fix(open-xchange): Bump Gotenberg container

2025-12-06 15:31:38 +01:00 · 2024-02-19 11:07:41 +01:00
135 changed files with 1894 additions and 2487 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,8 +6,5 @@

 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml.gotmpl
+helmfile/environments/test/values.yaml.gotmpl
 helmfile/environments/prod/values.yaml.gotmpl
-
-# Ignore in CI generated files
-.kyverno/opendesk.yaml
-.kyverno/kyverno-test.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,16 +12,6 @@ include:
    file: "gitlab/environments.yaml"
    rules:
      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"
-  - local: "/.gitlab/lint/lint-opendesk.yml"
-    rules:
-      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-        when: "never"
-      - when: "always"
-  - local: "/.gitlab/lint/lint-kyverno.yml"
-    rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-        when: "never"
-      - when: "always"

 stages:
  - ".pre"
@@ -142,13 +132,22 @@ variables:
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
    value: "main"
+  RUN_UMS_TESTS:
+    description: "Run E2E test suite of SouvAP Dev team"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  UMS_TESTS_BRANCH:
+    description: "Branch of E2E test suite of SouvAP Dev team"
+    value: "main"

 .deploy-common:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
+  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -444,6 +443,34 @@ run-tests:
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"

+run-souvap-dev-tests:
+  extends: ".deploy-common"
+  environment:
+    name: "${NAMESPACE}"
+  stage: "tests"
+  rules:
+    - if: >
+        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
+      when: "on_success"
+  script:
+    - *ums-default-password
+    - |
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+          \"username\": \"${DEFAULT_USER_NAME}\", \
+          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+        } \
+      }" \
+      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+
 avscan-prepare:
  stage: ".pre"
  rules:
@@ -527,6 +554,22 @@ generate-release-assets:
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"

+opendesk-linter:
+  cache: {}
+  image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
+  needs: []
+  rules:
+    - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      when: "never"
+    - when: "always"
+  script:
+    - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
+    - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
+    - "git diff --exit-code"
+  stage: "lint"
+  tags:
+    - "docker"
+
 # Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
@@ -537,12 +580,14 @@ generate-release-assets:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
  tags: []

+
 conventional-commits-linter:
  rules:
    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
      when: "never"
    - when: "always"

+
 common-yaml-linter:
  rules:
    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -607,13 +652,7 @@ release:
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
-            "assets": [
-              "charts/**/Chart.yaml",
-              "CHANGELOG.md",
-              "charts/**/README.md",
-              "helmfile/environments/default/global.generated.yaml",
-              ".kyverno/kyverno-test.yaml"
-            ],
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
          }]
        ]
--- a/.gitlab/lint/lint-common.yml
+++ b/.gitlab/lint/lint-common.yml
@@ -1,17 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.2.0\
-    @sha256:b36b1fc8a19605306dffef2c919c2a6bf5a3099e8a42ecb39a416394410b75d7"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.1\
-    @sha256:5b1bd85cc73ba0cede1f37d79fa7eeebffa653afa7944406eea9287c29a7769a"
-
-.lint-common:
-  cache: {}
-  needs: []
-  stage: "lint"
-  tags:
-    - "docker"
-
-...
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -1,35 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/lint/lint-common.yml"
-
-lint-kyverno:
-  allow_failure: true
-  extends: ".lint-common"
-  image: "${OPENDESK_LINT_IMAGE}"
-  parallel:
-    matrix:
-      - APP:
-          - "collabora"
-          - "cryptpad"
-          - "element"
-          - "intercom-service"
-          - "jitsi"
-          - "nextcloud"
-          - "open-xchange"
-          - "openproject"
-          - "openproject-bootstrap"
-          - "provisioning"
-          - "services"
-          - "univention-management-stack"
-          - "xwiki"
-  script:
-    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
-    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests -d ${CI_PROJECT_DIR}/.kyverno -t required ${APP}"
-    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "cd ${CI_PROJECT_DIR}/.kyverno"
-    - "kyverno test ."
-
-...
--- a/.gitlab/lint/lint-opendesk.yml
+++ b/.gitlab/lint/lint-opendesk.yml
@@ -1,13 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/lint/lint-common.yml"
-
-lint-opendesk:
-  extends: ".lint-common"
-  image: "${OPENDESK_CI_CLI_IMAGE}"
-  script:
-    - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
-    - "git diff --exit-code"
-...
--- a/.kyverno/_apps.yaml
+++ b/.kyverno/_apps.yaml
@@ -1,276 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-pod:
-  - resource: "mariadb"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "postgresql"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "clamav-simple"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "redis-master"
-    kind: "StatefulSet"
-    app: "services"
-  - resource: "ums-store-dav"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-ldap-server"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-ldap-notifier"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-portal-listener"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-selfservice-listener"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-provisioning-nats"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-management-api"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-management-ui"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-guardian-authorization-api"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "ums-open-policy-agent"
-    kind: "StatefulSet"
-    app: "univention-management-stack"
-  - resource: "open-xchange-core-mw-default"
-    kind: "StatefulSet"
-    app: "open-xchange"
-  - resource: "jitsi-prosody"
-    kind: "StatefulSet"
-    app: "jitsi"
-  - resource: "opendesk-synapse"
-    kind: "StatefulSet"
-    app: "element"
-  - resource: "xwiki"
-    kind: "StatefulSet"
-    app: "xwiki"
-  - resource: "ox-connector"
-    kind: "StatefulSet"
-    app: "provisioning"
-  - resource: "minio"
-    kind: "Deployment"
-    app: "services"
-  - resource: "memcached"
-    kind: "Deployment"
-    app: "services"
-  - resource: "postfix"
-    kind: "Deployment"
-    app: "services"
-  - resource: "ums-keycloak"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-stack-gateway"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-udm-rest-api"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-portal-server"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-notifications-api"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-portal-frontend"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-umc-gateway"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-umc-server"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-provisioning-nats-box"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-extensions-handler"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-extensions-proxy"
-    kind: "Deployment"
-    app: "univention-management-stack"
-  - resource: "intercom-service"
-    kind: "Deployment"
-    app: "intercom-service"
-  - resource: "dovecot"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-documentconverter"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-guidedtours"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-imageconverter"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-gotenberg"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui-middleware"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui-middleware-updater"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-core-user-guide"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-guard-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-nextcloud-integration-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "open-xchange-public-sector-ui"
-    kind: "Deployment"
-    app: "open-xchange"
-  - resource: "opendesk-nextcloud-apache2"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "opendesk-nextcloud-exporter"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "opendesk-nextcloud-php"
-    kind: "Deployment"
-    app: "nextcloud"
-  - resource: "collabora"
-    kind: "Deployment"
-    app: "collabora"
-  - resource: "jitsi-jibri"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-jicofo"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-jvb"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-web"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "jitsi-opendesk-jitsi-keycloak-adapter"
-    kind: "Deployment"
-    app: "jitsi"
-  - resource: "opendesk-element"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-well-known"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-synapse-web"
-    kind: "Deployment"
-    app: "element"
-  - resource: "opendesk-matrix-user-verification-service"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neoboard-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neochoice-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neodatefix-widget"
-    kind: "Deployment"
-    app: "element"
-  - resource: "matrix-neodatefix-bot"
-    kind: "Deployment"
-    app: "element"
-  - resource: "openproject-web"
-    kind: "Deployment"
-    app: "openproject"
-  - resource: "openproject-worker"
-    kind: "Deployment"
-    app: "openproject"
-  - resource: "mariadb-bootstrap"
-    kind: "Job"
-    app: "services"
-  - resource: "postgresql-bootstrap"
-    kind: "Job"
-    app: "services"
-  - resource: "minio-provisioning"
-    kind: "Job"
-    app: "services"
-  - resource: "ums-stack-data-ums-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "ums-stack-data-swp-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "ums-keycloak-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "opendesk-keycloak-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "univention-management-stack"
-  - resource: "opendesk-open-xchange-bootstrap"
-    kind: "Job"
-    app: "open-xchange"
-  - resource: "opendesk-nextcloud-management-1"
-    kind: "Job"
-    app: "nextcloud"
-  - resource: "jitsi-opendesk-jitsi"
-    kind: "Job"
-    app: "jitsi"
-  - resource: "opendesk-matrix-user-verification-service-bootstrap"
-    kind: "Job"
-    app: "element"
-  - resource: "matrix-neodatefix-bot-bootstrap"
-    kind: "Job"
-    app: "element"
-  - resource: "opendesk-openproject-bootstrap-bootstrap-1"
-    kind: "Job"
-    app: "openproject-bootstrap"
-#  # Has timestamp in resource name - not supported yet.
-#  - resource: "openproject-seeder-*"
-#    kind: "Job"
-#  - resource: "ums-store-dav-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-udm-rest-api-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-portal-server-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-notifications-api-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-portal-frontend-test-connection"
-#    kind: "Pod"
-#  - resource: "ums-provisioning-nats-test-request-reply"
-#    kind: "Pod"
-#  - resource: "ums-provisioning-provisioning-api-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-guidedtours-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-gotenberg-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-core-user-guide-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-guard-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-nextcloud-integration-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "open-xchange-public-sector-ui-test-connection"
-#    kind: "Pod"
-#  - resource: "jitsi-prosody-test-connection"
-#    kind: "Pod"
-#  - resource: "jitsi-web-test-connection"
-#    kind: "Pod"
-#  - resource: "openproject-test-connection"
-#    kind: "Pod"
-...
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -1,55 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-pod:
-  - name: "require-tag-and-digest"
-    rule: "require-tag-and-digest"
-    type: "required"
-  - name: "disallow-default-serviceaccount"
-    rule: "require-sa"
-    type: "required"
-  - name: "require-imagepullsecrets"
-    rule: "require-imagepullsecrets"
-    type: "required"
-  - name: "disallow-latest-tag"
-    rule: "validate-image-tag"
-    type: "required"
-  - name: "require-imagepullpolicy-always"
-    rule: "require-imagepullpolicy-always"
-    type: "required"
-  - name: "require-health-and-liveness-check"
-    rule: "require-health-and-liveness-check"
-    type: "required"
-    excludeKinds:
-      - "Job"
-  - name: "require-requests-limits"
-    rule: "validate-resources"
-    type: "required"
-  - name: "restrict-image-registries"
-    rule: "validate-registries"
-    type: "required"
-  - name: "require-containersecuritycontext"
-    rule: "require-ro-rootfs"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-no-privilege-escalation"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-all-capabilities-dropped"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-no-privileged"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-user"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-group"
-    type: "optional"
-  - name: "require-containersecuritycontext"
-    rule: "require-seccomp-profile"
-    type: "required"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-non-root"
-    type: "optional"
-...
--- a/.kyverno/policies/disallow-default-serviceaccount.yaml
+++ b/.kyverno/policies/disallow-default-serviceaccount.yaml
@@ -1,22 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-default-serviceaccount"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-sa"
-      validate:
-        message: "serviceAccountName must be set to anything other than 'default'."
-        pattern:
-          spec:
-            serviceAccountName: "!default"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/disallow-latest-tag.yaml
+++ b/.kyverno/policies/disallow-latest-tag.yaml
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-latest-tag"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "validate-image-tag"
-      validate:
-        message: "Using a mutable image tag e.g. 'latest' is not allowed."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "!*:latest"
-            =(initContainers):
-              - image: "!*:latest"
-            containers:
-              - image: "!*:latest"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-containersecuritycontext.yaml
+++ b/.kyverno/policies/require-containersecuritycontext.yaml
@@ -1,173 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-containersecuritycontext"
-spec:
-  background: true
-  rules:
-    - name: "require-ro-rootfs"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Root filesystem must be read-only."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  readOnlyRootFilesystem: true
-            =(initContainers):
-              - securityContext:
-                  readOnlyRootFilesystem: true
-            containers:
-              - securityContext:
-                  readOnlyRootFilesystem: true
-
-    - name: "require-no-privilege-escalation"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Disallow privilege escalation."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  allowPrivilegeEscalation: false
-            =(initContainers):
-              - securityContext:
-                  allowPrivilegeEscalation: false
-            containers:
-              - securityContext:
-                  allowPrivilegeEscalation: false
-
-    - name: "require-all-capabilities-dropped"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Required to drop ALL linux capabilities."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-            =(initContainers):
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-            containers:
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-
-    - name: "require-no-privileged"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Disallow privileged container."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  privileged: false
-            =(initContainers):
-              - securityContext:
-                  privileged: false
-            containers:
-              - securityContext:
-                  privileged: false
-
-    - name: "require-run-as-user"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run as non-root user."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsUser: ">0"
-            =(initContainers):
-              - securityContext:
-                  runAsUser: ">0"
-            containers:
-              - securityContext:
-                  runAsUser: ">0"
-
-    - name: "require-run-as-group"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run as non-root group."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsGroup: ">0"
-            =(initContainers):
-              - securityContext:
-                  runAsGroup: ">0"
-            containers:
-              - securityContext:
-                  runAsGroup: ">0"
-
-    - name: "require-seccomp-profile"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must have seccompProfile"
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-            =(initContainers):
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-            containers:
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-
-    - name: "require-run-as-non-root"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run in non-root mode."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsNonRoot: true
-            =(initContainers):
-              - securityContext:
-                  runAsNonRoot: true
-            containers:
-              - securityContext:
-                  runAsNonRoot: true
-
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-health-and-liveness-check.yaml
+++ b/.kyverno/policies/require-health-and-liveness-check.yaml
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-health-and-liveness-check"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-health-and-liveness-check"
-      validate:
-        message: "Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds
-          must be set to a value greater than 0."
-        pattern:
-          spec:
-            containers:
-              - livenessProbe:
-                  periodSeconds: ">0"
-                readinessProbe:
-                  periodSeconds: ">0"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-imagepullpolicy-always.yaml
+++ b/.kyverno/policies/require-imagepullpolicy-always.yaml
@@ -1,40 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullpolicy-always"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagepullpolicy-always"
-      validate:
-        message: "The imagePullPolicy must be set to `Always` when the tag `latest` is used."
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-              =(initContainers):
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-              containers:
-                - (image): "*:latest"
-                  imagePullPolicy: "Always"
-          - spec:
-              =(ephemeralContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-              =(initContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-              containers:
-                - (image): "!*:latest"
-                  imagePullPolicy: "IfNotPresent"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-imagepullsecets.yaml
+++ b/.kyverno/policies/require-imagepullsecets.yaml
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullsecrets"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagepullsecrets"
-      validate:
-        message: "ImagePullSecrets are required."
-        pattern:
-          spec:
-            imagePullSecrets:
-              - name: "*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -1,28 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-requests-limits"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "validate-resources"
-      validate:
-        message: "CPU and memory resource requests and limits are required."
-        pattern:
-          spec:
-            containers:
-              - resources:
-                  limits:
-                    memory: "?*"
-                  requests:
-                    cpu: "?*"
-                    memory: "?*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-tag-and-digest.yaml
+++ b/.kyverno/policies/require-tag-and-digest.yaml
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-tag-and-digest"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-tag-and-digest"
-      validate:
-        message: "An image tag and digest required."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "*:*@sha256:*"
-            =(initContainers):
-              - image: "*:*@sha256:*"
-            containers:
-              - image: "*:*@sha256:*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/restrict-image-registries.yaml
+++ b/.kyverno/policies/restrict-image-registries.yaml
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "restrict-image-registries"
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "validate-registries"
-      validate:
-        message: "Unknown image registry."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "external-registry.souvap-univention.de/*"
-            =(initContainers):
-              - image: "external-registry.souvap-univention.de/*"
-            containers:
-              - image: "external-registry.souvap-univention.de/*"
-  validationFailureAction: "audit"
-...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,15 +1,3 @@
-## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
-
-
-### Bug Fixes
-
-* **ci:** Add Kyverno CI Lint ([e778a59](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e778a59cddecc7c73b827e03af5e47ddd5c3dcee))
-* **helmfile:** Cleanup and small conformity fixes ([db0a544](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db0a5441550ae08450afc04ef274ff8d19e85138))
-* **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a49daa6fa27dc7c51c3163b1155eec33b78949f5))
-* **helmfile:** Split image and helm registry ([89c149a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/89c149af954a6f0884ae905e55b52e8db9036b05))
-* **univention-management-stack:** UMC secure session cookie ([67f7c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67f7c050387157808f010857395715335b42d767))
-* **univention-management-stack:** Update guardian to version 2 ([a99f338](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a99f3389dc90aa89ce2ba4bcfc266a2dfdf15ab9))
-
 ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)


--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 -->

-<h1>openDesk Deployment Automation</h1>
+![logo](./helmfile/environments/default/theme/logo_portal_background.svg)

 openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
 Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -12,7 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
 * [Customize environment](#customize-environment)
  * [Domain](#domain)
    * [Apps](#apps)
-  * [Private registries](#private-registries)
+  * [Private Helm chart and container image registry](#private-helm-chart-and-container-image-registry)
  * [Cluster capabilities](#cluster-capabilities)
    * [Service](#service)
    * [Networking](#networking)
@@ -126,7 +126,7 @@ jitsi:
  enabled: false
 ```

-## Private registries
+## Private Helm chart and container image registry

 By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
 in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
@@ -137,9 +137,8 @@ like Docker Hub.
 Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry anyway you can configure such for
-[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
- `global.imageRegistry` for a private image registry and
- `global.helmRegistry` for a private Helm chart registry.
+[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting `global.imageRegistry`
+like this:

 ```yaml
 global:
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.

 <!-- TOC -->
-* [tl;dr](#tldr)
+* [TL;DR;](#tldr)
 * [Hardware](#hardware)
 * [Kubernetes](#kubernetes)
 * [Ingress controller](#ingress-controller)
@@ -17,7 +17,7 @@ This section covers the internal system requirements as well as external service
 * [Deployment](#deployment)
 <!-- TOC -->

-# tl;dr
+# TL;DR;
 openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.

 - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -11,7 +11,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.collabora.registry }}/\
      {{ .Values.charts.collabora.repository }}"

 releases:
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -13,14 +13,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
    chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
-      - "values.yaml.gotmpl"
+      - "values.yaml"
+      - "values.gotmpl"
    installed: {{ .Values.cryptpad.enabled }}

 commonLabels:
--- a/helmfile/apps/cryptpad/values.gotmpl
+++ b/helmfile/apps/cryptpad/values.gotmpl
@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -22,30 +22,9 @@ enableEmbedding: true

 fullnameOverride: "cryptpad"

-image:
-  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
-  tag: {{ .Values.images.cryptpad.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
  annotations:
    nginx.org/websocket-services: "cryptpad"
-  className: {{ .Values.ingress.ingressClassName | quote }}
-  hosts:
-    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-      paths:
-        - path: "/"
-          pathType: "ImplementationSpecific"
-  tls:
-    - secretName: {{ .Values.ingress.tls.secretName | quote }}
-      hosts:
-        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"

 persistence:
  enabled: false
@@ -53,11 +32,6 @@ persistence:
 podSecurityContext:
  fsGroup: 4001

-replicaCount: {{ .Values.replicas.cryptpad }}
-
-resources:
-  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
-
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -74,5 +48,4 @@ serviceAccount:
  create: true

 workloadStateful: false
-
 ...
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -13,35 +13,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -51,7 +51,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -59,28 +59,28 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
@@ -88,7 +88,8 @@ releases:
    chart: "element-repo/{{ .Values.charts.element.name }}"
    version: "{{ .Values.charts.element.version }}"
    values:
-      - "values-element.yaml.gotmpl"
+      - "values-element.yaml"
+      - "values-element.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -96,7 +97,8 @@ releases:
    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
-      - "values-well-known.yaml.gotmpl"
+      - "values-well-known.yaml"
+      - "values-well-known.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -104,7 +106,8 @@ releases:
    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
-      - "values-synapse-web.yaml.gotmpl"
+      - "values-synapse-web.yaml"
+      - "values-synapse-web.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -112,7 +115,8 @@ releases:
    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
    version: "{{ .Values.charts.synapse.version }}"
    values:
-      - "values-synapse.yaml.gotmpl"
+      - "values-synapse.yaml"
+      - "values-synapse.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -120,7 +124,8 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
+      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -128,7 +133,8 @@ releases:
    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
-      - "values-matrix-user-verification-service.yaml.gotmpl"
+      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -136,7 +142,8 @@ releases:
    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
-      - "values-matrix-neoboard-widget.yaml.gotmpl"
+      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -144,7 +151,8 @@ releases:
    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
-      - "values-matrix-neochoice-widget.yaml.gotmpl"
+      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -152,7 +160,8 @@ releases:
    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
-      - "values-matrix-neodatefix-widget.yaml.gotmpl"
+      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -160,7 +169,8 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
+      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -168,7 +178,8 @@ releases:
    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
-      - "values-matrix-neodatefix-bot.yaml.gotmpl"
+      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,6 +1,15 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 configuration:
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
@@ -96,27 +105,6 @@ configuration:

  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"

-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -131,16 +119,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.element }}

 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-element.yaml
+++ b/helmfile/apps/element/values-element.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,20 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -35,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}

 resources:
  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,20 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -35,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
-
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}

+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
 resources:
  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,24 +1,22 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
-  username: "meetings-bot"
-  pod: "opendesk-synapse-0"
-  secretName: "matrix-neodatefix-bot-account"
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}

-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,5 +1,7 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
@@ -9,39 +11,7 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 configuration:
-  bot:
-    username: "meetings-bot"
-    displayname: "Terminplaner Bot"
  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  strings:
-    breakoutSessionWidgetName: "Breakoutsessions"
-    calendarRoomName: "Terminplaner"
-    calendarWidgetName: "Terminplaner"
-    cockpitWidgetName: "Meeting Steuerung"
-    jitsiWidgetName: "Videokonferenz"
-    matrixNeoBoardWidgetName: "Whiteboard"
-    matrixNeoChoiceWidgetName: "Abstimmungen"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-extraEnvVars:
-  - name: "ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "matrix-neodatefix-bot-account"
-        key: "access_token"

 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -56,23 +26,12 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-livenessProbe:
-  enabled: true
-
 persistence:
  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-readinessProbe:
-  enabled: true
-
 replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}

 resources:
  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+livenessProbe:
+  enabled: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+readinessProbe:
+  enabled: false
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,24 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  bot:
-    username: "meetings-bot"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -39,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}

 resources:
  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,38 +1,22 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
-  username: "uvs"
-  pod: "opendesk-synapse-0"
-  secretName: "opendesk-matrix-user-verification-service-account"
  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}

-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
 ...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -25,26 +25,7 @@ extraEnvVars:
  - name: "UVS_DISABLE_IP_BLACKLIST"
    value: "true"

-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
-  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
 podSecurityContext:
  enabled: true
  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
-  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,20 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -36,13 +24,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
 replicaCount: {{ .Values.replicas.synapseWeb }}

 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ b/helmfile/apps/element/values-synapse-web.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,27 +1,22 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  additionalConfiguration:
-    user_directory:
-      enabled: true
-      search_all_users: true
-    room_prejoin_state:
-      additional_event_types:
-        - "m.space.parent"
-        - "net.nordeck.meetings.metadata"
-        - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
-    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
-    rc_login:
-      account:
-        per_second: 2
-        burst_count: 8
-      address:
-        per_second: 2
-        burst_count: 12
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
+  repository: {{ .Values.images.synapse.repository | quote }}
+  tag: {{ .Values.images.synapse.tag | quote }}
+
+configuration:
  database:
    host: {{ .Values.databases.synapse.host | quote }}
    name: {{ .Values.databases.synapse.name | quote }}
@@ -41,7 +36,6 @@ configuration:
        sender_localpart: intercom-service

    oidc:
-      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"

@@ -59,54 +53,18 @@ configuration:
        {{- end }}

    guestModule:
-      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}

-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 10991
-  seccompProfile:
-    type: "RuntimeDefault"
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
-  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: {{ .Values.images.synapse.tag | quote }}
-
 persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 10991
-
-readinessProbe:
-  initialDelaySeconds: 15
-  periodSeconds: 5
-
 replicaCount: {{ .Values.replicas.synapse }}

 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
+
+  homeserver:
+    guestModule:
+      enabled: true
+    oidc:
+      clientId: "opendesk-matrix"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+
+readinessProbe:
+  initialDelaySeconds: 15
+  periodSeconds: 5
+
+...
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,24 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  e2ee:
-    forceDisable: true
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -40,13 +24,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
 replicaCount: {{ .Values.replicas.wellKnown }}

 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -13,14 +13,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
    version: "{{ .Values.charts.intercomService.version }}"
    values:
-      - "values.yaml.gotmpl"
+      - "values.yaml"
+      - "values.gotmpl"
    installed: {{ .Values.intercom.enabled }}

 commonLabels:
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,19 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -30,7 +19,6 @@ ics:
  default:
    domain: {{ .Values.global.domain | quote }}
  oidc:
-    id: "opendesk-intercom"
    secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
  matrix:
    asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -64,14 +52,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
 replicaCount: {{ .Values.replicas.intercomService }}

 resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/intercom-service/values.yaml
+++ b/helmfile/apps/intercom-service/values.yaml
@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ics:
+  oidc:
+    id: "opendesk-intercom"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -13,7 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -62,9 +62,6 @@ jitsi:
      TURN_ENABLE: "1"
    resources:
      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -101,9 +98,6 @@ jitsi:
    persistence:
      size: {{ .Values.persistence.size.prosody | quote }}
      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -114,9 +108,6 @@ jitsi:
      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
    resources:
      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -128,9 +119,6 @@ jitsi:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: {{ .Values.cluster.service.type | quote }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -142,9 +130,6 @@ jitsi:
      password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
    resources:
      {{ .Values.resources.jibri | toYaml | nindent 6 }}
-    securityContext:
-      seccompProfile:
-        type: "RuntimeDefault"
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
@@ -158,8 +143,6 @@ patchJVB:
    allowPrivilegeEscalation: false
    enabled: true
    readOnlyRootFilesystem: true
-    seccompProfile:
-      type: "RuntimeDefault"
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -13,14 +13,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -13,14 +13,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
@@ -30,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"

 releases:
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -92,8 +92,6 @@ appsuite:
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-    serviceAccount:
-      create: true
    features:
      status:
        # enable admin pack
@@ -415,8 +413,6 @@ appsuite:
      capabilities:
        drop:
          - "ALL"
-      seccompProfile:
-        type: "RuntimeDefault"

  core-documents-collaboration:
    enabled: false
@@ -485,8 +481,6 @@ appsuite:
      capabilities:
        drop:
          - "ALL"
-      seccompProfile:
-        type: "RuntimeDefault"

  guard-ui:
    enabled: true
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -13,7 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -13,7 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -71,7 +71,7 @@ environment:
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}

 initdb:
@@ -79,7 +79,7 @@ initdb:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 memcached:
  bundled: false
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -10,14 +10,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
-      - "values-oxconnector.yaml.gotmpl"
+      - "values-oxconnector.yaml"
+      - "values-oxconnector.gotmpl"
    installed: {{ .Values.oxConnector.enabled }}

 commonLabels:
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -0,0 +1,34 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
+  repository: {{ .Values.images.oxConnector.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.oxConnector.tag | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+oxConnector:
+  domainName: {{ .Values.global.domain | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  logLevel: {{ .Values.debug.logLevel | quote }}
+  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
+  oxMasterAdmin: "admin"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  oxDefaultContext: "1"
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+
+resources:
+  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml
@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  enabled: false
+
+oxConnector:
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  caCert: "ucctempldapstring"
+  debugLevel: "5"
+  oxDefaultContext: "1"
+  oxLocalTimezone: "Europe/Berlin"
+  oxLanguage: "de_DE"
+  oxSmtpServer: "smtp://127.0.0.1:587"
+  oxImapServer: "imap://127.0.0.1:143"
+
+## Container deployment probes
+probes:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 120
+    timeoutSeconds: 3
+    periodSeconds: 30
+    failureThreshold: 3
+    successThreshold: 1
+
+  readiness:
+    enabled: true
+    initialDelaySeconds: 30
+    timeoutSeconds: 3
+    periodSeconds: 15
+    failureThreshold: 30
+    successThreshold: 1
+
+
+serviceAccount:
+  create: true
+
+...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -1,86 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
-  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.oxConnector.tag | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-ingress:
-  enabled: false
-
-oxConnector:
-  caCert: "ucctempldapstring"
-  debugLevel: "5"
-  domainName: {{ .Values.global.domain | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ .Values.debug.logLevel | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  tlsMode: "off"
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  oxDefaultContext: "1"
-  oxImapServer: "imap://127.0.0.1:143"
-  oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
-  oxMasterAdmin: "admin"
-  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-  oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
-resources:
-  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-## Container deployment probes
-probes:
-  liveness:
-    enabled: true
-    initialDelaySeconds: 120
-    timeoutSeconds: 3
-    periodSeconds: 30
-    failureThreshold: 3
-    successThreshold: 1
-
-  readiness:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 3
-    periodSeconds: 15
-    failureThreshold: 30
-    successThreshold: 1
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-
-serviceAccount:
-  create: true
-
-...
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -13,7 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -23,7 +23,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -33,7 +33,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -43,7 +43,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -53,7 +53,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"

  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
@@ -63,7 +63,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -73,14 +73,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -90,28 +90,28 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
    version: "{{ .Values.charts.otterize.version }}"
    values:
-      - "values-otterize.yaml.gotmpl"
+      - "values-otterize.gotmpl"
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900

@@ -119,7 +119,7 @@ releases:
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
    version: "{{ .Values.charts.certificates.version }}"
    values:
-      - "values-certificates.yaml.gotmpl"
+      - "values-certificates.gotmpl"
    installed: {{ .Values.certificates.enabled }}
    timeout: 900

@@ -127,7 +127,8 @@ releases:
    chart: "redis-repo/{{ .Values.charts.redis.name }}"
    version: "{{ .Values.charts.redis.version }}"
    values:
-      - "values-redis.yaml.gotmpl"
+      - "values-redis.gotmpl"
+      - "values-redis.yaml"
    installed: {{ .Values.redis.enabled }}
    timeout: 900

@@ -135,7 +136,8 @@ releases:
    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
    version: "{{ .Values.charts.memcached.version }}"
    values:
-      - "values-memcached.yaml.gotmpl"
+      - "values-memcached.yaml"
+      - "values-memcached.gotmpl"
    installed: {{ .Values.memcached.enabled }}
    timeout: 900

@@ -143,7 +145,8 @@ releases:
    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
    version: "{{ .Values.charts.postgresql.version }}"
    values:
-      - "values-postgresql.yaml.gotmpl"
+      - "values-postgresql.yaml"
+      - "values-postgresql.gotmpl"
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900

@@ -151,7 +154,8 @@ releases:
    chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
    version: "{{ .Values.charts.mariadb.version }}"
    values:
-      - "values-mariadb.yaml.gotmpl"
+      - "values-mariadb.yaml"
+      - "values-mariadb.gotmpl"
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900

@@ -159,7 +163,8 @@ releases:
    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
    version: "{{ .Values.charts.postfix.version }}"
    values:
-      - "values-postfix.yaml.gotmpl"
+      - "values-postfix.yaml"
+      - "values-postfix.gotmpl"
    installed: {{ .Values.postfix.enabled }}
    timeout: 900

@@ -167,7 +172,8 @@ releases:
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
    version: "{{ .Values.charts.clamav.version }}"
    values:
-      - "values-clamav-distributed.yaml.gotmpl"
+      - "values-clamav-distributed.yaml"
+      - "values-clamav-distributed.gotmpl"
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900

@@ -175,7 +181,8 @@ releases:
    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
-      - "values-clamav-simple.yaml.gotmpl"
+      - "values-clamav-simple.yaml"
+      - "values-clamav-simple.gotmpl"
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900

@@ -183,7 +190,8 @@ releases:
    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
    version: "{{ .Values.charts.istioResources.version }}"
    values:
-      - "values-istio-gateway.yaml.gotmpl"
+      - "values-istio-gateway.yaml"
+      - "values-istio-gateway.gotmpl"
    installed: {{ .Values.istio.enabled }}
    timeout: 900

@@ -191,7 +199,8 @@ releases:
    chart: "minio-repo/{{ .Values.charts.minio.name }}"
    version: "{{ .Values.charts.minio.version }}"
    values:
-      - "values-minio.yaml.gotmpl"
+      - "values-minio.yaml"
+      - "values-minio.gotmpl"
    installed: {{ .Values.minio.enabled }}
    timeout: 900

--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -1,60 +1,27 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
 clamd:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.clamd }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
    repository: {{ .Values.images.clamd.repository | quote }}
    tag: {{ .Values.images.clamd.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.clamd }}
  resources:
    {{ .Values.resources.clamd | toYaml | nindent 4 }}

-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  enabled: true
-  readOnlyRootFilesystem: true
-
 freshclam:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.freshclam }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
    repository: {{ .Values.images.freshclam.repository | quote }}
    tag: {{ .Values.images.freshclam.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.freshclam }}
  resources:
    {{ .Values.resources.freshclam | toYaml | nindent 4 }}

@@ -63,54 +30,23 @@ global:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

 icap:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
+  replicaCount: {{ .Values.replicas.icap }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
    repository: {{ .Values.images.icap.repository | quote }}
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.icap }}
  resources:
    {{ .Values.resources.icap | toYaml | nindent 4 }}

 milter:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.milter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
    repository: {{ .Values.images.milter.repository | quote }}
    tag: {{ .Values.images.milter.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.milter }}
  resources:
    {{ .Values.resources.milter | toYaml | nindent 4 }}

--- a/helmfile/apps/services/values-clamav-distributed.yaml
+++ b/helmfile/apps/services/values-clamav-distributed.yaml
@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -1,20 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 100
-  runAsGroup: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+replicaCount: {{ .Values.replicas.clamav }}

 image:
  clamav:
@@ -28,18 +17,14 @@ image:
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.clamav | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-  fsGroupChangePolicy: "Always"
-
-replicaCount: {{ .Values.replicas.clamav }}
-
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}

+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...
--- a/helmfile/apps/services/values-clamav-simple.yaml
+++ b/helmfile/apps/services/values-clamav-simple.yaml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/services/values-istio-gateway.gotmpl
+++ b/helmfile/apps/services/values-istio-gateway.gotmpl
@@ -4,5 +4,10 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  domain: {{ .Values.istio.domain | quote }}
+  hosts:
+    openxchange: {{ .Values.global.hosts.openxchange | quote }}
+
+tls:
+  secretName: "{{ .Values.istio.domain }}-tls"
 ...
--- a/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
+++ b/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
@@ -1,12 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-global:
-  domain: {{ .Values.istio.domain | quote }}
-  hosts:
-    openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
 tls:
  httpsRedirect: false
-  secretName: "{{ .Values.istio.domain }}-tls"
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -1,35 +1,24 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
-  enabled: true
  retries: 10
  wait: 30
  users:
@@ -54,14 +43,6 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.mariadb | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-replicaCount: 1
-
 resources:
  {{ .Values.resources.mariadb | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/services/values-mariadb.yaml
+++ b/helmfile/apps/services/values-mariadb.yaml
@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+replicaCount: 1
+...
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,18 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1001
-  runAsNonRoot: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -27,7 +17,4 @@ replicaCount: {{ .Values.replicas.memcached }}

 resources:
  {{ .Values.resources.memcached | toYaml | nindent 2 }}
-
-serviceAccount:
-  create: true
 ...
--- a/helmfile/apps/services/values-memcached.yaml
+++ b/helmfile/apps/services/values-memcached.yaml
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
+serviceAccount:
+  create: true
+...
--- a/helmfile/apps/services/values-minio.gotmpl
+++ b/helmfile/apps/services/values-minio.gotmpl
@@ -0,0 +1,79 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+  users:
+    - username: "openproject_user"
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
+...
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -1,20 +1,11 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-apiIngress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName }}
-  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-  extraTls:
-    - hosts:
-      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
-  annotations:
-    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
-    nginx.org/client-max-body-size: "4G"
+mode: "standalone"

-auth:
-  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000

 containerSecurityContext:
  enabled: true
@@ -28,53 +19,19 @@ containerSecurityContext:
  seccompProfile:
    type: "RuntimeDefault"

-defaultBuckets: "openproject,openxchange,ums,nextcloud"
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
-  repository: "{{ .Values.images.minio.repository }}"
-  tag: "{{ .Values.images.minio.tag }}"
-  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
-
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName }}
-  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
-  extraTls:
-    - hosts:
-      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
-      secretName: "{{ .Values.ingress.tls.secretName }}"
  annotations:
    nginx.org/websocket-services: "minio"

-livenessProbe:
-  enabled: true
-  initialDelaySeconds: 5
-  periodSeconds: 10
-  timeoutSeconds: 10
-
-mode: "standalone"
-
-metrics:
-  serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
-  prometheusRule:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+apiIngress:
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+    nginx.org/client-max-body-size: "4G"

 networkPolicy:
  enabled: false

-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-
-persistence:
-  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
-  size: "{{ .Values.persistence.size.minio }}"
+defaultBuckets: "openproject,openxchange,ums,nextcloud"

 provisioning:
  enabled: true
@@ -142,33 +99,12 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
-  users:
-    - username: "openproject_user"
-      password: {{ .Values.secrets.minio.openprojectUser | quote }}
-      disabled: false
-      policies:
-        - "openproject-bucket-policy"
-      setPolicies: true
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
-      disabled: false
-      policies:
-        - "openxchange-bucket-policy"
-      setPolicies: true
-    - username: "ums_user"
-      password: {{ .Values.secrets.minio.umsUser | quote }}
-      disabled: false
-      policies:
-        - "ums-bucket-policy"
-      setPolicies: true
-    - username: "nextcloud_user"
-      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
-      disabled: false
-      policies:
-        - "nextcloud-bucket-policy"
-      setPolicies: true
-  resources:
-    {{ .Values.resources.minio | toYaml | nindent 4 }}
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 5
+  periodSeconds: 10
+  timeoutSeconds: 10

 readinessProbe:
  enabled: true
@@ -176,15 +112,8 @@ readinessProbe:
  periodSeconds: 10
  timeoutSeconds: 10

-resources:
-  {{ .Values.resources.minio | toYaml | nindent 2 }}
-
 startupProbe:
  enabled: true
  periodSeconds: 10
  timeoutSeconds: 10
-
-statefulset:
-  replicaCount: {{ .Values.replicas.minioDistributed }}
-
 ...
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -1,20 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-certificate:
-  secretName: {{ .Values.ingress.tls.secretName | quote }}
-  request:
-    enabled: false
-
-containerSecurityContext:
-  allowPrivilegeEscalation: true
-  capabilities: {}
-  enabled: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsNonRoot: false
-
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -25,45 +13,29 @@ image:
  tag: {{ .Values.images.postfix.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

-persistence:
-  size: {{ .Values.persistence.size.postfix | quote }}
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+certificate:
+  secretName: {{ .Values.ingress.tls.secretName | quote }}

 postfix:
-  amavisHost: ""
-  amavisPortIn: ""
  domain: {{ .Values.global.domain | quote }}
-  hostname: "postfix"
-  inetProtocols: "ipv4"
-  milterDefaultAction: "accept"
+  virtualMailboxDomains: {{ .Values.global.domain | quote }}
  overrides:
    - fileName: "sasl_passwd.map"
      content:
        - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
-  rspamdHost: ""
  relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
  relayNets: {{ .Values.cluster.networking.cidr | quote}}
-  smtpSASLAuthEnable: "yes"
-  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
-  smtpUseTLS: "yes"
-  smtpdSASLAuthEnable: "no"
-  smtpdSASLSecurityOptions: "noanonymous"
-  smtpdSASLType: "dovecot"
-  smtpdUseTLS: "yes"
-  smtpdTLSCertFile: "/etc/tls/tls.crt"
-  smtpdKeyFile: "/etc/tls/tls.key"
+  virtualTransport: "lmtps:dovecot:24"
  smtpdSASLPath: "inet:dovecot:3659"
  {{- if .Values.clamavDistributed.enabled }}
  smtpdMilters: "inet:clamav-milter:7357"
  {{- else if .Values.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
-  virtualTransport: "lmtps:dovecot:24"
+
+persistence:
+  size: {{ .Values.persistence.size.postfix | quote }}
+  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote}}

 replicaCount: {{ .Values.replicas.postfix }}

--- a/helmfile/apps/services/values-postfix.yaml
+++ b/helmfile/apps/services/values-postfix.yaml
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+certificate:
+  request:
+    enabled: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+postfix:
+  hostname: "postfix"
+  inetProtocols: "ipv4"
+  smtpSASLAuthEnable: "yes"
+  smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
+  smtpUseTLS: "yes"
+  smtpdSASLAuthEnable: "no"
+  smtpdSASLSecurityOptions: "noanonymous"
+  smtpdSASLType: "dovecot"
+  smtpdUseTLS: "yes"
+  smtpdTLSCertFile: "/etc/tls/tls.crt"
+  smtpdKeyFile: "/etc/tls/tls.key"
+  milterDefaultAction: "accept"
+  rspamdHost: ""
+  amavisHost: ""
+  amavisPortIn: ""
+...
--- a/helmfile/apps/services/values-postgresql.yaml.gotmpl
+++ b/helmfile/apps/services/values-postgresql.yaml.gotmpl
@@ -1,32 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-job:
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-postgres:
-  user: "postgres"
-
-replicaCount: 1
-
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -36,8 +12,6 @@ image:
  repository: {{ .Values.images.postgresql.repository | quote }}
  tag: {{ .Values.images.postgresql.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  image:
-    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"

 job:
  users:
--- a/helmfile/apps/services/values-postgresql.yaml
+++ b/helmfile/apps/services/values-postgresql.yaml
@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+  image:
+    digest: "sha256:de7451b563ef79eb6acb2851dbadd18388e6436cd757b65d275a3dc60dbb0b73"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+postgres:
+  user: "postgres"
+
+replicaCount: 1
+...
--- a/helmfile/apps/services/values-redis.yaml.gotmpl
+++ b/helmfile/apps/services/values-redis.yaml.gotmpl
@@ -1,8 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-architecture: "standalone"
-
 auth:
  password: {{ .Values.secrets.redis.password | quote }}

@@ -18,27 +18,10 @@ image:
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 master:
-  containerSecurityContext:
-    readOnlyRootFilesystem: true
-    runAsUser: 1001
-    runAsGroup: 1001
-    runAsNonRoot: true
-    allowPrivilegeEscalation: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    capabilities:
-      drop:
-        - "ALL"
  count: {{ .Values.replicas.redis }}
  persistence:
    size: {{ .Values.persistence.size.redis | quote }}
+
  resources:
    {{ .Values.resources.redis | toYaml | nindent 4 }}
-
-metrics:
-  enabled: false
-
-sentinel:
-  enabled: false
-
 ...
--- a/helmfile/apps/services/values-redis.yaml
+++ b/helmfile/apps/services/values-redis.yaml
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+architecture: "standalone"
+
+sentinel:
+  enabled: false
+
+metrics:
+  enabled: false
+
+master:
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+...
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -12,133 +12,133 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/{{ .Values.charts.umsGuardianManagementApi.repository }}"
  - name: "ums-guardian-management-ui-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/{{ .Values.charts.umsGuardianManagementUi.repository }}"
  - name: "ums-guardian-authorization-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/{{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
  - name: "ums-open-policy-agent-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/{{ .Values.charts.umsOpenPolicyAgent.repository }}"
  - name: "ums-store-dav-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStoreDav.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStoreDav.registry }}/{{ .Values.charts.umsStoreDav.repository }}"
  - name: "ums-ldap-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapServer.registry }}/{{ .Values.charts.umsLdapServer.repository }}"
  - name: "ums-ldap-notifier-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsLdapNotifier.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsLdapNotifier.registry }}/{{ .Values.charts.umsLdapNotifier.repository }}"
  - name: "ums-udm-rest-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUdmRestApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUdmRestApi.registry }}/{{ .Values.charts.umsUdmRestApi.repository }}"
  - name: "ums-stack-data-ums-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataUms.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataUms.registry }}/{{ .Values.charts.umsStackDataUms.repository }}"
  - name: "ums-stack-data-swp-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsStackDataSwp.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsStackDataSwp.registry }}/{{ .Values.charts.umsStackDataSwp.repository }}"
  - name: "ums-portal-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalServer.registry }}/{{ .Values.charts.umsPortalServer.repository }}"
  - name: "ums-notifications-api-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsNotificationsApi.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsNotificationsApi.registry }}/{{ .Values.charts.umsNotificationsApi.repository }}"
  - name: "ums-portal-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalListener.registry }}/{{ .Values.charts.umsPortalListener.repository }}"
  - name: "ums-portal-frontend-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsPortalFrontend.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsPortalFrontend.registry }}/{{ .Values.charts.umsPortalFrontend.repository }}"
  - name: "ums-umc-gateway-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcGateway.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcGateway.registry }}/{{ .Values.charts.umsUmcGateway.repository }}"
  - name: "ums-umc-server-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsUmcServer.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsUmcServer.registry }}/{{ .Values.charts.umsUmcServer.repository }}"
  - name: "ums-selfservice-listener-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsSelfserviceListener.registry }}/{{ .Values.charts.umsSelfserviceListener.repository }}"
  - name: "ums-provisioning-repo"
    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
    verify: {{ .Values.charts.umsProvisioning.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsProvisioning.registry }}/{{ .Values.charts.umsProvisioning.repository }}"

  # Univention Keycloak Extensions
  - name: "ums-keycloak-extensions-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/{{ .Values.charts.umsKeycloakExtensions.repository }}"
  # Univention Keycloak
  - name: "ums-keycloak-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
@@ -146,21 +146,21 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloak.registry }}/{{ .Values.charts.umsKeycloak.repository }}"
  - name: "ums-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/{{ .Values.charts.umsKeycloakBootstrap.repository }}"
  - name: "opendesk-keycloak-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
      {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -170,7 +170,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.nginx.registry }}/{{ .Values.charts.nginx.repository }}"

 releases:
  - name: "ums-keycloak"
@@ -215,7 +215,8 @@ releases:
    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
    version: "{{ .Values.charts.nginx.version }}"
    values:
-      - "values-ums-stack-gateway.yaml.gotmpl"
+      - "values-ums-stack-gateway.gotmpl"
+      - "values-ums-stack-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -223,8 +224,10 @@ releases:
    chart: "ums-store-dav-repo/{{ .Values.charts.umsStoreDav.name }}"
    version: "{{ .Values.charts.umsStoreDav.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-store-dav.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-store-dav.gotmpl"
+      - "values-store-dav.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -232,8 +235,10 @@ releases:
    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
    version: "{{ .Values.charts.umsLdapServer.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-server.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-server.gotmpl"
+      - "values-ldap-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -241,8 +246,10 @@ releases:
    chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
    version: "{{ .Values.charts.umsLdapNotifier.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-notifier.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-ldap-notifier.gotmpl"
+      - "values-ldap-notifier.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -250,8 +257,10 @@ releases:
    chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
    version: "{{ .Values.charts.umsUdmRestApi.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-udm-rest-api.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-udm-rest-api.gotmpl"
+      - "values-udm-rest-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -259,8 +268,10 @@ releases:
    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
    version: "{{ .Values.charts.umsStackDataUms.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-ums.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-ums.gotmpl"
+      - "values-stack-data-ums.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -268,8 +279,10 @@ releases:
    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
    version: "{{ .Values.charts.umsStackDataSwp.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-swp.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-stack-data-swp.gotmpl"
+      - "values-stack-data-swp.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -277,8 +290,10 @@ releases:
    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
    version: "{{ .Values.charts.umsPortalServer.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-server.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-server.gotmpl"
+      - "values-portal-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -286,8 +301,10 @@ releases:
    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
    version: "{{ .Values.charts.umsNotificationsApi.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-notifications-api.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-notifications-api.gotmpl"
+      - "values-notifications-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -295,8 +312,10 @@ releases:
    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
    version: "{{ .Values.charts.umsPortalListener.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-listener.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-listener.gotmpl"
+      - "values-portal-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -304,8 +323,10 @@ releases:
    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
    version: "{{ .Values.charts.umsPortalFrontend.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-frontend.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-portal-frontend.gotmpl"
+      - "values-portal-frontend.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -313,8 +334,10 @@ releases:
    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
    version: "{{ .Values.charts.umsUmcGateway.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-gateway.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-gateway.gotmpl"
+      - "values-umc-gateway.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -322,8 +345,10 @@ releases:
    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
    version: "{{ .Values.charts.umsUmcServer.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-server.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-umc-server.gotmpl"
+      - "values-umc-server.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -331,8 +356,10 @@ releases:
    chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
    version: "{{ .Values.charts.umsSelfserviceListener.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-selfservice-listener.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-selfservice-listener.gotmpl"
+      - "values-selfservice-listener.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -340,8 +367,10 @@ releases:
    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
    version: "{{ .Values.charts.umsProvisioning.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-provisioning.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-provisioning.gotmpl"
+      - "values-provisioning.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -349,8 +378,10 @@ releases:
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-api.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-management-api.gotmpl"
+      - "values-guardian-management-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -358,8 +389,10 @@ releases:
    chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-ui.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-management-ui.gotmpl"
+      - "values-guardian-management-ui.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -367,8 +400,10 @@ releases:
    chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
    version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-authorization-api.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-guardian-authorization-api.gotmpl"
+      - "values-guardian-authorization-api.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

@@ -376,8 +411,10 @@ releases:
    chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
    version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
    values:
-      - "values-common.yaml.gotmpl"
-      - "values-open-policy-agent.yaml.gotmpl"
+      - "values-common.gotmpl"
+      - "values-common.yaml"
+      - "values-open-policy-agent.gotmpl"
+      - "values-open-policy-agent.yaml"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900

--- a/helmfile/apps/univention-management-stack/values-common.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-common.gotmpl
@@ -0,0 +1,10 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ingress:
+  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+
+...
--- a/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-common.yaml.gotmpl
@@ -12,8 +12,6 @@ ingress:
  # controller. Those are encapsulated into the release "stack-gateway" so that
  # the compatibility with all ingress controllers is increased.
  enabled: false
-  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  tls:
    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
    enabled: false
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.gotmpl
@@ -0,0 +1,21 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianAuthorizationApi:
+  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
+  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -2,34 +2,19 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 guardianAuthorizationApi:
+  home: "/guardian_service_dir"
  guardianAuthzCorsAllowedOrigins: "*"
  guardianAuthzAdapterSettingsPort: "env"
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ .Values.debug.logLevel | quote }}
-  guardianAuthzLoggingStructured: false
-  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
-  home: "/guardian_service_dir"
  isUniventionAppCenter: 0
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  opaAdapterUrl: "http://ums-open-policy-agent/"
  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
  udmDataAdapterUsername: "cn=admin"
-  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
+  opaAdapterUrl: "http://ums-open-policy-agent/"
+  guardianAuthzLoggingLevel: "DEBUG"
+  guardianAuthzLoggingStructured: false
+  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"

 securityContext:
  allowPrivilegeEscalation: false
@@ -51,5 +36,4 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.gotmpl
@@ -0,0 +1,32 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+guardianManagementApi:
+  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
+
+postgresql:
+  bundled: false
+  connection:
+    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+  auth:
+    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
+  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -3,7 +3,6 @@
 ---
 guardianManagementApi:
  home: "/guardian_service_dir"
-  isUniventionAppCenter: 0
  guardianManagementCorsAllowedOrigins: "*"
  guardianManagementAdapterSettingsPort: "env"
  guardianManagementAdapterAppPersistencePort: "sql"
@@ -16,38 +15,14 @@ guardianManagementApi:
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
+  isUniventionAppCenter: 0
+  sqlPersistenceAdapterDialect: "postgresql"
+  sqlPersistenceAdapterDbName: "postgres"
+  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
  guardianManagementLoggingLevel: "DEBUG"
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
-  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
-  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  sqlPersistenceAdapterDialect: "postgresql"
-  sqlPersistenceAdapterDbName: "postgres"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
-    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}

 securityContext:
  allowPrivilegeEscalation: false
@@ -69,5 +44,4 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl
@@ -1,10 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
 guardianManagementUi:
-  viteManagementUiAdapterAuthenticationPort: "keycloak"
-  viteManagementUiAdapterDataPort: "api"
-  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
  viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
  viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
  viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
@@ -21,26 +20,4 @@ image:

 resources:
  {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-
 ...
--- a/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml
@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+guardianManagementUi:
+  viteManagementUiAdapterAuthenticationPort: "keycloak"
+  viteManagementUiAdapterDataPort: "api"
+  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -1,5 +1,7 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
@@ -13,19 +15,4 @@ image:

 resources:
  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-
-volumes:
-  claims:
-    shared-data: "shared-data-ums-ldap-server-0"
-    shared-run: "shared-run-ums-ldap-server-0"
-
 ...
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+volumes:
+  claims:
+    shared-data: "shared-data-ums-ldap-server-0"
+    shared-run: "shared-run-ums-ldap-server-0"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...
--- a/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.gotmpl
@@ -0,0 +1,36 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+ldapServer:
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
+  repository: {{ .Values.images.umsLdapServer.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsLdapServer.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+  waitForDependency:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+
+persistence:
+  data:
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
+  shared:
+    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
+
+resources:
+  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -1,6 +1,13 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+
+ldapServer:
+  waitForSamlMetadata: true
+
+service:
+  type: "ClusterIP"
+
 extraVolumes:
  - name: "opendesk-schemas"
    configMap:
@@ -23,34 +30,6 @@ extraVolumeMounts:
    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
    subPath: "opendeskProjectmanagement.schema"

-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-ldapServer:
-  waitForSamlMetadata: true
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-persistence:
-  data:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  shared:
-    storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}

 securityContext:
  allowPrivilegeEscalation: false
@@ -72,11 +51,4 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-
-service:
-  type: "ClusterIP"
-
-resources:
-  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -1,24 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
-  repository: {{ .Values.images.umsNotificationsApi.repository }}
-  pullPolicy: {{ .Values.global.imagePullPolicy }}
-  tag: {{ .Values.images.umsNotificationsApi.tag }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-notificationsapi:
-  apply_database_migrations: "True"
-  dev_mode: "False"
-  environment: "staging"
-  log_level: "DEBUG"
-  sql_echo: "False"
-  api_prefix: "/univention/portal/notifications-api"
-
 postgresql:
  bundled: false
  connection:
@@ -29,16 +13,16 @@ postgresql:
    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}

+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
+  repository: {{ .Values.images.umsNotificationsApi.repository }}
+  pullPolicy: {{ .Values.global.imagePullPolicy }}
+  tag: {{ .Values.images.umsNotificationsApi.tag }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
 resources:
  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml
@@ -0,0 +1,20 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+notificationsapi:
+  apply_database_migrations: "True"
+  dev_mode: "False"
+  environment: "staging"
+  log_level: "DEBUG"
+  sql_echo: "False"
+  api_prefix: "/univention/portal/notifications-api"
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  privileged: false
+  seccompProfile:
+    type: "RuntimeDefault"
+...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.gotmpl
@@ -0,0 +1,18 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
+  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
+  pullSecrets:
+    {{- range .Values.global.imagePullSecrets }}
+    - name: {{ . | quote }}
+    {{- end }}
+
+resources:
+  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl
@@ -1,16 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
-  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
 openPolicyAgent:
  isUniventionAppCenter: 0
  opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
@@ -19,9 +9,6 @@ openPolicyAgent:
  opaPollingMaxDelay: 15
  opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"

-resources:
-  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
-
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
@@ -42,5 +29,4 @@ securityContext:
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-
 ...
--- a/Show More
+++ b/Show More