdyh7
+4wNdDNq0WbTPFoxuJUAlcZjrJhwgjMe+tvRTVyJl3Yi8hth83R8PKic8S84lDZxR
+KTydu7zl2yFTBi+3jQS+UUIze2Gdfj4Mh5ClLQj55bIPOzHxSAakITo5RNzmiQTV
+pVGTrO2XYiygO6XgvLOhsumO37nsXOR0zPldbXUrLTY1J4srcn9MB1UikWLGqKqj
+fgdhyv/I9t3ARBMmj8VASOBjgKN4juNir+AAm1lg/5NZf1YGVTsCVRhwF56kQLyl
+D3TXkIJPnWvNminknvgpPMzWmR+alh2+Fh16FC53zfXHp5d2Ggk6gcWh2bvD87AQ
+avNiQtEGv84qEEAqAyiy03OFWeYnxh2BC+J/XWsvP8ZlCSICtEqOnNCqErabB1na
+0Lb6gOmxuY4Mk4N+TK+975iYDYmAH0o7Z58x/YAfUpSWqrx4C6Jz/F6GYtV2cl9B
+v3FyU0230LrMssb9XDsP6YU7SoJDaonWNPMAEQEAAYkCNgQYAQgAIBYhBMscoEiK
+dbdHHqGwh89W3WoK4mDlBQJlUht3AhsMAAoJEM9W3WoK4mDlrVcP/ind6InjSM61
+E3CUCrS0ahZgYGZL2lPJopnPzvB662IUWMjG8f5rfDoOweI9WiWoJkkg5XvVvt2V
+RkMoG3FIpGzh760olcNhhIKxgU2IRl2a+uo8QMXakgFFdN+X7uHgro1uu0ftzas4
+YFyQyBDJYobCZlHlGiF1b/z7JDpY2zQWqBR8bNXlphtDIC6pk5haaJdy8WDG3Yns
+JT0R74S1xTIKXjU5YK3QE1kulMJFDB+b+c9RkqVsAmuOZyPqfU7I+KlemuxKgZgI
+5rzoFzkDVcWmaozogOLOM2VSSBiTXxIhHYK9uPYuCttIF4biRjWzaVvfTJjf+KPn
+6oq0+u7vLfWRomMa+y4na5vrcVifivPNqQphPVU6F6v3f3GK4FpbrQmXli2L5rUL
+lIDiKDTUtoHP/BnOvz2zXHEY7hfWh4xrEskMXhIiJNIr+UmG/PSjbY/rbPFA1o5b
+Ln/i8y2UMmSRGvK5i2n9OhaLkMUiL0qLyRnzPXk+2cjvNdp2q1spiz107EigHqKq
+UXUdRUNX7RtW3gAZRrMple6AHTrQhZhdO2uksMg4YaP/KjKx/GqFty1qwSPF4Zum
+gfslJ6EB53uJJt9awcGFdFLHHci5ClEH9aGrboWlhx0erFKEcfjCnh8dAA/1UQ0R
+Ecu2CcmkBOHGAnMirYCSEZqu9Uz+9g7P
+=nG7D
+-----END PGP PUBLIC KEY BLOCK-----

helmfile/files/gpg-pubkeys/openproject-com.gpg.license

@@ -0,0 +1,2 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0