fix(jitsi): Add exporter and serviceMonitor

chore(release): 0.5.77 [skip ci]
## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16) ### Bug Fixes * **ci:** Complete CI var usage for external registry ([3bcdcd0](3bcdcd06b7)) * **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](250ef2bc3f)) * **collabora:** Add chart validation ([0159902](01599022f1)) * **collabora:** Bump to 23.05.9.1.1 ([b525a81](b525a814fc)) * **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](6f0b1f37fc)) * **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](bc7eeb8c9d)) * **docs:** Add generated security-context.md ([d9e07ff](d9e07ff7bd)) * **element:** Change name of neodatefix bot job ([dd535da](dd535daac0)) * **element:** Disable e2ee ([ba0824b](ba0824bac3)) * **helmfile:** Add additional provisioning components and configuration ([110ff56](110ff56f74)) * **helmfile:** Add seLinuxOptions for all applications ([02d04fa](02d04faa2a)) * **helmfile:** Annotations in image.yaml ([7ebbd03](7ebbd03bdc)) * **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](d2b1f0b07b)) * **helmfile:** Fix annotations in images.yaml ([acaec3b](acaec3b8ac)) * **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](8f83261986)) * **helmfile:** Improve debugging ([56f5e35](56f5e35895)) * **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](f2b8acfba8)) * **nextcloud:** Set backchannel logout url ([c0fc225](c0fc225349)) * **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](fd2a66f8f2)) * **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](5d95e7ab2a)) * **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](7c9f38f06e)) * **open-xchange:** Bump Gotenberg image ([49f126d](49f126d169)) * **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](1396071865)) * **openproject:** Bump version to 13.3.0 ([c2087ef](c2087efcf9)) * **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](ee1a337ab5)) * **univention-management-stack:** Patches not applied to uldap ([2909e1d](2909e1d821)) * **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](83ac645fae)) * **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](c16c0ac795)) * **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](6c15dc1d66)) * **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](affa92cde2)) * **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](cabee0c9da))
2025-12-06 07:21:36 +01:00 · 2024-02-19 17:29:46 +01:00 · 2024-02-16 09:40:25 +00:00 · 2024-02-16 07:12:17 +01:00 · 2024-02-15 16:38:32 +00:00 · 2024-02-15 15:32:12 +00:00
201 changed files with 6941 additions and 4818 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,9 +5,9 @@
 .yamllint
 # Ignore changes to sample environments
-helmfile/environments/dev/values.yaml
+helmfile/environments/dev/values.yaml.gotmpl
-helmfile/environments/dev/values.gotmpl
+helmfile/environments/prod/values.yaml.gotmpl
-helmfile/environments/test/values.yaml
+
-helmfile/environments/test/values.gotmpl
+# Ignore in CI generated files
-helmfile/environments/prod/values.yaml
+.kyverno/opendesk.yaml
-helmfile/environments/prod/values.gotmpl
+.kyverno/kyverno-test.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,13 +8,25 @@ include:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
    rules:
      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
        when: "never"
      - when: "always"
  - local: "/.gitlab/lint/lint-kyverno.yml"
    rules:
      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
        when: "never"
      - when: "always"
 stages:
  - ".pre"
  - "scan"
  - "automr"
  - "lint"
  - "env-cleanup"
@@ -131,22 +143,13 @@ variables:
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
    value: "main"
  RUN_UMS_TESTS:
    description: "Run E2E test suite of SouvAP Dev team"
    value: "no"
    options:
      - "yes"
      - "no"
  UMS_TESTS_BRANCH:
    description: "Branch of E2E test suite of SouvAP Dev team"
    value: "main"
 .deploy-common:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
+          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -175,7 +178,7 @@ env-cleanup:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          $ENV_STOP_BEFORE != "no"
-      when: "always"
+      when: "on_success"
  script:
    - |
      if [ "${OPENDESK_SLEDGEHAMMER_DESTROY_ENABLED}" = "yes" ]; then
@@ -199,7 +202,7 @@ env-start:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/
-      when: "always"
+      when: "on_success"
  script:
    - "echo \"Deploying to Environment ${NAMESPACE} in ${CLUSTER} Cluster\""
    - "kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -"
@@ -207,8 +210,8 @@ env-start:
      kubectl create secret
      --namespace "${NAMESPACE}"
      docker-registry external-registry
-      --docker-server "external-registry.souvap-univention.de"
+      --docker-server "${EXTERNAL_REGISTRY}"
-      --docker-username sovereign-workplace
+      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
      --dry-run=client -o yaml | kubectl apply -f -
  stage: "env"
@@ -221,7 +224,7 @@ services-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "services"
@@ -233,7 +236,7 @@ provisioning-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no" || $DEPLOY_PROVISIONING != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "provisioning"
@@ -245,7 +248,7 @@ ums-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "univention-management-stack"
@@ -258,7 +261,7 @@ ox-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OX != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "open-xchange"
@@ -270,7 +273,7 @@ ics-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ICS != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "intercom-service"
@@ -282,7 +285,7 @@ xwiki-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_XWIKI != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "xwiki"
@@ -294,7 +297,7 @@ collabora-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_COLLABORA != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "collabora"
@@ -306,7 +309,7 @@ cryptpad-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "cryptpad"
@@ -318,7 +321,7 @@ nextcloud-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "nextcloud"
@@ -330,7 +333,7 @@ openproject-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_OPENPROJECT != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "openproject"
@@ -342,7 +345,7 @@ openproject-bootstrap-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || ($DEPLOY_OPENPROJECT != "no" && $DEPLOY_NEXTCLOUD != "no"))
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "openproject-bootstrap"
@@ -354,7 +357,7 @@ jitsi-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_JITSI != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "jitsi"
@@ -366,7 +369,7 @@ element-deploy:
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_ELEMENT != "no")
-      when: "always"
+      when: "on_success"
  variables:
    COMPONENT: "element"
@@ -410,7 +413,7 @@ run-tests:
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_TESTS == "yes"
-      when: "always"
+      when: "on_success"
  script:
    - *ums-default-password
    - |
@@ -442,40 +445,70 @@ run-tests:
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"
-run-souvap-dev-tests:
+avscan-prepare:
-  extends: ".deploy-common"
+  stage: ".pre"
  environment:
    name: "${NAMESPACE}"
  stage: "tests"
  rules:
-    - if: >
+    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
      when: "always"
    - when: "never"
  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
  script:
    - *ums-default-password
    - |
-      curl --request POST \
+      cat << 'EOF' > dynamic-scans.yml
-      --header "Content-Type: application/json" \
+      ---
-      --data "{ \
+      stages:
-        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        - "scan"
-        \"token\": \"${CI_JOB_TOKEN}\", \
+
-        \"variables\": { \
+      .container-clamav:
-          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+        stage: "scan"
-          \"username\": \"${DEFAULT_USER_NAME}\", \
+        image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/clamav-imagescan:1.0.0"
-          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+        before_script:
-          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          - "sed -i \"/^DatabaseMirror .*$/c DatabaseMirror ${DATABASE_MIRROR}\" /etc/clamav/freshclam.conf"
-          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          - "freshclam"
-          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+          - "mkdir /scan"
-        } \
+        script:
-      }" \
+          - "export IMAGE=${EXTERNAL_REGISTRY:-${CONTAINER_REGISTRY}}/${CONTAINER_IMAGE}:${CONTAINER_TAG}"
-      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+          - "echo Pulling and scanning $IMAGE..."
          - "crane pull $IMAGE /scan/image.tar"
          - "clamscan /scan"
        variables:
          CONTAINER_IMAGE: ""
          CONTAINER_REGISTRY: ""
          CONTAINER_TAG: ""
          DATABASE_MIRROR: "https://nexus.souvap-univention.de/repository/ClamAV"
      EOF
    - >
      yq '.images
      | with_entries(.key |= "scan-" + .)
      | .[].extends=".container-clamav"
      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
      | del(.[].repository)
      | del(.[].tag)
      | del(.[].registry)'
      helmfile/environments/default/images.yaml
      >> dynamic-scans.yml
  artifacts:
    paths:
      - "dynamic-scans.yml"
 avscan-start:
  stage: "scan"
  rules:
    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  trigger:
    include:
      - artifact: "dynamic-scans.yml"
        job: "avscan-prepare"
    strategy: "depend"
 generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "always"
+      when: "on_success"
    - when: "never"
  script:
    - |
@@ -495,7 +528,6 @@ generate-release-assets:
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -506,14 +538,12 @@ generate-release-assets:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
  tags: []
 conventional-commits-linter:
  rules:
    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
      when: "never"
    - when: "always"
 common-yaml-linter:
  rules:
    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -530,15 +560,36 @@ reuse-linter:
 generate-release-version:
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false'"
-      when: "always"
+      when: "on_success"
 release:
  dependencies:
    - "generate-release-assets"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "always"
+      when: "on_success"
  script:
    - >
      export RELEASE_VERSION=$(semantic-release --dry-run --branches $CI_COMMIT_REF_NAME --plugins
      "@semantic-release/gitlab" | grep -oP "Published release [0-9]+\.[0-9]+\.[0-9]+ on" |
      grep -oP "[0-9]+\.[0-9]+\.[0-9]+")
    - |
      if [ -z "${RELEASE_VERSION}" ]; then
        echo "RELEASE_VERSION=$(git describe --tags --abbrev=0 | sed s@^v@@g )"
      else
        echo "RELEASE_VERSION=${RELEASE_VERSION}"
      fi
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
        systemInformation:
          releaseVersion: "v$(echo -E "$RELEASE_VERSION")"
      ...
      EOF
    - |
      cat << 'EOF' > ${CI_PROJECT_DIR}/.releaserc
      {
@@ -557,7 +608,14 @@ release:
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
-            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md"],
+            "assets": [
              "charts/**/Chart.yaml",
              "CHANGELOG.md",
              "charts/**/README.md",
              "helmfile/environments/default/global.generated.yaml",
              ".kyverno/kyverno-test.yaml",
              "docs"
            ],
            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
          }]
        ]
@@ -566,4 +624,5 @@ release:
    - "semantic-release"
  needs:
    - "generate-release-assets"
    - "generate-docs"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -0,0 +1,15 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.2\
    @sha256:7a866a34b82dddea8867862afaaccb1d1e385854ce344fc71be492800a5b16a6"
  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.3\
    @sha256:096e649b985dd8e46e9dadff5f7e9c7a8772bf5a1b3df1bb2b4a887716c2ca85"
 .common:
  cache: {}
  needs: []
  tags:
    - "docker"
 ...
--- a/.gitlab/generate/generate-common.yml
+++ b/.gitlab/generate/generate-common.yml
@@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - local: "/.gitlab/common/common.yml"
 .generate-common:
  extends: ".common"
  stage: ".post"
  tags: []
 ...
--- a/.gitlab/generate/generate-docs.yml
+++ b/.gitlab/generate/generate-docs.yml
@@ -0,0 +1,20 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - local: "/.gitlab/generate/generate-common.yml"
 generate-docs:
  cache:
    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
      paths:
        - "${CI_PROJECT_DIR}/docs"
      policy: "push"
  extends: ".generate-common"
  image: "${OPENDESK_CI_CLI_IMAGE}"
  rules:
    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "on_success"
  script:
    - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
 ...
--- a/.gitlab/lint/lint-common.yml
+++ b/.gitlab/lint/lint-common.yml
@@ -0,0 +1,11 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - local: "/.gitlab/common/common.yml"
 .lint-common:
  extends: ".common"
  stage: "lint"
 ...
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -0,0 +1,35 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - local: "/.gitlab/lint/lint-common.yml"
 lint-kyverno:
  allow_failure: true
  extends: ".lint-common"
  image: "${OPENDESK_LINT_IMAGE}"
  parallel:
    matrix:
      - APP:
          - "collabora"
          - "cryptpad"
          - "element"
          - "intercom-service"
          - "jitsi"
          - "nextcloud"
          - "open-xchange"
          - "openproject"
          - "openproject-bootstrap"
          - "provisioning"
          - "services"
          - "univention-management-stack"
          - "xwiki"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required -s manifest -f opendesk.yaml --skip-tests true ${APP}"
    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - "cd ${CI_PROJECT_DIR}/.kyverno"
    - "kyverno test ."
 ...
--- a/.gitlab/lint/lint-opendesk.yml
+++ b/.gitlab/lint/lint-opendesk.yml
@@ -0,0 +1,13 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - local: "/.gitlab/lint/lint-common.yml"
 lint-opendesk:
  extends: ".lint-common"
  image: "${OPENDESK_CI_CLI_IMAGE}"
  script:
    - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
    - "git diff --exit-code"
 ...
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -0,0 +1,168 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 pod:
  - name: "require-tag-and-digest"
    rule: "require-tag-and-digest"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "disallow-default-serviceaccount"
    rule: "require-sa"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-imagepullsecrets"
    rule: "require-imagepullsecrets"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "disallow-latest-tag"
    rule: "validate-image-tag"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-imagepullpolicy-always"
    rule: "require-imagepullpolicy-always"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-health-and-liveness-check"
    rule: "require-health-and-liveness-check"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Pod"
      - "DaemonSet"
  - name: "require-storage"
    rule: "require-storageclass-pvc"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
  - name: "require-storage"
    rule: "require-storageclass-pod"
    type: "required"
    kinds:
      - "StatefulSet"
  - name: "require-storage"
    rule: "require-storage-size-pvc"
    type: "required"
    kinds:
      - "PersistentVolumeClaim"
  - name: "require-storage"
    rule: "require-storage-size-pod"
    type: "required"
    kinds:
      - "StatefulSet"
  - name: "require-requests-limits"
    rule: "validate-resources"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "restrict-image-registries"
    rule: "validate-registries"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-ro-rootfs"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-no-privilege-escalation"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-all-capabilities-dropped"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-no-privileged"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-run-as-user"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-run-as-group"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-seccomp-profile"
    type: "required"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-run-as-non-root"
    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
      - "Job"
      - "Pod"
      - "DaemonSet"
 ...
--- a/.kyverno/policies/disallow-default-serviceaccount.yaml
+++ b/.kyverno/policies/disallow-default-serviceaccount.yaml
@@ -0,0 +1,22 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-default-serviceaccount"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-sa"
      validate:
        message: "serviceAccountName must be set to anything other than 'default'."
        pattern:
          spec:
            serviceAccountName: "!default"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/disallow-latest-tag.yaml
+++ b/.kyverno/policies/disallow-latest-tag.yaml
@@ -0,0 +1,27 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "disallow-latest-tag"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "validate-image-tag"
      validate:
        message: "Using a mutable image tag e.g. 'latest' is not allowed."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "!*:latest"
            =(initContainers):
              - image: "!*:latest"
            containers:
              - image: "!*:latest"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-containersecuritycontext.yaml
+++ b/.kyverno/policies/require-containersecuritycontext.yaml
@@ -0,0 +1,173 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-containersecuritycontext"
 spec:
  background: true
  rules:
    - name: "require-ro-rootfs"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Root filesystem must be read-only."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  readOnlyRootFilesystem: true
            =(initContainers):
              - securityContext:
                  readOnlyRootFilesystem: true
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
    - name: "require-no-privilege-escalation"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Disallow privilege escalation."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  allowPrivilegeEscalation: false
            =(initContainers):
              - securityContext:
                  allowPrivilegeEscalation: false
            containers:
              - securityContext:
                  allowPrivilegeEscalation: false
    - name: "require-all-capabilities-dropped"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Required to drop ALL linux capabilities."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  capabilities:
                    drop:
                      - "ALL"
            =(initContainers):
              - securityContext:
                  capabilities:
                    drop:
                      - "ALL"
            containers:
              - securityContext:
                  capabilities:
                    drop:
                      - "ALL"
    - name: "require-no-privileged"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Disallow privileged container."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  privileged: false
            =(initContainers):
              - securityContext:
                  privileged: false
            containers:
              - securityContext:
                  privileged: false
    - name: "require-run-as-user"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Container must run as non-root user."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  runAsUser: ">0"
            =(initContainers):
              - securityContext:
                  runAsUser: ">0"
            containers:
              - securityContext:
                  runAsUser: ">0"
    - name: "require-run-as-group"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Container must run as non-root group."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  runAsGroup: ">0"
            =(initContainers):
              - securityContext:
                  runAsGroup: ">0"
            containers:
              - securityContext:
                  runAsGroup: ">0"
    - name: "require-seccomp-profile"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Container must have seccompProfile"
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"
            =(initContainers):
              - securityContext:
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"
            containers:
              - securityContext:
                  seccompProfile:
                    type: "RuntimeDefault | Localhost"
    - name: "require-run-as-non-root"
      match:
        resources:
          kinds:
            - "Pod"
      validate:
        message: "Container must run in non-root mode."
        pattern:
          spec:
            =(ephemeralContainers):
              - securityContext:
                  runAsNonRoot: true
            =(initContainers):
              - securityContext:
                  runAsNonRoot: true
            containers:
              - securityContext:
                  runAsNonRoot: true
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-health-and-liveness-check.yaml
+++ b/.kyverno/policies/require-health-and-liveness-check.yaml
@@ -0,0 +1,27 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-health-and-liveness-check"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-health-and-liveness-check"
      validate:
        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
          must be set to a value greater than 0."
        pattern:
          spec:
            containers:
              - livenessProbe:
                  periodSeconds: ">0"
                readinessProbe:
                  periodSeconds: ">0"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-imagepullpolicy-always.yaml
+++ b/.kyverno/policies/require-imagepullpolicy-always.yaml
@@ -0,0 +1,40 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-imagepullpolicy-always"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-imagepullpolicy-always"
      validate:
        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
        anyPattern:
          - spec:
              =(ephemeralContainers):
                - (image): "*:latest"
                  imagePullPolicy: "Always"
              =(initContainers):
                - (image): "*:latest"
                  imagePullPolicy: "Always"
              containers:
                - (image): "*:latest"
                  imagePullPolicy: "Always"
          - spec:
              =(ephemeralContainers):
                - (image): "!*:latest"
                  imagePullPolicy: "IfNotPresent"
              =(initContainers):
                - (image): "!*:latest"
                  imagePullPolicy: "IfNotPresent"
              containers:
                - (image): "!*:latest"
                  imagePullPolicy: "IfNotPresent"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-imagepullsecets.yaml
+++ b/.kyverno/policies/require-imagepullsecets.yaml
@@ -0,0 +1,23 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-imagepullsecrets"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-imagepullsecrets"
      validate:
        message: "ImagePullSecrets are required."
        pattern:
          spec:
            imagePullSecrets:
              - name: "*"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -0,0 +1,28 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-requests-limits"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "validate-resources"
      validate:
        message: "CPU and memory resource requests and limits are required."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"
                  requests:
                    cpu: "?*"
                    memory: "?*"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-storage.yaml
+++ b/.kyverno/policies/require-storage.yaml
@@ -0,0 +1,61 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-storage"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "StatefulSet"
      name: "require-storageclass-pod"
      validate:
        message: "VolumeClaims inside pods need to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
              - spec:
                  storageClassName: "kyverno-test"
    - match:
        resources:
          kinds:
            - "PersistentVolumeClaim"
      name: "require-storageclass-pvc"
      validate:
        message: "Persistent Volume Claim need to have storageClassName set when templated."
        pattern:
          spec:
            storageClassName: "kyverno-test"
    - match:
        resources:
          kinds:
            - "StatefulSet"
      name: "require-storage-size-pod"
      validate:
        message: "VolumeClaims inside pods need to have storageClass set when templated."
        pattern:
          spec:
            (volumeClaimTemplates):
              - spec:
                  resources:
                    requests:
                      storage: "42Gi"
    - match:
        resources:
          kinds:
            - "PersistentVolumeClaim"
      name: "require-storage-size-pvc"
      validate:
        message: "Persistent Volume Claim need to have storageClassName set when templated."
        pattern:
          spec:
            resources:
              requests:
                storage: "42Gi"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/require-tag-and-digest.yaml
+++ b/.kyverno/policies/require-tag-and-digest.yaml
@@ -0,0 +1,27 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "require-tag-and-digest"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "require-tag-and-digest"
      validate:
        message: "An image tag and digest required."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "*:*@sha256:*"
            =(initContainers):
              - image: "*:*@sha256:*"
            containers:
              - image: "*:*@sha256:*"
  validationFailureAction: "audit"
 ...
--- a/.kyverno/policies/restrict-image-registries.yaml
+++ b/.kyverno/policies/restrict-image-registries.yaml
@@ -0,0 +1,27 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 metadata:
  name: "restrict-image-registries"
 spec:
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "validate-registries"
      validate:
        message: "Unknown image registry."
        pattern:
          spec:
            =(ephemeralContainers):
              - image: "external-registry.souvap-univention.de/*"
            =(initContainers):
              - image: "external-registry.souvap-univention.de/*"
            containers:
              - image: "external-registry.souvap-univention.de/*"
  validationFailureAction: "audit"
 ...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,108 @@
 ## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)
 ### Bug Fixes
 * **ci:** Complete CI var usage for external registry ([3bcdcd0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3bcdcd06b7c4829686f11b8f065ec38829b5a5a6))
 * **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/250ef2bc3fe9047b49b236b606ec3e3fa28e13ce))
 * **collabora:** Add chart validation ([0159902](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01599022f14d447dfdadf390ca9e8e29668dfb07))
 * **collabora:** Bump to 23.05.9.1.1 ([b525a81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b525a814fc25867c068579d5cbd8d1a993144519))
 * **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f0b1f37fc06c40bf537dbaed60f314341211e41))
 * **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc7eeb8c9d3dd19f625d6f7ba94b15eb4b782d20))
 * **docs:** Add generated security-context.md ([d9e07ff](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9e07ff7bd0e8be090f4fe2c370fa9978c22dfd5))
 * **element:** Change name of neodatefix bot job ([dd535da](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd535daac0bb0e602eefa45e8dc448fd07fbdd33))
 * **element:** Disable e2ee ([ba0824b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba0824bac30ae1fc43458bdc8c09a143076e874c))
 * **helmfile:** Add additional provisioning components and configuration ([110ff56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0))
 * **helmfile:** Add seLinuxOptions for all applications ([02d04fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d04faa2a8d8a0b3bfc179cc8efb3fec086bc70))
 * **helmfile:** Annotations in image.yaml ([7ebbd03](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ebbd03bdcb11abf4e459035c459b74adf8cfcda))
 * **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d2b1f0b07b5ebe4b98b2dc29b916857e28ce5706))
 * **helmfile:** Fix annotations in images.yaml ([acaec3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/acaec3b8ac6e0ecd58167fca874cd56caa15fa98))
 * **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8f832619864504eaa04945a9a79d6790d2ab8a48))
 * **helmfile:** Improve debugging ([56f5e35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56f5e35895c712440c1a7d249be672c86fc34eeb))
 * **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b8acfba85d384ed425779fa52133935e553e86))
 * **nextcloud:** Set backchannel logout url ([c0fc225](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0fc225349794034feea1d0c05b29068b9a455af))
 * **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd2a66f8f2a987aa71872122267f29aee3d5f22a))
 * **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d95e7ab2a71097d8c6231bff8c3a6aa3b6f163a))
 * **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7c9f38f06e1f0d000992ecdfd77921d6fc28015c))
 * **open-xchange:** Bump Gotenberg image ([49f126d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/49f126d169759b3e9dd130101e64892822750d7b))
 * **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/139607186549f7a9a129023f1f72aff82cf36460))
 * **openproject:** Bump version to 13.3.0 ([c2087ef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2087efcf95bf2eef19556ba1a1d26b7807021c4))
 * **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee1a337ab5dea7001045860eb6a5bee1dfc84219))
 * **univention-management-stack:** Patches not applied to uldap ([2909e1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2909e1d821397797244d7c11c0935a3bbc902bb1))
 * **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83ac645faec748e773dd7940ca0ca1102bd6dff3))
 * **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c16c0ac7955e64254214d7129ae70d5dd8808743))
 * **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c15dc1d668623ddd95090e321d1bb268e681db5))
 * **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/affa92cde2caa175707f8ae0e8d4adedbdceb608))
 * **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cabee0c9da3a32e180931b3bd490ba8f83aadb79))
 ## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
 ### Bug Fixes
 * **nextcloud:** Correct indent in monitoring resources ([bea1413](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bea1413b860aa69cab3bb4a9dfb6d8593594cc25))
 * **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af63e5c18dbd6d7d1e1ebd79ad91c4f994fe7003))
 * **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cbb33b922d397467d01a9227f3eb18d789cdc39c))
 ## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
 ### Bug Fixes
 * **ci:** Add Kyverno CI Lint ([e778a59](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e778a59cddecc7c73b827e03af5e47ddd5c3dcee))
 * **helmfile:** Cleanup and small conformity fixes ([db0a544](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db0a5441550ae08450afc04ef274ff8d19e85138))
 * **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a49daa6fa27dc7c51c3163b1155eec33b78949f5))
 * **helmfile:** Split image and helm registry ([89c149a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/89c149af954a6f0884ae905e55b52e8db9036b05))
 * **univention-management-stack:** UMC secure session cookie ([67f7c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67f7c050387157808f010857395715335b42d767))
 * **univention-management-stack:** Update guardian to version 2 ([a99f338](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a99f3389dc90aa89ce2ba4bcfc266a2dfdf15ab9))
 ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)
 ### Bug Fixes
 * **ci:** Add opendesk-ci linter ([b23152b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b23152bb20f3460c62719e47ce519d093a42c034))
 * **ci:** Scan all images for malware on release ([807b73c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/807b73c8a4f39de31f6ae02003541cf19597a3b7))
 * **ci:** Switch to 'on_success' instead of 'always' ([e1f6370](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/e1f63701f108bcc124ec67079df1a8649cc2e7c2))
 * **collabora:** Migrate collabora to yaml.gotmpl file ([09d001b](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/09d001b6db167ff0a5cd95a1cd58dd2f117f338f))
 * **cryptpad:** Bump image ([90152bd](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/90152bdc41131c359075556d26873c1ad5292950))
 * **cryptpad:** Bump image to 5.6.0 ([1c4db30](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/1c4db30b65249294696d71e435307d2877556b2c))
 * **cryptpad:** Verify against GPG key ([fec0d1f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/fec0d1f26acd729e71d441ae8043830049028cf4))
 * **docs:** Update Helm Chart Trust Chain information ([f894370](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f8943703ede8f3757dc10b789d95239fe8038d5c))
 * **element:** Fix rights & roles of neoboard ([7daa93f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7daa93f06179a9d6eedbc058503252d7b7aa04b1))
 * **element:** Fix rights and roles configuration ([452624c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/452624ce749b60abb1208a9f298e92af7d0168d0))
 * **helmfile:** Add image annotations for mirroring ([41e777c](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/41e777c81dcb50ead8486683fea8cbbc69f07129))
 * **helmfile:** Add logLevel to globals ([8db9bf3](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8db9bf3c993845c94331c7f1891c3abda907d6e6))
 * **helmfile:** Add XWiki GPG key ([712605e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/712605e4f14913f8e5cda61f64514e077d8df5dc))
 * **helmfile:** Increase timeouts for deployment of services ([3b557a8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/3b557a892c80f4c0061c36fc706502c49a7c4607))
 * **helmfile:** Merge fix values filename for Jitsi ([7a14531](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/7a145315f9768f5b5606a1b951f7f07f8a8a7673))
 * **helmfile:** Remove oci flag from charts.yaml and move user/password ([2ad48b6](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2ad48b6fd528c002501771dea96784e54d272c03))
 * **helmfile:** Sort images and charts ([acf6816](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/acf681665352c84de00246b57b0be9afa48a820d))
 * **helmfile:** Switch artefacts to be pulled from Open CoDE or upstream ([6b3d99d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/6b3d99d1d1a41368650f828eaea69d9159b8e752))
 * **intercom-service:** Add scaling option. ([969c42a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/969c42a590bb47cddf4c5f59940d53d55dba8810))
 * **jitsi:** Add available securityContexts here ([8f09740](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/8f097406773ad769e3bece6af6c994df8254228c))
 * **nextcloud:** Replace community Nextcloud with openDesk Nextcloud ([813a2e2](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/813a2e29e964f95bff133a6b09608ff9f6fda255))
 * **open-xchange:** Enable ICAP and merge yaml and gotmpl files ([306252d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/306252da6fb70c3728cf781ea62ab76ad1099af6))
 * **openproject:** Consolidate env values set by Helm chart ([08754cc](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/08754cc527e2828a44e853277ed55d6b3d041a37))
 * **openproject:** Merge yaml and gotmpl value files ([45967c7](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/45967c7a0b18df6ff23ebff62d5a4c67bde7cee2))
 * **services:** Add scaling to all services ([0492420](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0492420d60bf8e866b39dc51a2e3627cc710de75))
 * **univention-management-stack:** Add guardian components ([db749d8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/db749d8b1b5982d7ffd1728a40c343928a94dc9b))
 * **univention-management-stack:** Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions ([0bf059e](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/0bf059e8e1560a63d4b5efbd80a00a896539f86b))
 * **univention-management-stack:** Add ums provisioning service ([d039c65](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/d039c65c4b808e2a55a428502a8cfc05d001b43c))
 * **univention-management-stack:** Bump Keycloak Bootstrap image ([bb289d5](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/bb289d545e2ee306ecf032d4889c694c7182f243))
 * **univention-management-stack:** Bump Keycloak chart and image and provide settings for IT-Grundschutz ([c2e9204](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/c2e9204c56c526b96e084bd7578cb981f3be29c0))
 * **univention-management-stack:** Keycloak clients for guardian ([b30b29d](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/b30b29df8aa179dd065db4ade1d2911f6c7ab458))
 * **univention-management-stack:** Provide openDesk version info for admins in portal menu ([5f5a65f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/5f5a65f59d4f67b589f6ac1f5c51ed584ab91ff0))
 * **univention-management-stack:** SAML join using internal Keycloak hostname ([acbef3a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/acbef3ae3e335de0c5dfc2e54e2c31b64643990a))
 * **univention-management-stack:** Streamline timeouts for deployment ([506ef4a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/506ef4a20f8f5de509a678f7df64f24137e985f6))
 * **univention-management-stack:** Updated base image ([78993e1](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/78993e122bad05cc2801acf516ebebb4accc1aaf))
 * **xwiki:** Bump Helm chart und image, fix favicon ([87b6fcf](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/87b6fcfc37babaca03ffdbb1ba4ae603db4f1c23))
 * **xwiki:** Ldap group sync filter ([9aa907a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/9aa907a90996b7b4fe4addbd4ca9f0eae6f65aec))
 * **xwiki:** Update default XWiki configuration ([f13f39a](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/f13f39a0a0fe9748f12270e9c933c985919b8eda))
 * **xwiki:** Update Image to include XWiki 15.10.4 ([9ff6056](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/9ff605623c955d34dcccfdfb69c5b6245ab3f4fc))
 * **xwiki:** Update to 1.2.6 and add imagePullSecrets ([2d2455f](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/2d2455fdb347ec001e6a48a5a61dc9098a66e6d6))
 * **xwiki:** Verify against GPG key ([a0d5fb8](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/commit/a0d5fb895518aa28b6e69cffdcecde1fe2a53ceb))
 ## [0.5.73](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.72...v0.5.73) (2023-12-21)
--- a/README.md
+++ b/README.md
@@ -3,67 +3,61 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 -->
-![logo](./helmfile/environments/default/theme/logo_portal_background.svg)
+<h1>openDesk Deployment Automation</h1>
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 It features:
 - Fully integrated Identity Management (Univention)
 - File storage (Nextcloud)
 - Weboffice (Collabora)
 - Videoconference (Nordeck w/ Jitsi)
 - Chat and Collaboration (Element w/ Nordeck)
 - Groupware (OX Appsuite)
 - Wiki (XWiki)
 - Project Management (OpenProject)
 - Notes and Diagrams (Cryptpad)
 openDesk integrates these components and is working towards a seamless user experience.
 While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
 align the applications with the best practises regarding container design and operations.
 This documentation aims to give you all that is needed to set up your own instance of the openDesk.
 Basic knowledge of Kubernetes and Devops is required though.
 <!-- TOC -->
-* [Active development notice](#active-development-notice)
+* [Overview](#overview)
-* [Feedback](#feedback)
+* [Disclaimer](#disclaimer)
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
 * [Releases](#releases)
 * [Components](#components)
 * [Feedback](#feedback)
 * [License](#license)
 * [Copyright](#copyright)
 <!-- TOC -->
-# Active development notice
+# Overview
 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
 openDesk currently features the following functional main components:
 | Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
 | -------------------- | --------------------------- | --------------------- | ----------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
 | Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
 | Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
 | Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
 | Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
 This documentation aims to give you all that is needed to set up your own instance of the openDesk.
 Basic knowledge of Kubernetes and DevOps processes is required though.
 # Disclaimer
 openDesk will face breaking changes in the near future without upgrade paths before
 [technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.
 While most components support upgrades, major configuration or component changes may occur, therefore we recommend
-at the moment always installing from scratch.
+from scratch installations for now.
-Components that are going to be replaced soon are:
+In the next months, we not only expect to integrate upstream updates of the functional components to include their
- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
+most recent feature and security sets, but also to address operational topics like scalability for the openDesk
- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.
+platform.
-In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
+Of course, further development also includes enhancing the documentation itself.
 are also going to address operational issues like monitoring and network policies.
 Of course, further development also includes enhancing the documentation.
 # Feedback
 We love to get feedback from you!
 Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 # Requirements
@@ -93,16 +87,26 @@ The following release artefacts are provided beside the default source code asse
 - `chart-index.json`: An overview of all Helm charts used by the release.
 - `image-index.json`: An overview of all container images used by the release.
-⟶ Visit out detailed [Workflow](./docs/workflow.md) docs.
+⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
 # Components
 ⟶ Visit our detailed [Component](./docs/components.md) docs.
 # Feedback
 We love to get feedback from you!
 Related to the deployment / contents of this repository,
 please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
 If you want to address other topics, please check the section
 ["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).
 # License
 This project uses the following license: Apache-2.0
 # Copyright
-Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+
 Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
--- a/docs/components.md
+++ b/docs/components.md
@@ -58,12 +58,14 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
  OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
  Element-->|CentralNavigation|IntercomService
  IntercomService-->|SilentLogin, TokenExchange|IdP
  IntercomService-->|Filepicker|Nextcloud
  IntercomService-->|CentralNavigation|Portal
  OXAppSuiteBackend-->|Filepicker|Nextcloud
  Nextcloud-->|CentralNavigation|Portal
  OpenProject-->|CentralNavigation|Portal
  OpenProject-->|Filestore|Nextcloud
  XWiki-->|CentralNavigation|Portal
  Nextcloud-->|CentralContacts|OXAppSuiteBackend
  OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
@@ -124,7 +126,7 @@ flowchart TD
    A[OX AppSuite]-->L
    D[OX Dovecot]-->L
    P[Portal/Admin]-->L
-    X[XWiki]-->|in 2023|L
+    X[XWiki]-->L
    A-->K
    N-->K
    D-->K
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -0,0 +1,83 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Debugging</h1>
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
 * [Components](#components)
  * [MariaDB](#mariadb)
  * [Nextcloud](#nextcloud)
  * [OpenProject](#openproject)
  * [PostgreSQL](#postgresql)
 # Disclaimer
 This document collects information how to deal with debugging an openDesk deployment.
 It will be extended over time as we have to deal with debugging cases.
 We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
 information where available.
 **Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
 will find the various places changes are applied when enabling debugging. So outside of development and test
 environments you may want to make use of them in a very thoughtful and selective manner if needed.
 # Enable debugging
 Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
 component's loglevel to debug and it get some features like:
 - The `/admin` console is routed for Keycloak.
 - An ingress for `http://minio-console.<your_domain>` is configured.
 and set the loglevel for components to "Debug".
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 # Components
 ## MariaDB
 When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
 While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
 - `help`: Get help on the psql command set
 - `show databases`: Lists all databases
 - `use <databasename>`: Connect to `<databasename>`
 - `show tables`: Lists tables within the currently connected database
 - `quit`: Quit the client
 ## Nextcloud
 `occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
 You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
 ## OpenProject
 OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
 and run debug code like this:
 ```
 uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
 Net::HTTP.start(uri.host, uri.port,
  :use_ssl => uri.scheme == 'https') do |http|
  request = Net::HTTP::Get.new uri
  response = http.request request # Net::HTTPResponse object
 end
 ```
 ## PostgreSQL
 When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
 While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
 - `\?`: Get help on the psql command set
 - `\l`: Lists all databases
 - `\c <databasename>`: Connect to `<databasename>`
 - `\dt`: List (describe) tables within the currently connected database
 - `\q`: Quit the client
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -12,8 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
 * [Customize environment](#customize-environment)
  * [Domain](#domain)
    * [Apps](#apps)
-  * [Private Image registry](#private-image-registry)
+  * [Private registries](#private-registries)
  * [Private Helm registry](#private-helm-registry)
  * [Cluster capabilities](#cluster-capabilities)
    * [Service](#service)
    * [Networking](#networking)
@@ -127,58 +126,40 @@ jitsi:
  enabled: false
 ```
-## Private Image registry
+## Private registries
-By default, all OCI artifacts are proxied via the project's image registry, which should get replaced soon by the
+By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
-OCI registries provided by Open CoDE.
+in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
-You also can set your own registry by:
+For untouched upstream artefacts that do not belong to a functional component's core we use upstream registries
 like Docker Hub.
 Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry anyway you can configure such for
 [your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
 - `global.imageRegistry` for a private image registry and
 - `global.helmRegistry` for a private Helm chart registry.
 ```yaml
 global:
  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
 ```
-or via environments variable:
+alternatively you can use an environment variable:
 ```shell
 export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
 ```
 If authentication is required, you can reference imagePullSecrets as following:
 ```yaml
 global:
  imagePullSecrets:
    - "external-registry"
 ```
 ## Private Helm registry
 Some apps use OCI style registry and some use Helm chart museum style registries.
 In `helmfile/environments/default/charts.yaml` you can find all helm charts used and modify their registry, repository
 or version.
 As an example, you can also use helmfile methods to use just a single environment variable to set registry and
 authentication for all OCI helm charts.
 ```yaml
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ```
 There is a full example including http and OCI style registries in `examples/private-helm-registry.yaml.gotmpl`.
 The following environment variables have to be exposed when using the example:
 | Environment variable                | Description                                                                                |
 |-------------------------------------|--------------------------------------------------------------------------------------------|
 | `OD_PRIVATE_HELM_OCI_REGISTRY`      | Registry for OCI hosted helm charts, example: `external-registry.souvap-univention.de`     |
 | `OD_PRIVATE_HELM_HTTP_REGISTRY`     | Registry URI for http hosted helm charts, `https://external-registry.souvap-univention.de` |
 | `OD_PRIVATE_HELM_REGISTRY_USERNAME` | Username                                                                                   |
 | `OD_PRIVATE_HELM_REGISTRY_PASSWORD` | Password                                                                                   |
 ## Cluster capabilities
 ### Service
@@ -375,17 +356,12 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace
-# Get credentials from ConfigMap
+# Get ConfigMap with credentials
-kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}'
  | yq '.properties.username,.properties.password'
 # default.user
 # 40615..............................e9e2f
 # ---
 # default.admin
 # bdbbb..............................04db6
 ```
-Now you can log in with obtained credentials:
+Renders you a two part ConfigMap where the `username` and `password` attributes in the `properties`
 section provide you with the desired information to login with the two default user roles:
 | Username        | Password                                   | Description      |
 |-----------------|--------------------------------------------|------------------|
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -70,3 +70,4 @@ grafana:
 |:----------|-----------------------------------|-------------------------|---------------------|
 | Collabora | :white_check_mark:                | :white_check_mark:      | :white_check_mark:  |
 | Nextcloud | :white_check_mark:                | :x:                     | :x:                 |
 | Jitsi     | :white_check_mark:                | :x:                     | :white_check_mark:  |
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.
 <!-- TOC -->
-* [TL;DR;](#tldr)
+* [tl;dr](#tldr)
 * [Hardware](#hardware)
 * [Kubernetes](#kubernetes)
 * [Ingress controller](#ingress-controller)
@@ -17,7 +17,7 @@ This section covers the internal system requirements as well as external service
 * [Deployment](#deployment)
 <!-- TOC -->
-# TL;DR;
+# tl;dr
 openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -20,33 +20,38 @@ Verified positive effects are marke with a check-mark in `Scaling (verified)` co
 marked with a gear.
-| Component   | Name                                     | Scaling (effective) | Scaling (verified) |
+| Component        | Name                                     | Scaling (effective) | Scaling (verified) |
-|-------------|------------------------------------------|:-------------------:|:------------------:|
+|------------------|------------------------------------------|:-------------------:|:------------------:|
-| ClamAV      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
+| ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.freshclam`                     |         :x:         |        :x:         |
+|                  | `replicas.freshclam`                     |         :x:         |        :x:         |
-|             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
-| Collabora   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
+| Collabora        | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
-| CryptPad    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
+| CryptPad         | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
-| Dovecot     | `replicas.dovecot`                       |         :x:         |       :gear:       |
+| Dovecot          | `replicas.dovecot`                       |         :x:         |       :gear:       |
-| Element     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
+| Element          | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
-|             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
-|             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
-|             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
-|             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
+|                  | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
-|             | `replicas.synapse`                       |         :x:         |       :gear:       |
+|                  | `replicas.synapse`                       |         :x:         |       :gear:       |
-|             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
-|             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
+|                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Jitsi       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
+| Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
-|             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
+| Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
-|             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
-|             | `replicas.jvb `                          |         :x:         |        :x:         |
+|                  | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
-| Keycloak    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
+|                  | `replicas.jvb `                          |         :x:         |        :x:         |
-| Minio       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
+| Keycloak         | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
-| Nextcloud   | `replicas.nextcloud`                     | :white_check_mark:  |       :gear:       |
+| Memcached        | `replicas.memcached`                     |       :gear:        |       :gear:       |
-| OpenProject | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
+| Minio            | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Postfix     | `replicas.postfix`                       |         :x:         |       :gear:       |
+| Nextcloud        | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
-| XWiki       | `replicas.xwiki`                         |         :x:         |       :gear:       |
+|                  | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
 | OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
 | Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
 | Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
 | XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -0,0 +1,227 @@
 <!--
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Kubernetes Security Context</h1>
 * [Container Security Context](#container-security-context)
  * [allowPrivilegeEscalation](#allowprivilegeescalation)
  * [capabilities](#capabilities)
  * [privileged](#privileged)
  * [runAsUser](#runasuser)
  * [runAsGroup](#runasgroup)
  * [seccompProfile](#seccompprofile)
  * [readOnlyRootFilesystem](#readonlyrootfilesystem)
  * [runAsNonRoot](#runasnonroot)
 * [Status quo](#status-quo)
 # Container Security Context
 The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
 ## allowPrivilegeEscalation
 Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
 ```yaml
 containerSecurityContext:
  allowPrivilegeEscalation: false
 ```
 ## capabilities
 Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
 **Optimal:**
 ```yaml
 containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
 ```
 **Allowed:**
 ```yaml
 containerSecurityContext:
  capabilities:
    drop:
      - "ALL"
    add:
      - "NET_BIND_SERVICE"
 ```
 ## privileged
 Privileged Pods disable most security mechanisms and must be disallowed.
 ```yaml
 containerSecurityContext:
  privileged: false
 ```
 ## runAsUser
 Containers should set a user id >= 1000 and never use 0 (root) as user.
 ```yaml
 containerSecurityContext:
  runAsUser: 1000
 ```
 ## runAsGroup
 Containers should set a group id >= 1000 and never use 0 (root) as user.
 ```yaml
 containerSecurityContext:
  runAsGroup: 1000
 ```
 ## seccompProfile
 Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
 ```yaml
 containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"
 ```
 or
 ```yaml
 containerSecurityContext:
  seccompProfile:
    type: "Localhost"
 ```
 ## readOnlyRootFilesystem
 Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
 ```yaml
 containerSecurityContext:
  readOnlyRootFilesystem: true
 ```
 ## runAsNonRoot
 Containers must be required to run as non-root users.
 ```yaml
 containerSecurityContext:
  runAsNonRoot: true
 ```
 # Status quo
 openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
 The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
 This list gives you an overview of templated security settings and if they comply with security standards:
 - **yes**: Value is set to `true`
 - **no**: Value is set to `false`
 - **n/a**: No explicitly templated in openDesk and default is used.
 | process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
 | ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
 | **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
 | **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
 | **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
 | **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
 | **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
 | **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
 | **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
 | **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
 | **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
 | **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
 | **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
 | **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
 | **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
 | **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
 | **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
 | **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
 | **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
 | **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
 This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)
--- a/docs/security.md
+++ b/docs/security.md
@@ -15,104 +15,21 @@ This document should cover the current status of security measurements.
 # Helm Chart Trust Chain
-Helm Charts which are released via openDesk CI/CD process are always signed. The public GPG keys are present in
+Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
 `pubkey.gpg` file and are validated during helmfile installation.
-| Repository                           | OCI |     Verifiable     |
+For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
-|--------------------------------------|:---:|:------------------:|
+
-| bitnami-repo (openDesk build)        | yes | :white_check_mark: |
+All charts except the ones mentioned below are verifiable:
-| clamav-repo                          | yes | :white_check_mark: |
+
-| collabora-online-repo                | no  |        :x:         |
+| Repository        | Verifiable |
-| cryptpad-online-repo                 | no  |        :x:         |
+|-------------------|:----------:|
-| intercom-service-repo                | yes | :white_check_mark: |
+| open-xchange-repo |     no     |
 | istio-resources-repo                 | yes | :white_check_mark: |
 | jitsi-repo                           | yes | :white_check_mark: |
 | keycloak-extensions-repo             | no  |        :x:         |
 | mariadb-repo                         | yes | :white_check_mark: |
 | nextcloud-repo                       | no  |        :x:         |
 | opendesk-certificates-repo           | yes | :white_check_mark: |
 | opendesk-dovecot-repo                | yes | :white_check_mark: |
 | opendesk-element-repo                | yes | :white_check_mark: |
 | opendesk-keycloak-bootstrap-repo     | yes | :white_check_mark: |
 | opendesk-nextcloud-bootstrap-repo    | yes | :white_check_mark: |
 | opendesk-open-xchange-bootstrap-repo | yes | :white_check_mark: |
 | openproject-repo                     | yes | :white_check_mark: |
 | openxchange-repo                     | yes |        :x:         |
 | ox-connector-repo                    | no  |        :x:         |
 | postfix-repo                         | yes | :white_check_mark: |
 | postgresql-repo                      | yes | :white_check_mark: |
 | ums-repo                             | no  |        :x:         |
 | univention-keycloak-repo             | yes | :white_check_mark: |
 | univention-keycloak-bootstrap-repo   | yes | :white_check_mark: |
 | xwiki-repo                           | no  |        :x:         |
 # Kubernetes Security Enforcements
 This list gives you an overview of default security settings and if they comply with security standards:
-
+⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
 | Component                   | Process                      |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
 |-----------------------------|------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
 | ClamAV                      | clamd                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | freshclam                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | icap                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | milter                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
 | Collabora                   | collabora                    |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
 | CryptPad                    | npm                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
 | Dovecot                     | dovecot                      |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
 | Element                     | element                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |                             | synapse                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
 |                             | synapseWeb                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 |                             | wellKnown                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
 | IntercomService             | intercom-service             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 | Jitsi                       | jibri                        |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | jicofo                       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | jitsiKeycloakAdapter         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
 |                             | jvb                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | prosody                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | web                          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 | MariaDB                     | mariadb                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Memcached                   | memcached                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
 | Minio                       | minio                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 | Nextcloud                   | nextcloud                    |        :x:         |         :white_check_mark:         |                                                  :x: (`NET_BIND_SERVICE`, `SETGID`, `SETUID`)                                                  |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
 |                             | nextcloud-cron               |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
 |                             | opendesk-nextcloud-bootstrap |        :x:         |         :white_check_mark:         |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   33    |
 | Open-Xchange                | core-documentconverter       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
 |                             | core-guidedtours             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | core-imageconverter          |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
 |                             | core-mw-default              |        :x:         |                :x:                 |                                                                      :x:                                                                       |                :x:                |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | core-ui                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | core-ui-middleware           | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | core-ui-middleware-updater   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | core-user-guide              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | gotenberg                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | guard-ui                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | nextlcoud-integration-ui     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | public-sector-ui             | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 | OpenProject                 | openproject                  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | opendeskOpenprojectBootstrap | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 | Postfix                     | postfix                      |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 | PostgreSQL                  | postgresql                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 | Redis                       | redis                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
 | Univention Management Stack | keycloak                     |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | keycloakBootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | keycloakExtensionHandler     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | keycloakExtensionProxy       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
 |                             | ldap-notifier                |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | ldap-server                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | notifications-api            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | opendeskKeycloakBootstrap    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
 |                             | portal-frontend              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-listener              |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | portal-server                |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | selfservice-listener         |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | stack-gateway                | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
 |                             | store-dav                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | udm-rest-api                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | umc-gateway                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 |                             | umc-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
 | XWiki                       | xwiki                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
 |                             | xwiki initContainers         |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
 # NetworkPolicies
--- a/docs/theming.md
+++ b/docs/theming.md
@@ -53,7 +53,5 @@ theme:
 # Known limits
 Not all applications support theming. Known exceptions are:
  - Univention Corporate Container (should be superseded by the Univention Management Stack which has planned support
    for theming through the deployment).
  - OpenProject
  - Jitsi
--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -84,7 +84,7 @@ The below rendering in class diagram notation shows the three component classes
 **Note:** The methods prefixed with '-' are not yet available in `gitlab-config` you will learn about them later.
-```Mermaid
+```mermaid
 classDiagram
    Images <|-- Helm_charts
    Images <|-- Helmfile_based_deployment_automation
--- a/examples/private-helm-registry.yaml.gotmpl
+++ b/examples/private-helm-registry.yaml.gotmpl
@@ -1,261 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 charts:
  certificates:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamav:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  clamavSimple:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  collabora:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  cryptpad:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  dovecot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  element:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  elementWellKnown:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  intercomService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  istioResources:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  jitsi:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloak:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloakBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  opendeskKeycloakBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsKeycloakExtensions:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  mariadb:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeoboardWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeochoiseWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixBot:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixNeodatefixWidget:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  matrixUserVerificationService:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  memcached:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  minio:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloud:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nextcloudBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  nginx:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openproject:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openprojectBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuite:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  openXchangeAppSuiteBootstrap:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  otterize:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  oxConnector:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postfix:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  postgresql:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  redis:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapse:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseCreateAccount:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  synapseWeb:
   registry: {{ requiredEnv "OD_PRIVATE_HELM_OCI_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapNotifier:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsLdapServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsNotificationsApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalFrontend:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalListener:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsPortalServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataSwp:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStackDataUms:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsStoreDav:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUdmRestApi:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcGateway:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  umsUmcServer:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
  xwiki:
    registry: {{ requiredEnv "OD_PRIVATE_HELM_HTTP_REGISTRY" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_USERNAME" | quote }}
    username: {{ env "OD_PRIVATE_HELM_REGISTRY_PASSWORD" | quote }}
 ...
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -37,18 +37,15 @@ environments:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/dev/values.yaml"
+      - "helmfile/environments/dev/values.yaml.gotmpl"
      - "helmfile/environments/dev/values.gotmpl"
  test:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/test/values.yaml"
+      - "helmfile/environments/test/values.yaml.gotmpl"
      - "helmfile/environments/test/values.gotmpl"
  prod:
    values:
      - "helmfile/environments/default/*.gotmpl"
      - "helmfile/environments/default/*.yaml"
-      - "helmfile/environments/prod/values.yaml"
+      - "helmfile/environments/prod/values.yaml.gotmpl"
      - "helmfile/environments/prod/values.gotmpl"
 ...
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -8,18 +8,20 @@ repositories:
  # Collabora Online
  # Source: https://github.com/CollaboraOnline/online
  - name: "collabora-online-repo"
-    username: {{ .Values.charts.collabora.username | quote }}
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
-    password: {{ .Values.charts.collabora.password | quote }}
+    verify: {{ .Values.charts.collabora.verify }}
-    oci: {{ .Values.charts.collabora.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
      {{ .Values.charts.collabora.repository }}"
 releases:
  - name: "collabora-online"
    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
    version: "{{ .Values.charts.collabora.version }}"
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.collabora.enabled }}
 commonLabels:
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -1,59 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "Prefix"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 collabora:
  # Admin Console Credentials: https://CODE-domain/browser/dist/admin/admin.html
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
 grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
 ...
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -1,16 +1,37 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+{{/*
-# SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
-# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/README.md or
+autoscaling:
-# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/collabora-online/values.yaml
+  enabled: false
 fullnameOverride: "collabora"
 image:
  pullPolicy: "IfNotPresent"
 collabora:
  extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 fullnameOverride: "collabora"
 grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
      {{- toYaml .Values.grafana.dashboards.labels | nindent 6 }}
    annotations:
      {{- toYaml .Values.grafana.dashboards.annotations | nindent 6 }}
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  annotations:
@@ -50,11 +71,35 @@ ingress:
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
-autoscaling:
+  enabled: {{ .Values.ingress.enabled }}
-  enabled: false
+  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "Prefix"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
-serviceAccount:
+podSecurityContext:
-  create: true
+  fsGroup: 100
 prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
      {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
 replicaCount: {{ .Values.replicas.collabora }}
 resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: true
@@ -81,7 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-
+  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
-podSecurityContext:
+serviceAccount:
-  fsGroup: 100
+  create: true
 ...
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -8,18 +8,19 @@ repositories:
  # CryptPad
  # Source: https://github.com/cryptpad/helm
  - name: "cryptpad-repo"
-    username: {{ .Values.charts.cryptpad.username | quote }}
+    keyring: "../../files/gpg-pubkeys/xwiki-com.gpg"
-    password: {{ .Values.charts.cryptpad.password | quote }}
+    verify: {{ .Values.charts.cryptpad.verify }}
-    oci: {{ .Values.charts.cryptpad.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
 releases:
  - name: "cryptpad"
    chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.cryptpad.enabled }}
 commonLabels:
--- a/helmfile/apps/cryptpad/values.gotmpl
+++ b/helmfile/apps/cryptpad/values.gotmpl
@@ -1,33 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
  tag: {{ .Values.images.cryptpad.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "ImplementationSpecific"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
 replicaCount: {{ .Values.replicas.cryptpad }}
 resources:
  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -22,9 +22,30 @@ enableEmbedding: true
 fullnameOverride: "cryptpad"
 image:
  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
  tag: {{ .Values.images.cryptpad.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  annotations:
    nginx.org/websocket-services: "cryptpad"
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "ImplementationSpecific"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
 persistence:
  enabled: false
@@ -32,20 +53,28 @@ persistence:
 podSecurityContext:
  fsGroup: 4001
 replicaCount: {{ .Values.replicas.cryptpad }}
 resources:
  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  # readOnlyRootFilesystem: true
+  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}
 serviceAccount:
  create: true
 workloadStateful: false
 ...
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -8,79 +8,79 @@ repositories:
  # openDesk Element
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-element
  - name: "element-repo"
    oci: {{ .Values.charts.element.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.element.verify }}
-    username: {{ .Values.charts.element.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.element.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    oci: {{ .Values.charts.elementWellKnown.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
-    username: {{ .Values.charts.elementWellKnown.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.elementWellKnown.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    oci: {{ .Values.charts.synapseWeb.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
-    username: {{ .Values.charts.synapseWeb.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapseWeb.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    oci: {{ .Values.charts.synapse.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
-    username: {{ .Values.charts.synapse.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapse.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    oci: {{ .Values.charts.synapseCreateAccount.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
-    username: {{ .Values.charts.synapseCreateAccount.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.synapseCreateAccount.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
  - name: "matrix-user-verification-service-repo"
    oci: {{ .Values.charts.matrixUserVerificationService.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixUserVerificationService.verify }}
-    username: {{ .Values.charts.matrixUserVerificationService.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixUserVerificationService.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixUserVerificationService.registry }}/\
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    oci: {{ .Values.charts.matrixNeoboardWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
-    username: {{ .Values.charts.matrixNeoboardWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeoboardWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    oci: {{ .Values.charts.matrixNeodatefixWidget.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
-    username: {{ .Values.charts.matrixNeodatefixWidget.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeodatefixWidget.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    oci: {{ .Values.charts.matrixNeodatefixBot.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
-    username: {{ .Values.charts.matrixNeodatefixBot.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.matrixNeodatefixBot.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
 releases:
@@ -88,8 +88,7 @@ releases:
    chart: "element-repo/{{ .Values.charts.element.name }}"
    version: "{{ .Values.charts.element.version }}"
    values:
-      - "values-element.yaml"
+      - "values-element.yaml.gotmpl"
      - "values-element.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -97,8 +96,7 @@ releases:
    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
-      - "values-well-known.yaml"
+      - "values-well-known.yaml.gotmpl"
      - "values-well-known.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -106,8 +104,7 @@ releases:
    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
-      - "values-synapse-web.yaml"
+      - "values-synapse-web.yaml.gotmpl"
      - "values-synapse-web.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -115,8 +112,7 @@ releases:
    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
    version: "{{ .Values.charts.synapse.version }}"
    values:
-      - "values-synapse.yaml"
+      - "values-synapse.yaml.gotmpl"
      - "values-synapse.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -124,8 +120,7 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
      - "values-matrix-user-verification-service-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -133,8 +128,7 @@ releases:
    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
-      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.yaml.gotmpl"
      - "values-matrix-user-verification-service.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -142,8 +136,7 @@ releases:
    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
-      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.yaml.gotmpl"
      - "values-matrix-neoboard-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -151,8 +144,7 @@ releases:
    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
-      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.yaml.gotmpl"
      - "values-matrix-neochoice-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -160,8 +152,7 @@ releases:
    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
-      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.yaml.gotmpl"
      - "values-matrix-neodatefix-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -169,8 +160,7 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
@@ -178,8 +168,7 @@ releases:
    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
-      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.yaml.gotmpl"
      - "values-matrix-neodatefix-bot.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900
--- a/helmfile/apps/element/values-element.yaml
+++ b/helmfile/apps/element/values-element.yaml
@@ -1,21 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,17 +1,8 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  endToEndEncryption: false
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -106,9 +97,31 @@ configuration:
  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
  repository: {{ .Values.images.element.repository | quote }}
  tag: {{ .Values.images.element.tag | quote }}
@@ -120,11 +133,16 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.element }}
 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml
@@ -1,21 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,11 +1,23 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +25,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoBoardWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoBoardWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoBoardWidget.tag | quote }}
@@ -23,11 +36,16 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}
 resources:
  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml
@@ -1,21 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,11 +1,23 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +25,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoChoiceWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoChoiceWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoChoiceWidget.tag | quote }}
@@ -23,11 +36,16 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.gotmpl
@@ -1,23 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
@@ -1,8 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  username: "meetings-bot"
  pod: "opendesk-synapse-0"
  secretName: "matrix-neodatefix-bot-account"
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -0,0 +1,40 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "meetings-bot"
  pod: "opendesk-synapse-0"
  secretName: "matrix-neodatefix-bot-account"
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "matrix-neodatefix-bot-bootstrap"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
@@ -1,37 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 persistence:
  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 resources:
  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
@@ -1,50 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  bot:
    username: "meetings-bot"
    displayname: "Terminplaner Bot"
  strings:
    breakoutSessionWidgetName: "Breakoutsessions"
    calendarRoomName: "Terminplaner"
    calendarWidgetName: "Terminplaner"
    cockpitWidgetName: "Meeting Steuerung"
    jitsiWidgetName: "Videokonferenz"
    matrixNeoBoardWidgetName: "Whiteboard"
    matrixNeoChoiceWidgetName: "Abstimmungen"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 extraEnvVars:
  - name: "ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
 # TODO: The health endpoint does not work with the haproxy configuration, yet
 livenessProbe:
  enabled: false
 podSecurityContext:
  enabled: true
  fsGroup: 101
 # TODO: The health endpoint does not work with the haproxy configuration, yet
 readinessProbe:
  enabled: false
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -0,0 +1,81 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 configuration:
  bot:
    username: "meetings-bot"
    displayname: "Terminplaner Bot"
  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  strings:
    breakoutSessionWidgetName: "Breakoutsessions"
    calendarRoomName: "Terminplaner"
    calendarWidgetName: "Terminplaner"
    cockpitWidgetName: "Meeting Steuerung"
    jitsiWidgetName: "Videokonferenz"
    matrixNeoBoardWidgetName: "Whiteboard"
    matrixNeoChoiceWidgetName: "Abstimmungen"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
 extraEnvVars:
  - name: "ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "matrix-neodatefix-bot-account"
        key: "access_token"
  - name: "ENABLE_CRYPTO"
    value: "false"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 livenessProbe:
  enabled: true
 persistence:
  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 readinessProbe:
  enabled: true
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
 resources:
  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
@@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  bot:
    username: "meetings-bot"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,11 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  bot:
    username: "meetings-bot"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,6 +29,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixWidget.registry | quote }}
  repository: {{ .Values.images.matrixNeoDateFixWidget.repository | quote }}
  tag: {{ .Values.images.matrixNeoDateFixWidget.tag | quote }}
@@ -23,11 +40,16 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
-theme:
+podSecurityContext:
-  {{ .Values.theme | toYaml | nindent 2 }}
+  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}
 resources:
  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
@@ -1,23 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
@@ -1,8 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  username: "uvs"
  pod: "opendesk-synapse-0"
  secretName: "opendesk-matrix-user-verification-service-account"
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -0,0 +1,39 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 configuration:
  username: "uvs"
  pod: "opendesk-synapse-0"
  secretName: "opendesk-matrix-user-verification-service-account"
  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
@@ -1,23 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 resources:
  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml
@@ -1,31 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  # TODO: the service can't run with read only filesystem or as non-root
  # readOnlyRootFilesystem: true
  # runAsGroup: 101
  # runAsNonRoot: true
  # runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "opendesk-matrix-user-verification-service-account"
        key: "access_token"
  - name: "UVS_DISABLE_IP_BLACKLIST"
    value: "true"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -0,0 +1,50 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
 extraEnvVars:
  - name: "UVS_ACCESS_TOKEN"
    valueFrom:
      secretKeyRef:
        name: "opendesk-matrix-user-verification-service-account"
        key: "access_token"
  - name: "UVS_DISABLE_IP_BLACKLIST"
    value: "true"
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
 resources:
  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ b/helmfile/apps/element/values-synapse-web.yaml
@@ -1,21 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,11 +1,23 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,7 +25,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseWeb.registry | quote }}
  repository: {{ .Values.images.synapseWeb.repository | quote }}
  tag: {{ .Values.images.synapseWeb.tag | quote }}
@@ -25,8 +37,13 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.synapseWeb }}
 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -1,47 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  additionalConfiguration:
    user_directory:
      enabled: true
      search_all_users: true
    room_prejoin_state:
      additional_event_types:
        - "m.space.parent"
        - "net.nordeck.meetings.metadata"
        - "m.room.power_levels"
    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
    rc_login:
      account:
        per_second: 2
        burst_count: 8
      address:
        per_second: 2
        burst_count: 12
  homeserver:
    guestModule:
      enabled: true
    oidc:
      clientId: "opendesk-matrix"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10991
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 10991
 ...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,23 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.synapse.repository | quote }}
  tag: {{ .Values.images.synapse.tag | quote }}
 configuration:
  additionalConfiguration:
    user_directory:
      enabled: true
      search_all_users: true
    room_prejoin_state:
      additional_event_types:
        - "m.space.parent"
        - "net.nordeck.meetings.metadata"
        - "m.room.power_levels"
    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
    rc_login:
      account:
        per_second: 2
        burst_count: 8
      address:
        per_second: 2
        burst_count: 12
  database:
    host: {{ .Values.databases.synapse.host | quote }}
    name: {{ .Values.databases.synapse.name | quote }}
@@ -37,6 +41,7 @@ configuration:
        sender_localpart: intercom-service
    oidc:
      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
@@ -54,18 +59,56 @@ configuration:
        {{- end }}
    guestModule:
      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-        registry: {{ .Values.global.imageRegistry | quote }}
+        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10991
  runAsGroup: 10991
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
  repository: {{ .Values.images.synapse.repository | quote }}
  tag: {{ .Values.images.synapse.tag | quote }}
 persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 10991
 readinessProbe:
  initialDelaySeconds: 15
  periodSeconds: 5
 replicaCount: {{ .Values.replicas.synapse }}
 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 configuration:
  e2ee:
    forceDisable: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
 podSecurityContext:
  enabled: true
  fsGroup: 101
 ...
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,11 +1,27 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 configuration:
  e2ee:
    forceDisable: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  readOnlyRootFilesystem: true
  runAsGroup: 101
  runAsNonRoot: true
  runAsUser: 101
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
@@ -13,7 +29,7 @@ global:
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.wellKnown.registry | quote }}
  repository: {{ .Values.images.wellKnown.repository | quote }}
  tag: {{ .Values.images.wellKnown.tag | quote }}
@@ -25,8 +41,13 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 101
 replicaCount: {{ .Values.replicas.wellKnown }}
 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -8,20 +8,19 @@ repositories:
  # Intercom Service
  # Source: https://gitlab.souvap-univention.de/souvap/tooling/charts/intercom-service
  - name: "intercom-service-repo"
    oci: {{ .Values.charts.intercomService.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.intercomService.verify }}
-    username: {{ .Values.charts.intercomService.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.intercomService.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
 releases:
  - name: "intercom-service"
    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
    version: "{{ .Values.charts.intercomService.version }}"
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.intercom.enabled }}
 commonLabels:
--- a/helmfile/apps/intercom-service/values.yaml
+++ b/helmfile/apps/intercom-service/values.yaml
@@ -1,26 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 ics:
  oidc:
    id: "opendesk-intercom"
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,10 +1,22 @@
-{{/*
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
@@ -20,6 +32,7 @@ ics:
  default:
    domain: {{ .Values.global.domain | quote }}
  oidc:
    id: "opendesk-intercom"
    secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
  matrix:
    asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -34,12 +47,14 @@ ics:
    port: {{ .Values.cache.intercomService.port }}
    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
  openxchange:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
    audience: "opendesk-nextcloud"
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.intercom.registry | quote }}
  repository: {{ .Values.images.intercom.repository | quote }}
  tag: {{ .Values.images.intercom.tag | quote }}
@@ -51,6 +66,14 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "Always"
 replicaCount: {{ .Values.replicas.intercomService }}
 resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -8,19 +8,19 @@ repositories:
  # openDesk Jitsi
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-jitsi
  - name: "jitsi-repo"
    oci: {{ .Values.charts.jitsi.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.jitsi.verify }}
-    username: {{ .Values.charts.jitsi.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.jitsi.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
 releases:
  - name: "jitsi"
    chart: "jitsi-repo/{{ .Values.charts.jitsi.name }}"
    version: "{{ .Values.charts.jitsi.version }}"
    values:
-      - "values-jitsi.gotmpl"
+      - "values-jitsi.yaml.gotmpl"
    installed: {{ .Values.jitsi.enabled }}
    timeout: 900
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -5,18 +5,32 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  readOnlyRootFilesystem: true
  privileged: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiKeycloakAdapter.registry | quote }}
  repository: {{ .Values.images.jitsiKeycloakAdapter.repository | quote }}
  tag: {{ .Values.images.jitsiKeycloakAdapter.tag | quote }}
@@ -33,7 +47,7 @@ jitsi:
  web:
    replicaCount: {{ .Values.replicas.jitsi }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsi.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jitsi.registry }}/{{ .Values.images.jitsi.repository }}"
      tag: {{ .Values.images.jitsi.tag | quote }}
    ingress:
      enabled: {{ .Values.ingress.enabled }}
@@ -50,9 +64,21 @@ jitsi:
      TURN_ENABLE: "1"
    resources:
      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
  prosody:
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.prosody.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
      tag: {{ .Values.images.prosody.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
@@ -86,20 +112,44 @@ jitsi:
    persistence:
      size: {{ .Values.persistence.size.prosody | quote }}
      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jicofo.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jicofo.registry }}/{{ .Values.images.jicofo.repository }}"
      tag: {{ .Values.images.jicofo.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jicofoAuthPassword | quote }}
      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
    resources:
      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jvb.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jvb.registry }}/{{ .Values.images.jvb.repository }}"
      tag: {{ .Values.images.jvb.tag | quote }}
    xmpp:
      password: {{ .Values.secrets.jitsi.jvbAuthPassword | quote }}
@@ -107,10 +157,38 @@ jitsi:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: {{ .Values.cluster.service.type | quote }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
    metrics:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      image:
        repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jitsiExporter.repository }}"
        tag: {{ .Values.images.jitsiExporter.tag }}
      serviceMonitor:
        enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
        selector:
          {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 10 }}
      grafanaDashboards:
        enabled: {{ .Values.grafana.dashboards.enabled }}
        labels:
          {{- toYaml .Values.grafana.dashboards.labels | nindent 10 }}
        annotations:
          {{- toYaml .Values.grafana.dashboards.annotations | nindent 10 }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
-      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.jibri.repository }}"
+      repository: "{{ .Values.global.imageRegistry | default .Values.images.jibri.registry }}/{{ .Values.images.jibri.repository }}"
      tag: {{ .Values.images.jibri.tag | quote }}
    recorder:
      password: {{ .Values.secrets.jitsi.jibriRecorderPassword | quote }}
@@ -118,6 +196,10 @@ jitsi:
      password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
    resources:
      {{ .Values.resources.jibri | toYaml | nindent 6 }}
    securityContext:
      # Chart does not allow to template more
      capabilities:
        add: ["SYS_ADMIN"]
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
@@ -127,9 +209,23 @@ patchJVB:
  configuration:
    staticLoadbalancerIP: {{ .Values.cluster.networking.ingressGatewayIP | quote }}
    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    readOnlyRootFilesystem: true
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    registry: {{ .Values.global.imageRegistry | quote }}
+    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
    repository: {{ .Values.images.jitsiPatchJVB.repository | quote }}
    tag: {{ .Values.images.jitsiPatchJVB.tag | quote }}
 replicaCount: {{ .Values.replicas.jitsiKeycloakAdapter }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -5,46 +5,41 @@ bases:
  - "../../bases/environments.yaml"
 ---
 repositories:
  # openDesk Keycloak Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/sovereign-workplace-nextcloud-bootstrap
  - name: "nextcloud-bootstrap-repo"
    oci: {{ .Values.charts.nextcloudBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.nextcloudBootstrap.verify }}
    username: {{ .Values.charts.nextcloudBootstrap.username | quote }}
    password: {{ .Values.charts.nextcloudBootstrap.password | quote }}
    url: "{{ .Values.charts.nextcloudBootstrap.registry }}/{{ .Values.charts.nextcloudBootstrap.repository }}"
  # Nextcloud
-  # Source: https://github.com/nextcloud/helm/
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-nextcloud
  - name: "nextcloud-management-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloudManagement.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
-    oci: {{ .Values.charts.nextcloud.oci }}
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    username: {{ .Values.charts.nextcloud.username | quote }}
+    verify: {{ .Values.charts.nextcloud.verify }}
-    password: {{ .Values.charts.nextcloud.password | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    url: "{{ .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
 releases:
-  - name: "opendesk-nextcloud-bootstrap"
+  - name: "opendesk-nextcloud-management"
-    chart: "nextcloud-bootstrap-repo/{{ .Values.charts.nextcloudBootstrap.name }}"
+    chart: "nextcloud-repo/{{ .Values.charts.nextcloudManagement.name }}"
-    version: "{{ .Values.charts.nextcloudBootstrap.version }}"
+    version: "{{ .Values.charts.nextcloudManagement.version }}"
    wait: true
    waitForJobs: true
    values:
-      - "values-bootstrap.gotmpl"
+      - "values-nextcloud-mgmt.yaml.gotmpl"
-      - "values-bootstrap.yaml"
+    waitForJobs: true
    wait: true
    installed: {{ .Values.nextcloud.enabled }}
    timeout: 900
-
+  - name: "opendesk-nextcloud"
  - name: "nextcloud"
    chart: "nextcloud-repo/{{ .Values.charts.nextcloud.name }}"
    version: "{{ .Values.charts.nextcloud.version }}"
    needs:
      - "opendesk-nextcloud-bootstrap"
    values:
-      - "values-nextcloud.gotmpl"
+      - "values-nextcloud.yaml.gotmpl"
-      - "values-nextcloud.yaml"
+    needs:
      - "opendesk-nextcloud-management"
    installed: {{ .Values.nextcloud.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "component-1"
--- a/helmfile/apps/nextcloud/values-bootstrap.gotmpl
+++ b/helmfile/apps/nextcloud/values-bootstrap.gotmpl
@@ -1,82 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  istioDomain: {{ .Values.istio.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 config:
  administrator:
    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
  apps:
    integrationSwp:
      password: {{ .Values.secrets.centralnavigation.apiKey | quote }}
    userOidc:
      password: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
      realm: {{ .Values.platform.realm }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    name: {{ .Values.databases.nextcloud.name | quote }}
    user: {{ .Values.databases.nextcloud.username | quote }}
    password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  ldapSearch:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  smtp:
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
    username: {{ .Values.smtp.username | quote }}
    password: {{ .Values.smtp.password | quote }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.nextcloud.repository | quote }}
  tag: {{ .Values.images.nextcloud.tag | quote }}
 persistence:
  {{- if .Values.cluster.persistence.readWriteMany.enabled }}
  accessModes:
    - "ReadWriteMany"
  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
  {{- else }}
  accessModes:
    - "ReadWriteOnce"
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  {{- end }}
  size:
    main: {{ .Values.persistence.size.nextcloud.main | quote }}
    data: {{ .Values.persistence.size.nextcloud.data | quote }}
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-bootstrap.yaml
+++ b/helmfile/apps/nextcloud/values-bootstrap.yaml
@@ -1,30 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 config:
  administrator:
    username: "nextcloud"
  apps:
    integrationSwp:
      username: "opendesk_username"
    userOidc:
      username: "opendesk-nextcloud"
      userIdAttribute: "opendesk_useruuid"
  cryptpad:
    enabled: true
 containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: false
 podSecurityContext:
  enabled: true
  fsGroup: 33
  fsGroupChangePolicy: "Always"
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -0,0 +1,107 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  istioDomain: {{ .Values.istio.domain }}
 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
 configuration:
  administrator:
    username: "nextcloud"
    password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
  antivirus:
    {{- if .Values.clamavDistributed.enabled }}
    host: "clamav-icap"
    {{- else if .Values.clamavSimple.enabled }}
    host: "clamav-simple"
    {{- end }}
  cache:
    auth:
      enabled: true
      username:
        value: "default"
      password:
        value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
    host: {{ .Values.cache.nextcloud.host | quote }}
    port: {{ .Values.cache.nextcloud.port | quote }}
  database:
    host: {{ .Values.databases.nextcloud.host | quote }}
    port: {{ .Values.databases.nextcloud.port | quote }}
    auth:
      username:
        value: "nextcloud_user"
      password:
        value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  ldap:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
  objectstore:
    auth:
      accessKey:
        value: "nextcloud_user"
      secretKey:
        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
    password:
      value: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
  opendeskIntegration:
    username:
      value: "opendesk_username"
    password:
      value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  smtp:
    auth:
      username:
        value: {{ .Values.smtp.username | quote }}
      password:
        value: {{ .Values.smtp.password | quote }}
    host: {{ .Values.smtp.host | quote }}
    port: {{ .Values.smtp.port | quote }}
  serverinfo:
    token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 65532
  runAsGroup: 65532
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
 debug:
  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
  repository: "{{ .Values.images.nextcloudManagement.repository }}"
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloudManagement.tag | quote }}
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}
 resources:
  {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.gotmpl
@@ -1,63 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 nextcloud:
  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  username: "nextcloud"
  password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 externalDatabase:
  database: {{ .Values.databases.nextcloud.name | quote }}
  user: {{ .Values.databases.nextcloud.username | quote }}
  host: {{ .Values.databases.nextcloud.host | quote }}
  password: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
 extraEnv:
  REDIS_HOST: {{ .Values.cache.nextcloud.host | quote }}
  REDIS_HOST_PORT: {{ .Values.cache.nextcloud.port | quote }}
  REDIS_HOST_PASSWORD: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 redis:
  auth:
    enabled: true
    password: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
 ingress:
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 image:
  repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloud.repository }}"
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.nextcloud.tag | quote }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 metrics:
  enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
  https: true
  token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  image:
    repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.nextcloudExporter.repository }}"
    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
    pullSecrets:
      {{- toYaml .Values.global.imagePullSecrets | nindent 4 }}
  serviceMonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
  resources:
    {{ .Values.resources.nextcloudMetrics | toYaml | nindent 4 }}
 {{- if .Values.cluster.persistence.readWriteMany.enabled }}
 replicaCount: {{ .Values.replicas.nextcloud }}
 {{- else }}
 replicaCount: 1
 {{- end }}
 resources:
  {{ .Values.resources.nextcloud | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml
@@ -1,77 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 persistence:
  enabled: true
  existingClaim: "nextcloud-main"
  nextcloudData:
    enabled: true
    existingClaim: "nextcloud-data"
 redis:
  enabled: false
 cronjob:
  enabled: true
  lifecycle:
    postStartCommand:
      - "sh"
      - "-c"
      - >
        sed -i "s/\*\/5 \* \* \* \* php -f \/var\/www\/html\/cron.php/\*\/1 \* \* \* \* php -f
        \/var\/www\/html\/cron.php/g" /var/spool/cron/crontabs/www-data
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
 ingress:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
    nginx.org/client-max-body-size: "4G"
 internalDatabase:
  enabled: false
 postgresql:
  enabled: false
 mariadb:
  enabled: false
 externalDatabase:
  enabled: true
  # The nextcloud helm chart provides a sub-chart for mariadb.
  # If we use mariadb as a sub-chart it's linked to nextcloud,
  # and it is not independent anymore. Since externalDatabase.type
  # allows just mysql or postgres, mysql is chosen to connect
  # to the mariadb:
  type: "mysql"
 nextcloud:
  configs:
    mimetypealiases.json: |-
      {
        "application/x-drawio": "image"
      }
    mimetypemapping.json: |-
      {
        "drawio": ["application/x-drawio"]
      }
  podSecurityContext:
    fsGroup: 33
    seccompProfile:
      type: "RuntimeDefault"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
      add:
        - "NET_BIND_SERVICE"
        - "SETGID"
        - "SETUID"
 # this is not documented but can be found in values.yaml
 service:
  port: "80"
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -0,0 +1,136 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 exporter:
  enabled: true
  configuration:
    token:
      value: {{ .Values.secrets.nextcloud.metricsToken | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudExporter.tag | quote }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
  replicas: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
 php:
  additionalAnnotations:
    intents.otterize.com/service-name: "opendesk-nextcloud-php"
  configuration:
    cache:
      auth:
        enabled: true
        username:
          value: "default"
        password:
          value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
      host: {{ .Values.cache.nextcloud.host | quote }}
      port: {{ .Values.cache.nextcloud.port | quote }}
    database:
      host: {{ .Values.databases.nextcloud.host | quote }}
      port: {{ .Values.databases.nextcloud.port | quote }}
      auth:
        username:
          value: "nextcloud_user"
        password:
          value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
  cron:
    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
  debug:
    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudPHP.tag | quote }}
  prometheus:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
  replicas: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
 apache2:
  configuration:
    php:
      host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
    tls:
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudApache2.registry | quote }}
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
  replicas: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -8,29 +8,29 @@ repositories:
  # openDesk Dovecot
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
  - name: "dovecot-repo"
    oci: {{ .Values.charts.dovecot.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
-    username: {{ .Values.charts.dovecot.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.dovecot.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
  # Open-Xchange
  - name: "open-xchange-repo"
-    oci: {{ .Values.charts.openXchangeAppSuite.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.openXchangeAppSuite.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.openXchangeAppSuite.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    oci: {{ .Values.charts.openXchangeAppSuiteBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
-    username: {{ .Values.charts.openXchangeAppSuiteBootstrap.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openXchangeAppSuiteBootstrap.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"
 releases:
@@ -38,8 +38,7 @@ releases:
    chart: "dovecot-repo/{{ .Values.charts.dovecot.name }}"
    version: "{{ .Values.charts.dovecot.version }}"
    values:
-      - "values-dovecot.yaml"
+      - "values-dovecot.yaml.gotmpl"
      - "values-dovecot.gotmpl"
    installed: {{ .Values.dovecot.enabled }}
    timeout: 900
@@ -47,10 +46,8 @@ releases:
    chart: "open-xchange-repo/{{ .Values.charts.openXchangeAppSuite.name }}"
    version: "{{ .Values.charts.openXchangeAppSuite.version }}"
    values:
-      - "values-openxchange.yaml"
+      - "values-openxchange.yaml.gotmpl"
-      - "values-openxchange.gotmpl"
+      - "values-openxchange-enterprise-contact-picker.yaml.gotmpl"
      - "values-openxchange-enterprise-contact-picker.yaml"
      - "values-openxchange-enterprise-contact-picker.gotmpl"
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
@@ -58,7 +55,7 @@ releases:
    chart: "open-xchange-bootstrap-repo/{{ .Values.charts.openXchangeAppSuiteBootstrap.name }}"
    version: "{{ .Values.charts.openXchangeAppSuiteBootstrap.version }}"
    values:
-      - "values-openxchange-bootstrap.gotmpl"
+      - "values-openxchange-bootstrap.yaml.gotmpl"
    installed: {{ .Values.oxAppsuite.enabled }}
    timeout: 900
--- a/helmfile/apps/open-xchange/values-dovecot.yaml
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml
@@ -1,41 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "KILL"
      - "NET_BIND_SERVICE"
      - "SETGID"
      - "SETUID"
      - "SYS_CHROOT"
  enabled: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
 dovecot:
  ldap:
    enabled: true
    port: 389
    base: "dc=swp-ldap,dc=internal"
  oidc:
    enabled: true
    clientID: "opendesk-dovecot"
    usernameAttribute: "opendesk_username"
  submission:
    enabled: true
    ssl: "no"
    host: "postfix:25"
 podSecurityContext:
  enabled: true
  fsGroup: 1000
 ...
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.dovecot.registry | quote }}
-  url: {{ .Values.images.dovecot.repository | quote }}
+  repository: {{ .Values.images.dovecot.repository | quote }}
  tag: {{ .Values.images.dovecot.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -18,16 +18,28 @@ dovecot:
  mailDomain: {{ .Values.global.domain | quote }}
  password: {{ .Values.secrets.dovecot.doveadm | quote }}
  ldap:
-    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
+    enabled: true
    host: {{ .Values.ldap.host | quote }}
    port: 389
    base: "dc=swp-ldap,dc=internal"
    dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
  oidc:
    enabled: true
    clientID: "opendesk-dovecot"
    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
    introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
    introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+    usernameAttribute: "opendesk_username"
    clientID: "opendesk-dovecot"
  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
  submission:
    enabled: true
    ssl: "no"
    host: "postfix:25"
 certificate:
  secretName: {{ .Values.ingress.tls.secretName | quote }}
@@ -37,6 +49,29 @@ replicaCount: {{ .Values.replicas.dovecot }}
 replicaCount: 1
 {{- end }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "KILL"
      - "NET_BIND_SERVICE"
      - "SETGID"
      - "SETUID"
      - "SYS_CHROOT"
  enabled: true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}
 podSecurityContext:
  enabled: true
  fsGroup: 1000
 persistence:
  {{- if .Values.cluster.persistence.readWriteMany.enabled }}
  storageClassName: {{ .Values.persistence.storageClassNames.RWX | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl
@@ -8,7 +8,7 @@ cleanup:
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
 image:
-  registry: {{ .Values.global.imageRegistry | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}
  url: {{ .Values.images.openxchangeBootstrap.repository | quote }}
  tag: {{ .Values.images.openxchangeBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.gotmpl
@@ -1,18 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 appsuite:
  core-mw:
    secretYAMLFiles:
      ldap-client-config.yml:
        contactsLdapClient:
          pool:
            host:
              address: {{ .Values.ldap.host | quote }}
              port: 389
          auth:
            adminDN:
              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl
@@ -16,10 +16,14 @@ appsuite:
        contactsLdapClient:
          pool:
            type: "simple"
            host:
              address: {{ .Values.ldap.host | quote }}
              port: 389
          auth:
            type: "adminDN"
            adminDN:
              dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
    uiSettings:
      # Enterprise contact picker
--- a/helmfile/apps/open-xchange/values-openxchange.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.gotmpl
@@ -1,214 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imageRegistry: {{ .Values.global.imageRegistry | quote }}
  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  mysql:
    host: {{ .Values.databases.oxAppsuite.host | quote }}
    database: {{ .Values.databases.oxAppsuite.name | quote }}
    auth:
      user: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 istio:
  enabled: {{ .Values.istio.enabled }}
 nextcloud-integration-ui:
  image:
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
 public-sector-ui:
  image:
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
 appsuite:
  istio:
    enabled: {{ .Values.istio.enabled }}
    ingressGateway:
      hosts:
        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    virtualServices:
      appsuite:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      dav:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  core-mw:
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    gotenberg:
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
      {{- end }}
      image:
        repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
    properties:
      "com.openexchange.oauth.provider.jwt.jwksUri": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      "com.openexchange.oauth.provider.allowedIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      "com.openexchange.authentication.oauth.tokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      "com.openexchange.authentication.oauth.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      "com.openexchange.oidc.rpRedirectURIAuth": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
      "com.openexchange.oidc.opAuthorizationEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      "com.openexchange.oidc.opTokenEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      "com.openexchange.oidc.opIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      "com.openexchange.oidc.opJwkSetEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      "com.openexchange.oidc.clientSecret": {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      "com.openexchange.oidc.rpRedirectURIPostSSOLogout": "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      "com.openexchange.oidc.opLogoutEndpoint": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      "com.openexchange.oidc.rpRedirectURILogout": "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
    propertiesFiles:
      "/opt/open-xchange/etc/ldapauth.properties":
        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
    uiSettings:
      "io.ox.nextcloud//server": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      "io.ox.public-sector//ics/url": "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
      # RC+base64(20 random bytes)
      oxguardpass: |
        {{ .Values.secrets.oxAppsuite.oxguardMC }}
        {{ .Values.secrets.oxAppsuite.oxguardRC }}
    redis:
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    image:
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
  core-ui:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
  core-ui-middleware:
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    redis:
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
      updater:
      resources:
        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
  core-documentconverter:
    image:
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
  core-guidedtours:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
  core-imageconverter:
    image:
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
  guard-ui:
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
  core-user-guide:
    image:
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml
@@ -1,347 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 appsuite:
  appsuite-toolkit:
    enabled: false
  istio:
    ingressGateway:
      name: "opendesk-gateway-istio-gateway"
  switchboard:
    enabled: false
  core-mw:
    enabled: true
    masterAdmin: "admin"
    gotenberg:
      enabled: true
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - "ALL"
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
        seccompProfile:
          type: "RuntimeDefault"
    features:
      status:
        # enable admin pack
        # admin: enabled
        documents: "disabled"
        guard: "enabled"
    packages:
      status:
        open-xchange-oidc: "enabled"
        open-xchange-authentication-database: "disabled"
        open-xchange-authentication-oauth: "enabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
      com.openexchange.capability.mail_export_pdf: "true"
      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
      # OIDC
      com.openexchange.oidc.enabled: "true"
      com.openexchange.oidc.autologinCookieMode: "ox_direct"
      com.openexchange.oidc.contextLookupClaim: "context"
      com.openexchange.oidc.contextLookupNamePart: "full"
      com.openexchange.oidc.backchannelLogoutEnabled: "true"
      com.openexchange.oidc.startDefaultBackend: "true"
      com.openexchange.oidc.ssoLogout: "true"
      com.openexchange.oidc.userLookupNamePart: "full"
      com.openexchange.oidc.userLookupClaim: "opendesk_username"
      com.openexchange.oidc.clientId: "opendesk-oxappsuite"
      # OAUTH
      com.openexchange.oauth.provider.enabled: "true"
      com.openexchange.oauth.provider.contextLookupClaim: "context"
      com.openexchange.oauth.provider.contextLookupNamePart: "full"
      com.openexchange.oauth.provider.mode: "expect_jwt"
      com.openexchange.oauth.provider.userLookupNamePart: "full"
      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
      com.openexchange.mail.loginSource: "mail"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix"
      com.openexchange.mail.transportServerSource: "global"
      # Mailfilter
      com.openexchange.mail.filter.loginType: "global"
      com.openexchange.mail.filter.credentialSource: "mail"
      com.openexchange.mail.filter.server: "dovecot"
      com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
      # Dovecot
      com.openexchange.imap.attachmentMarker.enabled: "true"
      # Capabilities
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
      com.openexchange.capability.public-sector-element: "true"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
      com.openexchange.capability.guard: "true"
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://nextcloud/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
      # Guard
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
      com.openexchange.guard.guestSMTPServer: "postfix"
      # S/MIME
      # Usage (in browser console after login):
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
    propertiesFiles:
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
        bindOnly: "false"
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
    uiSettings:
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
      # Text and icon color in the topbar
      io.ox/dynamic-theme//topbarColor: "#000"
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
      # Categories
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
      # Nextcloud integration
      # io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
      # Central navigation
      io.ox.public-sector//navigation/oxtabname: "tab_groupware"
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
      # Contact Collector
      io.ox/mail//contactCollectOnMailTransport: "true"
      # io.ox/mail//contactCollectOnMailAccess: "true"
    asConfig:
      default:
        host: "all"
        pageHeaderPrefix: "as8.souvap App Suite"
        oidcLogin: true
        oidcPath: "/oidc"
    redis:
      enabled: true
      mode: "standalone"
      hosts:
        - "redis-master"
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
          mkdir -p /opt/open-xchange/guard-files
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    # Security context for core-mw has no effect yet
    # podSecurityContext: {}
    # securityContext: {}
  core-ui:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-ui-middleware:
    enabled: true
    overrides: {}
    redis:
      mode: "standalone"
      hosts:
        - "redis-master:6379"
      auth:
        enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-guidedtours:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  guard-ui:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-cacheservice:
    enabled: false
  core-user-guide:
    enabled: true
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
  core-imageconverter:
    enabled: true
    objectCache:
      s3ObjectStores:
        - id: -1
          endpoint: "."
          accessKey: "."
          secretKey: "."
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  core-spellcheck:
    enabled: false
  core-documentconverter:
    enabled: true
    documentConverter:
      cache:
        remoteCache:
          enabled: false
    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
    securityContext:
      # missing:
      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
  core-documents-collaboration:
    enabled: false
  office-web:
    enabled: false
  office-user-guide:
    enabled: false
  plugins-ui:
    enabled: false
  cloud-plugins-ui:
    enabled: false
  drive-client-windows-ox:
    enabled: false
  core-drive-help:
    enabled: false
 nextcloud-integration-ui:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 public-sector-ui:
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
 ...
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -0,0 +1,559 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  mysql:
    host: {{ .Values.databases.oxAppsuite.host | quote }}
    database: {{ .Values.databases.oxAppsuite.name | quote }}
    auth:
      user: {{ .Values.databases.oxAppsuite.username | quote }}
      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 istio:
  enabled: {{ .Values.istio.enabled }}
 nextcloud-integration-ui:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
    repository: {{ .Values.images.openxchangeNextcloudIntegrationUI.repository | quote }}
    tag: {{ .Values.images.openxchangeNextcloudIntegrationUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  resources:
    {{ .Values.resources.openxchangeNextcloudIntegrationUI | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    privileged: false
    readOnlyRootFilesystem: false
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}
 public-sector-ui:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangePublicSectorUI.registry | quote }}
    repository: {{ .Values.images.openxchangePublicSectorUI.repository | quote }}
    tag: {{ .Values.images.openxchangePublicSectorUI.tag | quote }}
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
  {{- end }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  resources:
    {{ .Values.resources.openxchangePublicSectorUI | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    privileged: false
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}
 appsuite:
  appsuite-toolkit:
    enabled: false
  switchboard:
    enabled: false
  istio:
    enabled: {{ .Values.istio.enabled }}
    ingressGateway:
      name: "opendesk-gateway-istio-gateway"
      hosts:
        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    virtualServices:
      appsuite:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      dav:
        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  core-mw:
    enabled: true
    asConfig:
      default:
        host: "all"
        pageHeaderPrefix: "as8.souvap App Suite"
        oidcLogin: true
        oidcPath: "/oidc"
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    serviceAccount:
      create: true
    features:
      status:
        # enable admin pack
        # admin: enabled
        documents: "disabled"
        guard: "enabled"
    gotenberg:
      enabled: true
      imagePullSecrets:
      {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
      {{- end }}
      image:
        repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGotenberg.registry }}/{{ .Values.images.openxchangeGotenberg.repository }}"
        tag: {{ .Values.images.openxchangeGotenberg.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      resources:
        {{ .Values.resources.openxchangeGotenberg | toYaml | nindent 8 }}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - "ALL"
        privileged: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
          mkdir -p /opt/open-xchange/guard-files
          chown open-xchange:open-xchange /opt/open-xchange/guard-files
    packages:
      status:
        open-xchange-oidc: "enabled"
        open-xchange-authentication-database: "disabled"
        open-xchange-authentication-oauth: "enabled"
    properties:
      com.openexchange.UIWebPath: "/appsuite/"
      com.openexchange.showAdmin: "false"
      # PDF Export
      com.openexchange.capability.mail_export_pdf: "true"
      com.openexchange.mail.exportpdf.gotenberg.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.pdfa.collabora.enabled: "true"
      com.openexchange.mail.exportpdf.collabora.url: "http://collabora:9980"
      com.openexchange.mail.exportpdf.gotenberg.url: "http://open-xchange-gotenberg:3000"
      # OIDC
      com.openexchange.oidc.enabled: "true"
      com.openexchange.oidc.autologinCookieMode: "ox_direct"
      com.openexchange.oidc.backchannelLogoutEnabled: "true"
      com.openexchange.oidc.clientId: "opendesk-oxappsuite"
      com.openexchange.oidc.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      com.openexchange.oidc.contextLookupClaim: "context"
      com.openexchange.oidc.contextLookupNamePart: "full"
      com.openexchange.oidc.opAuthorizationEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
      com.openexchange.oidc.opIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      com.openexchange.oidc.ssoLogout: "true"
      com.openexchange.oidc.startDefaultBackend: "true"
      com.openexchange.oidc.userLookupClaim: "opendesk_username"
      com.openexchange.oidc.userLookupNamePart: "full"
      # OAUTH
      com.openexchange.oauth.provider.enabled: "true"
      com.openexchange.oauth.provider.allowedIssuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
      com.openexchange.oauth.provider.contextLookupClaim: "context"
      com.openexchange.oauth.provider.contextLookupNamePart: "full"
      com.openexchange.oauth.provider.jwt.jwksUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oauth.provider.mode: "expect_jwt"
      com.openexchange.oauth.provider.userLookupNamePart: "full"
      com.openexchange.oauth.provider.userLookupClaim: "opendesk_username"
      com.openexchange.authentication.oauth.clientId: "opendesk-oxappsuite"
      com.openexchange.authentication.oauth.tokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
      com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
      com.openexchange.mail.loginSource: "mail"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix"
      com.openexchange.mail.transportServerSource: "global"
      # Mailfilter
      com.openexchange.mail.filter.loginType: "global"
      com.openexchange.mail.filter.credentialSource: "mail"
      com.openexchange.mail.filter.server: "dovecot"
      com.openexchange.mail.filter.preferredSaslMech: "XOAUTH2"
      # Dovecot
      com.openexchange.imap.attachmentMarker.enabled: "true"
      # Capabilities
      # Old capability can be used to toggle all integrations with a single switch
      com.openexchange.capability.public-sector: "true"
      # New capabilities in 2.0
      com.openexchange.capability.public-sector-element: "true"
      com.openexchange.capability.public-sector-navigation: "true"
      com.openexchange.capability.client-onboarding: "true"
      com.openexchange.capability.dynamic-theme: "true"
      com.openexchange.capability.filestorage_nextcloud: "true"
      com.openexchange.capability.filestorage_nextcloud_oauth: "true"
      com.openexchange.capability.guard: "true"
      com.openexchange.capability.guard-mail: "true"
      com.openexchange.capability.smime: "true"
      com.openexchange.capability.share_links: "false"
      com.openexchange.capability.invite_guests: "false"
      com.openexchange.capability.document_preview: "true"
      # Secondary Accounts
      com.openexchange.mail.secondary.authType: "XOAUTH2"
      com.openexchange.mail.transport.secondary.authType: "xoauth2"
      # Nextcloud integration
      com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
      com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
      com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
      # GDPR
      com.openexchange.gdpr.dataexport.enabled: "false"
      com.openexchange.gdpr.dataexport.active: "false"
      # Guard
      com.openexchange.guard.storage.file.fileStorageType: "file"
      com.openexchange.guard.storage.file.uploadDirectory: "/opt/open-xchange/guard-files/"
      com.openexchange.guard.guestSMTPServer: "postfix"
      # S/MIME
      # Usage (in browser console after login):
      # http = (await import('./io.ox/core/http.js')).default
      # await http.POST({ module: 'oxguard/smime', params: { action: 'test' } })
      com.openexchange.smime.test: "true"
      # Other
      com.openexchange.secret.secretSource: "\"<user-id> + '@' + <context-id> + '/' + <random>\""
    secretProperties:
      com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
      com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
      com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
    propertiesFiles:
      /opt/open-xchange/etc/AdminDaemon.properties:
        MASTER_ACCOUNT_OVERRIDE: "true"
      /opt/open-xchange/etc/system.properties:
        SERVER_NAME: "oxserver"
      /opt/open-xchange/etc/ldapauth.properties:
        java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
        bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
        bindOnly: "false"
      /opt/open-xchange/etc/antivirus.properties:
        com.openexchange.antivirus.enabled: "true"
        {{- if .Values.clamavDistributed.enabled }}
        com.openexchange.antivirus.server: "clamav-icap"
        {{- else if .Values.clamavSimple.enabled }}
        com.openexchange.antivirus.server: "clamav-simple"
        {{- end }}
        com.openexchange.antivirus.port: "1344"
        com.openexchange.antivirus.maxFileSize: "1024"
    uiSettings:
      io.ox.nextcloud//server: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/fs/"
      io.ox.public-sector//ics/url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/"
      # Show the Enterprise Picker in the top right corner instead of the launcher drop-down
      io.ox/core//features/enterprisePicker/showLauncher: "false"
      io.ox/core//features/enterprisePicker/showTopRightLauncher: "true"
      # Text and icon color in the topbar
      io.ox/dynamic-theme//topbarColor: "#000"
      io.ox/dynamic-theme//logoWidth: "82"
      io.ox/dynamic-theme//topbarHover: "rgba(0, 0, 0, 0.1)"
      # Resources
      io.ox/core//features/resourceCalendars: "true"
      io.ox/core//features/managedResources: "true"
      # Categories
      io.ox/core//features/categories: "true"
      io.ox/core//categories/predefined: >
        [{ "name": "Predefined", "color": "orange", "icon": "bi/exclamation-circle.svg" }]
      # Nextcloud integration
      # io.ox.nextcloud//server: "https://ics.<DOMAIN>/fs/"
      # Central navigation
      io.ox.public-sector//navigation/oxtabname: "tab_groupware"
      # io.ox.public-sector//ics/url: "https://ics.<DOMAIN>/"
      io.ox/core//apps/quickLaunchCount: "0"
      io.ox/core//coloredIcons: "false"
      # Mail templates
      io.ox/core//features/templates: "true"
      # Contact Collector
      io.ox/mail//contactCollectOnMailTransport: "true"
      # io.ox/mail//contactCollectOnMailAccess: "true"
      # Dynamic theme
      io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
      io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
      io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//listHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
      io.ox/dynamic-theme//folderBackground: {{ .Values.theme.colors.white | quote }}
      io.ox/dynamic-theme//folderSelected: {{ .Values.theme.colors.primary15 | quote }}
      io.ox/dynamic-theme//folderHover: {{ .Values.theme.colors.secondaryGreyLight | quote }}
    secretETCFiles:
      # Format of the OX Guard master key:
      # MC+base64(20 random bytes)
      # RC+base64(20 random bytes)
      oxguardpass: |
        {{ .Values.secrets.oxAppsuite.oxguardMC }}
        {{ .Values.secrets.oxAppsuite.oxguardRC }}
    redis:
      enabled: true
      mode: "standalone"
      hosts:
        - "redis-master"
      auth:
        password: {{ .Values.secrets.redis.password | quote }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    # Security context for core-mw has no effect yet
    # podSecurityContext: {}
    # securityContext: {}
    update:
      image:
        repository: {{ .Values.images.openxchangeCoreMW.repository | quote }}
        tag: {{ .Values.images.openxchangeCoreMW.tag | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{ .Values.resources.openxchangeCoreMW | toYaml | nindent 6 }}
  core-ui:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUI.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUI.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUI | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}
  core-ui-middleware:
    enabled: true
    ingress:
      hosts:
        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUIMiddleware.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUIMiddleware.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    overrides: {}
    redis:
      mode: "standalone"
      hosts:
        - "redis-master:6379"
      auth:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
      updater:
      resources:
        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
  core-cacheservice:
    enabled: false
  core-documentconverter:
    enabled: true
    documentConverter:
      cache:
        remoteCache:
          enabled: false
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
    securityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: false
      allowPrivilegeEscalation: false
      privileged: false
      capabilities:
        drop:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}
  core-documents-collaboration:
    enabled: false
  office-web:
    enabled: false
  office-user-guide:
    enabled: false
  plugins-ui:
    enabled: false
  cloud-plugins-ui:
    enabled: false
  drive-client-windows-ox:
    enabled: false
  core-drive-help:
    enabled: false
  core-guidedtours:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreGuidedtours.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreGuidedtours.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreGuidedtours.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeCoreGuidedtours | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}
  core-imageconverter:
    enabled: true
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeImageConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeImageConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeImageConverter.tag | quote }}
    objectCache:
      s3ObjectStores:
        - id: -1
          endpoint: "."
          accessKey: "."
          secretKey: "."
    resources:
      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
    securityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: false
      allowPrivilegeEscalation: false
      privileged: false
      capabilities:
        drop:
          - "ALL"
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}
  guard-ui:
    enabled: true
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
      tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    resources:
      {{- .Values.resources.openxchangeGuardUI | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
  core-spellcheck:
    enabled: false
  core-user-guide:
    enabled: true
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreUserGuide.registry | quote }}
      repository: {{ .Values.images.openxchangeCoreUserGuide.repository | quote }}
      tag: {{ .Values.images.openxchangeCoreUserGuide.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
    {{- end }}
    resources:
      {{- .Values.resources.openxchangeCoreUserGuide | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
 ...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -8,12 +8,12 @@ repositories:
  # openDesk OpenProject Bootstrap
  # Source: Set when repo is managed on Open CoDE
  - name: "openproject-bootstrap-repo"
    oci: {{ .Values.charts.openprojectBootstrap.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openprojectBootstrap.verify }}
-    username: {{ .Values.charts.openprojectBootstrap.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openprojectBootstrap.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
 releases:
  - name: "opendesk-openproject-bootstrap"
@@ -22,8 +22,7 @@ releases:
    wait: true
    waitForJobs: true
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject-bootstrap/values.yaml
+++ b/helmfile/apps/openproject-bootstrap/values.yaml
@@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -7,16 +7,9 @@ global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  registry: {{ .Values.global.imageRegistry | quote }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
@@ -31,4 +24,34 @@ config:
    admin:
      username: "nextcloud"
      password: {{ .Values.secrets.nextcloud.adminPassword | quote }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
  repository: {{ .Values.images.openprojectBootstrap.repository | quote }}
  tag: {{ .Values.images.openprojectBootstrap.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
 job:
  enabled: true
 podSecurityContext:
  enabled: true
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
 ...
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -8,12 +8,12 @@ repositories:
  # OpenProject
  # Source: https://github.com/opf/helm-charts
  - name: "openproject-repo"
    oci: {{ .Values.charts.openproject.oci }}
    keyring: "../../files/gpg-pubkeys/openproject-com.gpg"
    verify: {{ .Values.charts.openproject.verify }}
-    username: {{ .Values.charts.openproject.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.openproject.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
 releases:
  - name: "openproject"
@@ -22,8 +22,7 @@ releases:
    wait: true
    waitForJobs: true
    values:
-      - "values.yaml"
+      - "values.yaml.gotmpl"
      - "values.gotmpl"
    installed: {{ .Values.openproject.enabled }}
    timeout: 900
--- a/helmfile/apps/openproject/values.gotmpl
+++ b/helmfile/apps/openproject/values.gotmpl
@@ -1,99 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: "{{ .Values.global.imageRegistry }}"
    repository: "{{ .Values.images.openprojectInitDb.repository }}"
    tag: "{{ .Values.images.openprojectInitDb.tag }}"
    pullPolicy: "{{ .Values.global.imagePullPolicy }}"
 memcached:
  connection:
    host: {{ .Values.cache.openproject.host | quote }}
    port: {{ .Values.cache.openproject.port }}
  image:
    registry: {{ .Values.global.imageRegistry | quote }}
    repository: {{ .Values.images.memcached.repository | quote }}
    tag: {{ .Values.images.memcached.tag | quote }}
 postgresql:
  auth:
    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
    username: {{ .Values.databases.openproject.username | quote }}
    database: {{ .Values.databases.openproject.name | quote }}
  connection:
    host: {{ .Values.databases.openproject.host | quote }}
    port: {{ .Values.databases.openproject.port }}
 openproject:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  # Will only be set on initial seed / installation
  admin_user:
    name: "OpenProject Internal Admin"
    mail: "openproject-admin@swp-domain.internal"
    password_reset: "false"
    password: {{ .Values.secrets.openproject.adminPassword | quote }}
  oidc:
    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
 ingress:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 environment:
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_SECRET: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_HOST: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_END__SESSION__ENDPOINT: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
  {{ if ne .Values.objectstores.openproject.backend "aws" }}
  OPENPROJECT_FOG_CREDENTIALS_ENDPOINT: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  {{ end }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID: {{ .Values.objectstores.openproject.username | quote }}
  OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
  OPENPROJECT_FOG_CREDENTIALS_PROVIDER: {{ .Values.objectstores.openproject.provider | default "AWS" | quote }}
  OPENPROJECT_FOG_CREDENTIALS_REGION: {{ .Values.objectstores.openproject.region | quote }}
  OPENPROJECT_FOG_DIRECTORY: {{ .Values.objectstores.openproject.bucket | quote }}
  OPENPROJECT_FOG_CREDENTIALS_USE__IAM__PROFILE: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/openproject/values.yaml
+++ b/helmfile/apps/openproject/values.yaml
@@ -1,90 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
  registry: "registry.souvap-univention.de"
 memcached:
  bundled: false
 probes:
  liveness:
    initialDelaySeconds: 300
    failureThreshold: 30
  readiness:
    initialDelaySeconds: 150
    failureThreshold: 30
 postgresql:
  bundled: false
 openproject:
  oidc:
    enabled: true
    provider: "keycloak"
    identifier: "opendesk-openproject"
    scope: "[openid,opendesk]"
  # seed will only be executed on initial installation
  seed_locale: "de"
 containerSecurityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
 persistence:
  enabled: false
 s3:
  enabled: true
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
 environment:
  OPENPROJECT_LOG__LEVEL: "info"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_LOGIN: "opendesk_username"
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_DISPLAY__NAME: "Keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  # Details: https://www.openproject.org/docs/installation-and-operations/configuration/#attachments-storage
  OPENPROJECT_ATTACHMENTS__STORAGE: "fog"
  OPENPROJECT_FOG_CREDENTIALS_PATH__STYLE: "true"
  # Define an admin mapping from the claim
  # The attribute mapping cannot currently be defined in the value
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ATTRIBUTE__MAP_ADMIN: "openproject_admin"
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
 ...
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -0,0 +1,168 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 containerSecurityContext:
  enabled: true
  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
  OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
  OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
  OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
  # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
  OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
  OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
  OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementUser)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_LOGIN__MAPPING: "uid"
  OPENPROJECT_SEED_LDAP_OPENDESK_FIRSTNAME__MAPPING: "givenName"
  OPENPROJECT_SEED_LDAP_OPENDESK_LASTNAME__MAPPING: "sn"
  OPENPROJECT_SEED_LDAP_OPENDESK_MAIL__MAPPING: "mailPrimaryAddress"
  OPENPROJECT_SEED_LDAP_OPENDESK_ADMIN__MAPPING: "opendeskProjectmanagementAdmin"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_BASE: "dc=swp-ldap,dc=internal"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_FILTER:
    "(&(objectClass=opendeskProjectmanagementGroup)(opendeskProjectmanagementEnabled=TRUE))"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_SYNC__USERS: "true"
  OPENPROJECT_SEED_LDAP_OPENDESK_GROUPFILTER_OPENDESK_GROUP__ATTRIBUTE: "cn"
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
  OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
  OPENPROJECT_SMTP__SSL: "false" # (default=false)
  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}
 initdb:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 memcached:
  bundled: false
  connection:
    host: {{ .Values.cache.openproject.host | quote }}
    port: {{ .Values.cache.openproject.port }}
 persistence:
  enabled: false
 postgresql:
  bundled: false
  auth:
    password: {{ .Values.databases.openproject.password | default .Values.secrets.postgresql.openprojectUser | quote }}
    username: {{ .Values.databases.openproject.username | quote }}
    database: {{ .Values.databases.openproject.name | quote }}
  connection:
    host: {{ .Values.databases.openproject.host | quote }}
    port: {{ .Values.databases.openproject.port }}
 probes:
  liveness:
    initialDelaySeconds: 300
    failureThreshold: 30
  readiness:
    initialDelaySeconds: 150
    failureThreshold: 30
 openproject:
  # seed will only be executed on initial installation
  seed_locale: "de"
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  # Will only be set on initial seed / installation
  admin_user:
    name: "OpenProject Internal Admin"
    mail: "openproject-admin@swp-domain.internal"
    password_reset: "false"
    password: {{ .Values.secrets.openproject.adminPassword | quote }}
  oidc:
    enabled: true
    authorizationEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
    endSessionEndpoint : "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
    identifier: "opendesk-openproject"
    provider: "keycloak"
    scope: "[openid,opendesk]"
    secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
    tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
    userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
    attribute_map:
      login: "opendesk_username"
      admin: "openproject_admin"
  useTmpVolumes: true
 ingress:
  host: "{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}"
  enabled: {{ .Values.ingress.enabled }}
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 replicaCount: {{ .Values.replicas.openproject }}
 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
 s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  pathStyle: "true"
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
 seederJob:
  annotations:
    intents.otterize.com/service-name: "openproject-seeder"
 ...
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -7,18 +7,17 @@ bases:
 repositories:
  # OX Connector
  - name: "ox-connector-repo"
-    oci: {{ .Values.charts.oxConnector.oci }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    username: {{ .Values.charts.oxConnector.username | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    password: {{ .Values.charts.oxConnector.password | quote }}
+    oci: true
-    url: "{{ .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
 releases:
  - name: "ox-connector"
    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
-      - "values-oxconnector.yaml"
+      - "values-oxconnector.yaml.gotmpl"
      - "values-oxconnector.gotmpl"
    installed: {{ .Values.oxConnector.enabled }}
 commonLabels:
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -1,33 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 oxConnector:
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
  oxMasterAdmin: "admin"
  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  oxDefaultContext: "1"
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml
@@ -1,42 +0,0 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 ingress:
  enabled: false
 oxConnector:
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  tlsMode: "off"
  caCert: "ucctempldapstring"
  debugLevel: "5"
  logLevel: "DEBUG"
  oxDefaultContext: "1"
  oxLocalTimezone: "Europe/Berlin"
  oxLanguage: "de_DE"
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxImapServer: "imap://127.0.0.1:143"
 ## Container deployment probes
 probes:
  liveness:
    enabled: true
    initialDelaySeconds: 120
    timeoutSeconds: 3
    periodSeconds: 30
    failureThreshold: 3
    successThreshold: 1
  readiness:
    enabled: true
    initialDelaySeconds: 30
    timeoutSeconds: 3
    periodSeconds: 15
    failureThreshold: 30
    successThreshold: 1
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -0,0 +1,91 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
 imagePullSecrets:
 {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
 {{- end }}
 ingress:
  enabled: false
 oxConnector:
  caCert: "ucctempldapstring"
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
  tlsMode: "off"
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  oxDefaultContext: "1"
  oxImapServer: "imap://127.0.0.1:143"
  oxLocalTimezone: "Europe/Berlin"
  oxLanguage: "de_DE"
  oxMasterAdmin: "admin"
  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
  oxSmtpServer: "smtp://127.0.0.1:587"
  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
 persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
 ## Container deployment probes
 probes:
  liveness:
    enabled: true
    initialDelaySeconds: 120
    timeoutSeconds: 3
    periodSeconds: 30
    failureThreshold: 3
    successThreshold: 1
  readiness:
    enabled: true
    initialDelaySeconds: 30
    timeoutSeconds: 3
    periodSeconds: 15
    failureThreshold: 30
    successThreshold: 1
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  readOnlyRootFilesystem: false
  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -8,141 +8,142 @@ repositories:
  # openDesk Otterize
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-otterize
  - name: "otterize-repo"
    oci: {{ .Values.charts.otterize.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.otterize.verify }}
-    username: {{ .Values.charts.otterize.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.otterize.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
  - name: "certificates-repo"
    oci: {{ .Values.charts.certificates.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.certificates.verify }}
-    username: {{ .Values.charts.certificates.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.certificates.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
  - name: "postgresql-repo"
    oci: {{ .Values.charts.postgresql.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.postgresql.verify }}
-    username: {{ .Values.charts.postgresql.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.postgresql.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
  - name: "mariadb-repo"
    oci: {{ .Values.charts.mariadb.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.mariadb.verify }}
-    username: {{ .Values.charts.mariadb.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.mariadb.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
  - name: "postfix-repo"
    oci: {{ .Values.charts.postfix.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.postfix.verify }}
-    username: {{ .Values.charts.postfix.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.postfix.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
  - name: "istio-resources-repo"
    oci: {{ .Values.charts.istioResources.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.istioResources.verify }}
-    username: {{ .Values.charts.istioResources.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.istioResources.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
  - name: "clamav-repo"
    oci: {{ .Values.charts.clamav.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamav.verify }}
-    username: {{ .Values.charts.clamav.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.clamav.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    oci: {{ .Values.charts.clamavSimple.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
-    username: {{ .Values.charts.clamavSimple.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.clamavSimple.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
  - name: "memcached-repo"
    oci: {{ .Values.charts.memcached.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.memcached.verify }}
-    username: {{ .Values.charts.memcached.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.memcached.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    oci: {{ .Values.charts.redis.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
-    username: {{ .Values.charts.redis.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.redis.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    oci: {{ .Values.charts.minio.oci }}
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
-    username: {{ .Values.charts.minio.username | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ .Values.charts.minio.password | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    url: "{{ .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
 releases:
  - name: "opendesk-otterize"
    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
    version: "{{ .Values.charts.otterize.version }}"
    values:
-      - "values-otterize.gotmpl"
+      - "values-otterize.yaml.gotmpl"
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
  - name: "opendesk-certificates"
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
    version: "{{ .Values.charts.certificates.version }}"
    values:
-      - "values-certificates.gotmpl"
+      - "values-certificates.yaml.gotmpl"
    installed: {{ .Values.certificates.enabled }}
    timeout: 900
  - name: "redis"
    chart: "redis-repo/{{ .Values.charts.redis.name }}"
    version: "{{ .Values.charts.redis.version }}"
    values:
-      - "values-redis.gotmpl"
+      - "values-redis.yaml.gotmpl"
      - "values-redis.yaml"
    installed: {{ .Values.redis.enabled }}
    timeout: 900
  - name: "memcached"
    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
    version: "{{ .Values.charts.memcached.version }}"
    values:
-      - "values-memcached.yaml"
+      - "values-memcached.yaml.gotmpl"
      - "values-memcached.gotmpl"
    installed: {{ .Values.memcached.enabled }}
    timeout: 900
  - name: "postgresql"
    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
    version: "{{ .Values.charts.postgresql.version }}"
    values:
-      - "values-postgresql.yaml"
+      - "values-postgresql.yaml.gotmpl"
      - "values-postgresql.gotmpl"
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900
@@ -150,8 +151,7 @@ releases:
    chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
    version: "{{ .Values.charts.mariadb.version }}"
    values:
-      - "values-mariadb.yaml"
+      - "values-mariadb.yaml.gotmpl"
      - "values-mariadb.gotmpl"
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900
@@ -159,41 +159,41 @@ releases:
    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
    version: "{{ .Values.charts.postfix.version }}"
    values:
-      - "values-postfix.yaml"
+      - "values-postfix.yaml.gotmpl"
      - "values-postfix.gotmpl"
    installed: {{ .Values.postfix.enabled }}
    timeout: 900
  - name: "clamav"
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
    version: "{{ .Values.charts.clamav.version }}"
    values:
-      - "values-clamav-distributed.yaml"
+      - "values-clamav-distributed.yaml.gotmpl"
      - "values-clamav-distributed.gotmpl"
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900
  - name: "clamav-simple"
    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
-      - "values-clamav-simple.yaml"
+      - "values-clamav-simple.yaml.gotmpl"
      - "values-clamav-simple.gotmpl"
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
  - name: "opendesk-gateway"
    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
    version: "{{ .Values.charts.istioResources.version }}"
    values:
-      - "values-istio-gateway.yaml"
+      - "values-istio-gateway.yaml.gotmpl"
      - "values-istio-gateway.gotmpl"
    installed: {{ .Values.istio.enabled }}
    timeout: 900
  - name: "minio"
    chart: "minio-repo/{{ .Values.charts.minio.name }}"
    version: "{{ .Values.charts.minio.version }}"
    values:
-      - "values-minio.yaml"
+      - "values-minio.yaml.gotmpl"
      - "values-minio.gotmpl"
    installed: {{ .Values.minio.enabled }}
    timeout: 900
 commonLabels:
  deploy-stage: "services"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Martin Müller	99ad9d16db	fix(jitsi): Add exporter and serviceMonitor	2024-02-19 17:29:46 +01:00
push_from_gitlab_souvap-univention_de	47d6a8d53f	chore(release): 0.5.77 [skip ci] ## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16) ### Bug Fixes * ci: Complete CI var usage for external registry ([`3bcdcd0`](`3bcdcd06b7`)) * ci: Update openDesk CI Lint to v2.3.1 ([`250ef2b`](`250ef2bc3f`)) * collabora: Add chart validation ([`0159902`](`01599022f1`)) * collabora: Bump to 23.05.9.1.1 ([`b525a81`](`b525a814fc`)) * cryptpad: Update chart to v0.0.18 ([`6f0b1f3`](`6f0b1f37fc`)) * docs: Add functional component table referencing the component versions to README.md ([`bc7eeb8`](`bc7eeb8c9d`)) * docs: Add generated security-context.md ([`d9e07ff`](`d9e07ff7bd`)) * element: Change name of neodatefix bot job ([`dd535da`](`dd535daac0`)) * element: Disable e2ee ([`ba0824b`](`ba0824bac3`)) * helmfile: Add additional provisioning components and configuration ([`110ff56`](`110ff56f74`)) * helmfile: Add seLinuxOptions for all applications ([`02d04fa`](`02d04faa2a`)) * helmfile: Annotations in image.yaml ([`7ebbd03`](`7ebbd03bdc`)) * helmfile: Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([`d2b1f0b`](`d2b1f0b07b`)) * helmfile: Fix annotations in images.yaml ([`acaec3b`](`acaec3b8ac`)) * helmfile: Fix umsPortalFrontend image annotation ([`8f83261`](`8f83261986`)) * helmfile: Improve debugging ([`56f5e35`](`56f5e35895`)) * nextcloud: Bump openincryptpad to 0.3.3 and disable circles app ([`f2b8acf`](`f2b8acfba8`)) * nextcloud: Set backchannel logout url ([`c0fc225`](`c0fc225349`)) * nextcloud: Update image, nextcloud apps and chart ([`fd2a66f`](`fd2a66f8f2`)) * nextcloud: Update nextcloud image and chart to support upgrades ([`5d95e7a`](`5d95e7ab2a`)) * nextcloud: Update to Nextcloud to v28 ([`7c9f38f`](`7c9f38f06e`)) * open-xchange: Bump Gotenberg image ([`49f126d`](`49f126d169`)) * open-xchange: Dovecot image on OpenCoDE without mirror ([`1396071`](`1396071865`)) * openproject: Bump version to 13.3.0 ([`c2087ef`](`c2087efcf9`)) * univention-management-stack: New device login notifications on first login with 2FA ([`ee1a337`](`ee1a337ab5`)) * univention-management-stack: Patches not applied to uldap ([`2909e1d`](`2909e1d821`)) * univention-management-stack: Support for object-storage icons and portal files ([`83ac645`](`83ac645fae`)) * univention-management-stack: Update NGINX Helm chart to 15.9.3 ([`c16c0ac`](`c16c0ac795`)) * univention-management-stack: Update otterize to allow umc-server communication with memcached ([`6c15dc1`](`6c15dc1d66`)) * xwiki: Add bottom border to top nav bar to be aligned with the other components ([`affa92c`](`affa92cde2`)) * xwiki: Bump XWiki chart to 1.3.0 ([`cabee0c`](`cabee0c9da`))	2024-02-16 09:40:25 +00:00
Thorsten Roßner	8b50347bfa	chore(docs): Update component table in README.md	2024-02-16 07:12:17 +01:00
Thorsten Roßner	b525a814fc	fix(collabora): Bump to 23.05.9.1.1	2024-02-15 16:38:32 +00:00
jconde	83ac645fae	fix(univention-management-stack): Support for object-storage icons and portal files fix(univention-management-stack): Test otterize policies	2024-02-15 15:32:12 +00:00
Thorsten Roßner	f2b8acfba8	fix(nextcloud): Bump openincryptpad to 0.3.3 and disable circles app	2024-02-15 15:10:35 +00:00
Thorsten Roßner	49f126d169	fix(open-xchange): Bump Gotenberg image	2024-02-15 09:15:27 +01:00
Dominik Kaminski	02d04faa2a	fix(helmfile): Add seLinuxOptions for all applications	2024-02-14 11:53:53 +00:00
Oliver Günther	c2087efcf9	fix(openproject): Bump version to 13.3.0	2024-02-14 11:28:28 +01:00
Thorsten Roßner	affa92cde2	fix(xwiki): Add bottom border to top nav bar to be aligned with the other components	2024-02-14 07:47:46 +01:00
Dominik Kaminski	d9e07ff7bd	fix(docs): Add generated security-context.md	2024-02-13 12:31:22 +00:00
Thorsten Roßner	01599022f1	fix(collabora): Add chart validation	2024-02-13 07:50:55 +00:00
Thorsten Roßner	bc7eeb8c9d	fix(docs): Add functional component table referencing the component versions to README.md	2024-02-12 17:20:39 +01:00
Thorsten Roßner	1396071865	fix(open-xchange): Dovecot image on OpenCoDE without mirror	2024-02-07 17:43:45 +01:00
Dominik Kaminski	7c9f38f06e	fix(nextcloud): Update to Nextcloud to v28	2024-02-06 15:39:42 +00:00
Thorsten Roßner	7ebbd03bdc	fix(helmfile): Annotations in image.yaml	2024-02-05 16:26:57 +01:00
Sebastian König-Festl	110ff56f74	fix(helmfile): Add additional provisioning components and configuration	2024-02-05 06:35:20 +00:00
Thorsten Roßner	c0fc225349	fix(nextcloud): Set backchannel logout url	2024-02-02 15:20:12 +01:00
Thorsten Roßner	56f5e35895	fix(helmfile): Improve debugging	2024-02-02 15:19:40 +01:00
Thorsten Roßner	ba0824bac3	fix(element): Disable e2ee	2024-02-02 15:19:40 +01:00
Dominik Kaminski	250ef2bc3f	fix(ci): Update openDesk CI Lint to v2.3.1	2024-02-02 10:45:45 +00:00
Thorsten Roßner	d2b1f0b07b	fix(helmfile): Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1	2024-02-02 09:33:34 +01:00
Thorsten Roßner	8f83261986	fix(helmfile): Fix umsPortalFrontend image annotation	2024-02-02 09:25:31 +01:00
Dominik Kaminski	5d95e7ab2a	fix(nextcloud): Update nextcloud image and chart to support upgrades	2024-02-01 11:47:00 +00:00
jconde	ee1a337ab5	fix(univention-management-stack): New device login notifications on first login with 2FA	2024-02-01 07:44:52 +00:00
Oliver Günther	41bc09ee49	chore(openproject): Bump to 13.2.1	2024-01-31 15:58:03 +00:00
Thorsten Roßner	acaec3b8ac	fix(helmfile): Fix annotations in images.yaml	2024-01-31 15:09:43 +00:00
jconde	6c15dc1d66	fix(univention-management-stack): Update otterize to allow umc-server communication with memcached	2024-01-31 12:21:11 +00:00
jconde	2909e1d821	fix(univention-management-stack): Patches not applied to uldap	2024-01-31 12:21:11 +00:00
Dominik Kaminski	cabee0c9da	fix(xwiki): Bump XWiki chart to 1.3.0	2024-01-31 12:20:38 +01:00
Dominik Kaminski	c16c0ac795	fix(univention-management-stack): Update NGINX Helm chart to 15.9.3	2024-01-31 12:20:38 +01:00
Dominik Kaminski	6f0b1f37fc	fix(cryptpad): Update chart to v0.0.18	2024-01-31 12:20:38 +01:00
Dominik Kaminski	fd2a66f8f2	fix(nextcloud): Update image, nextcloud apps and chart	2024-01-31 12:20:38 +01:00
Dominik Kaminski	dd535daac0	fix(element): Change name of neodatefix bot job	2024-01-31 12:20:38 +01:00
Thorsten Roßner	3bcdcd06b7	fix(ci): Complete CI var usage for external registry	2024-01-30 00:29:58 +01:00
push_from_gitlab_souvap-univention_de	f05acb57c9	chore(release): 0.5.76 [skip ci] ## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24) ### Bug Fixes * nextcloud: Correct indent in monitoring resources ([`bea1413`](`bea1413b86`)) * services: Monitoring for minio with correct labels and there are no prometheusRule ([`af63e5c`](`af63e5c18d`)) * univention-management-stack: Fix external registry for nats charts ([`cbb33b9`](`cbb33b922d`))	2024-01-24 17:15:48 +00:00
Martin Müller	bea1413b86	fix(nextcloud): Correct indent in monitoring resources	2024-01-24 16:11:51 +00:00
Martin Müller	af63e5c18d	fix(services): Monitoring for minio with correct labels and there are no prometheusRule	2024-01-24 16:11:51 +00:00
Dominik Kaminski	cbb33b922d	fix(univention-management-stack): Fix external registry for nats charts	2024-01-24 16:48:48 +01:00
push_from_gitlab_souvap-univention_de	02f41a2f1a	chore(release): 0.5.75 [skip ci] ## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24) ### Bug Fixes * ci: Add Kyverno CI Lint ([`e778a59`](`e778a59cdd`)) * helmfile: Cleanup and small conformity fixes ([`db0a544`](`db0a544155`)) * helmfile: Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([`a49daa6`](`a49daa6fa2`)) * helmfile: Split image and helm registry ([`89c149a`](`89c149af95`)) * univention-management-stack: UMC secure session cookie ([`67f7c05`](`67f7c05038`)) * univention-management-stack: Update guardian to version 2 ([`a99f338`](`a99f3389dc`))	2024-01-24 11:50:24 +00:00
Dominik Kaminski	e778a59cdd	fix(ci): Add Kyverno CI Lint	2024-01-23 21:07:56 +01:00
jconde	67f7c05038	fix(univention-management-stack): UMC secure session cookie	2024-01-23 06:28:43 +00:00
Martin Müller	89c149af95	fix(helmfile): Split image and helm registry	2024-01-23 07:25:38 +01:00
Oliver Günther	3630f583b5	chore(openproject): Bump version to 13.2.0	2024-01-18 13:39:53 +01:00
jconde	a99f3389dc	fix(univention-management-stack): Update guardian to version 2 fix(univention-management-stack): Otterize version for umc-server	2024-01-17 11:39:34 +01:00
Thorsten Roßner	a49daa6fa2	fix(helmfile): Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element	2024-01-16 11:50:26 +01:00
Thorsten Roßner	db0a544155	fix(helmfile): Cleanup and small conformity fixes	2024-01-16 11:49:04 +01:00
Thorsten Roßner	77e32fada8	chore(release): 0.5.74 [skip ci] ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12) ### Bug Fixes * ci: Add opendesk-ci linter ([`b23152b`](`b23152bb20`)) * ci: Scan all images for malware on release ([`807b73c`](`807b73c8a4`)) * ci: Switch to 'on_success' instead of 'always' ([`e1f6370`](`e1f63701f1`)) * collabora: Migrate collabora to yaml.gotmpl file ([`09d001b`](`09d001b6db`)) * cryptpad: Bump image ([`90152bd`](`90152bdc41`)) * cryptpad: Bump image to 5.6.0 ([`1c4db30`](`1c4db30b65`)) * cryptpad: Verify against GPG key ([`fec0d1f`](`fec0d1f26a`)) * docs: Update Helm Chart Trust Chain information ([`f894370`](`f8943703ed`)) * element: Fix rights & roles of neoboard ([`7daa93f`](`7daa93f061`)) * element: Fix rights and roles configuration ([`452624c`](`452624ce74`)) * helmfile: Add image annotations for mirroring ([`41e777c`](`41e777c81d`)) * helmfile: Add logLevel to globals ([`8db9bf3`](`8db9bf3c99`)) * helmfile: Add XWiki GPG key ([`712605e`](`712605e4f1`)) * helmfile: Increase timeouts for deployment of services ([`3b557a8`](`3b557a892c`)) * helmfile: Merge fix values filename for Jitsi ([`7a14531`](`7a145315f9`)) * helmfile: Remove oci flag from charts.yaml and move user/password ([`2ad48b6`](`2ad48b6fd5`)) * helmfile: Sort images and charts ([`acf6816`](`acf6816653`)) * helmfile: Switch artefacts to be pulled from Open CoDE or upstream ([`6b3d99d`](`6b3d99d1d1`)) * intercom-service: Add scaling option. ([`969c42a`](`969c42a590`)) * jitsi: Add available securityContexts here ([`8f09740`](`8f09740677`)) * nextcloud: Replace community Nextcloud with openDesk Nextcloud ([`813a2e2`](`813a2e29e9`)) * open-xchange: Enable ICAP and merge yaml and gotmpl files ([`306252d`](`306252da6f`)) * openproject: Consolidate env values set by Helm chart ([`08754cc`](`08754cc527`)) * openproject: Merge yaml and gotmpl value files ([`45967c7`](`45967c7a0b`)) * services: Add scaling to all services ([`0492420`](`0492420d60`)) * univention-management-stack: Add guardian components ([`db749d8`](`db749d8b1b`)) * univention-management-stack: Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions ([`0bf059e`](`0bf059e8e1`)) * univention-management-stack: Add ums provisioning service ([`d039c65`](`d039c65c4b`)) * univention-management-stack: Bump Keycloak Bootstrap image ([`bb289d5`](`bb289d545e`)) * univention-management-stack: Bump Keycloak chart and image and provide settings for IT-Grundschutz ([`c2e9204`](`c2e9204c56`)) * univention-management-stack: Keycloak clients for guardian ([`b30b29d`](`b30b29df8a`)) * univention-management-stack: Provide openDesk version info for admins in portal menu ([`5f5a65f`](`5f5a65f59d`)) * univention-management-stack: SAML join using internal Keycloak hostname ([`acbef3a`](`acbef3ae3e`)) * univention-management-stack: Streamline timeouts for deployment ([`506ef4a`](`506ef4a20f`)) * univention-management-stack: Updated base image ([`78993e1`](`78993e122b`)) * xwiki: Bump Helm chart und image, fix favicon ([`87b6fcf`](`87b6fcfc37`)) * xwiki: Ldap group sync filter ([`9aa907a`](`9aa907a909`)) * xwiki: Update default XWiki configuration ([`f13f39a`](`f13f39a0a0`)) * xwiki: Update Image to include XWiki 15.10.4 ([`9ff6056`](`9ff605623c`)) * xwiki: Update to 1.2.6 and add imagePullSecrets ([`2d2455f`](`2d2455fdb3`)) * xwiki: Verify against GPG key ([`a0d5fb8`](`a0d5fb8955`))	2024-01-12 15:46:37 +00:00
Thorsten Roßner	acbef3ae3e	fix(univention-management-stack): SAML join using internal Keycloak hostname	2024-01-12 09:52:38 +01:00
Thorsten Roßner	bb289d545e	fix(univention-management-stack): Bump Keycloak Bootstrap image	2024-01-11 16:57:15 +00:00
Dominik Kaminski	2d2455fdb3	fix(xwiki): Update to 1.2.6 and add imagePullSecrets	2024-01-11 17:19:14 +01:00
Dominik Kaminski	0bf059e8e1	fix(univention-management-stack): Add missing image template for ums stack gateway and imagePullSecrets to keycloak extensions	2024-01-11 16:31:09 +01:00
Dominik Kaminski	0492420d60	fix(services): Add scaling to all services	2024-01-11 16:31:04 +01:00
Dominik Kaminski	8f09740677	fix(jitsi): Add available securityContexts here	2024-01-11 16:07:58 +01:00
Dominik Kaminski	969c42a590	fix(intercom-service): Add scaling option.	2024-01-11 16:07:58 +01:00
nurjinn jafar	7daa93f061	fix(element): Fix rights & roles of neoboard Signed-off-by: nurjinn jafar <nurjin.jafar@nordeck.net>	2024-01-11 09:53:16 +00:00
nurjinn jafar	452624ce74	fix(element): Fix rights and roles configuration Signed-off-by: nurjinn jafar <nurjin.jafar@nordeck.net>	2024-01-11 09:53:16 +00:00
Dominik Kaminski	b23152bb20	fix(ci): Add opendesk-ci linter	2024-01-11 08:31:56 +01:00
Thorsten Roßner	78993e122b	fix(univention-management-stack): Updated base image	2024-01-10 23:47:56 +01:00
Thorsten Roßner	87b6fcfc37	fix(xwiki): Bump Helm chart und image, fix favicon	2024-01-10 13:07:15 +01:00
Oliver Günther	4945c13d05	chore(openproject): Bump chart version to 4.2.1	2024-01-09 08:34:25 +01:00
Thorsten Roßner	08754cc527	fix(openproject): Consolidate env values set by Helm chart	2024-01-09 08:33:46 +01:00
Thorsten Roßner	45967c7a0b	fix(openproject): Merge yaml and gotmpl value files	2024-01-09 16:42:24 +01:00
Dominik Kaminski	acf6816653	fix(helmfile): Sort images and charts	2024-01-09 04:19:23 +01:00
Dominik Kaminski	f8943703ed	fix(docs): Update Helm Chart Trust Chain information	2024-01-09 04:19:23 +01:00
Dominik Kaminski	712605e4f1	fix(helmfile): Add XWiki GPG key	2024-01-09 04:19:23 +01:00
Dominik Kaminski	a0d5fb8955	fix(xwiki): Verify against GPG key	2024-01-09 04:19:23 +01:00
Dominik Kaminski	fec0d1f26a	fix(cryptpad): Verify against GPG key	2024-01-09 04:19:23 +01:00
Thomas Kaltenbrunner	807b73c8a4	fix(ci): Scan all images for malware on release	2024-01-09 04:19:23 +01:00
Thorsten Roßner	506ef4a20f	fix(univention-management-stack): Streamline timeouts for deployment	2024-01-09 04:19:23 +01:00
Thorsten Roßner	306252da6f	fix(open-xchange): Enable ICAP and merge yaml and gotmpl files	2024-01-09 04:19:23 +01:00
Thorsten Roßner	5f5a65f59d	fix(univention-management-stack): Provide openDesk version info for admins in portal menu	2024-01-09 04:19:23 +01:00
Dominik Kaminski	09d001b6db	fix(collabora): Migrate collabora to yaml.gotmpl file	2024-01-09 04:19:22 +01:00
Thorsten Roßner	9aa907a909	fix(xwiki): Ldap group sync filter	2024-01-09 04:19:22 +01:00
Thorsten Roßner	2ad48b6fd5	fix(helmfile): Remove oci flag from charts.yaml and move user/password	2024-01-09 04:19:22 +01:00
Thorsten Roßner	6b3d99d1d1	fix(helmfile): Switch artefacts to be pulled from Open CoDE or upstream	2024-01-09 04:19:22 +01:00
Dominik Kaminski	813a2e29e9	fix(nextcloud): Replace community Nextcloud with openDesk Nextcloud	2024-01-09 04:19:22 +01:00
Thorsten Roßner	e1f63701f1	fix(ci): Switch to 'on_success' instead of 'always'	2024-01-09 04:19:22 +01:00
Thorsten Roßner	9ff605623c	fix(xwiki): Update Image to include XWiki 15.10.4	2024-01-09 04:19:22 +01:00
jconde	db749d8b1b	fix(univention-management-stack): Add guardian components	2024-01-09 04:19:22 +01:00
jconde	b30b29df8a	fix(univention-management-stack): Keycloak clients for guardian	2024-01-09 04:19:22 +01:00
Thorsten Roßner	7a145315f9	fix(helmfile): Merge fix values filename for Jitsi	2024-01-09 04:19:22 +01:00
Clément Aubin	f13f39a0a0	fix(xwiki): Update default XWiki configuration * Set default language to a locale with country indicator, which allows the workplace services to work properly * Set default page title (visible in the browser tab title)	2024-01-09 04:19:22 +01:00
Thorsten Roßner	3b557a892c	fix(helmfile): Increase timeouts for deployment of services	2024-01-09 04:19:15 +01:00
Thorsten Roßner	41e777c81d	fix(helmfile): Add image annotations for mirroring	2024-01-05 15:36:21 +00:00
Thorsten Roßner	90152bdc41	fix(cryptpad): Bump image	2024-01-05 15:36:21 +00:00
Thorsten Roßner	8db9bf3c99	fix(helmfile): Add logLevel to globals	2024-01-05 15:36:21 +00:00
Thorsten Roßner	c2e9204c56	fix(univention-management-stack): Bump Keycloak chart and image and provide settings for IT-Grundschutz	2024-01-05 15:36:21 +00:00
Milton Moura	61eb206c74	chore(element): Update Element Web and Widgets to latest releases Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-01-05 15:36:21 +00:00
Thorsten Roßner	1c4db30b65	fix(cryptpad): Bump image to 5.6.0	2024-01-05 15:36:21 +00:00
Sebastian König-Festl	d039c65c4b	fix(univention-management-stack): Add ums provisioning service Adds provisioning API along with NATS and NATS box	2024-01-05 15:36:21 +00:00