fix(open-xchange): Bump Gotenberg container

chore(release): 0.5.74 [skip ci]
## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12) ### Bug Fixes * **ci:** Add opendesk-ci linter ([b23152b](b23152bb20)) * **ci:** Scan all images for malware on release ([807b73c](807b73c8a4)) * **ci:** Switch to 'on_success' instead of 'always' ([e1f6370](e1f63701f1)) * **collabora:** Migrate collabora to yaml.gotmpl file ([09d001b](09d001b6db)) * **cryptpad:** Bump image ([90152bd](90152bdc41)) * **cryptpad:** Bump image to 5.6.0 ([1c4db30](1c4db30b65)) * **cryptpad:** Verify against GPG key ([fec0d1f](fec0d1f26a)) * **docs:** Update Helm Chart Trust Chain information ([f894370](f8943703ed)) * **element:** Fix rights & roles of neoboard ([7daa93f](7daa93f061)) * **element:** Fix rights and roles configuration ([452624c](452624ce74)) * **helmfile:** Add image annotations for mirroring ([41e777c](41e777c81d)) * **helmfile:** Add logLevel to globals ([8db9bf3](8db9bf3c99)) * **helmfile:** Add XWiki GPG key ([712605e](712605e4f1)) * **helmfile:** Increase timeouts for deployment of services ([3b557a8](3b557a892c)) * **helmfile:** Merge fix values filename for Jitsi ([7a14531](7a145315f9)) * **helmfile:** Remove oci flag from charts.yaml and move user/password ([2ad48b6](2ad48b6fd5)) * **helmfile:** Sort images and charts ([acf6816](acf6816653)) * **helmfile:** Switch artefacts to be pulled from Open CoDE or upstream ([6b3d99d](6b3d99d1d1)) * **intercom-service:** Add scaling option. ([969c42a](969c42a590)) * **jitsi:** Add available securityContexts here ([8f09740](8f09740677)) * **nextcloud:** Replace community Nextcloud with openDesk Nextcloud ([813a2e2](813a2e29e9)) * **open-xchange:** Enable ICAP and merge yaml and gotmpl files ([306252d](306252da6f)) * **openproject:** Consolidate env values set by Helm chart ([08754cc](08754cc527)) * **openproject:** Merge yaml and gotmpl value files ([45967c7](45967c7a0b)) * **services:** Add scaling to all services ([0492420](0492420d60)) * **univention-management-stack:** Add guardian components ([db749d8](db749d8b1b)) * **univention-management-stack:** Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions ([0bf059e](0bf059e8e1)) * **univention-management-stack:** Add ums provisioning service ([d039c65](d039c65c4b)) * **univention-management-stack:** Bump Keycloak Bootstrap image ([bb289d5](bb289d545e)) * **univention-management-stack:** Bump Keycloak chart and image and provide settings for IT-Grundschutz ([c2e9204](c2e9204c56)) * **univention-management-stack:** Keycloak clients for guardian ([b30b29d](b30b29df8a)) * **univention-management-stack:** Provide openDesk version info for admins in portal menu ([5f5a65f](5f5a65f59d)) * **univention-management-stack:** SAML join using internal Keycloak hostname ([acbef3a](acbef3ae3e)) * **univention-management-stack:** Streamline timeouts for deployment ([506ef4a](506ef4a20f)) * **univention-management-stack:** Updated base image ([78993e1](78993e122b)) * **xwiki:** Bump Helm chart und image, fix favicon ([87b6fcf](87b6fcfc37)) * **xwiki:** Ldap group sync filter ([9aa907a](9aa907a909)) * **xwiki:** Update default XWiki configuration ([f13f39a](f13f39a0a0)) * **xwiki:** Update Image to include XWiki 15.10.4 ([9ff6056](9ff605623c)) * **xwiki:** Update to 1.2.6 and add imagePullSecrets ([2d2455f](2d2455fdb3)) * **xwiki:** Verify against GPG key ([a0d5fb8](a0d5fb8955))
2025-12-06 15:31:38 +01:00 · 2024-02-19 11:07:41 +01:00 · 2024-01-12 15:46:37 +00:00 · 2024-01-12 09:52:38 +01:00 · 2024-01-11 16:57:15 +00:00 · 2024-01-11 17:19:14 +01:00
127 changed files with 3523 additions and 2820 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,9 +5,6 @@
 .yamllint
 # Ignore changes to sample environments
-helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.yaml.gotmpl
-helmfile/environments/dev/values.gotmpl
+helmfile/environments/test/values.yaml.gotmpl
-helmfile/environments/test/values.yaml
+helmfile/environments/prod/values.yaml.gotmpl
 helmfile/environments/test/values.gotmpl
 helmfile/environments/prod/values.yaml
 helmfile/environments/prod/values.gotmpl
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,6 +15,7 @@ include:
 stages:
  - ".pre"
  - "scan"
  - "automr"
  - "lint"
  - "env-cleanup"
@@ -175,7 +176,7 @@ env-cleanup:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          $ENV_STOP_BEFORE != "no"
-      when: "always"
+      when: "on_success"
  script:
    - |
      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
@@ -199,7 +200,7 @@ env-start:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/
-      when: "always"
+      when: "on_success"
  script:
    - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
    - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
@@ -221,7 +222,7 @@ services-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "services"
@@ -233,7 +234,7 @@ provisioning-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "provisioning"
@@ -245,7 +246,7 @@ ums-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "univention-management-stack"
@@ -258,7 +259,7 @@ ox-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OX != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "open-xchange"
@@ -270,7 +271,7 @@ ics-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "intercom-service"
@@ -282,7 +283,7 @@ xwiki-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_XWIKI != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "xwiki"
@@ -294,7 +295,7 @@ collabora-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_COLLABORA != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "collabora"
@@ -306,7 +307,7 @@ cryptpad-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "cryptpad"
@@ -318,7 +319,7 @@ nextcloud-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "nextcloud"
@@ -330,7 +331,7 @@ openproject-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OPENPROJECT != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "openproject"
@@ -342,7 +343,7 @@ openproject-bootstrap-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "openproject-bootstrap"
@@ -354,7 +355,7 @@ jitsi-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_JITSI != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "jitsi"
@@ -366,7 +367,7 @@ element-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "element"
@@ -410,7 +411,7 @@ run-tests:
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
-      when: "always"
+      when: "on_success"
  script:
    - *ums-default-password
    - |
@@ -450,7 +451,7 @@ run-souvap-dev-tests:
  rules:
    - if: >
        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
-      when: "always"
+      when: "on_success"
  script:
    - *ums-default-password
    - |
@@ -470,12 +471,70 @@ run-souvap-dev-tests:
      }" \
      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
 avscan-prepare:
  stage: ".pre"
  rules:
    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
  script:
    - |
      cat << 'EOF' > dynamic-scans.yml
      ---
      stages:
        - "scan"
      .container-clamav:
        stage: "scan"
        image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/clamav-imagescan:1.0.0"
        before_script:
          - "sed -i \"/^DatabaseMirror .*$/c DatabaseMirror ${DATABASE_MIRROR}\" /etc/clamav/freshclam.conf"
          - "freshclam"
          - "mkdir /scan"
        script:
          - "export IMAGE=${EXTERNAL_REGISTRY:-${CONTAINER_REGISTRY}}/${CONTAINER_IMAGE}:${CONTAINER_TAG}"
          - "echo Pulling and scanning $IMAGE..."
          - "crane pull $IMAGE /scan/image.tar"
          - "clamscan /scan"
        variables:
          CONTAINER_IMAGE: ""
          CONTAINER_REGISTRY: ""
          CONTAINER_TAG: ""
          DATABASE_MIRROR: "https://nexus.souvap-univention.de/repository/ClamAV"
      EOF
    - >
      yq '.images
      | with_entries(.key |= "scan-" + .)
      | .[].extends=".container-clamav"
      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
      | del(.[].repository)
      | del(.[].tag)
      | del(.[].registry)'
      helmfile/environments/default/images.yaml
      >> dynamic-scans.yml
  artifacts:
    paths:
      - "dynamic-scans.yml"
 avscan-start:
  stage: "scan"
  rules:
    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  trigger:
    include:
      - artifact: "dynamic-scans.yml"
        job: "avscan-prepare"
    strategy: "depend"
 generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "always"
+      when: "on_success"
    - when: "never"
  script:
    - |
@@ -495,6 +554,21 @@ generate-release-assets:
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
 opendesk-linter:
  cache: {}
  image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
  needs: []
  rules:
    - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
      when: "never"
    - when: "always"
  script:
    - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
    - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
    - "git diff --exit-code"
  stage: "lint"
  tags:
    - "docker"
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
@@ -530,15 +604,36 @@ reuse-linter:
 generate-release-version:
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false'"
-      when: "always"
+      when: "on_success"
 release:
  dependencies:
    - "generate-release-assets"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "always"
+      when: "on_success"
  script:
    - >
      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
    - |
      if [ -z "${RELEASE_VERSION}" ]; then
        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
      else
        echo "RELEASE_VERSION=${RELEASE_VERSION}"
      fi
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
        systemInformation:
          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
      ...
      EOF
    - |
      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
      {
@@ -557,7 +652,7 @@ release:
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
-            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
          }]
        ]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,50 @@
 ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)
 ### Bug Fixes
 * **ci:** Add opendesk-ci linter ([b23152b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b23152bb20f3460c62719e47ce519d093a42c034))
 * **ci:** Scan all images for malware on release ([807b73c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/807b73c8a4f39de31f6ae02003541cf19597a3b7))
 * **ci:** Switch to 'on_success' instead of 'always' ([e1f6370](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e1f63701f108bcc124ec67079df1a8649cc2e7c2))
 * **collabora:** Migrate collabora to yaml.gotmpl file ([09d001b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/09d001b6db167ff0a5cd95a1cd58dd2f117f338f))
 * **cryptpad:** Bump image ([90152bd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/90152bdc41131c359075556d26873c1ad5292950))
 * **cryptpad:** Bump image to 5.6.0 ([1c4db30](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c4db30b65249294696d71e435307d2877556b2c))
 * **cryptpad:** Verify against GPG key ([fec0d1f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/fec0d1f26acd729e71d441ae8043830049028cf4))
 * **docs:** Update Helm Chart Trust Chain information ([f894370](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f8943703ede8f3757dc10b789d95239fe8038d5c))
 * **element:** Fix rights & roles of neoboard ([7daa93f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7daa93f06179a9d6eedbc058503252d7b7aa04b1))
 * **element:** Fix rights and roles configuration ([452624c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/452624ce749b60abb1208a9f298e92af7d0168d0))
 * **helmfile:** Add image annotations for mirroring ([41e777c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/41e777c81dcb50ead8486683fea8cbbc69f07129))
 * **helmfile:** Add logLevel to globals ([8db9bf3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8db9bf3c993845c94331c7f1891c3abda907d6e6))
 * **helmfile:** Add XWiki GPG key ([712605e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/712605e4f14913f8e5cda61f64514e077d8df5dc))
 * **helmfile:** Increase timeouts for deployment of services ([3b557a8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b557a892c80f4c0061c36fc706502c49a7c4607))
 * **helmfile:** Merge fix values filename for Jitsi ([7a14531](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a145315f9768f5b5606a1b951f7f07f8a8a7673))
 * **helmfile:** Remove oci flag from charts.yaml and move user/password ([2ad48b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2ad48b6fd528c002501771dea96784e54d272c03))
 * **helmfile:** Sort images and charts ([acf6816](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/acf681665352c84de00246b57b0be9afa48a820d))
 * **helmfile:** Switch artefacts to be pulled from Open CoDE or upstream ([6b3d99d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6b3d99d1d1a41368650f828eaea69d9159b8e752))
 * **intercom-service:** Add scaling option. ([969c42a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/969c42a590bb47cddf4c5f59940d53d55dba8810))
 * **jitsi:** Add available securityContexts here ([8f09740](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8f097406773ad769e3bece6af6c994df8254228c))
 * **nextcloud:** Replace community Nextcloud with openDesk Nextcloud ([813a2e2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/813a2e29e964f95bff133a6b09608ff9f6fda255))
 * **open-xchange:** Enable ICAP and merge yaml and gotmpl files ([306252d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/306252da6fb70c3728cf781ea62ab76ad1099af6))
 * **openproject:** Consolidate env values set by Helm chart ([08754cc](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/08754cc527e2828a44e853277ed55d6b3d041a37))
 * **openproject:** Merge yaml and gotmpl value files ([45967c7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/45967c7a0b18df6ff23ebff62d5a4c67bde7cee2))
 * **services:** Add scaling to all services ([0492420](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0492420d60bf8e866b39dc51a2e3627cc710de75))
 * **univention-management-stack:** Add guardian components ([db749d8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db749d8b1b5982d7ffd1728a40c343928a94dc9b))
 * **univention-management-stack:** Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions ([0bf059e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0bf059e8e1560a63d4b5efbd80a00a896539f86b))
 * **univention-management-stack:** Add ums provisioning service ([d039c65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d039c65c4b808e2a55a428502a8cfc05d001b43c))
 * **univention-management-stack:** Bump Keycloak Bootstrap image ([bb289d5](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bb289d545e2ee306ecf032d4889c694c7182f243))
 * **univention-management-stack:** Bump Keycloak chart and image and provide settings for IT-Grundschutz ([c2e9204](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c2e9204c56c526b96e084bd7578cb981f3be29c0))
 * **univention-management-stack:** Keycloak clients for guardian ([b30b29d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b30b29df8aa179dd065db4ade1d2911f6c7ab458))
 * **univention-management-stack:** Provide openDesk version info for admins in portal menu ([5f5a65f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/5f5a65f59d4f67b589f6ac1f5c51ed584ab91ff0))
 * **univention-management-stack:** SAML join using internal Keycloak hostname ([acbef3a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/acbef3ae3e335de0c5dfc2e54e2c31b64643990a))
 * **univention-management-stack:** Streamline timeouts for deployment ([506ef4a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/506ef4a20f8f5de509a678f7df64f24137e985f6))
 * **univention-management-stack:** Updated base image ([78993e1](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/78993e122bad05cc2801acf516ebebb4accc1aaf))
 * **xwiki:** Bump Helm chart und image, fix favicon ([87b6fcf](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/87b6fcfc37babaca03ffdbb1ba4ae603db4f1c23))
 * **xwiki:** Ldap group sync filter ([9aa907a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/9aa907a90996b7b4fe4addbd4ca9f0eae6f65aec))
 * **xwiki:** Update default XWiki configuration ([f13f39a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f13f39a0a0fe9748f12270e9c933c985919b8eda))
 * **xwiki:** Update Image to include XWiki 15.10.4 ([9ff6056](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/9ff605623c955d34dcccfdfb69c5b6245ab3f4fc))
 * **xwiki:** Update to 1.2.6 and add imagePullSecrets ([2d2455f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2d2455fdb347ec001e6a48a5a61dc9098a66e6d6))
 * **xwiki:** Verify against GPG key ([a0d5fb8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a0d5fb895518aa28b6e69cffdcecde1fe2a53ceb))
 ## [0.5.73](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.72...v0.5.73) (2023-12-21)
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -12,8 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
 * [Customize environment](#customize-environment)
  * [Domain](#domain)
    * [Apps](#apps)
-  * [Private Image registry](#private-image-registry)
+  * [Private Helm chart and container image registry](#private-helm-chart-and-container-image-registry)
  * [Private Helm registry](#private-helm-registry)
  * [Cluster capabilities](#cluster-capabilities)
    * [Service](#service)
    * [Networking](#networking)
@@ -127,58 +126,39 @@ jitsi:
  enabled: false
 ```
-## Private Image registry
+## Private Helm chart and container image registry
-By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
+By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
-OCI registries provided by Open CoDE.
+in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
-You also can set your own registry by:
+For untouched upstream artefacts that do not belong to a functional component's core we use upstream registries
 like Docker Hub.
 Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry anyway you can configure such for
 [your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting `global.imageRegistry`
 like this:
 ```yaml
 global:
  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
 ```
-or via environments variable:
+alternatively you can use an environment variable:
 ```shell
 export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
 ```
 If authentication is required, you can reference imagePullSecrets as following:
 ```yaml
 global:
  imagePullSecrets:
    - "external-registry"
 ```
 ## Private Helm registry
 Some apps use OCI style registry and some use Helm chart museum style registries.
 In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
 or version.
 As an example, you can also use helmfile methods to use just a single environment variable to set registry and
 authentication for all OCI helm charts.
 ```yaml
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ```
 There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
 The following environment variables have to be exposed when using the example:
 | Environment variable                | Description                                                                                |
 |-------------------------------------|--------------------------------------------------------------------------------------------|
 | `OD_PRIVATE_HELM_OCI_REGISTRY`      | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de`     |
 | `OD_PRIVATE_HELM_HTTP_REGISTRY`     | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
 | `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username                                                                                   |
 | `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password                                                                                   |
 ## Cluster capabilities
 ### Service
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -21,7 +21,7 @@ marked with a gear.
 | Component        | Name                                     | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------------------------|:-------------------:|:------------------:|
+|------------------|------------------------------------------|:-------------------:|:------------------:|
 | ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.freshclam`                     |         :x:         |        :x:         |
@@ -39,14 +39,19 @@ marked with a gear.
 |                  | `replicas.synapse`                       |         :x:         |       :gear:       |
 |                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
 | Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
 | Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jvb `                          |         :x:         |        :x:         |
 | Keycloak         | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
 | Memcached        | `replicas.memcached`                     |       :gear:        |       :gear:       |
 | Minio            | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Nextcloud   | `replicas.nextcloud`                     | :white_check_mark:  |       :gear:       |
+| Nextcloud        | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
 | OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
 | Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
 | Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
 | XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/docs/security.md
+++ b/docs/security.md
@@ -15,36 +15,14 @@ This document should cover the current status of security measurements.
 # Helm Chart Trust Chain
-Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.
 `pubkey.gpg` file and are validated during helmfile installation.
-| Repository                           | OCI |     Verifiable     |
+All charts except these are verifiable:
-|--------------------------------------|:---:|:------------------:|
+
-| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
+| Repository        | Verifiable |
-| clamav-repo                          | yes | :white_check_mark: |
+|-------------------|:----------:|
-| collabora-online-repo                | no  |        :x:         |
+| collabora-repo    |     no     |
-| cryptpad-online-repo                 | no  |        :x:         |
+| open-xchange-repo |     no     |
 | intercom-service-repo                | yes | :white_check_mark: |
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
 | keycloak-extensions-repo             | no  |        :x:         |
 | mariadb-repo                         | yes | :white_check_mark: |
 | nextcloud-repo                       | no  |        :x:         |
 | opendesk-certificates-repo           | yes | :white_check_mark: |
 | opendesk-dovecot-repo                | yes | :white_check_mark: |
 | opendesk-element-repo                | yes | :white_check_mark: |
 | opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
 | opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
 | opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
 | openproject-repo                     | yes | :white_check_mark: |
 | openxchange-repo                     | yes |        :x:         |
 | ox-connector-repo                    | no  |        :x:         |
 | postfix-repo                         | yes | :white_check_mark: |
 | postgresql-repo                      | yes | :white_check_mark: |
 | ums-repo                             | no  |        :x:         |
 | univention-keycloak-repo             | yes | :white_check_mark: |
 | univention-keycloak-bootstrap-repo   | yes | :white_check_mark: |
 | xwiki-repo                           | no  |        :x:         |
 # Kubernetes Security Enforcements
@@ -52,13 +30,13 @@ This list gives you an overview of default security settings and if they comply
 | Component                   | Process                       |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
-|-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV                      | clamd                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | freshclam                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | icap                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | milter                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora                   | collabora                     |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
-| CryptPad                    | npm                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
+| CryptPad                    | cryptpad                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
 | Dovecot                     | dovecot                       |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
 | Element                     | element                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |                             | synapse                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
@@ -74,9 +52,11 @@ This list gives you an overview of default security settings and if they comply
 | MariaDB                     | mariadb                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Memcached                   | memcached                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
 | Minio                       | minio                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
-| Nextcloud                   | nextcloud                    |        :x:         |         :white_check_mark:         |                                                  :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`)                                                  |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
+| Nextcloud                   | opendesk-nextcloud-apache2    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | nextcloud-cron               |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
+|                             | opendesk-nextcloud-cron       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
-|                             | opendesk-nextcloud-bootstrap |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
+|                             | opendesk-nextcloud-exporter   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
 |                             | opendesk-nextcloud-management |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   65532   |   65532    |  65532  |
 |                             | opendesk-nextcloud-php        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
 | Open-Xchange                | core-documentconverter        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
 |                             | core-guidedtours              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | core-imageconverter           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
@@ -94,17 +74,22 @@ This list gives you an overview of default security settings and if they comply
 | Postfix                     | postfix                       |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL                  | postgresql                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Redis                       | redis                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
-| Univention Management Stack | keycloak                     |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Univention Management Stack | guardian-authorization-api    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | keycloakBootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | guardian-management-api       |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | keycloakExtensionHandler     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | guardian-management-ui        |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | keycloakExtensionProxy       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | keycloak                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | keycloak-bootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | keycloak-extension-handler    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | keycloak-extension-proxy      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | ldap-notifier                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | ldap-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | notifications-api             |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
-|                             | opendeskKeycloakBootstrap    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | opendesk-keycloak-bootstrap   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | open-policy-agent             |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-frontend               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-listener               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-server                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | provisioning-api              |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | selfservice-listener          |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | stack-gateway                 | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |                             | store-dav                     |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
--- a/docs/theming.md
+++ b/docs/theming.md
@@ -53,7 +53,5 @@ theme:
 # Known limits
 Not all applications support theming. Known exceptions are:
  - Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
    for theming through the deployment).
  - OpenProject
  - Jitsi
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -84,7 +84,7 @@ The below rendering in class diagram notation shows the three component classes
 **Note:** The methods prefixed with '-' are not yet available in `gitlab-config` you will learn about them later.
-```Mermaid
+```mermaid
 classDiagram
    Images <|-- Helm_charts
    Images <|-- Helmfile_based_deployment_automation
--- a/examples/private-helm-registry.yaml.gotmpl
+++ b/examples/private-helm-registry.yaml.gotmpl
@@ -1,261 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamav:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamavSimple:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  collabora:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  cryptpad:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  dovecot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  element:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  elementWellKnown:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  intercomService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  istioResources:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  jitsi:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloak:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloakBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  opendeskKeycloakBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloakExtensions:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  mariadb:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeoboardWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeochoiseWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixBot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixUserVerificationService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  memcached:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  minio:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloud:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloudBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nginx:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openproject:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openprojectBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuite:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuiteBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  otterize:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  oxConnector:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postfix:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postgresql:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  redis:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapse:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseCreateAccount:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseWeb:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapNotifier:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsNotificationsApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalFrontend:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalListener:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataSwp:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataUms:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStoreDav:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUdmRestApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcGateway:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  xwiki:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ...
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -37,18 +37,15 @@ environments:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.yaml.gotmpl"
      - "helmfile/environments/dev/values.gotmpl"
  test:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.yaml.gotmpl"
      - "helmfile/environments/test/values.gotmpl"
  prod:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.yaml.gotmpl"
      - "helmfile/environments/prod/values.gotmpl"
 ...
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -8,18 +8,18 @@ repositories:
  # Collabora Online
  # Source: https://github.com/CollaboraOnline/online
  - name: "collabora-online-repo"
-    username: {{ .Values.charts.collabora.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.collabora.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: {{ .Values.charts.collabora.oci }}
+    oci: true
-    url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.collabora.registry }}/\
      {{ .Values.charts.collabora.repository }}"
 releases:
  - name: "collabora-online"
    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
    version: "{{ .Values.charts.collabora.version }}"
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.collabora.enabled }}
 commonLabels:
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -1,59 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "Prefix"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 collabora:
  # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
 grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
 ...
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -1,16 +1,37 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+{{/*
-# SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/README.md or
+autoscaling:
-# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/collabora-online/values.yaml
+  enabled: false
 fullnameOverride: "collabora"
 image:
  pullPolicy: "IfNotPresent"
 collabora:
  extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 fullnameOverride: "collabora"
 grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  annotations:
@@ -50,11 +71,35 @@ ingress:
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
-autoscaling:
+  enabled: {{ .Values.ingress.enabled }}
-  enabled: false
+  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "Prefix"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
-serviceAccount:
+podSecurityContext:
-  create: true
+  fsGroup: 100
 prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: true
@@ -82,6 +127,6 @@ securityContext:
      - "SYS_CHROOT"
      - "MKNOD"
-podSecurityContext:
+serviceAccount:
-  fsGroup: 100
+  create: true
 ...
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -8,10 +8,12 @@ repositories:
  # CryptPad
  # Source: https://github.com/cryptpad/helm
  - name: "cryptpad-repo"
-    username: {{ .Values.charts.cryptpad.username | quote }}
+    keyring: "../../files/gpg-pubkeys/xwiki-com.gpg"
-    password: {{ .Values.charts.cryptpad.password | quote }}
+    verify: {{ .Values.charts.cryptpad.verify }}
-    oci: {{ .Values.charts.cryptpad.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 releases:
  - name: "cryptpad"
--- a/helmfile/apps/cryptpad/values.gotmpl
+++ b/helmfile/apps/cryptpad/values.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
  tag: {{ .Values.images.cryptpad.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -8,79 +8,79 @@ repositories:
  # openDesk Element
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-element
  - name: "element-repo"
    oci: {{ .Values.charts.element.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.element.verify }}
-    username: {{ .Values.charts.element.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.element.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    oci: {{ .Values.charts.elementWellKnown.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
-    username: {{ .Values.charts.elementWellKnown.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.elementWellKnown.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    oci: {{ .Values.charts.synapseWeb.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
-    username: {{ .Values.charts.synapseWeb.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapseWeb.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    oci: {{ .Values.charts.synapse.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
-    username: {{ .Values.charts.synapse.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapse.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    oci: {{ .Values.charts.synapseCreateAccount.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
-    username: {{ .Values.charts.synapseCreateAccount.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapseCreateAccount.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
  - name: "matrix-user-verification-service-repo"
    oci: {{ .Values.charts.matrixUserVerificationService.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
-    username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
-    username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
-    username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
--- a/helmfile/apps/element/values-element.gotmpl
+++ b/helmfile/apps/element/values-element.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -108,7 +107,7 @@ configuration:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
  repository: {{ .Values.images.element.repository | quote }}
  tag: {{ .Values.images.element.tag | quote }}
--- a/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoBoardWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
--- a/helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoChoiceWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -16,7 +15,7 @@ configuration:
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -16,6 +15,7 @@ configuration:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -16,7 +15,7 @@ configuration:
  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
--- a/helmfile/apps/element/values-synapse-web.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,7 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseWeb.registry | quote }}
  repository: {{ .Values.images.synapseWeb.repository | quote }}
  tag: {{ .Values.images.synapseWeb.tag | quote }}
--- a/helmfile/apps/element/values-synapse.gotmpl
+++ b/helmfile/apps/element/values-synapse.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,7 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
  repository: {{ .Values.images.synapse.repository | quote }}
  tag: {{ .Values.images.synapse.tag | quote }}
@@ -56,7 +55,7 @@ configuration:
    guestModule:
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: {{ .Values.global.imageRegistry | quote }}
+        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -44,4 +44,9 @@ containerSecurityContext:
 podSecurityContext:
  enabled: true
  fsGroup: 10991
 readinessProbe:
  initialDelaySeconds: 15
  periodSeconds: 5
 ...
--- a/helmfile/apps/element/values-well-known.gotmpl
+++ b/helmfile/apps/element/values-well-known.gotmpl
@@ -5,7 +5,6 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,7 +12,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.wellKnown.registry | quote }}
  repository: {{ .Values.images.wellKnown.repository | quote }}
  tag: {{ .Values.images.wellKnown.tag | quote }}
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -8,12 +8,12 @@ repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
    oci: {{ .Values.charts.intercomService.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
-    username: {{ .Values.charts.intercomService.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.intercomService.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
 releases:
  - name: "intercom-service"
--- a/helmfile/apps/intercom-service/values.gotmpl
+++ b/helmfile/apps/intercom-service/values.gotmpl
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -34,12 +33,14 @@ ics:
    port: {{ .Values.cache.intercomService.port }}
    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}
@@ -51,6 +52,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 replicaCount: {{ .Values.replicas.intercomService }}
 resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -8,19 +8,19 @@ repositories:
  # openDesk Jitsi
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-jitsi
  - name: "jitsi-repo"
    oci: {{ .Values.charts.jitsi.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.jitsi.verify }}
-    username: {{ .Values.charts.jitsi.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.jitsi.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 releases:
  - name: "jitsi"
    chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
    version: "{{ .Values.charts.jitsi.version }}"
    values:
-      - "values-jitsi.gotmpl"
+      - "values-jitsi.yaml.gotmpl"
    installed: {{ .Values.jitsi.enabled }}
    timeout: 900
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -5,18 +5,30 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiKeycloakAdapter.registry | quote }}
  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
@@ -33,7 +45,7 @@ jitsi:
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
      tag: {{ .Values.images.jitsi.tag | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
@@ -52,7 +64,7 @@ jitsi:
      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
  prosody:
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
      tag: {{ .Values.images.prosody.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
@@ -89,7 +101,7 @@ jitsi:
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
      tag: {{ .Values.images.jicofo.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
@@ -99,7 +111,7 @@ jitsi:
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
@@ -110,7 +122,7 @@ jitsi:
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
      tag: {{ .Values.images.jibri.tag | quote }}
    recorder:
      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
@@ -127,9 +139,13 @@ patchJVB:
  configuration:
    staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    enabled: true
    readOnlyRootFilesystem: true
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -5,46 +5,41 @@ bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Keycloak Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
  - name: "nextcloud-bootstrap-repo"
    oci: {{ .Values.charts.nextcloudBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.nextcloudBootstrap.verify }}
    username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
    password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
    url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
  # Nextcloud
-  # Source: https://github.com/nextcloud/helm/
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-nextcloud
  - name: "nextcloud-management-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloudManagement.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
-    oci: {{ .Values.charts.nextcloud.oci }}
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    username: {{ .Values.charts.nextcloud.username | quote }}
+    verify: {{ .Values.charts.nextcloud.verify }}
-    password: {{ .Values.charts.nextcloud.password | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 releases:
-  - name: "opendesk-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-management"
-    chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
+    chart: "nextcloud-repo/{{ .Values.charts.nextcloudManagement.name }}"
-    version: "{{ .Values.charts.nextcloudBootstrap.version }}"
+    version: "{{ .Values.charts.nextcloudManagement.version }}"
    wait: true
    waitForJobs: true
    values:
-      - "values-bootstrap.gotmpl"
+      - "values-nextcloud-mgmt.yaml.gotmpl"
-      - "values-bootstrap.yaml"
+    waitForJobs: true
    wait: true
    installed: {{ .Values.nextcloud.enabled }}
    timeout: 900
-
+  - name: "opendesk-nextcloud"
  - name: "nextcloud"
    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
    version: "{{ .Values.charts.nextcloud.version }}"
    needs:
      - "opendesk-nextcloud-bootstrap"
    values:
-      - "values-nextcloud.gotmpl"
+      - "values-nextcloud.yaml.gotmpl"
-      - "values-nextcloud.yaml"
+    needs:
      - "opendesk-nextcloud-management"
    installed: {{ .Values.nextcloud.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -1,82 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  istioDomain: {{ .Values.istio.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 config:
  administrator:
    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
  apps:
    integrationSwp:
      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    userOidc:
      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
      realm: {{ .Values.platform.realm }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    name: {{ .Values.databases.nextcloud.name | quote }}
    user: {{ .Values.databases.nextcloud.username | quote }}
    password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  ldapSearch:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  smtp:
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
    username: {{ .Values.smtp.username | quote }}
    password: {{ .Values.smtp.password | quote }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.nextcloud.repository | quote }}
  tag: {{ .Values.images.nextcloud.tag | quote }}
 persistence:
  {{- if .Values.cluster.persistence.readWriteMany.enabled }}
  accessModes:
    - "ReadWriteMany"
  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
  {{- else }}
  accessModes:
    - "ReadWriteOnce"
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  {{- end }}
  size:
    main: {{ .Values.persistence.size.nextcloud.main | quote }}
    data: {{ .Values.persistence.size.nextcloud.data | quote }}
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-bootstrap.yaml
+++ b/helmfile/apps/nextcloud/values-bootstrap.yaml
@@ -1,30 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 config:
  administrator:
    username: "nextcloud"
  apps:
    integrationSwp:
      username: "opendesk_username"
    userOidc:
      username: "opendesk-nextcloud"
      userIdAttribute: "opendesk_useruuid"
  cryptpad:
    enabled: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: false
 podSecurityContext:
  enabled: true
  fsGroup: 33
  fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -0,0 +1,98 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  istioDomain: {{ .Values.istio.domain }}
 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
 configuration:
  administrator:
    username: "nextcloud"
    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
  cache:
    auth:
      enabled: true
      username:
        value: "default"
      password:
        value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
    host: {{ .Values.cache.nextcloud.host | quote }}
    port: {{ .Values.cache.nextcloud.port | quote }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    port: {{ .Values.databases.nextcloud.port | quote }}
    auth:
      username:
        value: "nextcloud_user"
      password:
        value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  ldap:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
  objectstore:
    auth:
      accessKey:
        value: "nextcloud_user"
      secretKey:
        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
    password:
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
  opendeskIntegration:
    username:
      value: "opendesk_username"
    password:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  smtp:
    auth:
      username:
        value: {{ .Values.smtp.username | quote }}
      password:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 65532
  runAsGroup: 65532
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
  repository: "{{ .Values.images.nextcloudManagement.repository }}"
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloudManagement.tag | quote }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -1,63 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 nextcloud:
  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  username: "nextcloud"
  password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
  database: {{ .Values.databases.nextcloud.name | quote }}
  user: {{ .Values.databases.nextcloud.username | quote }}
  host: {{ .Values.databases.nextcloud.host | quote }}
  password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 extraEnv:
  REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
  REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
  REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 redis:
  auth:
    enabled: true
    password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloud.tag | quote }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 metrics:
  enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
  https: true
  token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  image:
    repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
    pullSecrets:
      {{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
  serviceMonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  resources:
    {{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}
 {{- else }}
 replicaCount: 1
 {{- end }}
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml
@@ -1,77 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 persistence:
  enabled: true
  existingClaim: "nextcloud-main"
  nextcloudData:
    enabled: true
    existingClaim: "nextcloud-data"
 redis:
  enabled: false
 cronjob:
  enabled: true
  lifecycle:
    postStartCommand:
      - "sh"
      - "-c"
      - >
        sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
        \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 internalDatabase:
  enabled: false
 postgresql:
  enabled: false
 mariadb:
  enabled: false
 externalDatabase:
  enabled: true
  # The nextcloud helm chart provides a sub-chart for mariadb.
  # If we use mariadb as a sub-chart it's linked to nextcloud,
  # and it is not independent anymore. Since externalDatabase.type
  # allows just mysql or postgres, mysql is chosen to connect
  # to the mariadb:
  type: "mysql"
 nextcloud:
  configs:
    mimetypealiases.json: |-
      {
        "application/x-drawio": "image"
      }
    mimetypemapping.json: |-
      {
        "drawio": ["application/x-drawio"]
      }
  podSecurityContext:
    fsGroup: 33
    seccompProfile:
      type: "RuntimeDefault"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
      add:
        - "NET_BIND_SERVICE"
        - "SETGID"
        - "SETUID"
 # this is not documented but can be found in values.yaml
 service:
  port: "80"
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -0,0 +1,126 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 exporter:
  enabled: true
  configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
  replicas: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
 php:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-php"
  configuration:
    cache:
      auth:
        enabled: true
        username:
          value: "default"
        password:
          value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
      host: {{ .Values.cache.nextcloud.host | quote }}
      port: {{ .Values.cache.nextcloud.port | quote }}
    database:
      host: {{ .Values.databases.nextcloud.host | quote }}
      port: {{ .Values.databases.nextcloud.port | quote }}
      auth:
        username:
          value: "nextcloud_user"
        password:
          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
  replicas: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 apache2:
  configuration:
    php:
      host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudApache2.registry | quote }}
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
  replicas: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -8,29 +8,29 @@ repositories:
  # openDesk Dovecot
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
  - name: "dovecot-repo"
    oci: {{ .Values.charts.dovecot.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
-    username: {{ .Values.charts.dovecot.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.dovecot.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
  # Open-Xchange
  - name: "open-xchange-repo"
-    oci: {{ .Values.charts.openXchangeAppSuite.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
-    username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 releases:
@@ -38,8 +38,7 @@ releases:
    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
    version: "{{ .Values.charts.dovecot.version }}"
    values:
-      - "values-dovecot.yaml"
+      - "values-dovecot.yaml.gotmpl"
      - "values-dovecot.gotmpl"
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
@@ -47,10 +46,8 @@ releases:
    chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
    version: "{{ .Values.charts.openXchangeAppSuite.version }}"
    values:
-      - "values-openxchange.yaml"
+      - "values-openxchange.yaml.gotmpl"
-      - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml"
      - "values-openxchange-enterprise-contact-picker.gotmpl"
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
@@ -58,7 +55,7 @@ releases:
    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
    values:
-      - "values-openxchange-bootstrap.gotmpl"
+      - "values-openxchange-bootstrap.yaml.gotmpl"
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.dovecot.registry | quote }}
-  url: {{ .Values.images.dovecot.repository | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -18,16 +18,28 @@ dovecot:
  mailDomain: {{ .Values.global.domain | quote }}
  password: {{ .Values.secrets.dovecot.doveadm | quote }}
  ldap:
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    enabled: true
    host: {{ .Values.ldap.host | quote }}
    port: 389
    base: "dc=swp-ldap,dc=internal"
    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
  oidc:
    enabled: true
    clientID: "opendesk-dovecot"
    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
    introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+    usernameAttribute: "opendesk_username"
    clientID: "opendesk-dovecot"
  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
  submission:
    enabled: true
    ssl: "no"
    host: "postfix:25"
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -37,6 +49,28 @@ replicaCount: {{ .Values.replicas.dovecot }}
 replicaCount: 1
 {{- end }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "KILL"
      - "NET_BIND_SERVICE"
      - "SETGID"
      - "SETUID"
      - "SYS_CHROOT"
  enabled: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 1000
 persistence:
  {{- if .Values.cluster.persistence.readWriteMany.enabled }}
  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -8,7 +8,7 @@ cleanup:
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
@@ -1,18 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 appsuite:
  core-mw:
    secretYAMLFiles:
      ldap-client-config.yml:
        contactsLdapClient:
          pool:
            host:
              address: {{ .Values.ldap.host | quote }}
              port: 389
          auth:
            adminDN:
              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
@@ -16,10 +16,14 @@ appsuite:
        contactsLdapClient:
          pool:
            type: "simple"
            host:
              address: {{ .Values.ldap.host | quote }}
              port: 389
          auth:
            type: "adminDN"
            adminDN:
              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
    uiSettings:
      # Enterprise contact picker
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -1,214 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  mysql:
    host: {{ .Values.databases.oxAppsuite.host | quote }}
    database: {{ .Values.databases.oxAppsuite.name | quote }}
    auth:
      user: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 istio:
  enabled: {{ .Values.istio.enabled }}
 nextcloud-integration-ui:
  image:
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
 public-sector-ui:
  image:
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
 appsuite:
  istio:
    enabled: {{ .Values.istio.enabled }}
    ingressGateway:
      hosts:
        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    virtualServices:
      appsuite:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      dav:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  core-mw:
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    gotenberg:
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
      {{- end }}
      image:
        repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
    properties:
      "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
      "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
    propertiesFiles:
      "/opt/open-xchange/etc/ldapauth.properties":
        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
    uiSettings:
      "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
      # RC+base64(20 random bytes)
      oxguardpass: |
        {{ .Values.secrets.oxAppsuite.oxguardMC }}
        {{ .Values.secrets.oxAppsuite.oxguardRC }}
    redis:
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    image:
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
  core-ui:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
  core-ui-middleware:
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    redis:
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
      updater:
      resources:
        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
  core-documentconverter:
    image:
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
  core-guidedtours:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
  core-imageconverter:
    image:
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
  guard-ui:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
  core-user-guide:
    image:
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -1,347 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 appsuite:
  appsuite-toolkit:
    enabled: false
  istio:
    ingressGateway:
      name: "opendesk-gateway-istio-gateway"
  switchboard:
    enabled: false
  core-mw:
    enabled: true
    masterAdmin: "admin"
    gotenberg:
      enabled: true
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - "ALL"
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
        seccompProfile:
          type: "RuntimeDefault"
    features:
      status:
        # enable admin pack
        # admin: enabled
        documents: "disabled"
        guard: "enabled"
    packages:
      status:
        open-xchange-oidc: "enabled"
        open-xchange-authentication-database: "disabled"
        open-xchange-authentication-oauth: "enabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
      com.openexchange.capability.mail_export_pdf: "true"
      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
      # OIDC
      com.openexchange.oidc.enabled: "true"
      com.openexchange.oidc.autologinCookieMode: "ox_direct"
      com.openexchange.oidc.contextLookupClaim: "context"
      com.openexchange.oidc.contextLookupNamePart: "full"
      com.openexchange.oidc.backchannelLogoutEnabled: "true"
      com.openexchange.oidc.startDefaultBackend: "true"
      com.openexchange.oidc.ssoLogout: "true"
      com.openexchange.oidc.userLookupNamePart: "full"
      com.openexchange.oidc.userLookupClaim: "opendesk_username"
      com.openexchange.oidc.clientId: "opendesk-oxappsuite"
      # OAUTH
      com.openexchange.oauth.provider.enabled: "true"
      com.openexchange.oauth.provider.contextLookupClaim: "context"
      com.openexchange.oauth.provider.contextLookupNamePart: "full"
      com.openexchange.oauth.provider.mode: "expect_jwt"
      com.openexchange.oauth.provider.userLookupNamePart: "full"
      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
      com.openexchange.mail.loginSource: "mail"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix"
      com.openexchange.mail.transportServerSource: "global"
      # Mailfilter
      com.openexchange.mail.filter.loginType: "global"
      com.openexchange.mail.filter.credentialSource: "mail"
      com.openexchange.mail.filter.server: "dovecot"
      com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
      # Dovecot
      com.openexchange.imap.attachmentMarker.enabled: "true"
      # Capabilities
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
      com.openexchange.capability.public-sector-element: "true"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
      com.openexchange.capability.guard: "true"
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
      # Guard
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
      com.openexchange.guard.guestSMTPServer: "postfix"
      # S/MIME
      # Usage (in browser console after login):
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
    propertiesFiles:
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
        bindOnly: "false"
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
    uiSettings:
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
      # Text and icon color in the topbar
      io.ox/dynamic-theme//topbarColor: "#000"
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
      # Categories
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
      # Nextcloud integration
      # io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
      # Central navigation
      io.ox.public-sector//navigation/oxtabname: "tab_groupware"
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
      # Contact Collector
      io.ox/mail//contactCollectOnMailTransport: "true"
      # io.ox/mail//contactCollectOnMailAccess: "true"
    asConfig:
      default:
        host: "all"
        pageHeaderPrefix: "as8.souvap App Suite"
        oidcLogin: true
        oidcPath: "/oidc"
    redis:
      enabled: true
      mode: "standalone"
      hosts:
        - "redis-master"
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
          mkdir -p /opt/open-xchange/guard-files
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    # Security context for core-mw has no effect yet
    # podSecurityContext: {}
    # securityContext: {}
  core-ui:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-ui-middleware:
    enabled: true
    overrides: {}
    redis:
      mode: "standalone"
      hosts:
        - "redis-master:6379"
      auth:
        enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-guidedtours:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  guard-ui:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-cacheservice:
    enabled: false
  core-user-guide:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-imageconverter:
    enabled: true
    objectCache:
      s3ObjectStores:
        - id: -1
          endpoint: "."
          accessKey: "."
          secretKey: "."
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  core-spellcheck:
    enabled: false
  core-documentconverter:
    enabled: true
    documentConverter:
      cache:
        remoteCache:
          enabled: false
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  core-documents-collaboration:
    enabled: false
  office-web:
    enabled: false
  office-user-guide:
    enabled: false
  plugins-ui:
    enabled: false
  cloud-plugins-ui:
    enabled: false
  drive-client-windows-ox:
    enabled: false
  core-drive-help:
    enabled: false
 nextcloud-integration-ui:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 public-sector-ui:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -0,0 +1,536 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  mysql:
    host: {{ .Values.databases.oxAppsuite.host | quote }}
    database: {{ .Values.databases.oxAppsuite.name | quote }}
    auth:
      user: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 istio:
  enabled: {{ .Values.istio.enabled }}
 nextcloud-integration-ui:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 public-sector-ui:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 appsuite:
  appsuite-toolkit:
    enabled: false
  switchboard:
    enabled: false
  istio:
    enabled: {{ .Values.istio.enabled }}
    ingressGateway:
      name: "opendesk-gateway-istio-gateway"
      hosts:
        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    virtualServices:
      appsuite:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      dav:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  core-mw:
    enabled: true
    asConfig:
      default:
        host: "all"
        pageHeaderPrefix: "as8.souvap App Suite"
        oidcLogin: true
        oidcPath: "/oidc"
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    features:
      status:
        # enable admin pack
        # admin: enabled
        documents: "disabled"
        guard: "enabled"
    gotenberg:
      enabled: true
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
      {{- end }}
      image:
        repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - "ALL"
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
        seccompProfile:
          type: "RuntimeDefault"
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
          mkdir -p /opt/open-xchange/guard-files
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    packages:
      status:
        open-xchange-oidc: "enabled"
        open-xchange-authentication-database: "disabled"
        open-xchange-authentication-oauth: "enabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
      com.openexchange.capability.mail_export_pdf: "true"
      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
      # OIDC
      com.openexchange.oidc.enabled: "true"
      com.openexchange.oidc.autologinCookieMode: "ox_direct"
      com.openexchange.oidc.backchannelLogoutEnabled: "true"
      com.openexchange.oidc.clientId: "opendesk-oxappsuite"
      com.openexchange.oidc.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      com.openexchange.oidc.contextLookupClaim: "context"
      com.openexchange.oidc.contextLookupNamePart: "full"
      com.openexchange.oidc.opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      com.openexchange.oidc.opIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      com.openexchange.oidc.ssoLogout: "true"
      com.openexchange.oidc.startDefaultBackend: "true"
      com.openexchange.oidc.userLookupClaim: "opendesk_username"
      com.openexchange.oidc.userLookupNamePart: "full"
      # OAUTH
      com.openexchange.oauth.provider.enabled: "true"
      com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      com.openexchange.oauth.provider.contextLookupClaim: "context"
      com.openexchange.oauth.provider.contextLookupNamePart: "full"
      com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oauth.provider.mode: "expect_jwt"
      com.openexchange.oauth.provider.userLookupNamePart: "full"
      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
      com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
      com.openexchange.mail.loginSource: "mail"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix"
      com.openexchange.mail.transportServerSource: "global"
      # Mailfilter
      com.openexchange.mail.filter.loginType: "global"
      com.openexchange.mail.filter.credentialSource: "mail"
      com.openexchange.mail.filter.server: "dovecot"
      com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
      # Dovecot
      com.openexchange.imap.attachmentMarker.enabled: "true"
      # Capabilities
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
      com.openexchange.capability.public-sector-element: "true"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
      com.openexchange.capability.guard: "true"
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
      # Guard
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
      com.openexchange.guard.guestSMTPServer: "postfix"
      # S/MIME
      # Usage (in browser console after login):
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
    propertiesFiles:
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
        com.openexchange.antivirus.enabled: "true"
        {{- if .Values.clamavDistributed.enabled }}
        com.openexchange.antivirus.server: "clamav-icap"
        {{- else if .Values.clamavSimple.enabled }}
        com.openexchange.antivirus.server: "clamav-simple"
        {{- end }}
        com.openexchange.antivirus.port: "1344"
        com.openexchange.antivirus.maxFileSize: "1024"
    uiSettings:
      io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
      # Text and icon color in the topbar
      io.ox/dynamic-theme//topbarColor: "#000"
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
      # Categories
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
      # Nextcloud integration
      # io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
      # Central navigation
      io.ox.public-sector//navigation/oxtabname: "tab_groupware"
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
      # Contact Collector
      io.ox/mail//contactCollectOnMailTransport: "true"
      # io.ox/mail//contactCollectOnMailAccess: "true"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
      # RC+base64(20 random bytes)
      oxguardpass: |
        {{ .Values.secrets.oxAppsuite.oxguardMC }}
        {{ .Values.secrets.oxAppsuite.oxguardRC }}
    redis:
      enabled: true
      mode: "standalone"
      hosts:
        - "redis-master"
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # Security context for core-mw has no effect yet
    # podSecurityContext: {}
    # securityContext: {}
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
  core-ui:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-ui-middleware:
    enabled: true
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
    redis:
      mode: "standalone"
      hosts:
        - "redis-master:6379"
      auth:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
      updater:
      resources:
        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-cacheservice:
    enabled: false
  core-documentconverter:
    enabled: true
    documentConverter:
      cache:
        remoteCache:
          enabled: false
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  core-documents-collaboration:
    enabled: false
  office-web:
    enabled: false
  office-user-guide:
    enabled: false
  plugins-ui:
    enabled: false
  cloud-plugins-ui:
    enabled: false
  drive-client-windows-ox:
    enabled: false
  core-drive-help:
    enabled: false
  core-guidedtours:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-imageconverter:
    enabled: true
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    objectCache:
      s3ObjectStores:
        - id: -1
          endpoint: "."
          accessKey: "."
          secretKey: "."
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  guard-ui:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-spellcheck:
    enabled: false
  core-user-guide:
    enabled: true
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
 ...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -8,12 +8,12 @@ repositories:
  # openDesk OpenProject Bootstrap
  # Source: Set when repo is managed on Open CoDE
  - name: "openproject-bootstrap-repo"
    oci: {{ .Values.charts.openprojectBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openprojectBootstrap.verify }}
-    username: {{ .Values.charts.openprojectBootstrap.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openprojectBootstrap.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 releases:
  - name: "opendesk-openproject-bootstrap"
@@ -22,8 +22,7 @@ releases:
    wait: true
    waitForJobs: true
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -7,16 +7,9 @@ global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
@@ -31,4 +24,33 @@ config:
    admin:
      username: "nextcloud"
      password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -8,12 +8,12 @@ repositories:
  # OpenProject
  # Source: https://github.com/opf/helm-charts
  - name: "openproject-repo"
    oci: {{ .Values.charts.openproject.oci }}
    keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
    verify: {{ .Values.charts.openproject.verify }}
-    username: {{ .Values.charts.openproject.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openproject.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 releases:
  - name: "openproject"
@@ -22,8 +22,7 @@ releases:
    wait: true
    waitForJobs: true
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -1,99 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.openprojectInitDb.repository }}"
    tag: "{{ .Values.images.openprojectInitDb.tag }}"
    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 memcached:
  connection:
    host: {{ .Values.cache.openproject.host | quote }}
    port: {{ .Values.cache.openproject.port }}
  image:
    registry: {{ .Values.global.imageRegistry | quote }}
    repository: {{ .Values.images.memcached.repository | quote }}
    tag: {{ .Values.images.memcached.tag | quote }}
 postgresql:
  auth:
    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
    username: {{ .Values.databases.openproject.username | quote }}
    database: {{ .Values.databases.openproject.name | quote }}
  connection:
    host: {{ .Values.databases.openproject.host | quote }}
    port: {{ .Values.databases.openproject.port }}
 openproject:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  # Will only be set on initial seed / installation
  admin_user:
    name: "OpenProject Internal Admin"
    mail: "openproject-admin@swp-domain.internal"
    password_reset: "false"
    password: {{ .Values.secrets.openproject.adminPassword | quote }}
  oidc:
    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
 ingress:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 environment:
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
  {{ if ne .Values.objectstores.openproject.backend "aws" }}
  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  {{ end }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
  OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
  OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
  OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -1,90 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
  registry: "registry.souvap-univention.de"
 memcached:
  bundled: false
 probes:
  liveness:
    initialDelaySeconds: 300
    failureThreshold: 30
  readiness:
    initialDelaySeconds: 150
    failureThreshold: 30
 postgresql:
  bundled: false
 openproject:
  oidc:
    enabled: true
    provider: "keycloak"
    identifier: "opendesk-openproject"
    scope: "[openid,opendesk]"
  # seed will only be executed on initial installation
  seed_locale: "de"
 containerSecurityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 persistence:
  enabled: false
 s3:
  enabled: true
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:
  OPENPROJECT_LOG__LEVEL: "info"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username"
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  # Define an admin mapping from the claim
  # The attribute mapping cannot currently be defined in the value
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -0,0 +1,166 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 containerSecurityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
  OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 memcached:
  bundled: false
  connection:
    host: {{ .Values.cache.openproject.host | quote }}
    port: {{ .Values.cache.openproject.port }}
 persistence:
  enabled: false
 postgresql:
  bundled: false
  auth:
    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
    username: {{ .Values.databases.openproject.username | quote }}
    database: {{ .Values.databases.openproject.name | quote }}
  connection:
    host: {{ .Values.databases.openproject.host | quote }}
    port: {{ .Values.databases.openproject.port }}
 probes:
  liveness:
    initialDelaySeconds: 300
    failureThreshold: 30
  readiness:
    initialDelaySeconds: 150
    failureThreshold: 30
 openproject:
  # seed will only be executed on initial installation
  seed_locale: "de"
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  # Will only be set on initial seed / installation
  admin_user:
    name: "OpenProject Internal Admin"
    mail: "openproject-admin@swp-domain.internal"
    password_reset: "false"
    password: {{ .Values.secrets.openproject.adminPassword | quote }}
  oidc:
    enabled: true
    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
    endSessionEndpoint : "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
    scope: "[openid,opendesk]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
    attribute_map:
      login: "opendesk_username"
      admin: "openproject_admin"
  useTmpVolumes: true
 ingress:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
 s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  pathStyle: "true"
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -7,10 +7,10 @@ bases:
 repositories:
  # OX Connector
  - name: "ox-connector-repo"
-    oci: {{ .Values.charts.oxConnector.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.oxConnector.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.oxConnector.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "ox-connector"
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
@@ -21,6 +21,7 @@ oxConnector:
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  logLevel: {{ .Values.debug.logLevel | quote }}
  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
  oxMasterAdmin: "admin"
  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
--- a/helmfile/apps/provisioning/values-oxconnector.yaml
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml
@@ -10,7 +10,6 @@ oxConnector:
  tlsMode: "off"
  caCert: "ucctempldapstring"
  debugLevel: "5"
  logLevel: "DEBUG"
  oxDefaultContext: "1"
  oxLocalTimezone: "Europe/Berlin"
  oxLanguage: "de_DE"
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -8,103 +8,103 @@ repositories:
  # openDesk Otterize
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-otterize
  - name: "otterize-repo"
    oci: {{ .Values.charts.otterize.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.otterize.verify }}
-    username: {{ .Values.charts.otterize.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.otterize.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
  - name: "certificates-repo"
    oci: {{ .Values.charts.certificates.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.certificates.verify }}
-    username: {{ .Values.charts.certificates.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.certificates.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
  - name: "postgresql-repo"
    oci: {{ .Values.charts.postgresql.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.postgresql.verify }}
-    username: {{ .Values.charts.postgresql.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.postgresql.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
  - name: "mariadb-repo"
    oci: {{ .Values.charts.mariadb.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.mariadb.verify }}
-    username: {{ .Values.charts.mariadb.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.mariadb.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
  - name: "postfix-repo"
    oci: {{ .Values.charts.postfix.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.postfix.verify }}
-    username: {{ .Values.charts.postfix.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.postfix.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
  - name: "istio-resources-repo"
    oci: {{ .Values.charts.istioResources.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.istioResources.verify }}
-    username: {{ .Values.charts.istioResources.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.istioResources.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
  - name: "clamav-repo"
    oci: {{ .Values.charts.clamav.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamav.verify }}
-    username: {{ .Values.charts.clamav.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.clamav.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    oci: {{ .Values.charts.clamavSimple.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
-    username: {{ .Values.charts.clamavSimple.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.clamavSimple.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
  - name: "memcached-repo"
    oci: {{ .Values.charts.memcached.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.memcached.verify }}
-    username: {{ .Values.charts.memcached.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.memcached.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    oci: {{ .Values.charts.redis.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
-    username: {{ .Values.charts.redis.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.redis.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    oci: {{ .Values.charts.minio.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
-    username: {{ .Values.charts.minio.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.minio.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 releases:
  - name: "opendesk-otterize"
@@ -113,6 +113,7 @@ releases:
    values:
      - "values-otterize.gotmpl"
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
  - name: "opendesk-certificates"
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
@@ -120,6 +121,7 @@ releases:
    values:
      - "values-certificates.gotmpl"
    installed: {{ .Values.certificates.enabled }}
    timeout: 900
  - name: "redis"
    chart: "redis-repo/{{ .Values.charts.redis.name }}"
@@ -128,6 +130,7 @@ releases:
      - "values-redis.gotmpl"
      - "values-redis.yaml"
    installed: {{ .Values.redis.enabled }}
    timeout: 900
  - name: "memcached"
    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
@@ -136,6 +139,7 @@ releases:
      - "values-memcached.yaml"
      - "values-memcached.gotmpl"
    installed: {{ .Values.memcached.enabled }}
    timeout: 900
  - name: "postgresql"
    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
@@ -162,6 +166,7 @@ releases:
      - "values-postfix.yaml"
      - "values-postfix.gotmpl"
    installed: {{ .Values.postfix.enabled }}
    timeout: 900
  - name: "clamav"
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
@@ -170,6 +175,7 @@ releases:
      - "values-clamav-distributed.yaml"
      - "values-clamav-distributed.gotmpl"
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900
  - name: "clamav-simple"
    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
@@ -178,6 +184,7 @@ releases:
      - "values-clamav-simple.yaml"
      - "values-clamav-simple.gotmpl"
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
  - name: "opendesk-gateway"
    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
@@ -186,6 +193,7 @@ releases:
      - "values-istio-gateway.yaml"
      - "values-istio-gateway.gotmpl"
    installed: {{ .Values.istio.enabled }}
    timeout: 900
  - name: "minio"
    chart: "minio-repo/{{ .Values.charts.minio.name }}"
@@ -194,6 +202,7 @@ releases:
      - "values-minio.yaml"
      - "values-minio.gotmpl"
    installed: {{ .Values.minio.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "services"
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -7,7 +7,7 @@ clamd:
  podSecurityContext:
  replicaCount: {{ .Values.replicas.clamd }}
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -18,7 +18,7 @@ freshclam:
  podSecurityContext:
  replicaCount: {{ .Values.replicas.freshclam }}
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -32,7 +32,7 @@ global:
 icap:
  replicaCount: {{ .Values.replicas.icap }}
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -43,7 +43,7 @@ milter:
  podSecurityContext:
  replicaCount: {{ .Values.replicas.milter }}
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services/values-clamav-simple.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.gotmpl
@@ -7,12 +7,12 @@ replicaCount: {{ .Values.replicas.clamav }}
 image:
  clamav:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  icap:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services/values-mariadb.gotmpl
+++ b/helmfile/apps/services/values-mariadb.gotmpl
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -12,6 +11,7 @@ cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -19,6 +19,8 @@ image:
 # Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
 # Please refer to `databases.yaml` for details.
 job:
  retries: 10
  wait: 30
  users:
    - username: "xwiki_user"
      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
--- a/helmfile/apps/services/values-mariadb.yaml
+++ b/helmfile/apps/services/values-mariadb.yaml
@@ -22,4 +22,6 @@ podSecurityContext:
  enabled: true
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 replicaCount: 1
 ...
--- a/helmfile/apps/services/values-memcached.gotmpl
+++ b/helmfile/apps/services/values-memcached.gotmpl
@@ -4,16 +4,17 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.memcached.registry | quote }}
  repository: {{ .Values.images.memcached.repository | quote }}
  tag: {{ .Values.images.memcached.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 replicaCount: {{ .Values.replicas.memcached }}
 resources:
  {{ .Values.resources.memcached | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/services/values-minio.gotmpl
+++ b/helmfile/apps/services/values-minio.gotmpl
@@ -4,12 +4,11 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  registry: "{{ .Values.global.imageRegistry }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
  repository: "{{ .Values.images.minio.repository }}"
  tag: "{{ .Values.images.minio.tag }}"
  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
--- a/helmfile/apps/services/values-minio.yaml
+++ b/helmfile/apps/services/values-minio.yaml
@@ -23,6 +23,11 @@ ingress:
  annotations:
    nginx.org/websocket-services: "minio"
 apiIngress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 networkPolicy:
  enabled: false
--- a/helmfile/apps/services/values-postfix.gotmpl
+++ b/helmfile/apps/services/values-postfix.gotmpl
@@ -4,12 +4,11 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.postfix.registry | quote }}
  repository: {{ .Values.images.postfix.repository | quote }}
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/services/values-postgresql.gotmpl
+++ b/helmfile/apps/services/values-postgresql.gotmpl
@@ -4,11 +4,11 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.postgresql.registry | quote }}
  repository: {{ .Values.images.postgresql.repository | quote }}
  tag: {{ .Values.images.postgresql.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -25,6 +25,8 @@ job:
      password: {{ .Values.secrets.postgresql.matrixUser | quote }}
    - username: "notificationsapi_user"
      password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
    - username: "guardianmanagementapi_user"
      password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
    - username: "selfservice_user"
      password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
  databases:
@@ -37,6 +39,8 @@ job:
    - name: "matrix"
      user: "matrix_user"
      additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
    - name: "guardianmanagementapi"
      user: "guardianmanagementapi_user"
    - name: "notificationsapi"
      user: "notificationsapi_user"
    - name: "selfservice"
--- a/helmfile/apps/services/values-postgresql.yaml
+++ b/helmfile/apps/services/values-postgresql.yaml
@@ -23,7 +23,8 @@ podSecurityContext:
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
 postgres:
  user: "postgres"
 replicaCount: 1
 ...
--- a/helmfile/apps/services/values-redis.gotmpl
+++ b/helmfile/apps/services/values-redis.gotmpl
@@ -7,18 +7,18 @@ auth:
  password: {{ .Values.secrets.redis.password | quote }}
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.redis.registry | quote }}
  repository: {{ .Values.images.redis.repository | quote }}
  tag: {{ .Values.images.redis.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 master:
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -6,136 +6,171 @@ bases:
 ---
 repositories:
  # Univention Management Stack
  - name: "ums-guardian-management-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
  - name: "ums-guardian-management-ui-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
  - name: "ums-guardian-authorization-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
  - name: "ums-open-policy-agent-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
  - name: "ums-store-dav-repo"
    oci: {{ .Values.charts.umsStoreDav.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStoreDav.verify }}
-    username: {{ .Values.charts.umsStoreDav.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsStoreDav.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
  - name: "ums-ldap-server-repo"
    oci: {{ .Values.charts.umsLdapServer.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapServer.verify }}
-    username: {{ .Values.charts.umsLdapServer.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsLdapServer.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
  - name: "ums-ldap-notifier-repo"
    oci: {{ .Values.charts.umsLdapNotifier.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapNotifier.verify }}
-    username: {{ .Values.charts.umsLdapNotifier.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsLdapNotifier.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
  - name: "ums-udm-rest-api-repo"
    oci: {{ .Values.charts.umsUdmRestApi.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUdmRestApi.verify }}
-    username: {{ .Values.charts.umsUdmRestApi.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsUdmRestApi.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
  - name: "ums-stack-data-ums-repo"
    oci: {{ .Values.charts.umsStackDataUms.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataUms.verify }}
-    username: {{ .Values.charts.umsStackDataUms.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsStackDataUms.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
  - name: "ums-stack-data-swp-repo"
    oci: {{ .Values.charts.umsStackDataSwp.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataSwp.verify }}
-    username: {{ .Values.charts.umsStackDataSwp.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsStackDataSwp.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
  - name: "ums-portal-server-repo"
    oci: {{ .Values.charts.umsPortalServer.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalServer.verify }}
-    username: {{ .Values.charts.umsPortalServer.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsPortalServer.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
  - name: "ums-notifications-api-repo"
    oci: {{ .Values.charts.umsNotificationsApi.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsNotificationsApi.verify }}
-    username: {{ .Values.charts.umsNotificationsApi.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsNotificationsApi.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
  - name: "ums-portal-listener-repo"
    oci: {{ .Values.charts.umsPortalListener.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalListener.verify }}
-    username: {{ .Values.charts.umsPortalListener.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsPortalListener.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
  - name: "ums-portal-frontend-repo"
    oci: {{ .Values.charts.umsPortalFrontend.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalFrontend.verify }}
-    username: {{ .Values.charts.umsPortalFrontend.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsPortalFrontend.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
  - name: "ums-umc-gateway-repo"
    oci: {{ .Values.charts.umsUmcGateway.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcGateway.verify }}
-    username: {{ .Values.charts.umsUmcGateway.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsUmcGateway.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
  - name: "ums-umc-server-repo"
    oci: {{ .Values.charts.umsUmcServer.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcServer.verify }}
-    username: {{ .Values.charts.umsUmcServer.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsUmcServer.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
  - name: "ums-selfservice-listener-repo"
    oci: {{ .Values.charts.umsSelfserviceListener.oci }}
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
-    username: {{ .Values.charts.umsSelfserviceListener.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.umsSelfserviceListener.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
  - name: "ums-provisioning-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsProvisioning.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
  # Univention Keycloak Extensions
  - name: "ums-keycloak-extensions-repo"
-    oci: {{ .Values.charts.umsKeycloakExtensions.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.umsKeycloakExtensions.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.umsKeycloakExtensions.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
  # Univention Keycloak
  - name: "ums-keycloak-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.umsKeycloak.verify }}
-    oci: {{ .Values.charts.umsKeycloak.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.umsKeycloak.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.umsKeycloak.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
  - name: "ums-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
-    oci: {{ .Values.charts.umsKeycloakBootstrap.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.umsKeycloakBootstrap.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.umsKeycloakBootstrap.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
  - name: "opendesk-keycloak-bootstrap-repo"
    oci: {{ .Values.charts.opendeskKeycloakBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
-    username: {{ .Values.charts.opendeskKeycloakBootstrap.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.opendeskKeycloakBootstrap.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
  - name: "nginx-repo"
    oci: {{ .Values.charts.nginx.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nginx.verify }}
-    username: {{ .Values.charts.nginx.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.nginx.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
+    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
 releases:
  - name: "ums-keycloak"
@@ -154,6 +189,7 @@ releases:
    needs:
      - "ums-keycloak"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-keycloak-bootstrap"
    chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
@@ -163,6 +199,7 @@ releases:
    needs:
      - "ums-keycloak"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "opendesk-keycloak-bootstrap"
    chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
@@ -172,6 +209,7 @@ releases:
    needs:
      - "ums-keycloak-bootstrap"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-stack-gateway"
    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
@@ -180,6 +218,7 @@ releases:
      - "values-ums-stack-gateway.gotmpl"
      - "values-ums-stack-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-store-dav"
    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
@@ -190,6 +229,7 @@ releases:
      - "values-store-dav.gotmpl"
      - "values-store-dav.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-ldap-server"
    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
@@ -222,6 +262,7 @@ releases:
      - "values-udm-rest-api.gotmpl"
      - "values-udm-rest-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-stack-data-ums"
    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
@@ -232,6 +273,7 @@ releases:
      - "values-stack-data-ums.gotmpl"
      - "values-stack-data-ums.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-stack-data-swp"
    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
@@ -242,6 +284,7 @@ releases:
      - "values-stack-data-swp.gotmpl"
      - "values-stack-data-swp.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-portal-server"
    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
@@ -252,6 +295,7 @@ releases:
      - "values-portal-server.gotmpl"
      - "values-portal-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-notifications-api"
    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
@@ -262,6 +306,7 @@ releases:
      - "values-notifications-api.gotmpl"
      - "values-notifications-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-portal-listener"
    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
@@ -272,6 +317,7 @@ releases:
      - "values-portal-listener.gotmpl"
      - "values-portal-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-portal-frontend"
    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
@@ -282,6 +328,7 @@ releases:
      - "values-portal-frontend.gotmpl"
      - "values-portal-frontend.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-umc-gateway"
    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
@@ -292,6 +339,7 @@ releases:
      - "values-umc-gateway.gotmpl"
      - "values-umc-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-umc-server"
    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
@@ -313,6 +361,62 @@ releases:
      - "values-selfservice-listener.gotmpl"
      - "values-selfservice-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-provisioning"
    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
    version: "{{ .Values.charts.umsProvisioning.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-provisioning.gotmpl"
      - "values-provisioning.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-guardian-management-api"
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-guardian-management-api.gotmpl"
      - "values-guardian-management-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-guardian-management-ui"
    chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-guardian-management-ui.gotmpl"
      - "values-guardian-management-ui.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-guardian-authorization-api"
    chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
    version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-guardian-authorization-api.gotmpl"
      - "values-guardian-authorization-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-open-policy-agent"
    chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
    version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
    values:
      - "values-common.gotmpl"
      - "values-common.yaml"
      - "values-open-policy-agent.gotmpl"
      - "values-open-policy-agent.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
@@ -0,0 +1,21 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 guardianAuthorizationApi:
  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml
@@ -0,0 +1,39 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 guardianAuthorizationApi:
  home: "/guardian_service_dir"
  guardianAuthzCorsAllowedOrigins: "*"
  guardianAuthzAdapterSettingsPort: "env"
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
  isUniventionAppCenter: 0
  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
  udmDataAdapterUsername: "cn=admin"
  opaAdapterUrl: "http://ums-open-policy-agent/"
  guardianAuthzLoggingLevel: "DEBUG"
  guardianAuthzLoggingStructured: false
  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
@@ -0,0 +1,32 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 guardianManagementApi:
  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
 postgresql:
  bundled: false
  connection:
    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
  auth:
    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml
@@ -0,0 +1,47 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 guardianManagementApi:
  home: "/guardian_service_dir"
  guardianManagementCorsAllowedOrigins: "*"
  guardianManagementAdapterSettingsPort: "env"
  guardianManagementAdapterAppPersistencePort: "sql"
  guardianManagementAdapterConditionPersistencePort: "sql"
  guardianManagementAdapterContextPersistencePort: "sql"
  guardianManagementAdapterNamespacePersistencePort: "sql"
  guardianManagementAdapterPermissionPersistencePort: "sql"
  guardianManagementAdapterRolePersistencePort: "sql"
  guardianManagementAdapterCapabilityPersistencePort: "sql"
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
  isUniventionAppCenter: 0
  sqlPersistenceAdapterDialect: "postgresql"
  sqlPersistenceAdapterDbName: "postgres"
  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
  guardianManagementLoggingLevel: "DEBUG"
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.gotmpl
@@ -0,0 +1,23 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 guardianManagementUi:
  viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
  viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
  viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
  repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
@@ -1,7 +1,12 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-containerSecurityContext:
+guardianManagementUi:
  viteManagementUiAdapterAuthenticationPort: "keycloak"
  viteManagementUiAdapterDataPort: "api"
  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
@@ -9,33 +14,16 @@ containerSecurityContext:
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "NET_BIND_SERVICE"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
-  enabled: true
+  privileged: false
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
 dovecot:
  ldap:
    enabled: true
    port: 389
    base: "dc=swp-ldap,dc=internal"
  oidc:
    enabled: true
    clientID: "opendesk-dovecot"
    usernameAttribute: "opendesk_username"
  submission:
    enabled: true
    ssl: "no"
    host: "postfix:25"
 podSecurityContext:
  enabled: true
  fsGroup: 1000
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
  repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
@@ -8,7 +8,7 @@ ldapServer:
  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
  repository: {{ .Values.images.umsLdapServer.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsLdapServer.tag | quote }}
@@ -18,7 +18,7 @@ image:
    {{- end }}
  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.gotmpl
@@ -14,7 +14,7 @@ postgresql:
    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
  repository: {{ .Values.images.umsNotificationsApi.repository }}
  pullPolicy: {{ .Values.global.imagePullPolicy }}
  tag: {{ .Values.images.umsNotificationsApi.tag }}
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
@@ -0,0 +1,18 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml
@@ -0,0 +1,32 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 openPolicyAgent:
  isUniventionAppCenter: 0
  opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
  opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
  opaPollingMinDelay: 10
  opaPollingMaxDelay: 15
  opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -7,15 +7,14 @@ global:
  domain: "{{ .Values.global.domain }}"
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: "{{ .Values.global.imageRegistry }}"
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: "{{ .Values.global.imageRegistry }}"
+  registry: {{ .Values.global.imageRegistry | default .Values.images.opendeskKeycloakBootstrap.registry | quote }}
-  repository: "{{ .Values.images.opendeskKeycloakBootstrap.repository }}"
+  repository: {{ .Values.images.opendeskKeycloakBootstrap.repository | quote }}
-  tag: "{{ .Values.images.opendeskKeycloakBootstrap.tag }}"
+  tag: {{ .Values.images.opendeskKeycloakBootstrap.tag | quote }}
-  imagePullPolicy: "{{ .Values.global.imagePullPolicy }}"
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -69,6 +68,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: false
        defaultClientScopes:
@@ -83,6 +83,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
@@ -136,6 +137,7 @@ config:
        frontchannelLogout: false
        publicClient: true
        fullScopeAllowed: true
        authorizationServicesEnabled: false
        defaultClientScopes:
          - "opendesk"
          - "profile"
@@ -154,6 +156,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
@@ -174,6 +177,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
      - name: "opendesk-nextcloud"
@@ -187,6 +191,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/user_oidc/backchannel-logout/ncoidc"
@@ -220,6 +225,7 @@ config:
        frontchannelLogout: false
        publicClient: false
        serviceAccountsEnabled: true
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
@@ -251,6 +257,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
@@ -282,6 +289,7 @@ config:
        consentRequired: false
        frontchannelLogout: false
        publicClient: false
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: false
          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
@@ -291,6 +299,255 @@ config:
          - "address"
          - "email"
          - "profile"
      - name: "guardian-cli"
        clientId: "guardian-cli"
        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        protocol: "openid-connect"
        clientAuthenticatorType: "client-secret"
        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
        redirectUris:
          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
        fullScopeAllowed: true
        protocolMappers:
          - name: "Client Host"
            protocol: "openid-connect"
            protocolMapper: "oidc-usersessionmodel-note-mapper"
            consentRequired: false
            config:
              user.session.note: "clientHost"
              userinfo.token.claim: true
              id.token.claim: true
              access.token.claim: true
              claim.name: "clientHost"
              jsonType.label: "String"
          - name: "Client ID"
            protocol: "openid-connect"
            protocolMapper: "oidc-usersessionmodel-note-mapper"
            consentRequired: false
            config:
              user.session.note: "client_id"
              userinfo.token.claim: true
              id.token.claim: true
              access.token.claim: true
              claim.name: "client_id"
              jsonType.label: "String"
          - name: "guardian-audience"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "guardian"
              userinfo.token.claim: false
              id.token.claim: false
              access.token.claim: true
          - name: "audiencemap"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "guardian-cli"
              userinfo.token.claim: true
              id.token.claim: true
              access.token.claim: true
          - name: "dn"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: false
              user.attribute: "LDAP_ENTRY_DN"
              id.token.claim: false
              access.token.claim: true
              claim.name: "dn"
              jsonType.label: "String"
          - name: "username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "username"
              id.token.claim: true
              access.token.claim: true
              claim.name: "preferred_username"
              jsonType.label: "String"
          - name: "uid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "uid"
              jsonType.label: "String"
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "Client IP Address"
            protocol: "openid-connect"
            protocolMapper: "oidc-usersessionmodel-note-mapper"
            consentRequired: false
            config:
              user.session.note: "clientAddress"
              userinfo.token.claim: true
              id.token.claim: true
              access.token.claim: true
              claim.name: "clientAddress"
              jsonType.label: "String"
      - name: "guardian"
        clientId: "guardian"
        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        clientAuthenticatorType: "client-secret"
        redirectUris:
          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
        fullScopeAllowed: true
        protocol: "openid-connect"
        publicClient: true
        frontchannelLogout: false
        standardFlowEnabled: true
        attributes:
          use.refresh.tokens: "true"
          backchannel.logout.session.required: "true"
        protocolMappers:
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "dn"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: false
              user.attribute: "LDAP_ENTRY_DN"
              id.token.claim: false
              access.token.claim: true
              claim.name: "dn"
              jsonType.label: "String"
          - name: "uid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "udi"
              jsonType.label: "String"
          - name: "username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "username"
              id.token.claim: true
              access.token.claim: true
              claim.name: "preferred_username"
              jsonType.label: "String"
          - name: "audiencemap"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "guardian"
              id.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
      - name: "guardian-ui"
        clientId: "guardian-ui"
        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
        clientAuthenticatorType: "client-secret"
        redirectUris:
          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
        standardFlowEnabled: true
        publicClient: true
        protocol: "openid-connect"
        fullScopeAllowed: true
        protocolMappers:
          - name: "uid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "uid"
              jsonType.label: "String"
          - name: "username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "username"
              id.token.claim: true
              access.token.claim: true
              claim.name: "preferred_username"
              jsonType.label: "String"
          - name: "dn"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: "false"
              user.attribute: "LDAP_ENTRY_DN"
              id.token.claim: false
              access.token.claim: true
              claim.name: "dn"
              jsonType.label: "String"
          - name: "audiencemap"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "guardian-ui"
              id.token.claim: true
              access.token.claim: true
              userinfo.token.claim: true
          - name: "email"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-property-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "email"
              id.token.claim: true
              access.token.claim: true
              claim.name: "email"
              jsonType.label: "String"
          - name: "guardian-audience"
            protocol: "openid-connect"
            protocolMapper: "oidc-audience-mapper"
            consentRequired: false
            config:
              included.client.audience: "guardian"
              id.token.claim: false
              access.token.claim: true
              userinfo.token.claim: false
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-frontend.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.gotmpl
@@ -20,7 +20,7 @@ portalListener:
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
  repository: {{ .Values.images.umsPortalListener.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsPortalListener.tag | quote }}
@@ -30,7 +30,7 @@ image:
    {{- end }}
  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-portal-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.gotmpl
@@ -4,13 +4,14 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 portalServer:
  logLevel: {{ .Values.debug.logLevel | quote }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  ucsInternalUrl: {{ printf "%s%s%s" "http://portal-server:" .Values.secrets.univentionManagementStack.storeDavUsers.portalServer "@ums-store-dav/portal-data" | quote }}
  centralNavigation:
    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
  repository: {{ .Values.images.umsPortalServer.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsPortalServer.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml
@@ -5,7 +5,6 @@
 portalServer:
  authMode: "saml"
  editable: "false"
  logLevel: "DEBUG"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
  centralNavigation:
--- a/helmfile/apps/univention-management-stack/values-provisioning.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.gotmpl
@@ -0,0 +1,19 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioning.registry | quote }}
  repository: {{ .Values.images.umsProvisioning.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsProvisioning.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 resources:
  {{ .Values.resources.umsProvisioning | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml
@@ -1,25 +1,15 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-containerSecurityContext:
+provisioningApi:
  rootPath: "/univention/provisioning-api"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-selfservice-listener.gotmpl
@@ -21,17 +21,17 @@ image:
    {{- end }}
  selfserviceListener:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
    repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
    tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
  selfserviceInvitation:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-swp.gotmpl
@@ -5,6 +5,9 @@ SPDX-License-Identifier: Apache-2.0
 ---
 stackDataSwp:
  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  systemInformation:
    deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
    releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
 stackDataContext:
  ldapSearchUsers:
@@ -34,7 +37,7 @@ stackDataContext:
  adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
  repository: {{ .Values.images.umsDataLoader.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsDataLoader.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.gotmpl
@@ -14,7 +14,7 @@ stackDataContext:
  ldapBase: {{ .Values.ldap.baseDn | quote }}
  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  idpSamlMetadataUrl: {{ printf "https://%s.%s/%s/%s/%s" .Values.global.hosts.keycloak .Values.global.domain "realms" .Values.platform.realm "protocol/saml/descriptor" | quote }}
+  idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
@@ -22,7 +22,7 @@ stackDataContext:
  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.defaultAccounts.administratorPassword | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
  repository: {{ .Values.images.umsDataLoader.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsDataLoader.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-store-dav.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-store-dav.gotmpl
@@ -9,7 +9,7 @@ storeDav:
      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
  repository: {{ .Values.images.umsStoreDav.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsStoreDav.tag | quote }}
@@ -19,7 +19,7 @@ image:
    {{- end }}
  configHtpasswd:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsConfigHtpasswd.registry | quote }}
    repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.gotmpl
@@ -10,7 +10,7 @@ udmRestApi:
  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-gateway.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.gotmpl
@@ -25,7 +25,7 @@ memcached:
  server: {{ .Values.cache.umsSelfservice.host | quote }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
  repository: {{ .Values.images.umsUmcServer.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsUmcServer.tag | quote }}
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl
@@ -12,7 +12,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }}
  repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
  tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy }}
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  keycloak:
-    host: "ums-keycloak:8080"
+    host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
    adminUsername: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
    adminRealm: "master"
@@ -20,10 +20,11 @@ global:
      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
 handler:
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
    tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  appConfig:
    captchaProtectionEnable: false
    smtpPassword: {{ .Values.smtp.password | quote }}
@@ -48,10 +49,11 @@ postgresql:
  enabled: false
 proxy:
  image:
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
    tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  ingress:
    annotations:
      nginx.org/proxy-buffer-size: "8k"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -7,12 +7,11 @@ global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
  repository: {{ .Values.images.umsKeycloak.repository | quote }}
  tag: {{ .Values.images.umsKeycloak.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -26,6 +25,12 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
  logLevel: {{ .Values.debug.logLevel | quote }}
  enableMetrics: true
  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
  # through an own ingress.
  exposeAdminConsole: false
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.gotmpl
@@ -2,6 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
  repository: {{ .Values.images.umsStackGateway.repository | quote }}
  tag: {{ .Values.images.umsStackGateway.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml
@@ -237,6 +237,27 @@ serverBlock: |
      proxy_pass http://ums-portal-frontend:80/;
    }
    ## provisioning-api
    location /univention/provisioning-api/ {
      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
      proxy_pass http://ums-provisioning-provisioning-api:80;
    }
    ## guardian
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
    }
    location /guardian/opa {
      rewrite ^/guardian/opa(/.*)$ $1 break;
      proxy_pass http://ums-open-policy-agent:80/;
    }
    location /guardian/management {
      proxy_pass http://ums-guardian-management-api:80/guardian/management;
    }
    location /guardian/authorization {
      proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
    }
  }
 podSecurityContext:
--- a/helmfile/apps/xwiki/helmfile.yaml
+++ b/helmfile/apps/xwiki/helmfile.yaml
@@ -8,10 +8,12 @@ repositories:
  # XWiki
  # Source: https://github.com/xwiki-contrib/xwiki-helm
  - name: "xwiki-repo"
-    oci: {{ .Values.charts.xwiki.oci }}
+    keyring: "../../files/gpg-pubkeys/xwiki-com.gpg"
-    username: {{ .Values.charts.xwiki.username | quote }}
+    verify: {{ .Values.charts.xwiki.verify }}
-    password: {{ .Values.charts.xwiki.password | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.imageRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
 releases:
  - name: "xwiki"
@@ -19,8 +21,7 @@ releases:
    version: "{{ .Values.charts.xwiki.version }}"
    wait: true
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.xwiki.enabled }}
    timeout: 900
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Thorsten Roßner	6496ac787b	fix(open-xchange): Bump Gotenberg container	2024-02-19 11:07:41 +01:00
Thorsten Roßner	77e32fada8	chore(release): 0.5.74 [skip ci] ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12) ### Bug Fixes * ci: Add opendesk-ci linter ([`b23152b`](`b23152bb20`)) * ci: Scan all images for malware on release ([`807b73c`](`807b73c8a4`)) * ci: Switch to 'on_success' instead of 'always' ([`e1f6370`](`e1f63701f1`)) * collabora: Migrate collabora to yaml.gotmpl file ([`09d001b`](`09d001b6db`)) * cryptpad: Bump image ([`90152bd`](`90152bdc41`)) * cryptpad: Bump image to 5.6.0 ([`1c4db30`](`1c4db30b65`)) * cryptpad: Verify against GPG key ([`fec0d1f`](`fec0d1f26a`)) * docs: Update Helm Chart Trust Chain information ([`f894370`](`f8943703ed`)) * element: Fix rights & roles of neoboard ([`7daa93f`](`7daa93f061`)) * element: Fix rights and roles configuration ([`452624c`](`452624ce74`)) * helmfile: Add image annotations for mirroring ([`41e777c`](`41e777c81d`)) * helmfile: Add logLevel to globals ([`8db9bf3`](`8db9bf3c99`)) * helmfile: Add XWiki GPG key ([`712605e`](`712605e4f1`)) * helmfile: Increase timeouts for deployment of services ([`3b557a8`](`3b557a892c`)) * helmfile: Merge fix values filename for Jitsi ([`7a14531`](`7a145315f9`)) * helmfile: Remove oci flag from charts.yaml and move user/password ([`2ad48b6`](`2ad48b6fd5`)) * helmfile: Sort images and charts ([`acf6816`](`acf6816653`)) * helmfile: Switch artefacts to be pulled from Open CoDE or upstream ([`6b3d99d`](`6b3d99d1d1`)) * intercom-service: Add scaling option. ([`969c42a`](`969c42a590`)) * jitsi: Add available securityContexts here ([`8f09740`](`8f09740677`)) * nextcloud: Replace community Nextcloud with openDesk Nextcloud ([`813a2e2`](`813a2e29e9`)) * open-xchange: Enable ICAP and merge yaml and gotmpl files ([`306252d`](`306252da6f`)) * openproject: Consolidate env values set by Helm chart ([`08754cc`](`08754cc527`)) * openproject: Merge yaml and gotmpl value files ([`45967c7`](`45967c7a0b`)) * services: Add scaling to all services ([`0492420`](`0492420d60`)) * univention-management-stack: Add guardian components ([`db749d8`](`db749d8b1b`)) * univention-management-stack: Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions ([`0bf059e`](`0bf059e8e1`)) * univention-management-stack: Add ums provisioning service ([`d039c65`](`d039c65c4b`)) * univention-management-stack: Bump Keycloak Bootstrap image ([`bb289d5`](`bb289d545e`)) * univention-management-stack: Bump Keycloak chart and image and provide settings for IT-Grundschutz ([`c2e9204`](`c2e9204c56`)) * univention-management-stack: Keycloak clients for guardian ([`b30b29d`](`b30b29df8a`)) * univention-management-stack: Provide openDesk version info for admins in portal menu ([`5f5a65f`](`5f5a65f59d`)) * univention-management-stack: SAML join using internal Keycloak hostname ([`acbef3a`](`acbef3ae3e`)) * univention-management-stack: Streamline timeouts for deployment ([`506ef4a`](`506ef4a20f`)) * univention-management-stack: Updated base image ([`78993e1`](`78993e122b`)) * xwiki: Bump Helm chart und image, fix favicon ([`87b6fcf`](`87b6fcfc37`)) * xwiki: Ldap group sync filter ([`9aa907a`](`9aa907a909`)) * xwiki: Update default XWiki configuration ([`f13f39a`](`f13f39a0a0`)) * xwiki: Update Image to include XWiki 15.10.4 ([`9ff6056`](`9ff605623c`)) * xwiki: Update to 1.2.6 and add imagePullSecrets ([`2d2455f`](`2d2455fdb3`)) * xwiki: Verify against GPG key ([`a0d5fb8`](`a0d5fb8955`))	2024-01-12 15:46:37 +00:00
Thorsten Roßner	acbef3ae3e	fix(univention-management-stack): SAML join using internal Keycloak hostname	2024-01-12 09:52:38 +01:00
Thorsten Roßner	bb289d545e	fix(univention-management-stack): Bump Keycloak Bootstrap image	2024-01-11 16:57:15 +00:00
Dominik Kaminski	2d2455fdb3	fix(xwiki): Update to 1.2.6 and add imagePullSecrets	2024-01-11 17:19:14 +01:00
Dominik Kaminski	0bf059e8e1	fix(univention-management-stack): Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions	2024-01-11 16:31:09 +01:00
Dominik Kaminski	0492420d60	fix(services): Add scaling to all services	2024-01-11 16:31:04 +01:00
Dominik Kaminski	8f09740677	fix(jitsi): Add available securityContexts here	2024-01-11 16:07:58 +01:00
Dominik Kaminski	969c42a590	fix(intercom-service): Add scaling option.	2024-01-11 16:07:58 +01:00
nurjinn jafar	7daa93f061	fix(element): Fix rights & roles of neoboard Signed-off-by: nurjinn jafar <nurjin.jafar@nordeck.net>	2024-01-11 09:53:16 +00:00
nurjinn jafar	452624ce74	fix(element): Fix rights and roles configuration Signed-off-by: nurjinn jafar <nurjin.jafar@nordeck.net>	2024-01-11 09:53:16 +00:00
Dominik Kaminski	b23152bb20	fix(ci): Add opendesk-ci linter	2024-01-11 08:31:56 +01:00
Thorsten Roßner	78993e122b	fix(univention-management-stack): Updated base image	2024-01-10 23:47:56 +01:00
Thorsten Roßner	87b6fcfc37	fix(xwiki): Bump Helm chart und image, fix favicon	2024-01-10 13:07:15 +01:00
Oliver Günther	4945c13d05	chore(openproject): Bump chart version to 4.2.1	2024-01-09 08:34:25 +01:00
Thorsten Roßner	08754cc527	fix(openproject): Consolidate env values set by Helm chart	2024-01-09 08:33:46 +01:00
Thorsten Roßner	45967c7a0b	fix(openproject): Merge yaml and gotmpl value files	2024-01-09 16:42:24 +01:00
Dominik Kaminski	acf6816653	fix(helmfile): Sort images and charts	2024-01-09 04:19:23 +01:00
Dominik Kaminski	f8943703ed	fix(docs): Update Helm Chart Trust Chain information	2024-01-09 04:19:23 +01:00
Dominik Kaminski	712605e4f1	fix(helmfile): Add XWiki GPG key	2024-01-09 04:19:23 +01:00
Dominik Kaminski	a0d5fb8955	fix(xwiki): Verify against GPG key	2024-01-09 04:19:23 +01:00
Dominik Kaminski	fec0d1f26a	fix(cryptpad): Verify against GPG key	2024-01-09 04:19:23 +01:00
Thomas Kaltenbrunner	807b73c8a4	fix(ci): Scan all images for malware on release	2024-01-09 04:19:23 +01:00
Thorsten Roßner	506ef4a20f	fix(univention-management-stack): Streamline timeouts for deployment	2024-01-09 04:19:23 +01:00
Thorsten Roßner	306252da6f	fix(open-xchange): Enable ICAP and merge yaml and gotmpl files	2024-01-09 04:19:23 +01:00
Thorsten Roßner	5f5a65f59d	fix(univention-management-stack): Provide openDesk version info for admins in portal menu	2024-01-09 04:19:23 +01:00
Dominik Kaminski	09d001b6db	fix(collabora): Migrate collabora to yaml.gotmpl file	2024-01-09 04:19:22 +01:00
Thorsten Roßner	9aa907a909	fix(xwiki): Ldap group sync filter	2024-01-09 04:19:22 +01:00
Thorsten Roßner	2ad48b6fd5	fix(helmfile): Remove oci flag from charts.yaml and move user/password	2024-01-09 04:19:22 +01:00
Thorsten Roßner	6b3d99d1d1	fix(helmfile): Switch artefacts to be pulled from Open CoDE or upstream	2024-01-09 04:19:22 +01:00
Dominik Kaminski	813a2e29e9	fix(nextcloud): Replace community Nextcloud with openDesk Nextcloud	2024-01-09 04:19:22 +01:00
Thorsten Roßner	e1f63701f1	fix(ci): Switch to 'on_success' instead of 'always'	2024-01-09 04:19:22 +01:00
Thorsten Roßner	9ff605623c	fix(xwiki): Update Image to include XWiki 15.10.4	2024-01-09 04:19:22 +01:00
jconde	db749d8b1b	fix(univention-management-stack): Add guardian components	2024-01-09 04:19:22 +01:00
jconde	b30b29df8a	fix(univention-management-stack): Keycloak clients for guardian	2024-01-09 04:19:22 +01:00
Thorsten Roßner	7a145315f9	fix(helmfile): Merge fix values filename for Jitsi	2024-01-09 04:19:22 +01:00
Clément Aubin	f13f39a0a0	fix(xwiki): Update default XWiki configuration * Set default language to a locale with country indicator, which allows the workplace services to work properly * Set default page title (visible in the browser tab title)	2024-01-09 04:19:22 +01:00
Thorsten Roßner	3b557a892c	fix(helmfile): Increase timeouts for deployment of services	2024-01-09 04:19:15 +01:00
Thorsten Roßner	41e777c81d	fix(helmfile): Add image annotations for mirroring	2024-01-05 15:36:21 +00:00
Thorsten Roßner	90152bdc41	fix(cryptpad): Bump image	2024-01-05 15:36:21 +00:00
Thorsten Roßner	8db9bf3c99	fix(helmfile): Add logLevel to globals	2024-01-05 15:36:21 +00:00
Thorsten Roßner	c2e9204c56	fix(univention-management-stack): Bump Keycloak chart and image and provide settings for IT-Grundschutz	2024-01-05 15:36:21 +00:00
Milton Moura	61eb206c74	chore(element): Update Element Web and Widgets to latest releases Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-01-05 15:36:21 +00:00
Thorsten Roßner	1c4db30b65	fix(cryptpad): Bump image to 5.6.0	2024-01-05 15:36:21 +00:00
Sebastian König-Festl	d039c65c4b	fix(univention-management-stack): Add ums provisioning service Adds provisioning API along with NATS and NATS box	2024-01-05 15:36:21 +00:00