chore(release): 0.5.70 [skip ci]

## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14) ### Bug Fixes * **univention-management-stack:** Remove UCS container monolith and make UMS standard IAM ([450c434](450c434ed0))
fix(univention-management-stack): Remove UCS container monolith and make UMS standard IAM
2025-12-08 16:28:36 +01:00 · 2023-12-14 07:12:00 +00:00 · 2023-12-14 07:10:12 +00:00 · 2023-12-12 21:01:26 +00:00 · 2023-12-12 19:31:27 +00:00 · 2023-12-11 18:01:31 +00:00
82 changed files with 2410 additions and 921 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -56,14 +56,11 @@ variables:
    options:
      - "yes"
      - "no"
-  DEPLOY_UCS:
+  DEPLOY_UMS:
-    description: >-
+    description: "Enable Univention Management Stack deployment."
      Enable Univention Corporate Server deployment.
      "ums-eval" does deploy the Univention Management Stack instead of the UCS container.
    value: "no"
    options:
      - "yes"
      - "ums-eval"
      - "no"
  DEPLOY_PROVISIONING:
    description: "Enable Provisioning Components."
@@ -154,7 +151,8 @@ variables:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "registry.souvap-univention.de/souvap/tooling/images/helm:latest"
+  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -233,18 +231,6 @@ services-deploy:
  variables:
    COMPONENT: "services"
 ucs-deploy:
  stage: "component-deploy-stage-1"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS == "yes")
      when: "always"
  variables:
    COMPONENT: "univention-corporate-container"
 provisioning-deploy:
  stage: "component-deploy-stage-2"
  extends: ".deploy-common"
@@ -252,7 +238,7 @@ provisioning-deploy:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
-          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UCS != "no" || $DEPLOY_PROVISIONING != "no")
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
      when: "always"
  variables:
    COMPONENT: "provisioning"
@@ -264,7 +250,7 @@ ums-deploy:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
-          $DEPLOY_UCS == "ums-eval"
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
      when: "always"
  variables:
    COMPONENT: "univention-management-stack"
@@ -434,6 +420,19 @@ env-stop:
  variables:
    GIT_STRATEGY: "none"
 .ums-default-password: &ums-default-password
  - |
    UMS_PASSWORDS=$( \
      kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
      | yq '.properties.password' > passwords.txt \
    )
    DEFAULT_USER_PASSWORD=$( \
      awk 'NR==1{print $1}' passwords.txt \
    )
    DEFAULT_ADMIN_PASSWORD=$(
      awk 'NR==3{print $1}' passwords.txt \
    )
 run-tests:
  extends: ".deploy-common"
  environment:
@@ -444,24 +443,8 @@ run-tests:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
      when: "always"
  script:
    - *ums-default-password
    - |
      UCS_CONTAINER_NAME=$( \
        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
          'app.kubernetes.io/instance=univention-corporate-container' \
        | grep Running \
        | awk '{print $1}' \
      )
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )
      curl --request POST \
      --header "Content-Type: application/json" \
      --data "{ \
@@ -483,7 +466,7 @@ run-tests:
          \"DEPLOY_OPENPROJECT\": \"${DEPLOY_OPENPROJECT}\", \
          \"DEPLOY_OX\": \"${DEPLOY_OX}\", \
          \"DEPLOY_SERVICES\": \"${DEPLOY_SERVICES}\", \
-          \"DEPLOY_UCS\": \"${DEPLOY_UCS}\", \
+          \"DEPLOY_UCS\": \"${DEPLOY_UMS}\", \
          \"DEPLOY_XWIKI\": \"${DEPLOY_XWIKI}\", \
          \"DEPLOY_PROVISIONING\": \"${DEPLOY_PROVISIONING}\" \
        } \
@@ -500,24 +483,8 @@ run-souvap-dev-tests:
        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
      when: "always"
  script:
    - *ums-default-password
    - |
      UCS_CONTAINER_NAME=$( \
        kubectl -n ${NAMESPACE} get pods --no-headers --selector \
          'app.kubernetes.io/instance=univention-corporate-container' \
        | grep Running \
        | awk '{print $1}' \
      )
      DEFAULT_USER_PASSWORD=$( \
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_USER_PASSWORD \
        | awk '{print $2}' \
      )
      DEFAULT_ADMIN_PASSWORD=$(
        kubectl -n ${NAMESPACE} describe pod ${UCS_CONTAINER_NAME} \
        | grep DEFAULT_ACCOUNT_ADMIN_PASSWORD \
        | awk '{print $2}' \
      )
      curl --request POST \
      --header "Content-Type: application/json" \
      --data "{ \
@@ -570,6 +537,14 @@ generate-release-assets:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
  tags: []
 conventional-commits-linter:
  rules:
    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
      when: "never"
    - when: "always"
 common-yaml-linter:
  rules:
    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -620,4 +595,6 @@ release:
      }
      EOF
    - "semantic-release"
  needs:
    - "generate-release-assets"
 ...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,108 @@
 ## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14)
 ### Bug Fixes
 * **univention-management-stack:** Remove UCS container monolith and make UMS standard IAM ([450c434](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/450c434ed08120ad0757d672dc269a78362e780d))
 ## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12)
 ### Bug Fixes
 * **univention-management-stack:** Functional replacement for UCS container monolith, still optional. ([ce38714](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/ce38714a81ea3b0e1377e6ea2d640fb65f317396))
 ## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11)
 ### Bug Fixes
 * **jitsi:** Disable IP Blacklist ([6a649cb](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a649cb7f0d04736ccabcd27c035ef6d051f6fd5))
 * **open-xchange:** Update to latest version ([db4bfa4](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db4bfa488401f10bad111ce03c20a60473c64837))
 ## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11)
 ### Bug Fixes
 * **services:** Use Charts from openCoDE registry ([cc0daa2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/cc0daa2a22837c00583038ffd9df7e669004e84e))
 ## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08)
 ### Bug Fixes
 * **element:** Update Element and Widgets ([6a26299](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6a26299a7507ae749ffcf25288d2cf5b24d220db))
 ## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08)
 ### Bug Fixes
 * **univention-management-stack:** Bump OX Connector ([83192b7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/83192b78345c62465e2979195d9a1c882ddbf0ea))
 ## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06)
 ### Bug Fixes
 * **openproject:** Switch to release container and set home url link ([e67ab8f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e67ab8f4304a525b50a3a723c86d1e610313c594))
 ## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06)
 ### Bug Fixes
 * **nextcloud:** Remove Talk folder ([0ea5856](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0ea585633b4bf72fe180ca744cc99d9e9f84998f))
 ## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06)
 ### Bug Fixes
 * **nextcloud:** Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([d04a603](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d04a60349dbbff2d64ca2b36b9c44b75526bf859))
 * **univention-management-stack:** Update optional UMS preview state ([94ae3da](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/94ae3da78bd79c61fd7a22db5a541d473eea6a2e))
 ## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05)
 ### Bug Fixes
 * **services:** Fix port declaration for Postfix ([bf5dcda](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bf5dcda3b59e1dc98cbee7e67f50a960d344b8e0))
 ## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05)
 ### Bug Fixes
 * **ci:** Ensure release creation with artifacts ([dc7ce0b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/dc7ce0bc4b9501b63274f68352e6d9e76b5424e8))
 ## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05)
 ### Bug Fixes
 * **helmfile:** Add configurable objectstore ([3b5493d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b5493d78dc027cd1f3206b26cf347dc6ce6e265))
 ## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01)
 ### Bug Fixes
 * **cryptpad:** Add websocket annotation ([c41643e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c41643ee3e5610ef27a63a0355804159030a7452))
 * **openproject:** Add seederJob intent ([05cc82d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/05cc82d7c5c5f93fb5de7df555a22e8e90279621))
 * **openproject:** Bump to 2.6.2 ([c8bc8b3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c8bc8b3172cfef3396379e3969dc087d67a228ee))
 * **services:** Add NetworkPolicy section to docs/security.md ([24812b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/24812b667cded720a0ac09b8b3eb89df39b02afb))
 * **services:** Add Otterize based security settings ([bec9a2d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bec9a2d46b2b563b7001ed8c6625c10111d5f151))
 * **univention-management-stack:** Add Otterize annotations for jobs ([2628a0e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2628a0e13e5957475ce81b12d4230400c9ffeafe))
 ## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01)
 ### Bug Fixes
 * **helmfile:** Using correct private registry for  postfix helm-chart ([d367739](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d367739248ed43b3bad6a00b059b2c949dde4cb7))
 ## [0.5.56](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.55...v0.5.56) (2023-11-30)
--- a/COMPONENTS-SERVICE.md
+++ b/COMPONENTS-SERVICE.md
@@ -37,7 +37,7 @@ This service is used by:
 - Nextcloud (e.g. share file notifictions)
 - Open-Xchange (emails)
 - OpenProject (general notifications)
- UCS (e.g. password reset emails)
+- UMS (e.g. password reset emails)
 - XWiki (e.g. change notifications)
 ## TURN Server
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -59,7 +59,7 @@ Valid commit scopes:
 - `openproject`
 - `provisioning`
 - `services`
- `univention-corporate-container`
+- `univention-management-stack`
 - `xwiki`
 ## Semantic Release
--- a/README.md
+++ b/README.md
@@ -48,7 +48,6 @@ While most components support upgrades, major configuration or component changes
 at the moment always installing from scratch.
 Components that are going to be replaced soon are:
 - the UCS dev container monolith will be substituted by multiple Univention Management Stack containers,
 - the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
 - Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
--- a/docs/external-services.md
+++ b/docs/external-services.md
@@ -9,6 +9,7 @@ This document will cover the additional configuration to use external services l
 <!-- TOC -->
  * [Database](#database)
  * [Objectstore](#objectstore)
  * [Cache](#cache)
 <!-- TOC -->
@@ -18,7 +19,7 @@ When deploying this suite to production, you need to configure the applications
 service.
 | Component   | Name               | Type       | Parameter | Key                                      | Default                    |
-|-------------|--------------------|------------|-----------|----------------------------------------|----------------------------|
+|-------------|--------------------|------------|-----------|------------------------------------------|----------------------------|
 | Element     | Synapse            | PostgreSQL |           |                                          |                            |
 |             |                    |            | Name      | `databases.synapse.name`                 | `matrix`                   |
 |             |                    |            | Host      | `databases.synapse.host`                 | `postgresql`               |
@@ -38,11 +39,17 @@ service.
 |             |                    |            | Username  | `databases.keycloakExtension.username`   | `keycloak_extensions_user` |
 |             |                    |            | Password  | `databases.keycloakExtension.password`   |                            |
 | UMS         | Notifications API  | PostgreSQL |           |                                          |                            |
-|             |                    |            | Name      | `databases.notificationsApi.name`      | `notificationsapi`         |
+|             |                    |            | Name      | `databases.umsNotificationsApi.name`     | `notificationsapi`         |
-|             |                    |            | Host      | `databases.notificationsApi.host`      | `postgresql`               |
+|             |                    |            | Host      | `databases.umsNotificationsApi.host`     | `postgresql`               |
-|             |                    |            | Port      | `databases.notificationsApi.port`      | `5432`                     |
+|             |                    |            | Port      | `databases.umsNotificationsApi.port`     | `5432`                     |
-|             |                    |            | Username  | `databases.notificationsApi.username`  | `notificationsapi_user`    |
+|             |                    |            | Username  | `databases.umsNotificationsApi.username` | `notificationsapi_user`    |
-|             |                    |            | Password  | `databases.notificationsApi.password`  |                            |
+|             |                    |            | Password  | `databases.umsNotificationsApi.password` |                            |
 |             | Self Service       | PostgreSQL |           |                                          |                            |
 |             |                    |            | Name      | `databases.umsSelfservice.name`          | `selfservice`              |
 |             |                    |            | Host      | `databases.umsSelfservice.host`          | `postgresql`               |
 |             |                    |            | Port      | `databases.umsSelfservice.port`          | `5432`                     |
 |             |                    |            | Username  | `databases.umsSelfservice.username`      | `selfservice_user`         |
 |             |                    |            | Password  | `databases.umsSelfservice.password`      |                            |
 | Nextcloud   | Nextcloud          | MariaDB    |           |                                          |                            |
 |             |                    |            | Name      | `databases.nextcloud.name`               | `nextcloud`                |
 |             |                    |            | Host      | `databases.nextcloud.host`               | `mariadb`                  |
@@ -65,6 +72,23 @@ service.
 |             |                    |            | Username  | `databases.xwiki.username`               | `xwiki_user`               |
 |             |                    |            | Password  | `databases.xwiki.password`               |                            |
 ## Objectstore
 When deploying this suite to production, you need to configure the applications to use your production grade objectstore
 service.
 | Component   | Name        | Parameter       | Key                                      | Default            |
 |-------------|-------------|-----------------|------------------------------------------|--------------------|
 | OpenProject | OpenProject |                 |                                          |                    |
 |             |             | Backend         | `objectstores.openproject.backend`       | `minio`            |
 |             |             | Bucket          | `objectstores.openproject.bucket`        | `openproject`      |
 |             |             | Endpoint        | `objectstores.openproject.endpoint`      |                    |
 |             |             | Provider        | `objectstores.openproject.provider`      | `AWS`              |
 |             |             | Region          | `objectstores.openproject.region`        |                    |
 |             |             | Secret          | `objectstores.openproject.secret`        |                    |
 |             |             | Username        | `objectstores.openproject.username`      | `openproject_user` |
 |             |             | Use IAM profile | `objectstores.openproject.useIAMProfile` |                    |
 ## Cache
 When deploying this suite to production, you need to configure the applications to use your production grade cache
@@ -81,3 +105,6 @@ service.
 | OpenProject      | OpenProject      | Memcached |           |                              |                  |
 |                  |                  |           | Host      | `cache.openproject.host`     | `memcached`      |
 |                  |                  |           | Port      | `cache.openproject.port`     | `11211`          |
 | UMS              | Self Service     | Memcached |           |                              |                  |
 |                  |                  |           | Host      | `cache.umsSelfservice.host`  | `memcached`      |
 |                  |                  |           | Port      | `cache.umsSelfservice.port`  | `11211`          |
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -12,7 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
  * [Customize environment](#customize-environment)
    * [Domain](#domain)
    * [Apps](#apps)
-    * [Private OCI registry](#private-oci-registry)
+    * [Private Image registry](#private-image-registry)
    * [Private Helm registry](#private-helm-registry)
    * [Cluster capabilities](#cluster-capabilities)
      * [Service](#service)
@@ -118,8 +118,7 @@ All available apps and their default value can be found in `helmfile/environment
 | Postfix                     | `postfix.enabled`                   | `true`  | MTA                            |
 | PostgreSQL                  | `postgresql.enabled`                | `true`  | Database                       |
 | Redis                       | `redis.enabled`                     | `true`  | Cache Database                 |
-| Univention Corporate Server | `univentionCorporateServer.enabled` | `true`  | Identity Management & Portal   |
+| Univention Management Stack | `univentionManagementStack.enabled` | `true`  | Identity Management & Portal   |
 | Univention Management Stack | `univentionManagementStack.enabled` | `false` | Identity Management & Portal   |
 | XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  |
 Exemplary, Jitsi can be disabled like:
@@ -129,9 +128,9 @@ jitsi:
  enabled: false
 ```
-### Private OCI registry
+### Private Image registry
-By default, all OCI artifacts are proxied via the project's container registry, which should get replaced soon by the
+By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
 OCI registries provided by Open CoDE.
 You also can set your own registry by:
@@ -156,12 +155,32 @@ global:
 ### Private Helm registry
-Some apps use Chart Museum style helm registries. You can use your own registry by setting this environment variable:
+Some apps use OCI style registry and some use Helm chart museum style registries.
 In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
 or version.
-```shell
+As an example, you can also use helmfile methods to use just a single environment variable to set registry and
-export PRIVATE_CHART_REPOSITORY_URL=charts.open.desk
+authentication for all OCI helm charts.
 ```yaml
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ```
 There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
 The following environment variables have to be exposed when using the example:
 | Environment variable                | Description                                                                                |
 |-------------------------------------|--------------------------------------------------------------------------------------------|
 | `OD_PRIVATE_HELM_OCI_REGISTRY`      | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de`     |
 | `OD_PRIVATE_HELM_HTTP_REGISTRY`     | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
 | `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username                                                                                   |
 | `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password                                                                                   |
 ### Cluster capabilities
 #### Service
@@ -349,7 +368,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
 https://portal.domain.tld
 ```
-If you change the subdomain of `univentionCorporateServer` or `univentionManagementStack`, you need to replace `portal`
+If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
 by your specified subdomain.
 **Credentials:**
@@ -358,20 +377,13 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace
-# Get UCS container, which contains passwords as env var.
+# Get credentials from ConfigMap
-CONTAINER=$(kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container -o jsonpath='{.items[0].metadata.name}')
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
-# $ kubectl -n ${NAMESPACE} get po -l app.kubernetes.io/name=univention-corporate-container
+  | yq '.properties.username,.properties.password'
-#
+# default.user
 # NAME                                              READY   STATUS    RESTARTS   AGE
 # univention-corporate-container-8665c6f8b7-nlhc6   1/1     Running   0          10m
 # Password of `default.user`
 kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_USER_PASSWORD")].value}'
 # 40615..............................e9e2f
-
+# ---
-# Password of `default.admin`
+# default.admin
 kubectl -n ${NAMESPACE} get po ${CONTAINER} -o=jsonpath='{.spec.containers[0].env[?(@.name=="DEFAULT_ACCOUNT_ADMIN_PASSWORD")].value}'
 # bdbbb..............................04db6
 ```
--- a/docs/security.md
+++ b/docs/security.md
@@ -10,6 +10,7 @@ This document should cover the current status of security measurements.
 <!-- TOC -->
  * [Helm Chart Trust Chain](#helm-chart-trust-chain)
  * [Kubernetes Security Enforcements](#kubernetes-security-enforcements)
  * [NetworkPolicies](#networkpolicies)
 <!-- TOC -->
 ## Helm Chart Trust Chain
@@ -36,12 +37,11 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The
 | opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
 | opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
 | opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
-| openproject-repo                     | no  |        :x:         |
+| openproject-repo                     | yes | :white_check_mark: |
 | openxchange-repo                     | yes |        :x:         |
 | ox-connector-repo                    | no  |        :x:         |
 | postfix-repo                         | yes | :white_check_mark: |
 | postgresql-repo                      | yes | :white_check_mark: |
 | univention-corporate-container-repo  | yes | :white_check_mark: |
 | ums-repo                             | no  |        :x:         |
 | xwiki-repo                           | no  |        :x:         |
@@ -51,7 +51,7 @@ This list gives you an overview of default security settings and if they comply
 | Component                   | Process                      |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|-----------------|--------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV                      | clamd                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | freshclam                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | icap                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
@@ -92,10 +92,40 @@ This list gives you an overview of default security settings and if they comply
 |                             | guard-ui                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | nextlcoud-integration-ui     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | public-sector-ui             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
-| OpenProject     | openproject                    |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| OpenProject                 | openproject                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 | Postfix                     | postfix                      |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL                  | postgresql                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Redis                       | redis                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
-| UCC             | univention-corporate-container |        :x:         |                :x:                 |                                                                      :x:                                                                       |               :x:                 |               :x:               |          :x:          |     -     |     -      |    -    |
+| Univention Management Stack | ldap-notifier                |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | ldap-server                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | notifications-api            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-frontend              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-listener              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-server                |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | selfservice-listener         |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | stack-gateway                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |                             | store-dav                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | udm-rest-api                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | umc-gateway                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | umc-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 | XWiki                       | xwiki                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | xwiki initContainers         |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   | 
 ## NetworkPolicies
 Kubernetes NetworkPolicies are an important measure to secure your kubernetes apps and clusters.
 When applied, they restrict the traffic to your services.
 This protects other deployments in your cluster or other services in your deployment to get compromised when one
 component is compromised.
 We ship a default set of Otterize ClientIntents via
 [Otterize intents operator](https://github.com/otterize/intents-operator) which translates intent-based access control
 (IBAC) into kubernetes native NetworkPolicies.
 This requires the Otterize intents operator to be installed.
 ```yaml
 security:
  otterizeIntents:
    enabled: true
 ```
--- a/examples/private-helm-registry.yaml.gotmpl
+++ b/examples/private-helm-registry.yaml.gotmpl
@@ -0,0 +1,261 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamav:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamavSimple:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  collabora:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  cryptpad:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  dovecot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  element:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  elementWellKnown:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  intercomService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  istioResources:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  jitsi:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  keycloak:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  keycloakBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  keycloakExtensions:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  keycloakTheme:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  mariadb:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeoboardWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeochoiseWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixBot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixUserVerificationService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  memcached:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  minio:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloud:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloudBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nginx:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openproject:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openprojectBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuite:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuiteBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  otterize:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  oxConnector:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postfix:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postgresql:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  redis:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapse:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseCreateAccount:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseWeb:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapNotifier:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsNotificationsApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalFrontend:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalListener:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataSwp:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataUms:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStoreDav:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUdmRestApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcGateway:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  xwiki:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ...
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -8,7 +8,6 @@ helmfiles:
  # Path to the helmfile state file being processed BEFORE releases in this state file
  - path: "helmfile/apps/services/helmfile.yaml"
  - path: "helmfile/apps/keycloak/helmfile.yaml"
  - path: "helmfile/apps/univention-corporate-container/helmfile.yaml"
  - path: "helmfile/apps/univention-management-stack/helmfile.yaml"
  - path: "helmfile/apps/keycloak-bootstrap/helmfile.yaml"
  - path: "helmfile/apps/intercom-service/helmfile.yaml"
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -3,25 +3,20 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # Collabora Online
  # Source: https://github.com/CollaboraOnline/online
  - name: "collabora-online-repo"
-    url: >-
+    username: {{ .Values.charts.collabora.username | quote }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    password: {{ .Values.charts.collabora.password | quote }}
-         default "https://collaboraonline.github.io/online" }}
+    oci: {{ .Values.charts.collabora.oci }}
    url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
 releases:
  # renovate:
  # registryUrl=https://collaboraonline.github.io/online
  # packageName=collabora-online
  # dataSource=helm
  # dependencyType=vendor
  - name: "collabora-online"
-    chart: "collabora-online-repo/collabora-online"
+    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
-    version: "1.0.2"
+    version: "{{ .Values.charts.collabora.version }}"
    values:
      - "values.yaml"
      - "values.gotmpl"
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -3,25 +3,20 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # CryptPad
  # Source: https://github.com/cryptpad/helm
-  - name: "cryptpad-online-repo"
+  - name: "cryptpad-repo"
-    url: >-
+    username: {{ .Values.charts.cryptpad.username | quote }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    password: {{ .Values.charts.cryptpad.password | quote }}
-         default "https://cryptpad.github.io/helm" }}
+    oci: {{ .Values.charts.cryptpad.oci }}
    url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 releases:
  # renovate:
  # registryUrl=https://cryptpad.github.io/helm
  # packageName=cryptpad
  # dataSource=helm
  # dependencyType=vendor
  - name: "cryptpad"
-    chart: "cryptpad-online-repo/cryptpad"
+    chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
-    version: "0.0.14"
+    version: "{{ .Values.charts.cryptpad.version }}"
    values:
      - "values.yaml"
      - "values.gotmpl"
--- a/helmfile/apps/cryptpad/values.yaml
+++ b/helmfile/apps/cryptpad/values.yaml
@@ -22,6 +22,10 @@ enableEmbedding: true
 fullnameOverride: "cryptpad"
 ingress:
  annotations:
    nginx.org/websocket-services: "cryptpad"
 persistence:
  enabled: false
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -7,177 +7,176 @@ bases:
 repositories:
  # openDesk Element
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/sovereign-workplace-element
-  - name: "opendesk-element-repo"
+  - name: "element-repo"
-    oci: true
+    oci: {{ .Values.charts.element.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.element.verify }}
    username: {{ .Values.charts.element.username | quote }}
    password: {{ .Values.charts.element.password | quote }}
    url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    oci: {{ .Values.charts.elementWellKnown.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ .Values.charts.elementWellKnown.username | quote }}
    password: {{ .Values.charts.elementWellKnown.password | quote }}
    url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    oci: {{ .Values.charts.synapseWeb.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ .Values.charts.synapseWeb.username | quote }}
    password: {{ .Values.charts.synapseWeb.password | quote }}
    url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    oci: {{ .Values.charts.synapse.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ .Values.charts.synapse.username | quote }}
    password: {{ .Values.charts.synapse.password | quote }}
    url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    oci: {{ .Values.charts.synapseCreateAccount.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ .Values.charts.synapseCreateAccount.username | quote }}
    password: {{ .Values.charts.synapseCreateAccount.password | quote }}
    url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/opendesk-matrix-widgets
-  - name: "opendesk-matrix-widgets-repo"
+  - name: "matrix-user-verification-service-repo"
-    oci: true
+    oci: {{ .Values.charts.matrixUserVerificationService.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
    username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
    password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
    url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
    password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
    url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
    password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
    url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-element
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-element"
-    chart: "opendesk-element-repo/opendesk-element"
+    chart: "element-repo/{{ .Values.charts.element.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.element.version }}"
    values:
      - "values-element.yaml"
      - "values-element.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-well-known
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-well-known"
-    chart: "opendesk-element-repo/opendesk-well-known"
+    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
      - "values-well-known.yaml"
      - "values-well-known.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-web
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-synapse-web"
-    chart: "opendesk-element-repo/opendesk-synapse-web"
+    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
      - "values-synapse-web.yaml"
      - "values-synapse-web.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-synapse"
-    chart: "opendesk-element-repo/opendesk-synapse"
+    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.synapse.version }}"
    values:
      - "values-synapse.yaml"
      - "values-synapse.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-matrix-user-verification-service-bootstrap"
-    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-user-verification-service-bootstrap.yaml"
      - "values-matrix-user-verification-service-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-matrix-user-verification-service
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-matrix-user-verification-service"
-    chart: "opendesk-element-repo/opendesk-matrix-user-verification-service"
+    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
      - "values-matrix-user-verification-service.yaml"
      - "values-matrix-user-verification-service.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neoboard-widget
  # dataSource=docker
  # dependencyType=vendor
  - name: "matrix-neoboard-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neoboard-widget"
+    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
      - "values-matrix-neoboard-widget.yaml"
      - "values-matrix-neoboard-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neochoice-widget
  # dataSource=docker
  # dependencyType=vendor
  - name: "matrix-neochoice-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neochoice-widget"
+    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
      - "values-matrix-neochoice-widget.yaml"
      - "values-matrix-neochoice-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-widget
  # dataSource=docker
  # dependencyType=vendor
  - name: "matrix-neodatefix-widget"
-    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-widget"
+    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
      - "values-matrix-neodatefix-widget.yaml"
      - "values-matrix-neodatefix-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
  # dataSource=docker
  # dependencyType=vendor
  - name: "matrix-neodatefix-bot-bootstrap"
-    chart: "opendesk-element-repo/opendesk-synapse-create-account"
+    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
-    version: "2.5.1"
+    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
      - "values-matrix-neodatefix-bot-bootstrap.yaml"
      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-bot
  # dataSource=docker
  # dependencyType=vendor
  - name: "matrix-neodatefix-bot"
-    chart: "opendesk-matrix-widgets-repo/matrix-neodatefix-bot"
+    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
-    version: "3.2.0"
+    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
      - "values-matrix-neodatefix-bot.yaml"
      - "values-matrix-neodatefix-bot.gotmpl"
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -13,15 +13,15 @@ global:
 configuration:
  additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    "net.nordeck.element_web.module.opendesk":
      config:
        banner:
          ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
          ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
-          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-          portal_url: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/"
+          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
        custom_css_variables:
          --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}
        widget_types:
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml
@@ -22,6 +22,8 @@ extraEnvVars:
      secretKeyRef:
        name: "opendesk-matrix-user-verification-service-account"
        key: "access_token"
  - name: "UVS_DISABLE_IP_BLACKLIST"
    value: "true"
 podSecurityContext:
  enabled: true
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -3,28 +3,22 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
-    oci: true
+    oci: {{ .Values.charts.intercomService.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/intercom-service" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
    username: {{ .Values.charts.intercomService.username | quote }}
    password: {{ .Values.charts.intercomService.password | quote }}
    url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/intercom-service/intercom-service
  # dataSource=docker
  # dependencyType=vendor
  - name: "intercom-service"
-    chart: "intercom-service-repo/intercom-service"
+    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
-    version: "2.0.1"
+    version: "{{ .Values.charts.intercomService.version }}"
    values:
      - "values.yaml"
      - "values.gotmpl"
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -3,28 +3,22 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Jitsi
  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-jitsi
  - name: "jitsi-repo"
-    oci: true
+    oci: {{ .Values.charts.jitsi.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.jitsi.verify }}
    username: {{ .Values.charts.jitsi.username | quote }}
    password: {{ .Values.charts.jitsi.password | quote }}
    url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-jitsi/sovereign-workplace-jitsi
  # dataSource=docker
  # dependencyType=vendor
  - name: "jitsi"
-    chart: "jitsi-repo/sovereign-workplace-jitsi"
+    chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
-    version: "1.7.1"
+    version: "{{ .Values.charts.jitsi.version }}"
    values:
      - "values-jitsi.gotmpl"
    installed: {{ .Values.jitsi.enabled }}
--- a/helmfile/apps/jitsi/values-jitsi.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.gotmpl
@@ -60,7 +60,7 @@ jitsi:
      - name: "AUTH_TYPE"
        value: "hybrid_matrix_token"
      - name: "JWT_APP_ID"
-        value: "myappid"
+        value: "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
      - name: "JWT_APP_SECRET"
        value: {{ .Values.secrets.jitsi.jwtAppSecret | quote }}
      - name: "MATRIX_UVS_SYNC_POWER_LEVELS"
--- a/helmfile/apps/keycloak-bootstrap/helmfile.yaml
+++ b/helmfile/apps/keycloak-bootstrap/helmfile.yaml
@@ -3,30 +3,22 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Keycloak Bootstrap
  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-keycloak-bootstrap
  - name: "opendesk-keycloak-bootstrap-repo"
-    oci: true
+    oci: {{ .Values.charts.keycloakBootstrap.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.keycloakBootstrap.verify }}
    username: {{ .Values.charts.keycloakBootstrap.username | quote }}
    password: {{ .Values.charts.keycloakBootstrap.password | quote }}
    url: "{{ .Values.charts.keycloakBootstrap.registry }}/{{ .Values.charts.keycloakBootstrap.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-keycloak-bootstrap"
-    chart: "opendesk-keycloak-bootstrap-repo/sovereign-workplace-keycloak-bootstrap"
+    chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.keycloakBootstrap.name }}"
-    version: "1.1.12"
+    version: "{{ .Values.charts.keycloakBootstrap.version }}"
    values:
      - "values-bootstrap.gotmpl"
      - "values-bootstrap.yaml"
--- a/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
+++ b/helmfile/apps/keycloak-bootstrap/values-bootstrap.gotmpl
@@ -27,4 +27,8 @@ image:
 resources:
  {{ .Values.resources.keycloakBootstrap | toYaml | nindent 2 }}
 additionalAnnotations:
  annotations:
    intents.otterize.com/service-name: "keycloak-bootstrap"
 ...
--- a/helmfile/apps/keycloak/helmfile.yaml
+++ b/helmfile/apps/keycloak/helmfile.yaml
@@ -3,54 +3,46 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
+  - name: "keycloak-repo"
-    oci: true
+    oci: {{ .Values.charts.keycloak.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.keycloak.verify }}
    username: {{ .Values.charts.keycloak.username | quote }}
    password: {{ .Values.charts.keycloak.password | quote }}
    url: "{{ .Values.charts.keycloak.registry }}/{{ .Values.charts.keycloak.repository }}"
  # openDesk Keycloak Theme
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-keycloak-theme
  - name: "keycloak-theme-repo"
-    oci: true
+    oci: {{ .Values.charts.keycloakTheme.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/keycloak-theme" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.keycloakTheme.verify }}
    username: {{ .Values.charts.keycloakTheme.username | quote }}
    password: {{ .Values.charts.keycloakTheme.password | quote }}
    url: "{{ .Values.charts.keycloakTheme.registry }}/{{ .Values.charts.keycloakTheme.repository }}"
  # openDesk Keycloak Extensions
  - name: "keycloak-extensions-repo"
-    url: >-
+    oci: {{ .Values.charts.keycloakExtensions.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.keycloakExtensions.username | quote }}
-         default "https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable" }}
+    password: {{ .Values.charts.keycloakExtensions.password | quote }}
    url: "{{ .Values.charts.keycloakExtensions.registry }}/{{ .Values.charts.keycloakExtensions.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/keycloak-theme/opendesk-keycloak-theme
  # dataSource=docker
  # dependencyType=vendor
  - name: "keycloak-theme"
-    chart: "keycloak-theme-repo/opendesk-keycloak-theme"
+    chart: "keycloak-theme-repo/{{ .Values.charts.keycloakTheme.name }}"
-    version: "2.0.0"
+    version: "{{ .Values.charts.keycloakTheme.version }}"
    values:
      - "values-theme.gotmpl"
    installed: {{ .Values.keycloak.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/bitnami-charts/keycloak
  # dataSource=docker
  # dependencyType=vendor
  - name: "keycloak"
-    chart: "bitnami-repo/keycloak"
+    chart: "keycloak-repo/{{ .Values.charts.keycloak.name }}"
-    version: "12.1.5"
+    version: "{{ .Values.charts.keycloak.version }}"
    values:
      - "values-keycloak.gotmpl"
      - "values-keycloak.yaml"
@@ -58,14 +50,9 @@ releases:
    wait: true
    installed: {{ .Values.keycloak.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable
  # packageName=keycloak-extensions
  # dataSource=helm
  # dependencyType=vendor
  - name: "keycloak-extensions"
-    chart: "keycloak-extensions-repo/keycloak-extensions"
+    chart: "keycloak-extensions-repo/{{ .Values.charts.keycloakExtensions.name }}"
-    version: "0.1.0"
+    version: "{{ .Values.charts.keycloakExtensions.version }}"
    needs:
      - "keycloak"
    values:
--- a/helmfile/apps/keycloak/values-keycloak.gotmpl
+++ b/helmfile/apps/keycloak/values-keycloak.gotmpl
@@ -42,7 +42,7 @@ keycloakConfigCli:
    - name: "KEYCLOAK_AVAILABILITYCHECK_TIMEOUT"
      value: "600s"
    - name: "UNIVENTION_CORPORATE_SERVER_DOMAIN"
-      value: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+      value: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    - name: "KEYCLOAK_DOMAIN"
      value: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    - name: "OPENXCHANGE_8_DOMAIN"
@@ -78,7 +78,7 @@ keycloakConfigCli:
    - name: "KEYCLOAK_STORAGEPROVICER_UCSLDAP_NAME"
      value: "storage_provider_ucsldap"
    - name: "LDAPSEARCH_PASSWORD"
-      value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
+      value: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
    - name: "LDAPSEARCH_USERNAME"
      value: "ldapsearch_keycloak"
  resources:
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -3,37 +3,30 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Keycloak Bootstrap
-  # Source:
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
-  #  https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
+  - name: "nextcloud-bootstrap-repo"
-  - name: "opendesk-nextcloud-bootstrap-repo"
+    oci: {{ .Values.charts.nextcloudBootstrap.oci }}
    oci: true
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.nextcloudBootstrap.verify }}
    username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
    password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
    url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
  # Nextcloud
  # Source: https://github.com/nextcloud/helm/
  - name: "nextcloud-repo"
-    url: >-
+    oci: {{ .Values.charts.nextcloud.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.nextcloud.username | quote }}
-         default "https://nextcloud.github.io/helm/" }}
+    password: {{ .Values.charts.nextcloud.password | quote }}
    url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap/opendesk-nextcloud-bootstrap
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-nextcloud-bootstrap"
-    chart: "opendesk-nextcloud-bootstrap-repo/opendesk-nextcloud-bootstrap"
+    chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
-    version: "3.2.4"
+    version: "{{ .Values.charts.nextcloudBootstrap.version }}"
    wait: true
    waitForJobs: true
    values:
@@ -42,14 +35,9 @@ releases:
    installed: {{ .Values.nextcloud.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://nextcloud.github.io/helm
  # packageName=nextcloud
  # dataSource=helm
  # dependencyType=vendor
  - name: "nextcloud"
-    chart: "nextcloud-repo/nextcloud"
+    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
-    version: "3.5.19"
+    version: "{{ .Values.charts.nextcloud.version }}"
    needs:
      - "opendesk-nextcloud-bootstrap"
    values:
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -37,7 +37,7 @@ config:
  ldapSearch:
    host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
+    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -3,58 +3,49 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Dovecot
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
-  - name: "opendesk-dovecot-repo"
+  - name: "dovecot-repo"
-    oci: true
+    oci: {{ .Values.charts.dovecot.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/dovecot" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
    username: {{ .Values.charts.dovecot.username | quote }}
    password: {{ .Values.charts.dovecot.password | quote }}
    url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
  # Open-Xchange
-  - name: "openxchange-repo"
+  - name: "open-xchange-repo"
-    oci: true
+    oci: {{ .Values.charts.openXchangeAppSuite.oci }}
-    url: >-
+    username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default "registry.open-xchange.com" }}
+    password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
    url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
-  - name: "opendesk-open-xchange-bootstrap-repo"
+  - name: "open-xchange-bootstrap-repo"
-    oci: true
+    oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
    username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
    password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
    url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/dovecot/dovecot
  # dataSource=docker
  # dependencyType=vendor
  - name: "dovecot"
-    chart: "opendesk-dovecot-repo/dovecot"
+    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
-    version: "1.3.6"
+    version: "{{ .Values.charts.dovecot.version }}"
    values:
      - "values-dovecot.yaml"
      - "values-dovecot.gotmpl"
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.open-xchange.com
  # packageName=appsuite-public-sector/charts/appsuite-public-sector
  # dataSource=docker
  # dependencyType=vendor
  - name: "open-xchange"
-    chart: "openxchange-repo/appsuite-public-sector/charts/appsuite-public-sector"
+    chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
-    version: "2.1.1"
+    version: "{{ .Values.charts.openXchangeAppSuite.version }}"
    values:
      - "values-openxchange.yaml"
      - "values-openxchange.gotmpl"
@@ -63,14 +54,9 @@ releases:
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-open-xchange-bootstrap"
-    chart: "opendesk-open-xchange-bootstrap-repo/sovereign-workplace-open-xchange-bootstrap"
+    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
-    version: "1.3.1"
+    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
    values:
      - "values-openxchange-bootstrap.gotmpl"
    installed: {{ .Values.oxAppsuite.enabled }}
--- a/helmfile/apps/open-xchange/values-dovecot.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.gotmpl
@@ -20,7 +20,7 @@ dovecot:
  ldap:
    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
    host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
+    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
  oidc:
    introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    introspectionPath: "/realms/souvap/protocol/openid-connect/token/introspect"
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
@@ -14,5 +14,5 @@ appsuite:
              port: 389
          auth:
            adminDN:
-              password: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -81,21 +81,21 @@ appsuite:
      "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
-      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
    propertiesFiles:
      "/opt/open-xchange/etc/ldapauth.properties":
-        bindDNPassword: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
+        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
    uiSettings:
      "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
-      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -150,6 +150,9 @@ appsuite:
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
      # Contact Collector
      io.ox/mail//contactCollectOnMailTransport: "true"
      # io.ox/mail//contactCollectOnMailAccess: "true"
    asConfig:
      default:
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -3,30 +3,22 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk OpenProject Bootstrap
  # Source: Set when repo is managed on Open CoDE
-  - name: "opendesk-openproject-bootstrap-repo"
+  - name: "openproject-bootstrap-repo"
-    oci: true
+    oci: {{ .Values.charts.openprojectBootstrap.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.openprojectBootstrap.verify }}
    username: {{ .Values.charts.openprojectBootstrap.username | quote }}
    password: {{ .Values.charts.openprojectBootstrap.password | quote }}
    url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap
  # dataSource=docker
  # dependencyType=vendor
  - name: "opendesk-openproject-bootstrap"
-    chart: "opendesk-openproject-bootstrap-repo/opendesk-openproject-bootstrap"
+    chart: "openproject-bootstrap-repo/{{ .Values.charts.openprojectBootstrap.name }}"
-    version: "1.2.1"
+    version: "{{ .Values.charts.openprojectBootstrap.version }}"
    wait: true
    waitForJobs: true
    values:
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -3,25 +3,22 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # OpenProject
  # Source: https://github.com/opf/helm-charts
  - name: "openproject-repo"
-    url: >-
+    oci: {{ .Values.charts.openproject.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
-         default "https://charts.openproject.org" }}
+    verify: {{ .Values.charts.openproject.verify }}
    username: {{ .Values.charts.openproject.username | quote }}
    password: {{ .Values.charts.openproject.password | quote }}
    url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 releases:
  # renovate:
  # registryUrl=https://charts.openproject.org
  # packageName=openproject
  # dataSource=helm
  # dependencyType=vendor
  - name: "openproject"
-    chart: "openproject-repo/openproject"
+    chart: "openproject-repo/{{ .Values.charts.openproject.name }}"
-    version: "2.4.0"
+    version: "{{ .Values.charts.openproject.version }}"
    wait: true
    waitForJobs: true
    values:
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -67,7 +67,7 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
@@ -76,10 +76,18 @@ environment:
  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
-  OPENPROJECT_FOG_CREDENTIALS_HOST: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  {{ if ne .Values.objectstores.openproject.backend "aws" }}
-  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: "https://{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.secrets.minio.openprojectUser | quote }}
+  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  {{ end }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
  OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
  OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
  OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -30,11 +30,18 @@ openproject:
  # seed will only be executed on initial installation
  seed_locale: "de"
-securityContext:
+containerSecurityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  readOnlyRootFilesystem: true
  runAsNonRoot: true
 persistence:
  enabled: false
@@ -75,11 +82,12 @@ environment:
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
  OPENPROJECT_FOG_DIRECTORY: "openproject"
  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: "AWS"
  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: "openproject_user"
  # Define an admin mapping from the claim
  # The attribute mapping cannot currently be defined in the value
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -3,24 +3,19 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # OX Connector
  - name: "ox-connector-repo"
-    url: >-
+    oci: {{ .Values.charts.oxConnector.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.oxConnector.username | quote }}
-         default "https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable" }}
+    password: {{ .Values.charts.oxConnector.password | quote }}
    url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable
  # packageName=ox-connector
  # dataSource=helm
  # dependencyType=vendor
  - name: "ox-connector"
-    chart: "ox-connector-repo/ox-connector"
+    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
-    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
+    version: "{{ .Values.charts.oxConnector.version }}"
    values:
      - "values-oxconnector.yaml"
      - "values-oxconnector.gotmpl"
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -26,7 +26,7 @@ oxConnector:
  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  oxDefaultContext: "1"
-  ldapPassword: {{ if eq .Values.ldap.host "univention-corporate-container" }} "ucctempldapstring" {{ else }} {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }} {{ end }}
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -3,202 +3,194 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Otterize
  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-otterize
  - name: "otterize-repo"
    oci: {{ .Values.charts.otterize.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.otterize.verify }}
    username: {{ .Values.charts.otterize.username | quote }}
    password: {{ .Values.charts.otterize.password | quote }}
    url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-certificates
-  - name: "opendesk-certificates-repo"
+  - name: "certificates-repo"
-    oci: true
+    oci: {{ .Values.charts.certificates.oci }}
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.certificates.verify }}
    username: {{ .Values.charts.certificates.username | quote }}
    password: {{ .Values.charts.certificates.password | quote }}
    url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postgresql
  - name: "postgresql-repo"
-    oci: true
+    oci: {{ .Values.charts.postgresql.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postgresql" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.postgresql.verify }}
    username: {{ .Values.charts.postgresql.username | quote }}
    password: {{ .Values.charts.postgresql.password | quote }}
    url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
  # openDesk MariaDB
-  # Source: https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-mariadb
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-mariadb
  - name: "mariadb-repo"
-    oci: true
+    oci: {{ .Values.charts.mariadb.oci }}
-    url: >-
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
+    verify: {{ .Values.charts.mariadb.verify }}
-         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/mariadb" }}
+    username: {{ .Values.charts.mariadb.username | quote }}
-    verify: true
+    password: {{ .Values.charts.mariadb.password | quote }}
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
+    url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-postfix
  - name: "postfix-repo"
-    oci: true
+    oci: {{ .Values.charts.postfix.oci }}
    url: >-
      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/postfix" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.postfix.verify }}
    username: {{ .Values.charts.postfix.username | quote }}
    password: {{ .Values.charts.postfix.password | quote }}
    url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-istio-resources
  - name: "istio-resources-repo"
-    oci: true
+    oci: {{ .Values.charts.istioResources.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/istio-ressources" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.istioResources.verify }}
    username: {{ .Values.charts.istioResources.username | quote }}
    password: {{ .Values.charts.istioResources.password | quote }}
    url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/components/charts/opendesk-clamav
  - name: "clamav-repo"
-    oci: true
+    oci: {{ .Values.charts.clamav.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/clamav" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.clamav.verify }}
    username: {{ .Values.charts.clamav.username | quote }}
    password: {{ .Values.charts.clamav.password | quote }}
    url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    oci: {{ .Values.charts.clamavSimple.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ .Values.charts.clamavSimple.username | quote }}
    password: {{ .Values.charts.clamavSimple.password | quote }}
    url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
+  - name: "memcached-repo"
-    oci: true
+    oci: {{ .Values.charts.memcached.oci }}
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.memcached.verify }}
    username: {{ .Values.charts.memcached.username | quote }}
    password: {{ .Values.charts.memcached.password | quote }}
    url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    oci: {{ .Values.charts.redis.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ .Values.charts.redis.username | quote }}
    password: {{ .Values.charts.redis.password | quote }}
    url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    oci: {{ .Values.charts.minio.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ .Values.charts.minio.username | quote }}
    password: {{ .Values.charts.minio.password | quote }}
    url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 releases:
-  # renovate:
+  - name: "opendesk-otterize"
-  # registryUrl=https://registry.souvap-univention.de
+    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
-  # packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
+    version: "{{ .Values.charts.otterize.version }}"
-  # dataSource=docker
+    values:
-  # dependencyType=service
+      - "values-otterize.gotmpl"
    installed: {{ .Values.security.otterizeIntents.enabled }}
  - name: "opendesk-certificates"
-    chart: "opendesk-certificates-repo/opendesk-certificates"
+    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
-    version: "2.1.0"
+    version: "{{ .Values.charts.certificates.version }}"
    values:
      - "values-certificates.gotmpl"
    installed: {{ .Values.certificates.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/bitnami-charts/redis
  # dataSource=docker
  # dependencyType=service
  - name: "redis"
-    chart: "bitnami-repo/redis"
+    chart: "redis-repo/{{ .Values.charts.redis.name }}"
-    version: "18.1.2"
+    version: "{{ .Values.charts.redis.version }}"
    values:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    installed: {{ .Values.redis.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/bitnami-charts/memcached
  # dataSource=docker
  # dependencyType=service
  - name: "memcached"
-    chart: "bitnami-repo/memcached"
+    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
-    version: "6.6.2"
+    version: "{{ .Values.charts.memcached.version }}"
    values:
      - "values-memcached.yaml"
      - "values-memcached.gotmpl"
    installed: {{ .Values.memcached.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/postgresql/postgresql
  # dataSource=docker
  # dependencyType=service
  - name: "postgresql"
-    chart: "postgresql-repo/postgresql"
+    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
-    version: "2.0.3"
+    version: "{{ .Values.charts.postgresql.version }}"
    values:
      - "values-postgresql.yaml"
      - "values-postgresql.gotmpl"
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/mariadb/mariadb
  # dataSource=docker
  # dependencyType=service
  - name: "mariadb"
-    chart: "mariadb-repo/mariadb"
+    chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
-    version: "2.1.1"
+    version: "{{ .Values.charts.mariadb.version }}"
    values:
      - "values-mariadb.yaml"
      - "values-mariadb.gotmpl"
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/postfix/postfix
  # dataSource=docker
  # dependencyType=service
  - name: "postfix"
-    chart: "postfix-repo/postfix"
+    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
-    version: "2.0.4"
+    version: "{{ .Values.charts.postfix.version }}"
    values:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    installed: {{ .Values.postfix.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/clamav/opendesk-clamav
  # dataSource=docker
  # dependencyType=service
  - name: "clamav"
-    chart: "clamav-repo/opendesk-clamav"
+    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
-    version: "4.0.0"
+    version: "{{ .Values.charts.clamav.version }}"
    values:
      - "values-clamav-distributed.yaml"
      - "values-clamav-distributed.gotmpl"
    installed: {{ .Values.clamavDistributed.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/clamav/clamav-simple
  # dataSource=docker
  # dependencyType=service
  - name: "clamav-simple"
-    chart: "clamav-repo/clamav-simple"
+    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
-    version: "4.0.0"
+    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
      - "values-clamav-simple.yaml"
      - "values-clamav-simple.gotmpl"
    installed: {{ .Values.clamavSimple.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/istio-ressources/istio-gateway
  # dataSource=docker
  # dependencyType=service
  - name: "opendesk-gateway"
-    chart: "istio-resources-repo/istio-gateway"
+    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
-    version: "2.0.0"
+    version: "{{ .Values.charts.istioResources.version }}"
    values:
      - "values-istio-gateway.yaml"
      - "values-istio-gateway.gotmpl"
    installed: {{ .Values.istio.enabled }}
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/bitnami-charts/minio
  # dataSource=docker
  # dependencyType=service
  - name: "minio"
-    chart: "bitnami-repo/minio"
+    chart: "minio-repo/{{ .Values.charts.minio.name }}"
-    version: "12.8.19"
+    version: "{{ .Values.charts.minio.version }}"
    values:
      - "values-minio.yaml"
      - "values-minio.gotmpl"
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -8,6 +8,9 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 image:
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
--- a/helmfile/apps/services/values-otterize.gotmpl
+++ b/helmfile/apps/services/values-otterize.gotmpl
@@ -0,0 +1,54 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 apps:
  clamavDistributed:
    enabled: {{ .Values.clamavDistributed.enabled }}
  clamavSimple:
    enabled: {{ .Values.clamavSimple.enabled }}
  collabora:
    enabled: {{ .Values.collabora.enabled }}
  cryptpad:
    enabled: {{ .Values.cryptpad.enabled }}
  dovecot:
    enabled: {{ .Values.dovecot.enabled }}
  element:
    enabled: {{ .Values.element.enabled }}
  intercom:
    enabled: {{ .Values.intercom.enabled }}
  jitsi:
    enabled: {{ .Values.jitsi.enabled }}
  keycloak:
    enabled: {{ .Values.keycloak.enabled }}
  mariadb:
    enabled: {{ .Values.mariadb.enabled }}
  memcached:
    enabled: {{ .Values.memcached.enabled }}
  minio:
    enabled: {{ .Values.minio.enabled }}
  nextcloud:
    enabled: {{ .Values.nextcloud.enabled }}
  openproject:
    enabled: {{ .Values.openproject.enabled }}
  oxAppsuite:
    enabled: {{ .Values.oxAppsuite.enabled }}
  oxConnector:
    enabled: {{ .Values.oxConnector.enabled }}
  postfix:
    enabled: {{ .Values.postfix.enabled }}
  postgresql:
    enabled: {{ .Values.postgresql.enabled }}
  redis:
    enabled: {{ .Values.redis.enabled }}
  univentionManagementStack:
    enabled: {{ .Values.univentionManagementStack.enabled }}
  xwiki:
    enabled: {{ .Values.xwiki.enabled }}
 extraApps:
  clusterPostfix:
    enabled: {{ .Values.security.clusterPostfix.enabled }}
    namespace: {{ .Values.security.clusterPostfix.namespace }}
 ...
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -24,7 +24,7 @@ postfix:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  relayHost: {{ printf "[%s]:[%d]" .Values.smtp.host .Values.smtp.port | quote }}
+  relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
  relayNets: {{ .Values.cluster.networking.cidr | quote}}
  virtualTransport: "lmtps:dovecot:24"
  smtpdSASLPath: "inet:dovecot:3659"
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -24,7 +24,9 @@ job:
    - username: "matrix_user"
      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
    - username: "notificationsapi_user"
-      password: {{ .Values.secrets.postgresql.notificationsApiUser | quote }}
+      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
    - username: "selfservice_user"
      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
  databases:
    - name: "keycloak"
      user: "keycloak_user"
@@ -37,6 +39,8 @@ job:
      additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
    - name: "notificationsapi"
      user: "notificationsapi_user"
    - name: "selfservice"
      user: "selfservice_user"
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
--- a/helmfile/apps/univention-corporate-container/helmfile.yaml
+++ b/helmfile/apps/univention-corporate-container/helmfile.yaml
@@ -1,37 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Univention Corporate Server (as eval Container)
  - name: "univention-corporate-container-repo"
    oci: true
    # yamllint disable rule:line-length
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" | default
         "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/univention-corporate-container" }}
    # yamllint enable rule:line-length
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/univention-corporate-container/univention-corporate-container
  # dataSource=docker
  # dependencyType=vendor
  - name: "univention-corporate-container"
    chart: "univention-corporate-container-repo/univention-corporate-container"
    version: "1.0.10"
    values:
      - "values.yaml"
      - "values.gotmpl"
    installed: {{ .Values.univentionCorporateServer.enabled }}
 commonLabels:
  deploy-stage: "component-1"
  component: "univention-corporate-container"
 ...
--- a/helmfile/apps/univention-corporate-container/values.gotmpl
+++ b/helmfile/apps/univention-corporate-container/values.gotmpl
@@ -1,68 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  repository: {{ .Values.images.univentionCorporateServer.repository | quote }}
  tag: {{ .Values.images.univentionCorporateServer.tag | quote }}
 ingress:
  host: "{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.univentionCorporateServer | quote }}
 extraEnvVars:
  - name: ISTIO_DOMAIN
    value: {{ .Values.istio.domain | quote }}
  - name: CENTRALNAVIGATION_API_SECRET
    value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  - name: LDAPSEARCH_OX_USERNAME
    value: "ldapsearch_ox"
  - name: LDAPSEARCH_OX_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.ox | quote }}
  - name: LDAPSEARCH_DOVECOT_USERNAME
    value: "ldapsearch_dovecot"
  - name: LDAPSEARCH_DOVECOT_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.dovecot | quote }}
  - name: LDAPSEARCH_KEYCLOAK_USERNAME
    value: "ldapsearch_keycloak"
  - name: LDAPSEARCH_KEYCLOAK_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.keycloak | quote }}
  - name: LDAPSEARCH_NEXTCLOUD_USERNAME
    value: "ldapsearch_nextcloud"
  - name: LDAPSEARCH_NEXTCLOUD_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.nextcloud | quote }}
  - name: LDAPSEARCH_OPENPROJECT_USERNAME
    value: "ldapsearch_openproject"
  - name: LDAPSEARCH_OPENPROJECT_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.openproject | quote }}
  - name: LDAPSEARCH_XWIKI_USERNAME
    value: "ldapsearch_xwiki"
  - name: LDAPSEARCH_XWIKI_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
  - name: DEFAULT_ACCOUNT_USER_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.userPassword | quote }}
  - name: DEFAULT_ACCOUNT_ADMIN_PASSWORD
    value: {{ .Values.secrets.univentionCorporateServer.defaultAccounts.adminPassword | quote }}
 resources:
  {{ .Values.resources.univentionCorporateServer | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -3,60 +3,107 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # Univention Management Stack
-  - name: "ums-repo"
+  - name: "ums-store-dav-repo"
-    url: >-
+    oci: {{ .Values.charts.umsStoreDav.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.umsStoreDav.username | quote }}
-         default "https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable" }}
+    password: {{ .Values.charts.umsStoreDav.password | quote }}
    url: "{{ .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
  - name: "ums-ldap-server-repo"
    oci: {{ .Values.charts.umsLdapServer.oci }}
    username: {{ .Values.charts.umsLdapServer.username | quote }}
    password: {{ .Values.charts.umsLdapServer.password | quote }}
    url: "{{ .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
  - name: "ums-ldap-notifier-repo"
    oci: {{ .Values.charts.umsLdapNotifier.oci }}
    username: {{ .Values.charts.umsLdapNotifier.username | quote }}
    password: {{ .Values.charts.umsLdapNotifier.password | quote }}
    url: "{{ .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
  - name: "ums-udm-rest-api-repo"
    oci: {{ .Values.charts.umsUdmRestApi.oci }}
    username: {{ .Values.charts.umsUdmRestApi.username | quote }}
    password: {{ .Values.charts.umsUdmRestApi.password | quote }}
    url: "{{ .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
  - name: "ums-stack-data-ums-repo"
    oci: {{ .Values.charts.umsStackDataUms.oci }}
    username: {{ .Values.charts.umsStackDataUms.username | quote }}
    password: {{ .Values.charts.umsStackDataUms.password | quote }}
    url: "{{ .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
  - name: "ums-stack-data-swp-repo"
    oci: {{ .Values.charts.umsStackDataSwp.oci }}
    username: {{ .Values.charts.umsStackDataSwp.username | quote }}
    password: {{ .Values.charts.umsStackDataSwp.password | quote }}
    url: "{{ .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
  - name: "ums-portal-server-repo"
    oci: {{ .Values.charts.umsPortalServer.oci }}
    username: {{ .Values.charts.umsPortalServer.username | quote }}
    password: {{ .Values.charts.umsPortalServer.password | quote }}
    url: "{{ .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
  - name: "ums-notifications-api-repo"
    oci: {{ .Values.charts.umsNotificationsApi.oci }}
    username: {{ .Values.charts.umsNotificationsApi.username | quote }}
    password: {{ .Values.charts.umsNotificationsApi.password | quote }}
    url: "{{ .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
  - name: "ums-portal-listener-repo"
    oci: {{ .Values.charts.umsPortalListener.oci }}
    username: {{ .Values.charts.umsPortalListener.username | quote }}
    password: {{ .Values.charts.umsPortalListener.password | quote }}
    url: "{{ .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
  - name: "ums-portal-frontend-repo"
    oci: {{ .Values.charts.umsPortalFrontend.oci }}
    username: {{ .Values.charts.umsPortalFrontend.username | quote }}
    password: {{ .Values.charts.umsPortalFrontend.password | quote }}
    url: "{{ .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
  - name: "ums-umc-gateway-repo"
    oci: {{ .Values.charts.umsUmcGateway.oci }}
    username: {{ .Values.charts.umsUmcGateway.username | quote }}
    password: {{ .Values.charts.umsUmcGateway.password | quote }}
    url: "{{ .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
  - name: "ums-umc-server-repo"
    oci: {{ .Values.charts.umsUmcServer.oci }}
    username: {{ .Values.charts.umsUmcServer.username | quote }}
    password: {{ .Values.charts.umsUmcServer.password | quote }}
    url: "{{ .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
  - name: "ums-selfservice-listener-repo"
    oci: {{ .Values.charts.umsSelfserviceListener.oci }}
    username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
    password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
    url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
-  - name: "bitnami-repo"
+  - name: "nginx-repo"
    oci: true
    url: >-
      {{ env "PRIVATE_IMAGE_REGISTRY_URL" |
         default "external-registry.souvap-univention.de/sovereign-workplace/souvap/tooling/charts/bitnami-charts" }}
    verify: true
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.nginx.verify }}
    username: "{{ .Values.charts.nginx.username }}"
    password: {{ .Values.charts.nginx.password | quote }}
    url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
 releases:
  # renovate:
  # registryUrl=https://registry.souvap-univention.de
  # packageName=souvap/tooling/charts/bitnami-charts/nginx
  # dataSource=docker
  # dependencyType=vendor
  - name: "ums-stack-gateway"
-    chart: "bitnami-repo/nginx"
+    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
-    version: "15.3.5"
+    version: "{{ .Values.charts.nginx.version }}"
    values:
      - "values-ums-stack-gateway.gotmpl"
      - "values-ums-stack-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=store-dav
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-store-dav"
-    chart: "ums-repo/store-dav"
+    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
-    version: "0.5.2"
+    version: "{{ .Values.charts.umsStoreDav.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-store-dav.gotmpl"
      - "values-store-dav.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=ldap-server
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-ldap-server"
-    chart: "ums-repo/ldap-server"
+    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
-    version: "0.7.0"
+    version: "{{ .Values.charts.umsLdapServer.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -64,14 +111,9 @@ releases:
      - "values-ldap-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=ldap-notifier
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-ldap-notifier"
-    chart: "ums-repo/ldap-notifier"
+    chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
-    version: "0.7.0"
+    version: "{{ .Values.charts.umsLdapNotifier.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -79,14 +121,9 @@ releases:
      - "values-ldap-notifier.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=udm-rest-api
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-udm-rest-api"
-    chart: "ums-repo/udm-rest-api"
+    chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
-    version: "0.3.5"
+    version: "{{ .Values.charts.umsUdmRestApi.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -94,14 +131,9 @@ releases:
      - "values-udm-rest-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=stack-data-ums
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-stack-data-ums"
-    chart: "ums-repo/stack-data-ums"
+    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
-    version: "0.36.0"
+    version: "{{ .Values.charts.umsStackDataUms.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -109,14 +141,9 @@ releases:
      - "values-stack-data-ums.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=stack-data-swp
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-stack-data-swp"
-    chart: "ums-repo/stack-data-swp"
+    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
-    version: "0.36.0"
+    version: "{{ .Values.charts.umsStackDataSwp.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -124,14 +151,9 @@ releases:
      - "values-stack-data-swp.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=portal-server
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-portal-server"
-    chart: "ums-repo/portal-server"
+    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
-    version: "0.5.0"
+    version: "{{ .Values.charts.umsPortalServer.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -139,14 +161,9 @@ releases:
      - "values-portal-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=notifications-api
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-notifications-api"
-    chart: "ums-repo/notifications-api"
+    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
-    version: "0.5.0"
+    version: "{{ .Values.charts.umsNotificationsApi.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -154,14 +171,9 @@ releases:
      - "values-notifications-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=portal-listener
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-portal-listener"
-    chart: "ums-repo/portal-listener"
+    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
-    version: "0.5.0"
+    version: "{{ .Values.charts.umsPortalListener.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -169,14 +181,9 @@ releases:
      - "values-portal-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=portal-frontend
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-portal-frontend"
-    chart: "ums-repo/portal-frontend"
+    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
-    version: "0.5.0"
+    version: "{{ .Values.charts.umsPortalFrontend.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -184,14 +191,9 @@ releases:
      - "values-portal-frontend.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=umc-gateway
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-umc-gateway"
-    chart: "ums-repo/umc-gateway"
+    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
-    version: "0.6.1"
+    version: "{{ .Values.charts.umsUmcGateway.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -199,14 +201,9 @@ releases:
      - "values-umc-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  # renovate:
  # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
  # packageName=umc-server
  # dataSource=helm
  # dependencyType=vendor
  - name: "ums-umc-server"
-    chart: "ums-repo/umc-server"
+    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
-    version: "0.6.1"
+    version: "{{ .Values.charts.umsUmcServer.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
@@ -214,6 +211,16 @@ releases:
      - "values-umc-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
  - name: "ums-selfservice-listener"
    chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
    version: "{{ .Values.charts.umsSelfserviceListener.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-selfservice-listener.gotmpl"
      - "values-selfservice-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
 commonLabels:
  deploy-stage: "component-1"
  component: "univention-management-stack"
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
@@ -7,4 +7,12 @@ volumes:
    shared-data: "shared-data-ums-ldap-server-0"
    shared-run: "shared-run-ums-ldap-server-0"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml
@@ -30,4 +30,25 @@ extraVolumeMounts:
    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
    subPath: "opendeskProjectmanagement.schema"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
@@ -6,12 +6,12 @@ SPDX-License-Identifier: Apache-2.0
 postgresql:
  bundled: false
  connection:
-    host: {{ .Values.databases.notificationsApi.host | quote }}
+    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
-    port: {{ .Values.databases.notificationsApi.port | quote }}
+    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
  auth:
-    username: {{ .Values.databases.notificationsApi.username | quote }}
+    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    database: {{ .Values.databases.notificationsApi.name | quote }}
+    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
-    password: {{ .Values.databases.notificationsApi.password | default .Values.secrets.postgresql.notificationsApiUser | quote }}
+    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 image:
  registry: {{ .Values.global.imageRegistry }}
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml
@@ -9,4 +9,12 @@ notificationsapi:
  sql_echo: "False"
  api_prefix: "/univention/portal/notifications-api"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.yaml
@@ -70,4 +70,24 @@ extraVolumeMounts:
    mountPath: "/var/www/html/custom/portal_background_image.svg"
    subPath: "portal_background_image.svg"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
@@ -6,7 +6,7 @@ SPDX-License-Identifier: Apache-2.0
 portalListener:
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  assetsRoot: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-assets/" | quote }}
-  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data/" | quote }}
+  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-listener:" .Values.secrets.univentionManagementStack.storeDavUsers.portalListener "@ums-store-dav/portal-data" | quote }}
  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml
@@ -13,4 +13,24 @@ portalListener:
 store-dav:
  bundled: false
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml
@@ -11,4 +11,24 @@ portalServer:
  centralNavigation:
    enabled: true
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
@@ -0,0 +1,48 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 selfserviceListener:
  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
 image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
  selfserviceListener:
    registry: {{ .Values.global.imageRegistry | quote }}
    repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
    tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
  selfserviceInvitation:
    registry: {{ .Values.global.imageRegistry | quote }}
    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
  waitForDependency:
    registry: {{ .Values.global.imageRegistry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
 persistence:
  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
 resources:
  {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
 resourcesDependencyWaiter:
  {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.yaml
@@ -0,0 +1,31 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 selfserviceListener:
  debugLevel: "4"
  tlsMode: "off"
  umcServerUrl: "http://ums-umc-server"
  umcAdminUser: "default.admin"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
@@ -8,7 +8,7 @@ stackDataSwp:
 stackDataContext:
  ldapSearchUsers:
-    {{- range $username, $password := .Values.secrets.univentionCorporateServer.ldapSearch }}
+    {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
    - username: {{ printf "ldapsearch_%s" $username | quote }}
      password: {{ $password | quote }}
      lastname: "LDAP-Search-User"
@@ -23,6 +23,8 @@ stackDataContext:
  portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
  portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
  portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
  portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
  portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
  smtpHost: {{ .Values.smtp.host | quote }}
  smtpPort: {{ .Values.smtp.port | quote }}
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.yaml
@@ -8,7 +8,18 @@ stackDataSwp:
 stackDataContext:
  ldapBase: "dc=swp-ldap,dc=internal"
-  oxDefaultContext: "10"
+  oxDefaultContext: "1"
  smtpStartTls: true
 additionalAnnotations:
  intents.otterize.com/service-name: "ums-stack-data-swp"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml
@@ -12,4 +12,15 @@ stackDataContext:
  # The openDesk configuration brings its own UMC policies.
  installUmcPolicies: false
 additionalAnnotations:
  intents.otterize.com/service-name: "ums-stack-data-ums"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-store-dav.yaml
+++ b/helmfile/apps/univention-management-stack/values-store-dav.yaml
@@ -0,0 +1,24 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml
@@ -18,4 +18,24 @@ extraVolumeMounts:
    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
    subPath: "flag_to_group_mapping.json"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.yaml
@@ -20,4 +20,25 @@ extraVolumeMounts:
      "/usr/share/univention-management-console-frontend/js/dijit/themes\
      /umc/icons/16x16/udm-portals-announcement.png"
    subPath: "udm-portals-announcement.png"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
@@ -11,6 +11,19 @@ umcServer:
  smtpSecret: {{ .Values.smtp.password | quote }}
 postgresql:
  connection:
    host: {{ .Values.databases.umsSelfservice.host | quote }}
    port: {{ .Values.databases.umsSelfservice.port | quote }}
  auth:
    username: {{ .Values.databases.umsSelfservice.username | quote }}
    database: {{ .Values.databases.umsSelfservice.name | quote }}
    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
 memcached:
  server: {{ .Values.cache.umsSelfservice.host | quote }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.umsUmcServer.repository | quote }}
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml
@@ -43,11 +43,33 @@ extraVolumeMounts:
    mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
    subPath: "udm-portals-announcement.xml"
 postgresql:
  bundled: false
 memcached:
  bundled: false
  server: "memcached"
  auth:
    username: null
    password: null
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
@@ -10,3 +10,4 @@ ingress:
    - hosts:
        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
@@ -2,11 +2,18 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 ingress:
  annotations:
    # Ensure that the ingress controller can handle responses with plenty of
    # headers. This is a requirement from the UDM Rest API.
    nginx.org/proxy-buffer-size: "64k"
    nginx.org/proxy-buffers: "4 128k"
  tls: false
 service:
  type: "ClusterIP"
 fullnameOverride: "ums-stack-gateway"
 # The content of the "serverBlock" does resemble the Ingress configuration of
 # the UMS components. The "location" entries do intentionally reflect precisely
 # the respective paths which are configured.
@@ -14,8 +21,18 @@ serverBlock: |
  server {
    listen 8080;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    ## portal-frontend
-    # The frontend does not own "/univention/portal", only these two bits
+    # The frontend does not own "/univention/portal" nor
    # "/univention/selfservice", only these two bits
    location = /univention/portal/ {
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
@@ -24,6 +41,10 @@ serverBlock: |
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    location = /univention/selfservice/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80/;
    }
    # The following prefixes are owned by the frontend
    location /univention/portal/css/ {
@@ -50,6 +71,30 @@ serverBlock: |
      rewrite ^/univention/portal(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/css/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/fonts/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/i18n/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/media/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/js/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    location /univention/selfservice/oidc/ {
      rewrite ^/univention/selfservice(/.*)$ $1 break;
      proxy_pass http://ums-portal-frontend:80;
    }
    ## frontend redirects
@@ -69,12 +114,19 @@ serverBlock: |
       absolute_redirect off;
       return 302 /univention/portal/;
    }
    location = /univention/selfservice {
       absolute_redirect off;
       return 302 /univention/selfservice/;
    }
    ## portal-server
    location = /univention/portal/portal.json {
      proxy_pass http://ums-portal-server:80;
    }
    location = /univention/selfservice/portal.json {
      proxy_pass http://ums-portal-server:80;
    }
    location = /univention/portal/navigation.json {
      proxy_pass http://ums-portal-server:80;
    }
@@ -89,13 +141,25 @@ serverBlock: |
      rewrite ^/univention/portal(/icons/logos/.*)$ /portal-assets$1 break;
      proxy_pass http://ums-store-dav:80;
    }
    location /univention/selfservice/icons/entries/ {
      rewrite ^/univention/selfservice(/icons/entries/.*)$ /portal-assets$1 break;
      proxy_pass http://ums-store-dav:80;
    }
    location /univention/selfservice/icons/logos/ {
      rewrite ^/univention/selfservice(/icons/logos/.*)$ /portal-assets$1 break;
      proxy_pass http://ums-store-dav:80;
    }
    ## udm-rest-api
    location /univention/udm/ {
      # The UDM Rest API does return on some endpoints a lot of headers
      proxy_busy_buffers_size 128k;
      proxy_buffers 4 128k;
      proxy_buffer_size 64k;
      rewrite ^/univention(/udm/.*)$ $1 break;
      proxy_pass http://ums-udm-rest-api:80;
      proxy_set_header X-Forwarded-Host $host;
    }
@@ -128,27 +192,27 @@ serverBlock: |
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/logout/ {
+    location /univention/logout {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/saml/ {
+    location /univention/saml {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/get/ {
+    location /univention/get {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/set/ {
+    location /univention/set {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/command/ {
+    location /univention/command {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
-    location /univention/upload/ {
+    location /univention/upload {
      rewrite ^/univention(/.*)$ $1 break;
      proxy_pass http://ums-umc-server:80;
    }
@@ -174,4 +238,21 @@ serverBlock: |
    }
  }
 podSecurityContext:
  enabled: true
  fsGroup: 1001
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser: 1001
  runAsNonRoot: true
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -3,25 +3,20 @@
 ---
 bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # XWiki
  # Source: https://github.com/xwiki-contrib/xwiki-helm
  - name: "xwiki-repo"
-    url: >-
+    oci: {{ .Values.charts.xwiki.oci }}
-      {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+    username: {{ .Values.charts.xwiki.username | quote }}
-         default "https://xwiki-contrib.github.io/xwiki-helm" }}
+    password: {{ .Values.charts.xwiki.password | quote }}
    url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
 releases:
  # renovate:
  # registryUrl=https://xwiki-contrib.github.io/xwiki-helm
  # packageName=xwiki
  # dataSource=helm
  # dependencyType=vendor
  - name: "xwiki"
-    chart: "xwiki-repo/xwiki"
+    chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
-    version: "1.2.3"
+    version: "{{ .Values.charts.xwiki.version }}"
    wait: true
    values:
      - "values.yaml"
--- a/helmfile/apps/xwiki/values.gotmpl
+++ b/helmfile/apps/xwiki/values.gotmpl
@@ -22,7 +22,7 @@ customConfigs:
    xwiki.authentication.ldap.port: 389
    ## Authentication to the LDAP server
    xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionCorporateServer.ldapSearch.xwiki | quote }}
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
    ## Base DN used for searching for users
    xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
    ## Allow short update cycles of the LDAP group cache
@@ -35,8 +35,8 @@ customConfigs:
    "oidc.endpoint.logout": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/souvap/protocol/openid-connect/logout"
    "oidc.secret": {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
    "url.trustedDomains": "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
+    "workplaceServices.navigationEndpoint": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
-    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionCorporateServer }}.{{ .Values.global.domain }}"
+    "workplaceServices.base": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    "workplaceServices.portalSecret": {{ .Values.secrets.centralnavigation.apiKey | quote }}
 properties:
--- a/helmfile/environments/default/_helper.gotmpl
+++ b/helmfile/environments/default/_helper.gotmpl
@@ -3,9 +3,8 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 ## Define LDAP service (supports "ums_eval" from the CI pipeline)
 ldap:
-  host: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-server" {{ else }} "univention-corporate-container" {{ end }}
+  host: "ums-ldap-server"
-  notifierHost: {{ if eq (env "DEPLOY_UCS") "ums-eval" }} "ums-ldap-notifier" {{ else }} "univention-corporate-container" {{ end }}
+  notifierHost: "ums-ldap-notifier"
  baseDn: "dc=swp-ldap,dc=internal"
 ...
--- a/helmfile/environments/default/cache.yaml
+++ b/helmfile/environments/default/cache.yaml
@@ -13,4 +13,7 @@ cache:
  openproject:
    host: "memcached"
    port: 11211
  umsSelfservice:
    host: "memcached"
    port: 11211
 ...
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -0,0 +1,764 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 charts:
  certificates:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-certificates/opendesk-certificates
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-certificates"
    name: "opendesk-certificates"
    oci: true
    version: "2.1.0"
    verify: true
    username: ~
    password: ~
  clamav:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/clamav/opendesk-clamav
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/clamav"
    name: "opendesk-clamav"
    oci: true
    version: "4.0.0"
    verify: true
    username: ~
    password: ~
  clamavSimple:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/clamav/clamav-simple
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/clamav"
    name: "clamav-simple"
    version: "4.0.0"
    oci: true
    verify: true
    username: ~
    password: ~
  collabora:
    # renovate:
    # registryUrl=https://collaboraonline.github.io/online
    # packageName=collabora-online
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://collaboraonline.github.io"
    repository: "online"
    name: "collabora-online"
    oci: false
    version: "1.0.2"
    username: ~
    password: ~
  cryptpad:
    # renovate:
    # registryUrl=https://cryptpad.github.io/helm
    # packageName=cryptpad
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://cryptpad.github.io"
    repository: "helm"
    name: "cryptpad"
    oci: false
    version: "0.0.14"
    username: ~
    password: ~
  dovecot:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/dovecot/dovecot
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/dovecot"
    name: "dovecot"
    oci: true
    version: "1.3.6"
    verify: true
    username: ~
    password: ~
  element:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-element
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-element"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  elementWellKnown:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-well-known
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-well-known"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  intercomService:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/intercom-service/intercom-service
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/intercom-service"
    name: "intercom-service"
    oci: true
    version: "2.0.1"
    verify: true
    username: ~
    password: ~
  istioResources:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/istio-ressources/istio-gateway
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/istio-ressources"
    name: "istio-gateway"
    oci: true
    version: "2.0.0"
    verify: true
    username: ~
    password: ~
  jitsi:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-jitsi/sovereign-workplace-jitsi
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-jitsi"
    name: "sovereign-workplace-jitsi"
    oci: true
    version: "1.7.2"
    verify: true
    username: ~
    password: ~
  keycloak:
    # renovate:
    # registryUrl=https://registry-1.docker.io
    # packageName=bitnamicharts/keycloak
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
    name: "keycloak"
    oci: true
    version: "12.1.5"
    verify: true
    username: ~
    password: ~
  keycloakBootstrap:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap/sovereign-workplace-keycloak-bootstrap
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-keycloak-bootstrap"
    name: "sovereign-workplace-keycloak-bootstrap"
    oci: true
    version: "1.1.12"
    verify: true
    username: ~
    password: ~
  keycloakExtensions:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/77/packages/helm/stable
    # packageName=keycloak-extensions
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/77/packages/helm/stable"
    name: "keycloak-extensions"
    oci: false
    version: "0.1.0"
    username: ~
    password: ~
  keycloakTheme:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/keycloak-theme/opendesk-keycloak-theme
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/keycloak-theme"
    name: "opendesk-keycloak-theme"
    oci: true
    version: "2.0.0"
    verify: true
    username: ~
    password: ~
  mariadb:
    # renovate:
    # registryUrl=https://registry.opencode.de
    # packageName=bmi/opendesk/components/charts/opendesk-mariadb/mariadb
    # dataSource=docker
    # dependencyType=service
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/charts/opendesk-mariadb"
    name: "mariadb"
    oci: true
    version: "2.2.0"
    verify: true
    username: ~
    password: ~
  matrixNeoboardWidget:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neoboard-widget
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
    name: "matrix-neoboard-widget"
    oci: true
    version: "3.3.0"
    verify: true
    username: ~
    password: ~
  matrixNeochoiseWidget:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neochoice-widget
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
    name: "matrix-neochoice-widget"
    oci: true
    version: "3.3.0"
    verify: true
    username: ~
    password: ~
  matrixNeodatefixBot:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-bot
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-bot"
    oci: true
    version: "3.3.0"
    verify: true
    username: ~
    password: ~
  matrixNeodatefixWidget:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-matrix-widgets/matrix-neodatefix-widget
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-matrix-widgets"
    name: "matrix-neodatefix-widget"
    oci: true
    version: "3.3.0"
    verify: true
    username: ~
    password: ~
  matrixUserVerificationService:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-matrix-user-verification-service
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-matrix-user-verification-service"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  memcached:
    # renovate:
    # registryUrl=https://registry-1.docker.io
    # packageName=bitnamicharts/memcached
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
    name: "memcached"
    oci: true
    version: "6.6.2"
    verify: true
    username: ~
    password: ~
  minio:
    # renovate:
    # registryUrl=https://registry-1.docker.io
    # packageName=bitnamicharts/minio
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
    name: "minio"
    oci: true
    version: "12.8.19"
    verify: true
    username: ~
    password: ~
  nextcloud:
    # renovate:
    # registryUrl=https://nextcloud.github.io/helm
    # packageName=nextcloud
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://nextcloud.github.io"
    repository: "helm"
    oci: false
    name: "nextcloud"
    version: "3.5.19"
    username: ~
    password: ~
  nextcloudBootstrap:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap/opendesk-nextcloud-bootstrap
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-nextcloud-bootstrap"
    name: "opendesk-nextcloud-bootstrap"
    oci: true
    version: "3.2.6"
    verify: true
    username: ~
    password: ~
  nginx:
    # renovate:
    # registryUrl=https://registry-1.docker.io
    # packageName=bitnamicharts/nginx
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
    name: "nginx"
    oci: true
    version: "15.3.5"
    verify: true
    username: ~
    password: ~
  openproject:
    # renovate:
    # registryUrl=https://ghcr.io
    # packageName=opf/helm-charts/openproject
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/opf/helm-charts"
    name: "openproject"
    oci: true
    version: "3.0.2"
    verify: true
    username: ~
    password: ~
  openprojectBootstrap:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-openproject-bootstrap"
    name: "opendesk-openproject-bootstrap"
    oci: true
    version: "1.2.1"
    verify: true
    username: ~
    password: ~
  openXchangeAppSuite:
    # renovate:
    # registryUrl=https://registry.open-xchange.com
    # packageName=appsuite-public-sector/charts/appsuite-public-sector
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/appsuite-public-sector/charts"
    name: "appsuite-public-sector"
    oci: true
    version: "2.2.34"
    username: ~
    password: ~
  openXchangeAppSuiteBootstrap:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap/sovereign-workplace-open-xchange-bootstrap
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-open-xchange-bootstrap"
    name: "sovereign-workplace-open-xchange-bootstrap"
    oci: true
    version: "1.3.1"
    verify: true
    username: ~
    password: ~
  otterize:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/opendesk-otterize/opendesk-otterize
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/opendesk-otterize"
    name: "opendesk-otterize"
    oci: true
    version: "1.1.6"
    verify: true
    username: ~
    password: ~
  oxConnector:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/128/packages/helm/stable
    # packageName=ox-connector
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/128/packages/helm/stable"
    name: "ox-connector"
    oci: false
    version: "0.1.0-pre-jconde-listener-entrypoint-chaining"
    username: ~
    password: ~
  postfix:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/postfix/postfix
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/postfix"
    name: "postfix"
    oci: true
    version: "2.0.4"
    verify: true
    username: ~
    password: ~
  postgresql:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/postgresql/postgresql
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/postgresql"
    name: "postgresql"
    oci: true
    version: "2.0.3"
    verify: true
    username: ~
    password: ~
  redis:
    # renovate:
    # registryUrl=https://registry-1.docker.io
    # packageName=bitnamicharts/redis
    # dataSource=docker
    # dependencyType=service
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/bitnami-charts"
    name: "redis"
    oci: true
    version: "18.1.2"
    verify: true
    username: ~
    password: ~
  synapse:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-synapse"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  synapseCreateAccount:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-create-account
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-synapse-create-account"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  synapseWeb:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # packageName=souvap/tooling/charts/sovereign-workplace-element/opendesk-synapse-web
    # dataSource=docker
    # dependencyType=vendor
    registry: "external-registry.souvap-univention.de"
    repository: "sovereign-workplace/souvap/tooling/charts/sovereign-workplace-element"
    name: "opendesk-synapse-web"
    oci: true
    version: "2.6.0"
    verify: true
    username: ~
    password: ~
  umsLdapNotifier:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=ldap-notifier
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "ldap-notifier"
    oci: false
    version: "0.7.0"
    username: ~
    password: ~
  umsLdapServer:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=ldap-server
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "ldap-server"
    oci: false
    version: "0.7.0"
    username: ~
    password: ~
  umsNotificationsApi:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=notifications-api
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "notifications-api"
    oci: false
    version: "0.9.1"
    username: ~
    password: ~
  umsPortalFrontend:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=portal-frontend
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "portal-frontend"
    oci: false
    version: "0.9.1"
    username: ~
    password: ~
  umsPortalListener:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=portal-listener
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "portal-listener"
    oci: false
    version: "0.9.1"
    username: ~
    password: ~
  umsPortalServer:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=portal-server
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "portal-server"
    oci: false
    version: "0.9.1"
    username: ~
    password: ~
  umsSelfserviceListener:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=umc-server
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "selfservice-listener"
    oci: false
    version: "0.2.0"
    username: ~
    password: ~
  umsStackDataSwp:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=stack-data-swp
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "stack-data-swp"
    oci: false
    version: "0.39.3"
    username: ~
    password: ~
  umsStackDataUms:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=stack-data-ums
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "stack-data-ums"
    oci: false
    version: "0.39.3"
    username: ~
    password: ~
  umsStoreDav:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=store-dav
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "store-dav"
    oci: false
    version: "0.9.1"
    username: ~
    password: ~
  umsUdmRestApi:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=udm-rest-api
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "udm-rest-api"
    oci: false
    version: "0.4.1"
    username: ~
    password: ~
  umsUmcGateway:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=umc-gateway
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "umc-gateway"
    oci: false
    version: "0.6.2"
    username: ~
    password: ~
  umsUmcServer:
    # renovate:
    # registryUrl=https://gitlab.souvap-univention.de/api/v4/projects/155/packages/helm/stable
    # packageName=umc-server
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://gitlab.souvap-univention.de"
    repository: "api/v4/projects/155/packages/helm/stable"
    name: "umc-server"
    oci: false
    version: "0.6.2"
    username: ~
    password: ~
  xwiki:
    # renovate:
    # registryUrl=https://xwiki-contrib.github.io/xwiki-helm
    # packageName=xwiki
    # dataSource=helm
    # dependencyType=vendor
    registry: "https://xwiki-contrib.github.io"
    repository: "xwiki-helm"
    oci: false
    name: "xwiki"
    version: "1.2.3"
    username: ~
    password: ~
 ...
--- a/helmfile/environments/default/database.yaml
+++ b/helmfile/environments/default/database.yaml
@@ -19,12 +19,6 @@ databases:
    host: "mariadb"
    username: "nextcloud_user"
    password: ""
  notificationsApi:
    name: "notificationsapi"
    host: "postgresql"
    port: 5432
    username: "notificationsapi_user"
    password: ""
  openproject:
    name: "openproject"
    host: "postgresql"
@@ -42,6 +36,18 @@ databases:
    username: "matrix_user"
    password: ""
    port: 5432
  umsNotificationsApi:
    name: "notificationsapi"
    host: "postgresql"
    port: 5432
    username: "notificationsapi_user"
    password: ""
  umsSelfservice:
    name: "selfservice"
    host: "postgresql"
    port: 5432
    username: "selfservice_user"
    password: ""
  xwiki:
    name: "xwiki"
    host: "mariadb"
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -26,7 +26,6 @@ global:
    openxchange: "webmail"
    openxchangeProvisioning: "ox-provisioning"
    synapse: "matrix"
    univentionCorporateServer: "portal"
    univentionManagementStack: "portal"
    whiteboard: "whiteboard"
    xwiki: "wiki"
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -35,7 +35,7 @@ images:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    repository: "souvap/tooling/images/element-web"
-    tag: "1.6.0@sha256:a71cbd75ee88471e3df59f26a2a37b9b8ff83d2f71f726053acd381ecd87e234"
+    tag: "1.7.0@sha256:b8b59aff8ed3eb07dc22cec123a2d04acaf435f5637148698183773a695444c2"
    # @supplier: "Element"
  freshclam:
    # renovate:
@@ -149,21 +149,21 @@ images:
    # registryUrl=https://ghcr.io
    # dependencyType=vendor
    repository: "nordeck/matrix-neoboard-widget"
-    tag: "1.0.0@sha256:584b9c18ea3dfd4b7f1e73f3e114bc1dcd5731b400a8d037576bf2a797c8b086"
+    tag: "1.4.0@sha256:da04d6c3c3e07ec1fcb6ecec245adc48897f107a2ab84c39d8924de951744d9f"
    # @supplier: "Nordeck"
  matrixNeoChoiceWidget:
    # renovate:
    # registryUrl=https://ghcr.io
    # dependencyType=vendor
    repository: "nordeck/matrix-poll-widget"
-    tag: "1.3.0@sha256:19d2c8c7a15fe7d12c4a83a89310831da12323fd45ff0280cce808f1be0c7e0b"
+    tag: "1.3.1@sha256:ba7a0bcbcf278df523cef8d230dc44f31ef86f8aefe6dbea7d832b7234ff5c7a"
    # @supplier: "Nordeck"
  matrixNeoDateFixBot:
    # renovate:
    # registryUrl=https://ghcr.io
    # dependencyType=vendor
    repository: "nordeck/matrix-meetings-bot"
-    tag: "2.4.2@sha256:f5b3362560255470076f3e6c95a0dd93a8f781398afb992c1e1212764fa87297"
+    tag: "2.5.0@sha256:6ea92f7e48cd71ce2c552cb5222a1d4b3696136e61045bce8456bc52ce02b9c8"
    # @supplier: "Nordeck"
  matrixNeoDateFixWidget:
    # renovate:
@@ -205,7 +205,7 @@ images:
    # registryUrl=https://docker.io
    # dependencyType=vendor
    repository: "nextcloud"
-    tag: "27.1.3-apache@sha256:ec46e99164ee7fa5d49e84784833e022be47f9f54f401bcb5a2d789f8c0bc149"
+    tag: "27.1.4-apache@sha256:bd277bec9a8cf7cc009865e15410c05e0f66ccb6269ed96841cc95dd37c214fe"
    # @supplier: "Nextcloud Community"
  nextcloudExporter:
    # renovate:
@@ -219,7 +219,7 @@ images:
    # registryUrl=https://docker.io
    # dependencyType=vendor
    repository: "openproject/open_desk"
-    tag: "dev@sha256:3c9d110c0221621530a431b5899ba16956db8253f491a55a220ec642473cb61f"
+    tag: "release-13.1@sha256:b1e6d55d913bb2dfc34caae364c54ff524c0676a74da1c036d0e64557ef42795"
    # @supplier: "OpenProject"
  openprojectInitDb:
    # renovate:
@@ -254,14 +254,14 @@ images:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/middleware-public-sector"
-    tag: "8.19.33@sha256:369c44369d727e4172f10c25137dbb00d936d20dd844cdca3a34f7f31273ea05"
+    tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
    # @supplier: "Open-Xchange"
  openxchangeCoreUI:
    # renovate:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/core-ui"
-    tag: "8.19.0@sha256:7fdd73f78fd7094f2968f6fcaaae175e60824f9ef68f9e7e70418de6a2b623e9"
+    tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
    # @supplier: "Open-Xchange"
  openxchangeCoreUIMiddleware:
    # renovate:
@@ -275,14 +275,14 @@ images:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/core-user-guide"
-    tag: "8.19.771856@sha256:e00ed8f94c3c42cd288dd03f7fb18d228eb516b5e5ebd318825289b1c4ed17ab"
+    tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
    # @supplier: "Open-Xchange"
  openxchangeDocumentConverter:
    # renovate:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/documentconverter"
-    tag: "8.19.32@sha256:82354e858b6aeeae7f0ebaf66ad106f8e9ae46e605e97bb1d2d14e6ce1c3d708"
+    tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
    # @supplier: "Open-Xchange"
  openxchangeGotenberg:
    # renovate:
@@ -303,29 +303,28 @@ images:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/imageconverter"
-    tag: "8.19.33@sha256:9543c1409a129567bd6e4a657a353819842a4b1e1807ab86a1ea2e7f73f8c18e"
+    tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
    # @supplier: "Open-Xchange"
  openxchangeNextcloudIntegrationUI:
    # renovate:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/nextcloud-integration-ui"
-    tag: "1.1.0@sha256:82cecb5adac63806ab41546e6b49090a93a5f4645750bb3967d87585b60df2e1"
+    tag: "1.2.0@sha256:3d0ef11196f7544a01539e6790e4402ad69e2a501312eb7c7bb128c6563d0a8d"
    # @supplier: "Open-Xchange"
  openxchangePublicSectorUI:
    # renovate:
    # registryUrl=https://registry.open-xchange.com
    # dependencyType=vendor
    repository: "appsuite-public-sector/public-sector-ui"
-    tag: "2.1.0@sha256:ed56730add8afdb08bef8b43a114aba406fd86d83c7fd7af93dc16bb002fa233"
+    tag: "2.2.0@sha256:3f8c62c139c27569e6b7d38321268e7cc291caa4ea1ea03180c8ce5499edd6d5"
    # @supplier: "Open-Xchange"
  oxConnector:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    repository: "souvap/tooling/images/ox-connector/ox-connector-standalone"
-    tag: "branch-jconde-listener-entrypoint-chaining\
+    tag: "0.3.4@sha256:db95466170613db46222e63aa0f69de9e60d08c6a409e27905ce5389e4b19074"
      @sha256:54748d49e37d52529d4a857ff834d1217bd2cb8c89c7eed25c0873159ed6853c"
    # @supplier: "Univention"
  postfix:
    # renovate:
@@ -383,20 +382,13 @@ images:
    repository: "rapidfort/haproxy-official"
    tag: "2.6.6-bullseye@sha256:bf22cfb1301aae433213f5f8c687bc5d9ecc6b86daf1084be5f7a339bd27cadd"
    # @supplier: "Element"
  univentionCorporateServer:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    repository: "souvap/tooling/images/univention-corporate-server-swp/ucs"
    tag: "20230829T094822@sha256:6415847851ee3b474cea756212698f4a110fbbde74882e22da92500a6358a4f8"
    # @supplier: "Univention"
  umsConfigHtpasswd:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/config-htpasswd"
-    tag: "0.5.2@sha256:c8627e0b73ee1d92f74d2ae8b06e4593ac93b6bbde55d56d0497f3510912924c"
+    tag: "0.9.1@sha256:5694da729235371d93b1c7f14c00720657b34d6425f232426a1848b69f97ab15"
    # @supplier: "Univention"
  umsDataLoader:
    # renovate:
@@ -404,7 +396,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/data-loader"
-    tag: "0.36.0@sha256:045e0e524cbdc93e174ce803a12e67dbb341211f3abbc0029200ee638a0a1eb7"
+    tag: "0.39.3@sha256:f2968f98cf4f7cb4fd44339422c2d06ee590c61780ea88728af685719b497a9f"
    # @supplier: "Univention"
  umsLdapNotifier:
    # renovate:
@@ -428,7 +420,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/notifications-api"
-    tag: "0.5.2@sha256:192f0ebb77ec6191d1df1edb2427739c4a69a3733c7d423f55045db5b9209c64"
+    tag: "0.9.1@sha256:86f86119292ccda53d77db010ceac9217a2552145fad8d20e876002f74c3a187"
    # @supplier: "Univention"
  umsPortalListener:
    # renovate:
@@ -436,7 +428,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/portal-listener"
-    tag: "0.5.2@sha256:a1834a98cf4f4686a74077cb6c2b094429a49875d05801745de7ee13eee38a07"
+    tag: "0.9.1@sha256:615a587717934153179c138d3598841922e3a658e5e891347f21ecbe5c8387ae"
    # @supplier: "Univention"
  umsPortalFrontend:
    # renovate:
@@ -444,7 +436,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/portal-frontend"
-    tag: "0.5.2@sha256:aca1d481e23cbba7a33d5f261be6196690a6b7f1e593f7ff96fc6f22edab2c6b"
+    tag: "0.9.1@sha256:c0984b246692d58b3fbecac487d3737e9b4f62181666f1abfa2401d1a3a72267"
    # @supplier: "Univention"
  umsPortalServer:
    # renovate:
@@ -452,7 +444,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/portal-server"
-    tag: "0.5.2@sha256:ed982e41ac5b0b81946272acf00f76463901da4f4b3ad50282ec4c73fd4b5833"
+    tag: "0.9.1@sha256:f608986d8b072a143260531b6e3fcb08d18c88bc444b968c0713737769fd1292"
    # @supplier: "Univention"
  umsWaitForDependency:
    # renovate:
@@ -460,7 +452,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/wait-for-dependency"
-    tag: "0.5.0@sha256:78cfcc52b81f620374c4b827f0055be5339a7dd469d9b8df67e3bed547abd6bc"
+    tag: "0.9.1@sha256:22e57dca261dad12e046a827914bb888f49fd6bb61f50ad5023b53dade4eda33"
    # @supplier: "Univention"
  umsStoreDav:
    # renovate:
@@ -468,7 +460,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/store-dav"
-    tag: "0.5.2@sha256:1bc01b883a5ccd2612925e123da10f9d216389701d743f1cea4050633770639f"
+    tag: "0.9.1@sha256:82b6b5e7c20793b2a6000a1ceddd3e4b3d085bf75999e9ff9814e7224d1de629"
    # @supplier: "Univention"
  umsUdmRestApi:
    # renovate:
@@ -476,7 +468,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/udm-rest-api"
-    tag: "0.3.5@sha256:1a434f9d5e4d15217d011c13d9f1694e8a12291e09a6d0802c1158f7e2c5e035"
+    tag: "0.4.1@sha256:4b264251e9e1f2933be86051964d6113011379af107cc95dca53c1eff4c1e709"
    # @supplier: "Univention"
  umsUmcGateway:
    # renovate:
@@ -484,7 +476,7 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/umc-gateway"
-    tag: "0.6.1@sha256:e023c6b4a66eb80dc165310aff9b869cf35c102196514741676a9dba68cfae89"
+    tag: "0.6.2@sha256:326ced2ffd5cffa7591f23f5b0e2fe313a5aa0984d1537c3464df042d93b341c"
    # @supplier: "Univention"
  umsUmcServer:
    # renovate:
@@ -492,7 +484,23 @@ images:
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/umc-server"
-    tag: "0.6.1@sha256:9fc3ad7c45c436698223fe3219c314420b4687c9c694f5d255612beb51df9347"
+    tag: "0.6.2@sha256:e2694fbc1b8f3027ae48f329e034431e06648028ca9c928b464db66a9fd080fb"
    # @supplier: "Univention"
  umsSelfserviceListener:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/selfservice-listener"
    tag: "0.3.0@sha256:919c4cbef3c4920fe661f5d69de7258135096b673a26370a0cbd98d244a20752"
    # @supplier: "Univention"
  umsSelfserviceInvitation:
    # renovate:
    # registryUrl=https://registry.souvap-univention.de
    # dependencyType=vendor
    # This is a preview and not part of the standard deployment.
    repository: "souvap/tooling/images/univention/selfservice-invitation"
    tag: "0.3.0@sha256:225ce06e2859586d4c0fa1933d687df370d170b71b62cfd1e46992b44e880b08"
    # @supplier: "Univention"
  wellKnown:
    # renovate:
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -0,0 +1,16 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
  openproject:
    backend: "minio"
    bucket: "openproject"
    endpoint: ""
    provider: "AWS"
    region: ""
    secret: ""
    username: "openproject_user"
    useIAMProfile: ""
 ...
--- a/helmfile/environments/default/persistence.yaml
+++ b/helmfile/environments/default/persistence.yaml
@@ -19,11 +19,11 @@ persistence:
    prosody: "1Gi"
    redis: "1Gi"
    synapse: "1Gi"
    univentionCorporateServer: "1Gi"
    univentionManagementStack:
      ldapServerData: "1Gi"
      ldapServerShared: "1Gi"
      portalListener: "1Gi"
      selfserviceListener: "1Gi"
      storeDav: "1Gi"
    xwiki: "1Gi"
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -340,13 +340,6 @@ resources:
    requests:
      cpu: 0.1
      memory: "64Mi"
  univentionCorporateServer:
    limits:
      cpu: 99
      memory: "4Gi"
    requests:
      cpu: 0.5
      memory: "1Gi"
  umsLdapNotifier:
    limits:
      cpu: 99
@@ -396,6 +389,21 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsSelfserviceListener:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsSelfserviceListenerDependencies:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsStackDataUms:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -11,11 +11,8 @@ secrets:
    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
    oxguardMC: {{ printf "MC%s" (randAlphaNum 20 | b64enc) | quote }}
    oxguardRC: {{ printf "RC%s" (randAlphaNum 20 | b64enc) | quote }}
-  univentionCorporateServer:
+  univentionManagementStack:
-    authSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "auth_secret" | sha1sum | quote }}
+    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
    defaultAccounts:
      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_admin" | sha1sum | quote }}
    ldapSearch:
      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_keycloak" | sha1sum | quote }}
      nextcloud: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_nextcloud" | sha1sum | quote }}
@@ -23,8 +20,6 @@ secrets:
      ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_ox" | sha1sum | quote }}
      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_openproject" | sha1sum | quote }}
      xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "ldapsearch_xwiki" | sha1sum | quote }}
  univentionManagementStack:
    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
    defaultAccounts:
      administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "Administrator" "ums" | sha1sum | quote }}
      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ucs" "default_accounts_user_password" | sha1sum | quote }}
@@ -38,7 +33,8 @@ secrets:
    keycloakExtensionUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_extensions_user" | sha1sum | quote }}
    matrixUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "matrix_user" | sha1sum | quote }}
    openprojectUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "openproject_user" | sha1sum | quote }}
-    notificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
+    umsNotificationsApiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "notificationsapi_user" | sha1sum | quote }}
    umsSelfserviceUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "selfservice_user" | sha1sum | quote }}
  mariadb:
    rootPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "root_password" | sha1sum | quote }}
    xwikiUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "xwiki_user" | sha1sum | quote }}
--- a/helmfile/environments/default/security.yaml
+++ b/helmfile/environments/default/security.yaml
@@ -0,0 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 security:
  otterizeIntents:
    enabled: false
  clusterPostfix:
    enabled: false
    namespace: ""
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -41,10 +41,8 @@ postgresql:
  enabled: true
 redis:
  enabled: true
 univentionCorporateServer:
  enabled: true
 univentionManagementStack:
-  enabled: false
+  enabled: true
 xwiki:
  enabled: true
 ...
--- a/helmfile/files/gpg-pubkeys/opencode.gpg
+++ b/helmfile/files/gpg-pubkeys/opencode.gpg
--- a/helmfile/apps/univention-corporate-container/values.yaml
+++ b/helmfile/apps/univention-corporate-container/values.yaml
@@ -1,7 +1,2 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 service:
  nodePort:
    enabled: false
 ...
--- a/helmfile/files/gpg-pubkeys/openproject-com.gpg
+++ b/helmfile/files/gpg-pubkeys/openproject-com.gpg
--- a/helmfile/files/gpg-pubkeys/openproject-com.gpg.license
+++ b/helmfile/files/gpg-pubkeys/openproject-com.gpg.license
@@ -0,0 +1,2 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
Author	SHA1	Message	Date
opendesk	1b9f394489	chore(release): 0.5.70 [skip ci] ## [0.5.70](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.69...v0.5.70) (2023-12-14) ### Bug Fixes * univention-management-stack: Remove UCS container monolith and make UMS standard IAM ([`450c434`](`450c434ed0`))	2023-12-14 07:12:00 +00:00
merge-request-bot	450c434ed0	fix(univention-management-stack): Remove UCS container monolith and make UMS standard IAM	2023-12-14 07:10:12 +00:00
opendesk	4b6a20faa4	chore(release): 0.5.69 [skip ci] ## [0.5.69](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.68...v0.5.69) (2023-12-12) ### Bug Fixes * univention-management-stack: Functional replacement for UCS container monolith, still optional. ([`ce38714`](`ce38714a81`))	2023-12-12 21:01:26 +00:00
merge-request-bot	ce38714a81	fix(univention-management-stack): Functional replacement for UCS container monolith, still optional.	2023-12-12 19:31:27 +00:00
opendesk	37f1eb9794	chore(release): 0.5.68 [skip ci] ## [0.5.68](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.67...v0.5.68) (2023-12-11) ### Bug Fixes * jitsi: Disable IP Blacklist ([`6a649cb`](`6a649cb7f0`)) * open-xchange: Update to latest version ([`db4bfa4`](`db4bfa4884`))	2023-12-11 18:01:31 +00:00
merge-request-bot	db4bfa4884	fix(open-xchange): Update to latest version	2023-12-11 16:56:36 +00:00
Dominik Kaminski	6a649cb7f0	fix(jitsi): Disable IP Blacklist	2023-12-11 17:00:06 +01:00
opendesk	b6ef559cde	chore(release): 0.5.67 [skip ci] ## [0.5.67](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.66...v0.5.67) (2023-12-11) ### Bug Fixes * services: Use Charts from openCoDE registry ([`cc0daa2`](`cc0daa2a22`))	2023-12-11 13:01:23 +00:00
Dominik Kaminski	cc0daa2a22	fix(services): Use Charts from openCoDE registry	2023-12-10 16:52:53 +01:00
opendesk	c69c62cd45	chore(release): 0.5.66 [skip ci] ## [0.5.66](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.65...v0.5.66) (2023-12-08) ### Bug Fixes * element: Update Element and Widgets ([`6a26299`](`6a26299a75`))	2023-12-08 22:01:16 +00:00
merge-request-bot	6a26299a75	fix(element): Update Element and Widgets	2023-12-08 20:18:36 +00:00
opendesk	4101e91ae6	chore(release): 0.5.65 [skip ci] ## [0.5.65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.64...v0.5.65) (2023-12-08) ### Bug Fixes * univention-management-stack: Bump OX Connector ([`83192b7`](`83192b7834`))	2023-12-08 15:01:16 +00:00
Thorsten Roßner	83192b7834	fix(univention-management-stack): Bump OX Connector	2023-12-07 19:56:18 +01:00
opendesk	3b1091bb3e	chore(release): 0.5.64 [skip ci] ## [0.5.64](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.63...v0.5.64) (2023-12-06) ### Bug Fixes * openproject: Switch to release container and set home url link ([`e67ab8f`](`e67ab8f430`))	2023-12-06 19:01:06 +00:00
merge-request-bot	e67ab8f430	fix(openproject): Switch to release container and set home url link	2023-12-06 17:52:05 +00:00
opendesk	da731e7d5e	chore(release): 0.5.63 [skip ci] ## [0.5.63](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.62...v0.5.63) (2023-12-06) ### Bug Fixes * nextcloud: Remove Talk folder ([`0ea5856`](`0ea585633b`))	2023-12-06 11:13:39 +00:00
merge-request-bot	0ea585633b	fix(nextcloud): Remove Talk folder	2023-12-06 11:10:39 +00:00
opendesk	fe40b7cfa1	chore(release): 0.5.62 [skip ci] ## [0.5.62](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.61...v0.5.62) (2023-12-06) ### Bug Fixes * nextcloud: Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder ([`d04a603`](`d04a60349d`)) * univention-management-stack: Update optional UMS preview state ([`94ae3da`](`94ae3da78b`))	2023-12-06 09:10:05 +00:00
merge-request-bot	d04a60349d	fix(nextcloud): Bump image to 27.1.4 and update Helm chart to configure "Shared_with_me" folder	2023-12-06 09:07:44 +00:00
merge-request-bot	94ae3da78b	fix(univention-management-stack): Update optional UMS preview state	2023-12-05 20:27:57 +00:00
opendesk	3ca54159f7	chore(release): 0.5.61 [skip ci] ## [0.5.61](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.60...v0.5.61) (2023-12-05) ### Bug Fixes * services: Fix port declaration for Postfix ([`bf5dcda`](`bf5dcda3b5`))	2023-12-05 15:13:35 +00:00
merge-request-bot	bf5dcda3b5	fix(services): Fix port declaration for Postfix	2023-12-05 15:11:22 +00:00
opendesk	08ca525d3e	chore(release): 0.5.60 [skip ci] ## [0.5.60](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.59...v0.5.60) (2023-12-05) ### Bug Fixes * ci: Ensure release creation with artifacts ([`dc7ce0b`](`dc7ce0bc4b`))	2023-12-05 13:11:56 +00:00
merge-request-bot	dc7ce0bc4b	fix(ci): Ensure release creation with artifacts	2023-12-05 13:09:19 +00:00
opendesk	729a1ea849	chore(release): 0.5.59 [skip ci] ## [0.5.59](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.58...v0.5.59) (2023-12-05) ### Bug Fixes * helmfile: Add configurable objectstore ([`3b5493d`](`3b5493d78d`))	2023-12-05 08:36:22 +00:00
Robin Rush	3b5493d78d	fix(helmfile): Add configurable objectstore	2023-12-05 09:07:41 +01:00
opendesk	6711791009	chore(release): 0.5.58 [skip ci] ## [0.5.58](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.57...v0.5.58) (2023-12-01) ### Bug Fixes * cryptpad: Add websocket annotation ([`c41643e`](`c41643ee3e`)) * openproject: Add seederJob intent ([`05cc82d`](`05cc82d7c5`)) * openproject: Bump to 2.6.2 ([`c8bc8b3`](`c8bc8b3172`)) * services: Add NetworkPolicy section to docs/security.md ([`24812b6`](`24812b667c`)) * services: Add Otterize based security settings ([`bec9a2d`](`bec9a2d46b`)) * univention-management-stack: Add Otterize annotations for jobs ([`2628a0e`](`2628a0e13e`))	2023-12-01 20:53:38 +00:00
Dominik Kaminski	c41643ee3e	fix(cryptpad): Add websocket annotation	2023-12-01 20:50:08 +00:00
Dominik Kaminski	2628a0e13e	fix(univention-management-stack): Add Otterize annotations for jobs	2023-12-01 20:50:08 +00:00
Dominik Kaminski	c8bc8b3172	fix(openproject): Bump to 2.6.2	2023-12-01 20:50:08 +00:00
Dominik Kaminski	24812b667c	fix(services): Add NetworkPolicy section to docs/security.md	2023-12-01 20:50:08 +00:00
Dominik Kaminski	bec9a2d46b	fix(services): Add Otterize based security settings	2023-12-01 20:50:08 +00:00
Dominik Kaminski	05cc82d7c5	fix(openproject): Add seederJob intent	2023-12-01 20:50:08 +00:00
opendesk	82be996d97	chore(release): 0.5.57 [skip ci] ## [0.5.57](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.56...v0.5.57) (2023-12-01) ### Bug Fixes * helmfile: Using correct private registry for postfix helm-chart ([`d367739`](`d367739248`))	2023-12-01 20:48:37 +00:00
Martin Müller	d367739248	fix(helmfile): Using correct private registry for postfix helm-chart	2023-12-01 15:20:25 +00:00
		`@@ -0,0 +1,2 @@`
							`# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"`
							`# SPDX-License-Identifier: Apache-2.0`