fix(open-xchange): Bump Gotenberg container

2025-12-06 15:31:38 +01:00 · 2024-02-19 11:07:41 +01:00
176 changed files with 2518 additions and 4689 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -6,8 +6,5 @@

 # Ignore changes to sample environments
 helmfile/environments/dev/values.yaml.gotmpl
+helmfile/environments/test/values.yaml.gotmpl
 helmfile/environments/prod/values.yaml.gotmpl
-
-# Ignore in CI generated files
-.kyverno/opendesk.yaml
-.kyverno/kyverno-test.yaml
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,24 +3,15 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.2"
+    ref: "main"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
-  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
-  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
-      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-        when: "never"
-      - when: "always"
-  - local: "/.gitlab/lint/lint-kyverno.yml"
-    rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
-        when: "never"
-      - when: "always"
+      - if: "$INCLUDE_ENVIRONMENTS_ENABLED != 'false'"

 stages:
  - ".pre"
@@ -141,13 +132,22 @@ variables:
  TESTS_BRANCH:
    description: "Branch of E2E-tests on which the test pipeline is triggered"
    value: "main"
+  RUN_UMS_TESTS:
+    description: "Run E2E test suite of SouvAP Dev team"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
+  UMS_TESTS_BRANCH:
+    description: "Branch of E2E test suite of SouvAP Dev team"
+    value: "main"

 .deploy-common:
  cache: {}
  dependencies: []
  extends: ".environments"
-  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/helm:1.0.1\
-          @sha256:d38f41b88374e055332860018f2936db8807b763caf6089735db0484cbb2842a"
+  image: "external-registry.souvap-univention.de/registry-souvap-univention-de/souvap/tooling/images/helm\
+          @sha256:5a53455af45f4af5c97a01ee2dd5f9ef683f365b59f1ab0102505bc0fd37f6c5"
  script:
    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${COMPONENT}"
    # MASTER_PASSWORD_WEB_VAR as precedence for MASTER_PASSWORD
@@ -195,7 +195,7 @@ env-start:
    name: "${NAMESPACE}"
    on_stop: "env-stop"
  extends: ".deploy-common"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
@@ -208,8 +208,8 @@ env-start:
      kubectl create secret
      --namespace "${NAMESPACE}"
      docker-registry external-registry
-      --docker-server "${EXTERNAL_REGISTRY}"
-      --docker-username "${EXTERNAL_REGISTRY_USERNAME}"
+      --docker-server "external-registry.souvap-univention.de"
+      --docker-username sovereign-workplace
      --docker-password "${EXTERNAL_REGISTRY_PASSWORD}"
      --dry-run=client -o yaml | kubectl apply -f -
  stage: "env"
@@ -376,7 +376,7 @@ env-stop:
  environment:
    name: "${NAMESPACE}"
    action: "stop"
-  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
+  image: "${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.6"
  needs: []
  rules:
    - if: >
@@ -443,13 +443,38 @@ run-tests:
      }" \
      "https://${TESTS_PROJECT_URL}/trigger/pipeline"

+run-souvap-dev-tests:
+  extends: ".deploy-common"
+  environment:
+    name: "${NAMESPACE}"
+  stage: "tests"
+  rules:
+    - if: >
+        $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && $NAMESPACE =~ /.+/ && $RUN_UMS_TESTS == "yes"
+      when: "on_success"
+  script:
+    - *ums-default-password
+    - |
+      curl --request POST \
+      --header "Content-Type: application/json" \
+      --data "{ \
+        \"ref\": \"${UMS_TESTS_BRANCH}\", \
+        \"token\": \"${CI_JOB_TOKEN}\", \
+        \"variables\": { \
+          \"portal_base_url\": \"https://portal.${DOMAIN}\", \
+          \"username\": \"${DEFAULT_USER_NAME}\", \
+          \"password\": \"${DEFAULT_USER_PASSWORD}\", \
+          \"admin_username\": \"${DEFAULT_ADMIN_NAME}\", \
+          \"admin_password\": \"${DEFAULT_ADMIN_PASSWORD}\", \
+          \"keycloak_base_url\": \"https://id.${DOMAIN}\" \
+        } \
+      }" \
+      "https://${UMS_TESTS_PROJECT_URL}/trigger/pipeline"
+
 avscan-prepare:
  stage: ".pre"
  rules:
-    - if: >
-          $JOB_AVSCAN_ENABLED != 'false' &&
-          $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
@@ -482,8 +507,7 @@ avscan-prepare:
      yq '.images
      | with_entries(.key |= "scan-" + .)
      | .[].extends=".container-clamav"
-      | with(.[]; .variables.CONTAINER_IMAGE = .repository
-      | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
+      | with(.[]; .variables.CONTAINER_IMAGE = .repository | .variables.CONTAINER_TAG = .tag | .variables.CONTAINER_REGISTRY = .registry)
      | del(.[].repository)
      | del(.[].tag)
      | del(.[].registry)'
@@ -496,10 +520,7 @@ avscan-prepare:
 avscan-start:
  stage: "scan"
  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_AVSCAN_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "always"
    - when: "never"
  trigger:
@@ -512,10 +533,7 @@ generate-release-assets:
  stage: "generate-release-assets"
  image: "registry.souvap-univention.de/souvap/tooling/images/ansible:4.10.0"
  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "on_success"
    - when: "never"
  script:
@@ -536,7 +554,23 @@ generate-release-assets:
  variables:
    ASSET_GENERATOR_REPO_PATH: "bmi/opendesk/tooling/opendesk-asset-generator"

-# Declare .environments which is in environments repository. In case it is not available
+opendesk-linter:
+  cache: {}
+  image: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:1.0.1"
+  needs: []
+  rules:
+    - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      when: "never"
+    - when: "always"
+  script:
+    - "node /app/src/index.js sort-images ${CI_PROJECT_DIR}/helmfile/environments/default/images.yaml"
+    - "node /app/src/index.js sort-charts ${CI_PROJECT_DIR}/helmfile/environments/default/charts.yaml"
+    - "git diff --exit-code"
+  stage: "lint"
+  tags:
+    - "docker"
+
+# Declare .environments which is in environments repository and only loaded when INCLUDE_ENVIRONMENTS_ENABLED not false.
 # 'cache' is used because job must contain at least one key, so cache is just a dummy key.
 .environments:
  cache: {}
@@ -546,12 +580,14 @@ generate-release-assets:
  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
  tags: []

+
 conventional-commits-linter:
  rules:
    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
      when: "never"
    - when: "always"

+
 common-yaml-linter:
  rules:
    - if: "$JOB_COMMON_YAML_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|triggers|web|merge_request_event'"
@@ -567,20 +603,14 @@ reuse-linter:

 generate-release-version:
  rules:
-    - if: >
-        $JOB_RELEASE_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_RELEASE_ENABLED != 'false'"
      when: "on_success"

 release:
  dependencies:
    - "generate-release-assets"
  rules:
-    - if: >
-        $JOB_AVSCAN_ENABLED != 'false' &&
-        $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH &&
-        $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
+    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
      when: "on_success"
  script:
    - >
@@ -596,7 +626,7 @@ release:
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
@@ -622,14 +652,7 @@ release:
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          ["@semantic-release/git", {
-            "assets": [
-              "charts/**/Chart.yaml",
-              "CHANGELOG.md",
-              "charts/**/README.md",
-              "helmfile/environments/default/global.generated.yaml",
-              ".kyverno/kyverno-test.yaml",
-              "docs"
-            ],
+            "assets": ["charts/**/Chart.yaml", "CHANGELOG.md", "charts/**/README.md", "helmfile/environments/default/global.generated.yaml"],
            "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
          }]
        ]
@@ -638,5 +661,4 @@ release:
    - "semantic-release"
  needs:
    - "generate-release-assets"
-    - "generate-docs"
 ...
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -1,14 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.4.3\
-    @sha256:4630299fddf4248af1ad04528f0435d78f5b2694a154c99fe72b960260a7be61"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.4\
-    @sha256:386e84e2c85c33537479e4bb1e1fe744c9cce5e87bcb9a3a384dcdc1727c19c0"
-
-.common:
-  cache: {}
-  needs: []
-  tags: []
-...
--- a/.gitlab/generate/generate-common.yml
+++ b/.gitlab/generate/generate-common.yml
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/common/common.yml"
-
-.generate-common:
-  extends: ".common"
-  stage: ".post"
-  tags: []
-...
--- a/.gitlab/generate/generate-docs.yml
+++ b/.gitlab/generate/generate-docs.yml
@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/generate/generate-common.yml"
-
-generate-docs:
-  cache:
-    - key: "generate-docs-${CI_COMMIT_REF_SLUG}"
-      paths:
-        - "${CI_PROJECT_DIR}/docs"
-      policy: "push"
-  extends: ".generate-common"
-  image: "${OPENDESK_CI_CLI_IMAGE}"
-  rules:
-    - if: "$JOB_RELEASE_ENABLED != 'false' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
-      when: "on_success"
-  script:
-    - "node /app/src/index.js generate-docs -d ${CI_PROJECT_DIR}"
-...
--- a/.gitlab/lint/lint-common.yml
+++ b/.gitlab/lint/lint-common.yml
@@ -1,11 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/common/common.yml"
-
-.lint-common:
-  extends: ".common"
-  stage: "lint"
-
-...
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/lint/lint-common.yml"
-
-lint-kyverno:
-  allow_failure: true
-  extends: ".lint-common"
-  image: "${OPENDESK_LINT_IMAGE}"
-  parallel:
-    matrix:
-      - APP:
-          - "collabora"
-          - "cryptpad"
-          - "element"
-          - "intercom-service"
-          - "jitsi"
-          - "nextcloud"
-          - "open-xchange"
-          - "openproject"
-          - "openproject-bootstrap"
-          - "provisioning"
-          - "services"
-          - "univention-management-stack"
-          - "xwiki"
-  script:
-    - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"
-    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - >
-      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
-      -d ${CI_PROJECT_DIR}/.kyverno
-      -t required
-      -s manifest
-      -f opendesk.yaml
-      --skip-tests true
-      ${APP}
-    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "cd ${CI_PROJECT_DIR}/.kyverno"
-    - "kyverno test ."
-
-...
--- a/.gitlab/lint/lint-opendesk.yml
+++ b/.gitlab/lint/lint-opendesk.yml
@@ -1,13 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-include:
-  - local: "/.gitlab/lint/lint-common.yml"
-
-lint-opendesk:
-  extends: ".lint-common"
-  image: "${OPENDESK_CI_CLI_IMAGE}"
-  script:
-    - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
-    - "git diff --exit-code"
-...
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -1,292 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-pod:
-  - name: "require-tag-and-digest"
-    rule: "require-tag-and-digest"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-default-serviceaccount"
-    rule: "disallow-default-serviceAccountName"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "template-imagepullsecrets"
-    rule: "template-imagePullSecrets"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-latest-tag"
-    rule: "disallow-latest-tag"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-latest-tag"
-    rule: "require-image-tag-or-digest"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-imagepullpolicy"
-    rule: "require-imagePullPolicy"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-health-and-liveness-check"
-    rule: "require-health-and-liveness-check"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Pod"
-      - "DaemonSet"
-  - name: "template-storage"
-    rule: "template-storageClassName-pod"
-    type: "required"
-    kinds:
-      - "PersistentVolumeClaim"
-  - name: "template-storage"
-    rule: "template-storageClassName-pvc"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-  - name: "template-storage"
-    rule: "template-requests-storage-pod"
-    type: "required"
-    kinds:
-      - "PersistentVolumeClaim"
-  - name: "template-storage"
-    rule: "template-requests-storage-pvc"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-  - name: "require-requests-limits"
-    rule: "validate-resources"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "template-image-registries"
-    rule: "template-image-registries"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-ro-rootfs"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-no-privilege-escalation"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-all-capabilities-dropped"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-no-privileged"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-user"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-group"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-seccomp-profile"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-run-as-non-root"
-    type: "optional"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-empty-seLinuxOptions"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "require-default-procMount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "require-containersecuritycontext"
-    rule: "restrict-sysctls"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-docker-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-containerd-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-crio-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-container-sock-mounts"
-    rule: "validate-dockerd-sock-mount"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-namespaces"
-    rule: "disallow-host-namespaces"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-path"
-    rule: "disallow-host-path"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-ports"
-    rule: "disallow-host-ports"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "disallow-host-process"
-    rule: "disallow-host-process"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-      - "Job"
-      - "Pod"
-      - "DaemonSet"
-  - name: "template-ingress"
-    rule: "template-ingressClassName"
-    type: "required"
-    kinds:
-      - "Ingress"
-  - name: "template-ingress"
-    rule: "template-tls-secretName"
-    type: "required"
-    kinds:
-      - "Ingress"
-  - name: "template-replicas"
-    rule: "template-replicas"
-    type: "required"
-    kinds:
-      - "StatefulSet"
-      - "Deployment"
-...
--- a/.kyverno/policies/disallow-container-sock-mounts.yaml
+++ b/.kyverno/policies/disallow-container-sock-mounts.yaml
@@ -1,80 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-container-sock-mounts"
-  annotations:
-    policies.kyverno.io/title: "Disallow CRI socket mounts"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Container daemon socket bind mounts allow access to the container engine on the node.
-      This access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should
-      not be allowed.
-      This policy validates that the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
-      In addition to or replacement of this policy, preventing users from mounting the parent directories
-      (/var/run and /var) may be necessary to completely prevent socket bind mounts.
-spec:
-  background: true
-  rules:
-    - name: "validate-docker-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Docker Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/docker.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-containerd-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Containerd Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/containerd/containerd.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-crio-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the CRI-O Unix socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/crio/crio.sock"
-          - spec:
-              =(volumes):
-    - name: "validate-dockerd-sock-mount"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: "Use of the Docker CRI socket is not allowed."
-        anyPattern:
-          - spec:
-              =(volumes):
-                - =(hostPath):
-                    path: "!/var/run/cri-dockerd.sock"
-          - spec:
-              =(volumes):
--- a/.kyverno/policies/disallow-default-serviceaccount.yaml
+++ b/.kyverno/policies/disallow-default-serviceaccount.yaml
@@ -1,36 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-default-serviceaccount"
-  annotations:
-    policies.kyverno.io/title: "Prevent default ServiceAccount privilege escalation"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Kubernetes automatically creates a ServiceAccount object named default for every namespace in your cluster.
-      These default service accounts get no permissions by default.
-      Accidental or intended assignment of permissions on the default service account results in elevated permissions
-      for all pods with default service account assigned.
-      This risk can be mitigated by creating a custom ServiceAccount for each application or reduce the risk by disable
-      auto mounting the default service account into the pod.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "disallow-default-serviceAccountName"
-      validate:
-        message: >-
-          Field serviceAccountName must be set to anything other than 'default'.
-          When serviceAccountName is 'default' then automountServiceAccountToken must set to 'false' .
-        anyPattern:
-          - spec:
-              serviceAccountName: "!default"
-          - spec:
-              automountServiceAccountToken: "false"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/disallow-host-namespaces.yaml
+++ b/.kyverno/policies/disallow-host-namespaces.yaml
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-namespaces"
-  annotations:
-    policies.kyverno.io/title: "Disallow Host Namespaces"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access
-      to shared information and can be used to elevate privileges.
-      Pods should not be allowed access to host namespaces.
-      This policy ensures fields which make use of these host namespaces are unset or set to `false`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-namespaces"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
-          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
-        pattern:
-          spec:
-            =(hostPID): "false"
-            =(hostIPC): "false"
-            =(hostNetwork): "false"
--- a/.kyverno/policies/disallow-host-path.yaml
+++ b/.kyverno/policies/disallow-host-path.yaml
@@ -1,32 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-path"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostPath"
-    policies.kyverno.io/subject: "Pod,Volume"
-    policies.kyverno.io/description: >-
-      HostPath volumes let Pods use host directories and volumes in containers.
-      Using host resources can be used to access shared data or escalate privileges and should not be allowed.
-      This policy ensures no hostPath volumes are in use.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-path"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
-        anyPattern:
-          - spec:
-              =(volumes):
-                - X(hostPath): "null"
-          - spec:
-              =(volumes):
--- a/.kyverno/policies/disallow-host-ports.yaml
+++ b/.kyverno/policies/disallow-host-ports.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-ports"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostPorts"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum
-      restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-ports"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
-          , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
-          must either be unset or set to `0`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(ports):
-                  - =(hostPort): 0
-            =(initContainers):
-              - =(ports):
-                  - =(hostPort): 0
-            containers:
-              - =(ports):
-                  - =(hostPort): 0
--- a/.kyverno/policies/disallow-host-process.yaml
+++ b/.kyverno/policies/disallow-host-process.yaml
@@ -1,45 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-host-process"
-  annotations:
-    policies.kyverno.io/title: "Disallow hostProcess"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node.
-      Privileged access to the host is disallowed in the baseline policy.
-      HostProcess pods are an alpha feature as of Kubernetes v1.22.
-      This policy ensures the `hostProcess` field, if present, is set to `false`.
-spec:
-  background: true
-  rules:
-    - name: "disallow-host-process"
-      match:
-        any:
-          - resources:
-              kinds:
-                - "Pod"
-      validate:
-        message: >-
-          HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
-          spec.containers[*].securityContext.windowsOptions.hostProcess,
-          spec.initContainers[*].securityContext.windowsOptions.hostProcess, and
-          spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess must either be undefined or set to
-          `false`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
-            =(initContainers):
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
-            containers:
-              - =(securityContext):
-                  =(windowsOptions):
-                    =(hostProcess): "false"
--- a/.kyverno/policies/disallow-latest-tag.yaml
+++ b/.kyverno/policies/disallow-latest-tag.yaml
@@ -1,57 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "disallow-latest-tag"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      The ':latest' tag is mutable and can lead to unexpected errors if the image changes.
-      A best practice is to use an immutable tag that maps to a specific version of an application Pod.
-      This policy validates that the image specifies a tag and that it is not called `latest`.
-      Defining no image tag or digest result in the container engine retrieving the latest tag.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "disallow-latest-tag"
-      validate:
-        message: "Using a mutable image tag e.g. 'latest' is not allowed."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "!*:latest"
-            =(initContainers):
-              - image: "!*:latest"
-            containers:
-              - image: "!*:latest"
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-image-tag-or-digest"
-      validate:
-        message: "A image tag or a digest is required, otherwise latest tag is chosen."
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - image: "*:*"
-              =(initContainers):
-                - image: "*:*"
-              containers:
-                - image: "*:*"
-          - spec:
-              =(ephemeralContainers):
-                - image: "*@*"
-              =(initContainers):
-                - image: "*@*"
-              containers:
-                - image: "*@*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-containersecuritycontext.yaml
+++ b/.kyverno/policies/require-containersecuritycontext.yaml
@@ -1,244 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-containersecuritycontext"
-  annotations:
-    policies.kyverno.io/title: "ContainerSecurityContext best practices are set."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      The containerSecurityContext is the most important security-related section because it has the highest precedence
-      and restricts the container to its minimal privileges.
-spec:
-  background: true
-  rules:
-    - name: "require-ro-rootfs"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Root filesystem must be read-only."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  readOnlyRootFilesystem: true
-            =(initContainers):
-              - securityContext:
-                  readOnlyRootFilesystem: true
-            containers:
-              - securityContext:
-                  readOnlyRootFilesystem: true
-
-    - name: "require-no-privilege-escalation"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Disallow privilege escalation."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  allowPrivilegeEscalation: false
-            =(initContainers):
-              - securityContext:
-                  allowPrivilegeEscalation: false
-            containers:
-              - securityContext:
-                  allowPrivilegeEscalation: false
-
-    - name: "require-all-capabilities-dropped"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Required to drop ALL linux capabilities."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-            =(initContainers):
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-            containers:
-              - securityContext:
-                  capabilities:
-                    drop:
-                      - "ALL"
-
-    - name: "require-no-privileged"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Disallow privileged container."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  privileged: false
-            =(initContainers):
-              - securityContext:
-                  privileged: false
-            containers:
-              - securityContext:
-                  privileged: false
-
-    - name: "require-run-as-user"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run as non-root user."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsUser: ">0"
-            =(initContainers):
-              - securityContext:
-                  runAsUser: ">0"
-            containers:
-              - securityContext:
-                  runAsUser: ">0"
-
-    - name: "require-run-as-group"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run as non-root group."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsGroup: ">0"
-            =(initContainers):
-              - securityContext:
-                  runAsGroup: ">0"
-            containers:
-              - securityContext:
-                  runAsGroup: ">0"
-
-    - name: "require-seccomp-profile"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must have seccompProfile"
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-            =(initContainers):
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-            containers:
-              - securityContext:
-                  seccompProfile:
-                    type: "RuntimeDefault | Localhost"
-
-    - name: "require-run-as-non-root"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "Container must run in non-root mode."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  runAsNonRoot: true
-            =(initContainers):
-              - securityContext:
-                  runAsNonRoot: true
-            containers:
-              - securityContext:
-                  runAsNonRoot: true
-
-    - name: "require-empty-seLinuxOptions"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: "SELinux options have to be unset."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - securityContext:
-                  seLinuxOptions:
-            =(initContainers):
-              - securityContext:
-                  seLinuxOptions:
-            containers:
-              - securityContext:
-                  seLinuxOptions:
-
-    - name: "require-default-procMount"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: >-
-          Changing the proc mount from the default is not allowed. The fields
-          spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,
-          and spec.ephemeralContainers[*].securityContext.procMount must be unset or
-          set to `Default`.
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - =(securityContext):
-                  =(procMount): "Default"
-            =(initContainers):
-              - =(securityContext):
-                  =(procMount): "Default"
-            containers:
-              - =(securityContext):
-                  =(procMount): "Default"
-
-    - name: "restrict-sysctls"
-      match:
-        resources:
-          kinds:
-            - "Pod"
-      validate:
-        message: >-
-          Setting additional sysctls above the allowed type is not allowed.
-          The field spec.securityContext.sysctls must be unset or not use any other names
-          than kernel.shm_rmid_forced, net.ipv4.ip_local_port_range,
-          net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies and
-          net.ipv4.ping_group_range.
-        pattern:
-          spec:
-            =(securityContext):
-              =(sysctls):
-                - =(name): >-
-                    kernel.shm_rmid_forced |
-                    net.ipv4.ip_local_port_range |
-                    net.ipv4.ip_unprivileged_port_start |
-                    net.ipv4.tcp_syncookies |
-                    net.ipv4.ping_group_range
-
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-health-and-liveness-check.yaml
+++ b/.kyverno/policies/require-health-and-liveness-check.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-health-and-liveness-check"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      Liveness and readiness probes need to be configured to correctly manage a Pod's lifecycle during deployments,
-      restarts, and upgrades.
-      For each Pod, a periodic `livenessProbe` is performed by the kubelet to determine if the Pod's containers are
-      running or need to be restarted.
-      A `readinessProbe` is used by Services and Pods to determine if the Pod is ready to receive network traffic.
-      This policy validates that all containers have livenessProbe and readinessProbe defined.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-health-and-liveness-check"
-      validate:
-        message: >-
-          Liveness and readiness probes are required. spec.containers[*].livenessProbe.periodSeconds must be set to a
-          value greater than 0.
-        pattern:
-          spec:
-            containers:
-              - livenessProbe:
-                  periodSeconds: ">0"
-                readinessProbe:
-                  periodSeconds: ">0"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-imagepullpolicy.yaml
+++ b/.kyverno/policies/require-imagepullpolicy.yaml
@@ -1,51 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-imagepullpolicy"
-  annotations:
-    policies.kyverno.io/title: "Disallow usage of latest tag"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to
-      ensure later pulls get an updated image in case the latest tag gets updated.
-      This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or
-      where a tag is not defined at all.
-      Additionally this policy checks if the variable `.Values.global.imagePullPolicy` is used in templates.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-imagePullPolicy"
-      validate:
-        message: >-
-          The imagePullPolicy must be set to `Always` when the `latest` tag is used, otherwise the value from
-          `.Values.global.imagePullPolicy` has to be used.
-        anyPattern:
-          - spec:
-              =(ephemeralContainers):
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-              =(initContainers):
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-              containers:
-                - (image): "*:latest | !*:*"
-                  imagePullPolicy: "Always"
-          - spec:
-              =(ephemeralContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-              =(initContainers):
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-              containers:
-                - (image): "!*:latest"
-                  imagePullPolicy: "kyverno"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-requests-limits"
-  annotations:
-    policies.kyverno.io/title: "Require resources cpu/memory request and limits."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      As application workloads share cluster resources, it is important to limit resources requested and consumed by
-      each Pod.
-      It is recommended to require resource requests and limits per Pod, especially for memory and CPU.
-      If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on
-      the LimitRange configuration.
-      This policy validates that all containers have specified requests for memory and CPU and a limit for memory.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "validate-resources"
-      validate:
-        message: "CPU and memory resource requests and limits are required."
-        pattern:
-          spec:
-            containers:
-              - resources:
-                  limits:
-                    memory: "?*"
-                  requests:
-                    cpu: "?*"
-                    memory: "?*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/require-tag-and-digest.yaml
+++ b/.kyverno/policies/require-tag-and-digest.yaml
@@ -1,35 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "require-tag-and-digest"
-  annotations:
-    policies.kyverno.io/title: "Require tag and digest for image."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      To ensure that containers are not compromised in container registry by pushing malicious code to the same tag, it
-      is required to reference images by setting a sha256 hashed digest.
-      Setting only the digest is complicated for humans to compare software versions, therefore in openDesk it is
-      required to reference container images by tag and digest.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "require-tag-and-digest"
-      validate:
-        message: "An image tag and digest required."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "*:*@sha256:*"
-            =(initContainers):
-              - image: "*:*@sha256:*"
-            containers:
-              - image: "*:*@sha256:*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-image-registries.yaml
+++ b/.kyverno/policies/template-image-registries.yaml
@@ -1,33 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-image-registries"
-  annotations:
-    policies.kyverno.io/title: "Check image registry template"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that a custom external registry can be template to allow downloads from a private registry or
-      cache.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "template-image-registries"
-      validate:
-        message: "Unknown image registry."
-        pattern:
-          spec:
-            =(ephemeralContainers):
-              - image: "external-registry.souvap-univention.de/*"
-            =(initContainers):
-              - image: "external-registry.souvap-univention.de/*"
-            containers:
-              - image: "external-registry.souvap-univention.de/*"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-ingress.yaml
+++ b/.kyverno/policies/template-ingress.yaml
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-ingress"
-  annotations:
-    policies.kyverno.io/title: "Validate openDesk Ingress templating"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that ingress variables are templated.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Ingress"
-      name: "template-ingressClassName"
-      validate:
-        message: "Verifies that ingressClassName can be customized by `.Values.ingress.ingressClassName` variable."
-        pattern:
-          spec:
-            ingressClassName: "kyverno"
-    - match:
-        resources:
-          kinds:
-            - "Ingress"
-      name: "template-tls-secretName"
-      validate:
-        message: "Verifies that tls.secretName can be customized by `.Values.ingress.tls.secretName` variable."
-        pattern:
-          spec:
-            tls:
-              - secretName: "kyverno-tls"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-replicas.yaml
+++ b/.kyverno/policies/template-replicas.yaml
@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-replicas"
-  annotations:
-    policies.kyverno.io/title: "Validate openDesk Pod replicas templating"
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy verifies that `.Values.replicas.<app>` variables are templated.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Deployment"
-            - "StatefulSet"
-      name: "template-replicas"
-      validate:
-        message: "Verifies that replica count can be customized by `.Values.replicas.<app>` variable."
-        pattern:
-          spec:
-            replicas: 42
-
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-require-imagepullsecets.yaml
+++ b/.kyverno/policies/template-require-imagepullsecets.yaml
@@ -1,31 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-imagepullsecrets"
-  annotations:
-    policies.kyverno.io/title: "ImagePullSecrets template variable have to be implemented."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      It is recommended to cache images to ensure continuous image availability during network partitions, rate limiting
-      or registry outages.
-      These caches as well as a company proxy may require authentication which will be provided as ImagePullSecrets.
-      This is a openDesk test to ensure that environment variables are templated in Helmfile deployment.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "Pod"
-      name: "template-imagePullSecrets"
-      validate:
-        message: "ImagePullSecrets are required."
-        pattern:
-          spec:
-            imagePullSecrets:
-              - name: "kyverno-test"
-  validationFailureAction: "audit"
-...
--- a/.kyverno/policies/template-storage.yaml
+++ b/.kyverno/policies/template-storage.yaml
@@ -1,67 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-apiVersion: "kyverno.io/v1"
-kind: "ClusterPolicy"
-metadata:
-  name: "template-storage"
-  annotations:
-    policies.kyverno.io/title: "Validate storageClass and size templates."
-    policies.kyverno.io/subject: "Pod"
-    policies.kyverno.io/description: >-
-      This policy validates if `.Values.persistence.storageClassNames` variables are used in templates and if the size
-      of volumes can be customized by `.Values.persistence.size` variable.
-spec:
-  background: true
-  rules:
-    - match:
-        resources:
-          kinds:
-            - "StatefulSet"
-      name: "template-storageClassName-pod"
-      validate:
-        message: "VolumeClaims inside pods needs to have storageClass set when templated."
-        pattern:
-          spec:
-            (volumeClaimTemplates):
-              - spec:
-                  storageClassName: "kyverno-test"
-    - match:
-        resources:
-          kinds:
-            - "PersistentVolumeClaim"
-      name: "template-storageClassName-pvc"
-      validate:
-        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
-        pattern:
-          spec:
-            storageClassName: "kyverno-test"
-
-    - match:
-        resources:
-          kinds:
-            - "StatefulSet"
-      name: "template-requests-storage-pod"
-      validate:
-        message: "VolumeClaims inside pods needs to have storageClass set when templated."
-        pattern:
-          spec:
-            (volumeClaimTemplates):
-              - spec:
-                  resources:
-                    requests:
-                      storage: "42Gi"
-    - match:
-        resources:
-          kinds:
-            - "PersistentVolumeClaim"
-      name: "template-requests-storage-pvc"
-      validate:
-        message: "PersistentVolumeClaim needs to have storageClassName set when templated."
-        pattern:
-          spec:
-            resources:
-              requests:
-                storage: "42Gi"
-  validationFailureAction: "audit"
-...
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,77 +1,3 @@
-## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
-
-
-### Bug Fixes
-
-* **ci:** Move main development repo OpenCoDE ([43718b8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/43718b8da2966b87fab8e206df449c923f6615e7))
-* **ci:** Run release pipeline only on pushes to main ([13dcb00](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/13dcb004419b4efd8ded8c25e7afa41d10156be8))
-* **ci:** Update kyverno rules ([d9263c9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9263c90110df241adaef8d1a5df8e8d8ceda11b))
-* **docs:** Add missing footnote regarding Nubus ([bc6e4f8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc6e4f8e5dcc32cc476de579fd56dbade79b7c31))
-* **nextcloud:** Set admin priviledges for users in central IAM ([a3e415d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a3e415d575ba24b99e741994fb29d0f0cfd11d8a))
-* **univention-management-stack:** Scaling udm-rest-api ([57d0f61](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/57d0f61b2c3e789b72a0098907817c97fee69268))
-* **univention-management-stack:** Set Keycloak CSP header to allow session continuation in admin portal. ([a398e5a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a398e5aaf131c1f00b09e1776d6daf10f2c343ad))
-* **univention-management-stack:** UMS portal-server scalability ([b1b4c28](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b1b4c28618e0eca31b59719e9e1f2db8ecff7f5c))
-* **univention-management-stack:** Univention Portal upstream codefixes version bump ([c2f62f7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2f62f7c9487b2119b0d3efd98b40c92efb97c5d))
-* **univention-management-stack:** Update provisioning to fix high CPU usage when in idle ([d9c23bd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9c23bdf0b955c0b5e4c82dd1ee785b75ce18a3b))
-
-## [0.5.77](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.76...v0.5.77) (2024-02-16)
-
-
-### Bug Fixes
-
-* **ci:** Complete CI var usage for external registry ([3bcdcd0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3bcdcd06b7c4829686f11b8f065ec38829b5a5a6))
-* **ci:** Update openDesk CI Lint to v2.3.1 ([250ef2b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/250ef2bc3fe9047b49b236b606ec3e3fa28e13ce))
-* **collabora:** Add chart validation ([0159902](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01599022f14d447dfdadf390ca9e8e29668dfb07))
-* **collabora:** Bump to 23.05.9.1.1 ([b525a81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b525a814fc25867c068579d5cbd8d1a993144519))
-* **cryptpad:** Update chart to v0.0.18 ([6f0b1f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6f0b1f37fc06c40bf537dbaed60f314341211e41))
-* **docs:** Add functional component table referencing the component versions to README.md ([bc7eeb8](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bc7eeb8c9d3dd19f625d6f7ba94b15eb4b782d20))
-* **docs:** Add generated security-context.md ([d9e07ff](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d9e07ff7bd0e8be090f4fe2c370fa9978c22dfd5))
-* **element:** Change name of neodatefix bot job ([dd535da](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dd535daac0bb0e602eefa45e8dc448fd07fbdd33))
-* **element:** Disable e2ee ([ba0824b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ba0824bac30ae1fc43458bdc8c09a143076e874c))
-* **helmfile:** Add additional provisioning components and configuration ([110ff56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/110ff56f7487e7ac89b1b75c8c63d04e1c2a41c0))
-* **helmfile:** Add seLinuxOptions for all applications ([02d04fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/02d04faa2a8d8a0b3bfc179cc8efb3fec086bc70))
-* **helmfile:** Annotations in image.yaml ([7ebbd03](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ebbd03bdcb11abf4e459035c459b74adf8cfcda))
-* **helmfile:** Bump Collabora Chart to 1.11.1 and Image to 23.05.8.4.1 ([d2b1f0b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d2b1f0b07b5ebe4b98b2dc29b916857e28ce5706))
-* **helmfile:** Fix annotations in images.yaml ([acaec3b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/acaec3b8ac6e0ecd58167fca874cd56caa15fa98))
-* **helmfile:** Fix umsPortalFrontend image annotation ([8f83261](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8f832619864504eaa04945a9a79d6790d2ab8a48))
-* **helmfile:** Improve debugging ([56f5e35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/56f5e35895c712440c1a7d249be672c86fc34eeb))
-* **nextcloud:** Bump openincryptpad to 0.3.3 and disable circles app ([f2b8acf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f2b8acfba85d384ed425779fa52133935e553e86))
-* **nextcloud:** Set backchannel logout url ([c0fc225](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c0fc225349794034feea1d0c05b29068b9a455af))
-* **nextcloud:** Update image, nextcloud apps and chart ([fd2a66f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd2a66f8f2a987aa71872122267f29aee3d5f22a))
-* **nextcloud:** Update nextcloud image and chart to support upgrades ([5d95e7a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5d95e7ab2a71097d8c6231bff8c3a6aa3b6f163a))
-* **nextcloud:** Update to Nextcloud to v28 ([7c9f38f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7c9f38f06e1f0d000992ecdfd77921d6fc28015c))
-* **open-xchange:** Bump Gotenberg image ([49f126d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/49f126d169759b3e9dd130101e64892822750d7b))
-* **open-xchange:** Dovecot image on OpenCoDE without mirror ([1396071](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/139607186549f7a9a129023f1f72aff82cf36460))
-* **openproject:** Bump version to 13.3.0 ([c2087ef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c2087efcf95bf2eef19556ba1a1d26b7807021c4))
-* **univention-management-stack:** New device login notifications on first login with 2FA ([ee1a337](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/ee1a337ab5dea7001045860eb6a5bee1dfc84219))
-* **univention-management-stack:** Patches not applied to uldap ([2909e1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2909e1d821397797244d7c11c0935a3bbc902bb1))
-* **univention-management-stack:** Support for object-storage icons and portal files ([83ac645](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/83ac645faec748e773dd7940ca0ca1102bd6dff3))
-* **univention-management-stack:** Update NGINX Helm chart to 15.9.3 ([c16c0ac](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c16c0ac7955e64254214d7129ae70d5dd8808743))
-* **univention-management-stack:** Update otterize to allow umc-server communication with memcached ([6c15dc1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6c15dc1d668623ddd95090e321d1bb268e681db5))
-* **xwiki:** Add bottom border to top nav bar to be aligned with the other components ([affa92c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/affa92cde2caa175707f8ae0e8d4adedbdceb608))
-* **xwiki:** Bump XWiki chart to 1.3.0 ([cabee0c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cabee0c9da3a32e180931b3bd490ba8f83aadb79))
-
-## [0.5.76](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.75...v0.5.76) (2024-01-24)
-
-
-### Bug Fixes
-
-* **nextcloud:** Correct indent in monitoring resources ([bea1413](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/bea1413b860aa69cab3bb4a9dfb6d8593594cc25))
-* **services:** Monitoring for minio with correct labels and there are no prometheusRule ([af63e5c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/af63e5c18dbd6d7d1e1ebd79ad91c4f994fe7003))
-* **univention-management-stack:** Fix external registry for nats charts ([cbb33b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cbb33b922d397467d01a9227f3eb18d789cdc39c))
-
-## [0.5.75](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.74...v0.5.75) (2024-01-24)
-
-
-### Bug Fixes
-
-* **ci:** Add Kyverno CI Lint ([e778a59](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e778a59cddecc7c73b827e03af5e47ddd5c3dcee))
-* **helmfile:** Cleanup and small conformity fixes ([db0a544](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db0a5441550ae08450afc04ef274ff8d19e85138))
-* **helmfile:** Merge .yaml and .gotmpl files for Services, Provisioning, Cryptpad, Intercom-Service and Element ([a49daa6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a49daa6fa27dc7c51c3163b1155eec33b78949f5))
-* **helmfile:** Split image and helm registry ([89c149a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/89c149af954a6f0884ae905e55b52e8db9036b05))
-* **univention-management-stack:** UMC secure session cookie ([67f7c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/67f7c050387157808f010857395715335b42d767))
-* **univention-management-stack:** Update guardian to version 2 ([a99f338](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a99f3389dc90aa89ce2ba4bcfc266a2dfdf15ab9))
-
 ## [0.5.74](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/compare/v0.5.73...v0.5.74) (2024-01-12)


--- a/README.md
+++ b/README.md
@@ -3,62 +3,67 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 -->

-<h1>openDesk Deployment Automation</h1>
+![logo](./helmfile/environments/default/theme/logo_portal_background.svg)
+
+openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
+Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
+
+It features:
+- Fully integrated Identity Management (Univention)
+- File storage (Nextcloud)
+- Weboffice (Collabora)
+- Videoconference (Nordeck w/ Jitsi)
+- Chat and Collaboration (Element w/ Nordeck)
+- Groupware (OX Appsuite)
+- Wiki (XWiki)
+- Project Management (OpenProject)
+- Notes and Diagrams (Cryptpad)
+
+openDesk integrates these components and is working towards a seamless user experience.
+
+While not all components are perfectly shaped for the execution inside containers, one of the project objectives is to
+align the applications with the best practises regarding container design and operations.
+
+This documentation aims to give you all that is needed to set up your own instance of the openDesk.
+Basic knowledge of Kubernetes and Devops is required though.

 <!-- TOC -->
-* [Overview](#overview)
-* [Disclaimer](#disclaimer)
+* [Active development notice](#active-development-notice)
+* [Feedback](#feedback)
 * [Requirements](#requirements)
 * [Getting started](#getting-started)
 * [Advanced customization](#advanced-customization)
 * [Releases](#releases)
 * [Components](#components)
-* [Feedback](#feedback)
 * [License](#license)
 * [Copyright](#copyright)
-* [Footnotes](#footnotes)
 <!-- TOC -->

-# Overview
-
-openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
-Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
-
-openDesk currently features the following functional main components:
-
-| Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
-| -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
-| Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
-| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
-| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released) | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation) |
-| Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
-| Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
-| Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
-
-While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
-align the applications with best practises regarding container design and operations.
-
-This documentation aims to give you all that is needed to set up your own instance of the openDesk.
-
-Basic knowledge of Kubernetes and DevOps processes is required though.
-
-# Disclaimer
-
+# Active development notice
 openDesk will face breaking changes in the near future without upgrade paths before
 [technical release](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases)
 v1.0.0 is reached.

 While most components support upgrades, major configuration or component changes may occur, therefore we recommend
-from scratch installations for now.
+at the moment always installing from scratch.

-In the next months, we not only expect to integrate upstream updates of the functional components to include their
-most recent feature and security sets, but also to address operational topics like scalability for the openDesk
-platform.
+Components that are going to be replaced soon are:
+- the Nextcloud community container is going to be replaced by an openDesk specific Nextcloud distroless container and
+- Dovecot Community is going to be replaced by a Dovecot container tailored for the needs of the public sector.

-Of course, further development also includes enhancing the documentation itself.
+In the next months, we not only expect upstream updates of the functional components within their feature scope, but we
+are also going to address operational issues like monitoring and network policies.
+
+Of course, further development also includes enhancing the documentation.
+
+# Feedback
+
+We love to get feedback from you!
+Related to the deployment / contents of this repository,
+please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
+
+If you want to address other topics, please check the section
+["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).

 # Requirements

@@ -88,35 +93,16 @@ The following release artefacts are provided beside the default source code asse
 - `chart-index.json`: An overview of all Helm charts used by the release.
 - `image-index.json`: An overview of all container images used by the release.

-⟶ Visit our detailed [Workflow](./docs/workflow.md) docs.
+⟶ Visit out detailed [Workflow](./docs/workflow.md) docs.

 # Components

 ⟶ Visit our detailed [Component](./docs/components.md) docs.

-# Feedback
-
-We love to get feedback from you!
-
-Related to the deployment / contents of this repository,
-please use the [issues within this project](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/issues).
-
-If you want to address other topics, please check the section
-["Rückmeldungen und Beteiligung" of the Infos' project OVERVIEW.md](https://gitlab.opencode.de/bmi/opendesk/info/-/blob/main/OVERVIEW.md#rückmeldungen-und-beteiligung).

 # License

 This project uses the following license: Apache-2.0

 # Copyright
-
-Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-
-# Footnotes
-
-[^1]: Nubus is the Cloud Portal and IAM from Univention.
-It is currently integrated as a product preview within openDesk therefore,
-not all resources like documentation and structured release notes are available,
-while the
-[source code can already be found on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/component-code/crossfunctional/univention).
-Please find updates regarding the Nubus at https://nubus.io.
+Copyright (C) 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
--- a/docs/components.md
+++ b/docs/components.md
@@ -58,14 +58,12 @@ Some use cases require inter component integration.
 ```mermaid
 flowchart TD
  OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
-  Element-->|CentralNavigation|IntercomService
  IntercomService-->|SilentLogin, TokenExchange|IdP
  IntercomService-->|Filepicker|Nextcloud
  IntercomService-->|CentralNavigation|Portal
  OXAppSuiteBackend-->|Filepicker|Nextcloud
  Nextcloud-->|CentralNavigation|Portal
  OpenProject-->|CentralNavigation|Portal
-  OpenProject-->|Filestore|Nextcloud
  XWiki-->|CentralNavigation|Portal
  Nextcloud-->|CentralContacts|OXAppSuiteBackend
  OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
@@ -126,7 +124,7 @@ flowchart TD
    A[OX AppSuite]-->L
    D[OX Dovecot]-->L
    P[Portal/Admin]-->L
-    X[XWiki]-->L
+    X[XWiki]-->|in 2023|L
    A-->K
    N-->K
    D-->K
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -1,83 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-->
-<h1>Debugging</h1>
-
-* [Disclaimer](#disclaimer)
-* [Enable debugging](#enable-debugging)
-* [Components](#components)
-  * [MariaDB](#mariadb)
-  * [Nextcloud](#nextcloud)
-  * [OpenProject](#openproject)
-  * [PostgreSQL](#postgresql)
-
-# Disclaimer
-
-This document collects information how to deal with debugging an openDesk deployment.
-
-It will be extended over time as we have to deal with debugging cases.
-
-We for sure do not want to reinvent the wheel, so we might link to external sources that contain helpful
-information where available.
-
-**Note:** You should never enable debug in production environments! By looking up `debug.enable` in the deployment you
-will find the various places changes are applied when enabling debugging. So outside of development and test
-environments you may want to make use of them in a very thoughtful and selective manner if needed.
-
-# Enable debugging
-
-Set `debug.enable` to `true` in [`debug.yaml`](../helmfile/environments/default/debug.yaml) to set the
-component's loglevel to debug and it get some features like:
- The `/admin` console is routed for Keycloak.
- An ingress for `http://minio-console.<your_domain>` is configured.
-and set the loglevel for components to "Debug".
-
-**Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
-
-# Components
-
-## MariaDB
-
-When using the openDesk bundled MariaDB you can explore database(s) using the MariaDB interactive terminal from the pod's command line: `mariadb -u root -p`. As password provide the value for `MARIADB_ROOT_PASSWORD` set in the pod's environment.
-
-While you will find all details for the CLI tool in [the online documentation](https://mariadb.com/kb/en/mariadb-command-line-client/), some quick commands are:
-
- `help`: Get help on the psql command set
- `show databases`: Lists all databases
- `use <databasename>`: Connect to `<databasename>`
- `show tables`: Lists tables within the currently connected database
- `quit`: Quit the client
-
-## Nextcloud
-
-`occ` is the CLI for Nextcloud, all the details can be found in the [upstream documentation](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html).
-
-You can run occ commands in the `opendesk-nextcloud-php` pod like this: `php /var/www/html/occ config:list`
-
-## OpenProject
-
-OpenProject is a Ruby on Rails application. Therefore you can make use of the Rails console from the pod's command line `bundle exec rails console`
-
-and run debug code like this:
-
-```
-uri = URI('https://nextcloud.url/index.php/apps/integration_openproject/check-config')
-Net::HTTP.start(uri.host, uri.port,
-  :use_ssl => uri.scheme == 'https') do |http|
-  request = Net::HTTP::Get.new uri
-  response = http.request request # Net::HTTPResponse object
-end
-```
-
-## PostgreSQL
-
-When using the openDesk bundled PostgreSQL you can explore database(s) using the PostgreSQL interactive terminal from the pod's command line: `psql -U postgres`.
-
-While you will find all details in the [psql subsection](https://www.postgresql.org/docs/current/app-psql.html)) of the PostgreSQL documentation, some quick commands are:
-
- `\?`: Get help on the psql command set
- `\l`: Lists all databases
- `\c <databasename>`: Connect to `<databasename>`
- `\dt`: List (describe) tables within the currently connected database
- `\q`: Quit the client
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -12,7 +12,7 @@ This documentation should enable you to create your own evaluation instance of o
 * [Customize environment](#customize-environment)
  * [Domain](#domain)
    * [Apps](#apps)
-  * [Private registries](#private-registries)
+  * [Private Helm chart and container image registry](#private-helm-chart-and-container-image-registry)
  * [Cluster capabilities](#cluster-capabilities)
    * [Service](#service)
    * [Networking](#networking)
@@ -126,7 +126,7 @@ jitsi:
  enabled: false
 ```

-## Private registries
+## Private Helm chart and container image registry

 By default Helm charts and container images are fetched from OCI registries. These registries can be found for most cases
 in the [openDesk/component section on Open CoDE](https://gitlab.opencode.de/bmi/opendesk/components).
@@ -137,9 +137,8 @@ like Docker Hub.
 Doing a test deployment will most likely be fine with this setup. In case you want to deploy multiple times a day
 and fetch from the same IP address you might run into rate limits at Docker Hub. In that case and in cases you
 prefer the use of a private image registry anyway you can configure such for
-[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting
- `global.imageRegistry` for a private image registry and
- `global.helmRegistry` for a private Helm chart registry.
+[your target environment](./../helmfile/environments/dev/values.yaml.gotmpl.sample) by setting `global.imageRegistry`
+like this:

 ```yaml
 global:
@@ -356,12 +355,17 @@ by your specified subdomain.
 # Replace with your namespace
 NAMESPACE=your-namespace

-# Get ConfigMap with credentials
-kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}'
+# Get credentials from ConfigMap
+kubectl -n ${NAMESPACE} get cm ums-stack-data-swp-data -o jsonpath='{.data.dev-test-users\.yaml}' \
+  | yq '.properties.username,.properties.password'
+# default.user
+# 40615..............................e9e2f
+# ---
+# default.admin
+# bdbbb..............................04db6
 ```

-Renders you a two part ConfigMap where the `username` and `password` attributes in the `properties`
-section provide you with the desired information to login with the two default user roles:
+Now you can log in with obtained credentials:

 | Username        | Password                                   | Description      |
 |-----------------|--------------------------------------------|------------------|
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -7,7 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 This section covers the internal system requirements as well as external service requirements for productive use.

 <!-- TOC -->
-* [tl;dr](#tldr)
+* [TL;DR;](#tldr)
 * [Hardware](#hardware)
 * [Kubernetes](#kubernetes)
 * [Ingress controller](#ingress-controller)
@@ -17,7 +17,7 @@ This section covers the internal system requirements as well as external service
 * [Deployment](#deployment)
 <!-- TOC -->

-# tl;dr
+# TL;DR;
 openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s) cluster.

 - K8s cluster >= 1.24, [CNCF Certified Kubernetes Distro](https://www.cncf.io/certification/software-conformance/)
--- a/docs/scaling.md
+++ b/docs/scaling.md
@@ -21,7 +21,7 @@ marked with a gear.


 | Component        | Name                                     | Scaling (effective) | Scaling (verified) |
-|-----------------------------|------------------------------------------|:-------------------:|:------------------:|
+|------------------|------------------------------------------|:-------------------:|:------------------:|
 | ClamAV           | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.freshclam`                     |         :x:         |        :x:         |
@@ -39,7 +39,7 @@ marked with a gear.
 |                  | `replicas.synapse`                       |         :x:         |       :gear:       |
 |                  | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
 |                  | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
+| Intercom Service | `replicas.intercomService`               | :white_check_mark:  |       :gear:       |
 | Jitsi            | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
 |                  | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
@@ -54,8 +54,4 @@ marked with a gear.
 | OpenProject      | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
 | Postfix          | `replicas.postfix`                       |         :x:         |       :gear:       |
 | Redis            | `replicas.redis`                         |       :gear:        |       :gear:       |
-| Univention Management Stack |                                          |       :gear:        |       :gear:       |
-|                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
 | XWiki            | `replicas.xwiki`                         |         :x:         |       :gear:       |
--- a/docs/security-context.md
+++ b/docs/security-context.md
@@ -1,227 +0,0 @@
-<!--
-SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-->
-<h1>Kubernetes Security Context</h1>
-
-* [Container Security Context](#container-security-context)
-  * [allowPrivilegeEscalation](#allowprivilegeescalation)
-  * [capabilities](#capabilities)
-  * [privileged](#privileged)
-  * [runAsUser](#runasuser)
-  * [runAsGroup](#runasgroup)
-  * [seccompProfile](#seccompprofile)
-  * [readOnlyRootFilesystem](#readonlyrootfilesystem)
-  * [runAsNonRoot](#runasnonroot)
-* [Status quo](#status-quo)
-
-# Container Security Context
-
-
-The containerSecurityContext is the most important security-related section because it has the highest precedence and restricts the container to its minimal privileges.
-
-## allowPrivilegeEscalation
-
-
-Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed (Linux only) at any time.
-
-```yaml
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-```
-
-## capabilities
-
-
-Containers must drop ALL capabilities, and are only permitted to add back the `NET_BIND_SERVICE` capability (Linux only).
-
-
-**Optimal:**
-
-```yaml
-containerSecurityContext:
-  capabilities:
-    drop:
-      - "ALL"
-```
-
-
-**Allowed:**
-
-```yaml
-containerSecurityContext:
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "NET_BIND_SERVICE"
-```
-
-## privileged
-
-
-Privileged Pods disable most security mechanisms and must be disallowed.
-
-```yaml
-containerSecurityContext:
-  privileged: false
-```
-
-## runAsUser
-
-
-Containers should set a user id >= 1000 and never use 0 (root) as user.
-
-```yaml
-containerSecurityContext:
-  runAsUser: 1000
-```
-
-## runAsGroup
-
-
-Containers should set a group id >= 1000 and never use 0 (root) as user.
-
-```yaml
-containerSecurityContext:
-  runAsGroup: 1000
-```
-
-## seccompProfile
-
-
-Seccomp profile must be explicitly set to one of the allowed values. An unconfined profile and the complete absence of the profile are prohibited.
-
-```yaml
-containerSecurityContext:
-  seccompProfile:
-    type: "RuntimeDefault"
-```
-
-
-or
-
-```yaml
-containerSecurityContext:
-  seccompProfile:
-    type: "Localhost"
-```
-
-## readOnlyRootFilesystem
-
-
-Containers should have an immutable file systems, so that attackers could not modify application code or download malicious code.
-
-```yaml
-containerSecurityContext:
-  readOnlyRootFilesystem: true
-```
-
-## runAsNonRoot
-
-
-Containers must be required to run as non-root users.
-
-```yaml
-containerSecurityContext:
-  runAsNonRoot: true
-```
-
-# Status quo
-
-
-openDesk aims to achieve that all security relevant settings are explicitly templated and comply with security recommendations.
-
-
-The rendered manifests are also validated against Kyverno [policies](/.kyverno/policies) in CI to ensure that the provided values inside openDesk are also properly templated by the given Helm charts.
-
-
-This list gives you an overview of templated security settings and if they comply with security standards:
-
-
- - **yes**: Value is set to `true`
- - **no**: Value is set to `false`
- - **n/a**: No explicitly templated in openDesk and default is used.
-
-| process | status | allowPrivilegeEscalation | privileged | readOnlyRootFilesystem | runAsNonRoot | runAsUser | runAsGroup | seccompProfile | capabilities |
-| ------- | ------ | ------------------------ | ---------- | ---------------------- | ------------ | --------- | ---------- | -------------- | ------------ |
-| **collabora**/collabora-online | :x: | yes | no | no | yes | 100 | 101 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT","MKNOD"] |
-| **cryptpad**/cryptpad | :x: | no | no | no | yes | 4001 | 4001 | yes | yes |
-| **element**/matrix-neoboard-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/matrix-neochoice-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/matrix-neodatefix-bot | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/matrix-neodatefix-bot-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/matrix-neodatefix-widget | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/opendesk-element | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/opendesk-matrix-user-verification-service | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **element**/opendesk-matrix-user-verification-service-bootstrap | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/opendesk-synapse | :white_check_mark: | no | no | yes | yes | 10991 | 10991 | yes | yes |
-| **element**/opendesk-synapse-web | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **element**/opendesk-well-known | :white_check_mark: | no | no | yes | yes | 101 | 101 | yes | yes |
-| **intercom-service**/intercom-service | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
-| **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
-| **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
-| **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
-| **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
-| **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |
-| **jitsi**/jitsi/patchJVB | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **nextcloud**/opendesk-nextcloud-management | :x: | no | no | no | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/apache2 | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/exporter | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **nextcloud**/opendesk-nextcloud/php | :white_check_mark: | no | no | yes | yes | 65532 | 65532 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-documentconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-guidedtours | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-imageconverter | :x: | no | no | no | yes | 987 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-mw/gotenberg | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-ui-middleware | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/core-user-guide | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/appsuite/guard-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/nextcloud-integration-ui | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **open-xchange**/open-xchange/public-sector-ui | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject**/openproject | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **openproject-bootstrap**/opendesk-openproject-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **provisioning**/ox-connector | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **services**/clamav | :x: | no | no | yes | no | 0 | 0 | yes | no |
-| **services**/clamav-simple | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/clamd | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/freshclam | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/icap | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/clamav/milter | :white_check_mark: | no | no | yes | yes | 100 | 101 | yes | yes |
-| **services**/mariadb | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/memcached | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/minio | :x: | no | no | no | yes | 1000 | 0 | yes | yes |
-| **services**/postfix | :x: | yes | yes | no | no | 0 | 0 | yes | no |
-| **services**/postgresql | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **services**/redis/master | :white_check_mark: | no | no | yes | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/opendesk-keycloak-bootstrap | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-guardian-authorization-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-guardian-management-api | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-guardian-management-ui | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-keycloak | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-keycloak-bootstrap | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-keycloak-extensions/handler | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-keycloak-extensions/proxy | :white_check_mark: | no | no | yes | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-ldap-notifier | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums-ldap-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-notifications-api | :x: | no | no | no | no | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-open-policy-agent | :x: | no | no | no | yes | 1000 | 1000 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-portal-frontend | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-portal-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-portal-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-provisioning/dispatcher | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-provisioning/events-and-consumer-api | :x: | no | no | no | yes | 1000 | 1000 | yes | yes |
-| **univention-management-stack**/ums-provisioning/udm-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-selfservice-listener | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-stack-data-swp | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums-stack-data-ums | :x: | no | no | no | no | 0 | 0 | yes | yes |
-| **univention-management-stack**/ums-stack-gateway | :x: | no | no | no | yes | 1001 | 1001 | yes | yes |
-| **univention-management-stack**/ums-store-dav | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-udm-rest-api | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-umc-gateway | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **univention-management-stack**/ums-umc-server | :x: | no | no | no | no | 0 | 0 | yes | no ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE","NET_RAW","SYS_CHROOT"] |
-| **xwiki**/xwiki | :x: | no | no | no | yes | 100 | 101 | yes | yes |
-
-
-This file is auto-generated by [openDesk CI CLI](https://gitlab.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli)
--- a/docs/security.md
+++ b/docs/security.md
@@ -15,21 +15,89 @@ This document should cover the current status of security measurements.

 # Helm Chart Trust Chain

-Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
+Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.

-For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
-
-All charts except the ones mentioned below are verifiable:
+All charts except these are verifiable:

 | Repository        | Verifiable |
 |-------------------|:----------:|
+| collabora-repo    |     no     |
 | open-xchange-repo |     no     |

 # Kubernetes Security Enforcements

 This list gives you an overview of default security settings and if they comply with security standards:

-⟶ Visit our generated detailed [Security Context](./security-context.md) overview.
+
+| Component                   | Process                       |         =          | allowPrivilegeEscalation (`false`) |                                                           capabilities (`drop: ALL`)                                                           | seccompProfile (`RuntimeDefault`) | readOnlyRootFilesystem (`true`) | runAsNonRoot (`true`) | runAsUser | runAsGroup | fsGroup |
+|-----------------------------|-------------------------------|:------------------:|:----------------------------------:|:----------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------:|:-------------------------------:|:---------------------:|:---------:|:----------:|:-------:|
+| ClamAV                      | clamd                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | freshclam                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | icap                          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | milter                        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    100    |    101     |   101   |
+| Collabora                   | collabora                     |        :x:         |                :x:                 | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   100   |
+| CryptPad                    | cryptpad                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   4001    |    4001    |  4001   |
+| Dovecot                     | dovecot                       |        :x:         |         :white_check_mark:         |                          :x: (`CHOWN`, `DAC_OVERRIDE`, `KILL`, `NET_BIND_SERVICE`, `SETGID`, `SETUID`, `SYS_CHROOT`)                           |        :white_check_mark:         |       :white_check_mark:        |          :x:          |     -     |     -      |  1000   |
+| Element                     | element                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|                             | synapse                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   10991   |     -      |  10991  |
+|                             | synapseWeb                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+|                             | wellKnown                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |    101    |    101     |   101   |
+| IntercomService             | intercom-service              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Jitsi                       | jibri                         |        :x:         |                :x:                 |                                                               :x: (`SYS_ADMIN`)                                                                |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | jicofo                        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | jitsiKeycloakAdapter          | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1993    |    1993    |    -    |
+|                             | jvb                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | prosody                       |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | web                           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| MariaDB                     | mariadb                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Memcached                   | memcached                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     -      |  1001   |
+| Minio                       | minio                         | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Nextcloud                   | opendesk-nextcloud-apache2    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
+|                             | opendesk-nextcloud-cron       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
+|                             | opendesk-nextcloud-exporter   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
+|                             | opendesk-nextcloud-management |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   65532   |   65532    |  65532  |
+|                             | opendesk-nextcloud-php        | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   65532   |   65532    |  65532  |
+| Open-Xchange                | core-documentconverter        |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
+|                             | core-guidedtours              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-imageconverter           |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    987    |    1000    |    -    |
+|                             | core-mw-default               |        :x:         |                :x:                 |                                                                      :x:                                                                       |                :x:                |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | core-ui                       | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-ui-middleware            | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-ui-middleware-updater    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | core-user-guide               | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | gotenberg                     | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | guard-ui                      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | nextlcoud-integration-ui      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | public-sector-ui              | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+| OpenProject                 | openproject                   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | opendeskOpenprojectBootstrap  | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+| Postfix                     | postfix                       |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |
+| PostgreSQL                  | postgresql                    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+| Redis                       | redis                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |     0      |  1001   |
+| Univention Management Stack | guardian-authorization-api    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | guardian-management-api       |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | guardian-management-ui        |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | keycloak                      |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | keycloak-bootstrap            |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | keycloak-extension-handler    | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | keycloak-extension-proxy      | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |    -    |
+|                             | ldap-notifier                 |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | ldap-server                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | notifications-api             |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | opendesk-keycloak-bootstrap   | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1000    |    1000    |  1000   |
+|                             | open-policy-agent             |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | portal-frontend               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | portal-listener               |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | portal-server                 |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | provisioning-api              |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | selfservice-listener          |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | stack-gateway                 | :white_check_mark: |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |       :white_check_mark:        |  :white_check_mark:   |   1001    |    1001    |  1001   |
+|                             | store-dav                     |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | udm-rest-api                  |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | umc-gateway                   |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+|                             | umc-server                    |        :x:         |         :white_check_mark:         |     :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`)      |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |    -    |
+| XWiki                       | xwiki                         |        :x:         |         :white_check_mark:         |                                                               :white_check_mark:                                                               |        :white_check_mark:         |               :x:               |  :white_check_mark:   |    100    |    101     |   101   |
+|                             | xwiki initContainers          |        :x:         |                :x:                 |                                                                      :x:                                                                       |        :white_check_mark:         |               :x:               |          :x:          |     -     |     -      |   101   |

 # NetworkPolicies

--- a/helmfile/apps/collabora/helmfile.yaml
+++ b/helmfile/apps/collabora/helmfile.yaml
@@ -8,12 +8,10 @@ repositories:
  # Collabora Online
  # Source: https://github.com/CollaboraOnline/online
  - name: "collabora-online-repo"
-    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
-    verify: {{ .Values.charts.collabora.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.collabora.registry }}/\
      {{ .Values.charts.collabora.repository }}"

 releases:
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -126,7 +126,7 @@ securityContext:
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
-  seLinuxOptions: {{ .Values.seLinuxOptions.collabora }}
+
 serviceAccount:
  create: true
 ...
--- a/helmfile/apps/cryptpad/helmfile.yaml
+++ b/helmfile/apps/cryptpad/helmfile.yaml
@@ -13,15 +13,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.cryptpad.registry }}/\
-      {{ .Values.charts.cryptpad.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.cryptpad.registry }}/{{ .Values.charts.cryptpad.repository }}"

 releases:
  - name: "cryptpad"
    chart: "cryptpad-repo/{{ .Values.charts.cryptpad.name }}"
    version: "{{ .Values.charts.cryptpad.version }}"
    values:
-      - "values.yaml.gotmpl"
+      - "values.yaml"
+      - "values.gotmpl"
    installed: {{ .Values.cryptpad.enabled }}

 commonLabels:
--- a/helmfile/apps/cryptpad/values.gotmpl
+++ b/helmfile/apps/cryptpad/values.gotmpl
@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
+  tag: {{ .Values.images.cryptpad.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  className: {{ .Values.ingress.ingressClassName | quote }}
+  hosts:
+    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+      paths:
+        - path: "/"
+          pathType: "ImplementationSpecific"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/cryptpad/values.yaml.gotmpl
+++ b/helmfile/apps/cryptpad/values.yaml.gotmpl
@@ -22,30 +22,9 @@ enableEmbedding: true

 fullnameOverride: "cryptpad"

-image:
-  repository: "{{ .Values.global.imageRegistry | default .Values.images.cryptpad.registry }}/{{ .Values.images.cryptpad.repository }}"
-  tag: {{ .Values.images.cryptpad.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
 ingress:
-  enabled: {{ .Values.ingress.enabled }}
  annotations:
    nginx.org/websocket-services: "cryptpad"
-  className: {{ .Values.ingress.ingressClassName | quote }}
-  hosts:
-    - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
-      paths:
-        - path: "/"
-          pathType: "ImplementationSpecific"
-  tls:
-    - secretName: {{ .Values.ingress.tls.secretName | quote }}
-      hosts:
-        - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"

 persistence:
  enabled: false
@@ -53,28 +32,20 @@ persistence:
 podSecurityContext:
  fsGroup: 4001

-replicaCount: {{ .Values.replicas.cryptpad }}
-
-resources:
-  {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
-
 securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
+  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 4001
  runAsGroup: 4001
-  seLinuxOptions: {{ .Values.seLinuxOptions.cryptpad }}

 serviceAccount:
  create: true

 workloadStateful: false
-
 ...
--- a/helmfile/apps/element/helmfile.yaml
+++ b/helmfile/apps/element/helmfile.yaml
@@ -13,40 +13,35 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.element.registry }}/\
-      {{ .Values.charts.element.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.element.registry }}/{{ .Values.charts.element.repository }}"
  - name: "element-well-known-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.elementWellKnown.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.elementWellKnown.registry }}/\
-      {{ .Values.charts.elementWellKnown.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.elementWellKnown.registry }}/{{ .Values.charts.elementWellKnown.repository }}"
  - name: "synapse-web-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseWeb.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseWeb.registry }}/\
-      {{ .Values.charts.synapseWeb.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseWeb.registry }}/{{ .Values.charts.synapseWeb.repository }}"
  - name: "synapse-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapse.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapse.registry }}/\
-      {{ .Values.charts.synapse.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapse.registry }}/{{ .Values.charts.synapse.repository }}"
  - name: "synapse-create-account-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.synapseCreateAccount.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.synapseCreateAccount.registry }}/\
-      {{ .Values.charts.synapseCreateAccount.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.synapseCreateAccount.registry }}/{{ .Values.charts.synapseCreateAccount.repository }}"

  # openDesk Matrix Widgets
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets
@@ -56,7 +51,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixUserVerificationService.registry }}/\
      {{ .Values.charts.matrixUserVerificationService.repository }}"
  - name: "matrix-neoboard-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -64,32 +59,28 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
-      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neochoice-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeoboardWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/\
-      {{ .Values.charts.matrixNeoboardWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeoboardWidget.registry }}/{{ .Values.charts.matrixNeoboardWidget.repository }}"
  - name: "matrix-neodatefix-widget-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixWidget.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/\
-      {{ .Values.charts.matrixNeodatefixWidget.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixWidget.registry }}/{{ .Values.charts.matrixNeodatefixWidget.repository }}"
  - name: "matrix-neodatefix-bot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.matrixNeodatefixBot.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/\
-      {{ .Values.charts.matrixNeodatefixBot.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.matrixNeodatefixBot.registry }}/{{ .Values.charts.matrixNeodatefixBot.repository }}"


 releases:
@@ -97,7 +88,8 @@ releases:
    chart: "element-repo/{{ .Values.charts.element.name }}"
    version: "{{ .Values.charts.element.version }}"
    values:
-      - "values-element.yaml.gotmpl"
+      - "values-element.yaml"
+      - "values-element.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -105,7 +97,8 @@ releases:
    chart: "element-well-known-repo/{{ .Values.charts.elementWellKnown.name }}"
    version: "{{ .Values.charts.elementWellKnown.version }}"
    values:
-      - "values-well-known.yaml.gotmpl"
+      - "values-well-known.yaml"
+      - "values-well-known.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -113,7 +106,8 @@ releases:
    chart: "synapse-web-repo/{{ .Values.charts.synapseWeb.name }}"
    version: "{{ .Values.charts.synapseWeb.version }}"
    values:
-      - "values-synapse-web.yaml.gotmpl"
+      - "values-synapse-web.yaml"
+      - "values-synapse-web.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -121,7 +115,8 @@ releases:
    chart: "synapse-repo/{{ .Values.charts.synapse.name }}"
    version: "{{ .Values.charts.synapse.version }}"
    values:
-      - "values-synapse.yaml.gotmpl"
+      - "values-synapse.yaml"
+      - "values-synapse.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -129,7 +124,8 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-user-verification-service-bootstrap.yaml.gotmpl"
+      - "values-matrix-user-verification-service-bootstrap.yaml"
+      - "values-matrix-user-verification-service-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -137,7 +133,8 @@ releases:
    chart: "matrix-user-verification-service-repo/{{ .Values.charts.matrixUserVerificationService.name }}"
    version: "{{ .Values.charts.matrixUserVerificationService.version }}"
    values:
-      - "values-matrix-user-verification-service.yaml.gotmpl"
+      - "values-matrix-user-verification-service.yaml"
+      - "values-matrix-user-verification-service.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -145,7 +142,8 @@ releases:
    chart: "matrix-neoboard-widget-repo/{{ .Values.charts.matrixNeoboardWidget.name }}"
    version: "{{ .Values.charts.matrixNeoboardWidget.version }}"
    values:
-      - "values-matrix-neoboard-widget.yaml.gotmpl"
+      - "values-matrix-neoboard-widget.yaml"
+      - "values-matrix-neoboard-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -153,7 +151,8 @@ releases:
    chart: "matrix-neochoice-widget-repo/{{ .Values.charts.matrixNeochoiseWidget.name }}"
    version: "{{ .Values.charts.matrixNeochoiseWidget.version }}"
    values:
-      - "values-matrix-neochoice-widget.yaml.gotmpl"
+      - "values-matrix-neochoice-widget.yaml"
+      - "values-matrix-neochoice-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -161,7 +160,8 @@ releases:
    chart: "matrix-neodatefix-widget-repo/{{ .Values.charts.matrixNeodatefixWidget.name }}"
    version: "{{ .Values.charts.matrixNeodatefixWidget.version }}"
    values:
-      - "values-matrix-neodatefix-widget.yaml.gotmpl"
+      - "values-matrix-neodatefix-widget.yaml"
+      - "values-matrix-neodatefix-widget.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -169,7 +169,8 @@ releases:
    chart: "synapse-create-account-repo/{{ .Values.charts.synapseCreateAccount.name }}"
    version: "{{ .Values.charts.synapseCreateAccount.version }}"
    values:
-      - "values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl"
+      - "values-matrix-neodatefix-bot-bootstrap.yaml"
+      - "values-matrix-neodatefix-bot-bootstrap.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

@@ -177,7 +178,8 @@ releases:
    chart: "matrix-neodatefix-bot-repo/{{ .Values.charts.matrixNeodatefixBot.name }}"
    version: "{{ .Values.charts.matrixNeodatefixBot.version }}"
    values:
-      - "values-matrix-neodatefix-bot.yaml.gotmpl"
+      - "values-matrix-neodatefix-bot.yaml"
+      - "values-matrix-neodatefix-bot.gotmpl"
    installed: {{ .Values.element.enabled }}
    timeout: 900

--- a/helmfile/apps/element/values-element.yaml.gotmpl
+++ b/helmfile/apps/element/values-element.yaml.gotmpl
@@ -1,8 +1,16 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 configuration:
-  endToEndEncryption: false
  additionalConfiguration:
    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

@@ -97,28 +105,6 @@ configuration:

  welcomeUserId: "@meetings-bot:{{ .Values.global.domain }}"

-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.element }}
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 image:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registry: {{ .Values.global.imageRegistry | default .Values.images.element.registry | quote }}
@@ -133,16 +119,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.element }}

 resources:
  {{ .Values.resources.element | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-element.yaml
+++ b/helmfile/apps/element/values-element.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml.gotmpl
@@ -1,21 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoBoardWidget }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -36,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.matrixNeoBoardWidget }}

 resources:
  {{ .Values.resources.matrixNeoBoardWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neoboard-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neoboard-widget.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml.gotmpl
@@ -1,21 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoChoiceWidget }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -36,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
-
 theme:
  {{ .Values.theme | toYaml | nindent 2 }}

+replicaCount: {{ .Values.replicas.matrixNeoChoiceWidget }}
+
 resources:
  {{ .Values.resources.matrixNeoChoiceWidget | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neochoice-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neochoice-widget.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl
@@ -1,40 +1,22 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}

 configuration:
-  username: "meetings-bot"
-  pod: "opendesk-synapse-0"
-  secretName: "matrix-neodatefix-bot-account"
  password: {{ .Values.secrets.matrixNeoDateFixBot.password | quote }}

-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
  url: {{ .Values.images.synapseCreateUser.repository | quote }}
  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-fullnameOverride: "matrix-neodatefix-bot-bootstrap"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "meetings-bot"
+  pod: "opendesk-synapse-0"
+  secretName: "matrix-neodatefix-bot-account"
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.gotmpl
@@ -0,0 +1,37 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+configuration:
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
+  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
+  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  tls:
+    enabled: {{ .Values.ingress.tls.enabled }}
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+persistence:
+  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
+
+resources:
+  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml
@@ -0,0 +1,50 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+    displayname: "Terminplaner Bot"
+
+  strings:
+    breakoutSessionWidgetName: "Breakoutsessions"
+    calendarRoomName: "Terminplaner"
+    calendarWidgetName: "Terminplaner"
+    cockpitWidgetName: "Meeting Steuerung"
+    jitsiWidgetName: "Videokonferenz"
+    matrixNeoBoardWidgetName: "Whiteboard"
+    matrixNeoChoiceWidgetName: "Abstimmungen"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "matrix-neodatefix-bot-account"
+        key: "access_token"
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+livenessProbe:
+  enabled: false
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+
+# TODO: The health endpoint does not work with the haproxy configuration, yet
+readinessProbe:
+  enabled: false
+...
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -1,81 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-configuration:
-  bot:
-    username: "meetings-bot"
-    displayname: "Terminplaner Bot"
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-  strings:
-    breakoutSessionWidgetName: "Breakoutsessions"
-    calendarRoomName: "Terminplaner"
-    calendarWidgetName: "Terminplaner"
-    cockpitWidgetName: "Meeting Steuerung"
-    jitsiWidgetName: "Videokonferenz"
-    matrixNeoBoardWidgetName: "Whiteboard"
-    matrixNeoChoiceWidgetName: "Abstimmungen"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixBot }}
-
-extraEnvVars:
-  - name: "ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "matrix-neodatefix-bot-account"
-        key: "access_token"
-  - name: "ENABLE_CRYPTO"
-    value: "false"
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixNeoDateFixBot.registry | quote }}
-  repository: {{ .Values.images.matrixNeoDateFixBot.repository | quote }}
-  tag: {{ .Values.images.matrixNeoDateFixBot.tag | quote }}
-
-ingress:
-  enabled: {{ .Values.ingress.enabled }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    enabled: {{ .Values.ingress.tls.enabled }}
-    secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-livenessProbe:
-  enabled: true
-
-persistence:
-  size: {{ .Values.persistence.size.matrixNeoDateFixBot | quote }}
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-readinessProbe:
-  enabled: true
-
-replicaCount: {{ .Values.replicas.matrixNeoDateFixBot }}
-
-resources:
-  {{ .Values.resources.matrixNeoDateFixBot | toYaml | nindent 2 }}
-
-...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -1,25 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  bot:
-    username: "meetings-bot"
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixNeoDateFixWidget }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -40,16 +23,11 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
+theme:
+  {{ .Values.theme | toYaml | nindent 2 }}

 replicaCount: {{ .Values.replicas.matrixNeoDateFixWidget }}

 resources:
  {{ .Values.resources.matrixNeoDateFixWidget | toYaml | nindent 2 }}
-
-theme:
-  {{ .Values.theme | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  bot:
+    username: "meetings-bot"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.gotmpl
@@ -0,0 +1,22 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+
+configuration:
+  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
+  url: {{ .Values.images.synapseCreateUser.repository | quote }}
+  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  username: "uvs"
+  pod: "opendesk-synapse-0"
+  secretName: "opendesk-matrix-user-verification-service-account"
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl
@@ -1,39 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
-
-configuration:
-  username: "uvs"
-  pod: "opendesk-synapse-0"
-  secretName: "opendesk-matrix-user-verification-service-account"
-  password: {{ .Values.secrets.matrixUserVerificationService.password | quote }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapseCreateUser.registry | quote }}
-  url: {{ .Values.images.synapseCreateUser.repository | quote }}
-  tag: {{ .Values.images.synapseCreateUser.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-fullnameOverride: "opendesk-matrix-user-verification-service-bootstrap"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseCreateUser }}
-...
--- a/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.gotmpl
@@ -0,0 +1,23 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
+  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
+  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
+
+replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
+
+resources:
+  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  # TODO: the service can't run with read only filesystem or as non-root
+  # readOnlyRootFilesystem: true
+  # runAsGroup: 101
+  # runAsNonRoot: true
+  # runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+extraEnvVars:
+  - name: "UVS_ACCESS_TOKEN"
+    valueFrom:
+      secretKeyRef:
+        name: "opendesk-matrix-user-verification-service-account"
+        key: "access_token"
+  - name: "UVS_DISABLE_IP_BLACKLIST"
+    value: "true"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-user-verification-service.yaml.gotmpl
@@ -1,50 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsGroup: 0
-  runAsNonRoot: false
-  runAsUser: 0
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.matrixUserVerificationService }}
-
-extraEnvVars:
-  - name: "UVS_ACCESS_TOKEN"
-    valueFrom:
-      secretKeyRef:
-        name: "opendesk-matrix-user-verification-service-account"
-        key: "access_token"
-  - name: "UVS_DISABLE_IP_BLACKLIST"
-    value: "true"
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.matrixUserVerificationService.registry | quote }}
-  repository: {{ .Values.images.matrixUserVerificationService.repository | quote }}
-  tag: {{ .Values.images.matrixUserVerificationService.tag | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
-replicaCount: {{ .Values.replicas.matrixUserVerificationService }}
-
-resources:
-  {{ .Values.resources.matrixUserVerificationService | toYaml | nindent 2 }}
-
-...
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,21 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapseWeb }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -37,13 +24,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
 replicaCount: {{ .Values.replicas.synapseWeb }}

 resources:
  {{ .Values.resources.synapseWeb | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-synapse-web.yaml
+++ b/helmfile/apps/element/values-synapse-web.yaml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -1,27 +1,22 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  additionalConfiguration:
-    user_directory:
-      enabled: true
-      search_all_users: true
-    room_prejoin_state:
-      additional_event_types:
-        - "m.space.parent"
-        - "net.nordeck.meetings.metadata"
-        - "m.room.power_levels"
-    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
-    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
-    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
-    rc_login:
-      account:
-        per_second: 2
-        burst_count: 8
-      address:
-        per_second: 2
-        burst_count: 12
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

+image:
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
+  repository: {{ .Values.images.synapse.repository | quote }}
+  tag: {{ .Values.images.synapse.tag | quote }}
+
+configuration:
  database:
    host: {{ .Values.databases.synapse.host | quote }}
    name: {{ .Values.databases.synapse.name | quote }}
@@ -41,7 +36,6 @@ configuration:
        sender_localpart: intercom-service

    oidc:
-      clientId: "opendesk-matrix"
      clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
      issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"

@@ -59,56 +53,18 @@ configuration:
        {{- end }}

    guestModule:
-      enabled: true
      image:
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        registry: {{ .Values.global.imageRegistry | default .Values.images.synapseGuestModule.registry | quote }}
        repository: {{ .Values.images.synapseGuestModule.repository | quote }}
        tag: {{ .Values.images.synapseGuestModule.tag | quote }}

-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 10991
-  runAsGroup: 10991
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.synapse }}
-
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  registry: {{ .Values.global.imageRegistry | default .Values.images.synapse.registry | quote }}
-  repository: {{ .Values.images.synapse.repository | quote }}
-  tag: {{ .Values.images.synapse.tag | quote }}
-
 persistence:
  size: {{ .Values.persistence.size.synapse | quote }}
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 10991
-
-readinessProbe:
-  initialDelaySeconds: 15
-  periodSeconds: 5
-
 replicaCount: {{ .Values.replicas.synapse }}

 resources:
  {{ .Values.resources.synapse | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-synapse.yaml
+++ b/helmfile/apps/element/values-synapse.yaml
@@ -0,0 +1,52 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  additionalConfiguration:
+    user_directory:
+      enabled: true
+      search_all_users: true
+    room_prejoin_state:
+      additional_event_types:
+        - "m.space.parent"
+        - "net.nordeck.meetings.metadata"
+        - "m.room.power_levels"
+    # When a user logs into Element a parallel request is done through Intercom Service to allow Synapse API
+    # interaction, to avoid (temporary) blocking of the user for followup logins we want to raise the limits.
+    # https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#ratelimiting
+    rc_login:
+      account:
+        per_second: 2
+        burst_count: 8
+      address:
+        per_second: 2
+        burst_count: 12
+
+  homeserver:
+    guestModule:
+      enabled: true
+    oidc:
+      clientId: "opendesk-matrix"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10991
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 10991
+
+readinessProbe:
+  initialDelaySeconds: 15
+  periodSeconds: 5
+
+...
--- a/helmfile/apps/element/values-well-known.yaml.gotmpl
+++ b/helmfile/apps/element/values-well-known.yaml.gotmpl
@@ -1,25 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-configuration:
-  e2ee:
-    forceDisable: true
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  runAsGroup: 101
-  runAsNonRoot: true
-  runAsUser: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.wellKnown }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -41,13 +24,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-
 replicaCount: {{ .Values.replicas.wellKnown }}

 resources:
  {{ .Values.resources.wellKnown | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/element/values-well-known.yaml
+++ b/helmfile/apps/element/values-well-known.yaml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+configuration:
+  e2ee:
+    forceDisable: true
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsGroup: 101
+  runAsNonRoot: true
+  runAsUser: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+...
--- a/helmfile/apps/intercom-service/helmfile.yaml
+++ b/helmfile/apps/intercom-service/helmfile.yaml
@@ -13,15 +13,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.intercomService.registry }}/\
-      {{ .Values.charts.intercomService.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.intercomService.registry }}/{{ .Values.charts.intercomService.repository }}"

 releases:
  - name: "intercom-service"
    chart: "intercom-service-repo/{{ .Values.charts.intercomService.name }}"
    version: "{{ .Values.charts.intercomService.version }}"
    values:
-      - "values.yaml.gotmpl"
+      - "values.yaml"
+      - "values.gotmpl"
    installed: {{ .Values.intercom.enabled }}

 commonLabels:
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -1,21 +1,8 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.intercom }}
-
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
@@ -32,7 +19,6 @@ ics:
  default:
    domain: {{ .Values.global.domain | quote }}
  oidc:
-    id: "opendesk-intercom"
    secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
  matrix:
    asSecret: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -66,14 +52,8 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
 replicaCount: {{ .Values.replicas.intercomService }}

 resources:
  {{ .Values.resources.intercomService | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/intercom-service/values.yaml
+++ b/helmfile/apps/intercom-service/values.yaml
@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+
+ics:
+  oidc:
+    id: "opendesk-intercom"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/jitsi/helmfile.yaml
+++ b/helmfile/apps/jitsi/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.jitsi.registry }}/\
-      {{ .Values.charts.jitsi.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.jitsi.registry }}/{{ .Values.charts.jitsi.repository }}"

 releases:
  - name: "jitsi"
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -14,7 +14,6 @@ containerSecurityContext:
  allowPrivilegeEscalation: false
  enabled: true
  readOnlyRootFilesystem: true
-  privileged: false
  capabilities:
    drop:
      - "ALL"
@@ -23,7 +22,6 @@ containerSecurityContext:
  runAsUser: 1993
  runAsGroup: 1993
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.jitsiKeycloakAdapter }}

 cleanup:
  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
@@ -64,18 +62,6 @@ jitsi:
      TURN_ENABLE: "1"
    resources:
      {{ .Values.resources.jitsi | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities: {}
-      enabled: true
-      privileged: false
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jitsi }}
  prosody:
    image:
      repository: "{{ .Values.global.imageRegistry | default .Values.images.prosody.registry }}/{{ .Values.images.prosody.repository }}"
@@ -112,18 +98,6 @@ jitsi:
    persistence:
      size: {{ .Values.persistence.size.prosody | quote }}
      storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities: {}
-      enabled: true
-      privileged: false
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.prosody }}
  jicofo:
    replicaCount: {{ .Values.replicas.jicofo }}
    image:
@@ -134,18 +108,6 @@ jitsi:
      componentSecret: {{ .Values.secrets.jitsi.jicofoComponentPassword | quote }}
    resources:
      {{ .Values.resources.jicofo | toYaml | nindent 6 }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities: {}
-      enabled: true
-      privileged: false
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jicofo }}
  jvb:
    replicaCount: {{ .Values.replicas.jvb }}
    image:
@@ -157,18 +119,6 @@ jitsi:
      {{ .Values.resources.jvb | toYaml | nindent 6 }}
    service:
      type: {{ .Values.cluster.service.type | quote }}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities: {}
-      enabled: true
-      privileged: false
-      readOnlyRootFilesystem: false
-      runAsGroup: 0
-      runAsNonRoot: false
-      runAsUser: 0
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.jvb }}
  jibri:
    replicaCount: {{ .Values.replicas.jibri }}
    image:
@@ -180,10 +130,6 @@ jitsi:
      password: {{ .Values.secrets.jitsi.jibriXmppPassword | quote }}
    resources:
      {{ .Values.resources.jibri | toYaml | nindent 6 }}
-    securityContext:
-      # Chart does not allow to template more
-      capabilities:
-        add: ["SYS_ADMIN"]
  imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
@@ -195,18 +141,8 @@ patchJVB:
    loadbalancerStatusField: {{ .Values.cluster.networking.loadBalancerStatusField | quote }}
  containerSecurityContext:
    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
    enabled: true
-    privileged: false
    readOnlyRootFilesystem: true
-    runAsUser: 1001
-    runAsGroup: 1001
-    runAsNonRoot: true
-    seccompProfile:
-      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.jitsiPatchJVB }}
  image:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    registry: {{ .Values.global.imageRegistry | default .Values.images.jitsiPatchJVB.registry | quote }}
--- a/helmfile/apps/nextcloud/helmfile.yaml
+++ b/helmfile/apps/nextcloud/helmfile.yaml
@@ -13,16 +13,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloudManagement.registry }}/\
-      {{ .Values.charts.nextcloudManagement.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloudManagement.registry }}/{{ .Values.charts.nextcloudManagement.repository }}"
  - name: "nextcloud-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.nextcloud.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nextcloud.registry }}/\
-      {{ .Values.charts.nextcloud.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.nextcloud.registry }}/{{ .Values.charts.nextcloud.repository }}"

 releases:
  - name: "opendesk-nextcloud-management"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -14,9 +14,6 @@ global:
 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"

-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-
 configuration:
  administrator:
    username: "nextcloud"
@@ -47,7 +44,6 @@ configuration:
  ldap:
    host: {{ .Values.ldap.host | quote }}
    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
-    adminGroupName: "managed-by-attribute-FileshareAdmin"
  objectstore:
    auth:
      accessKey:
@@ -81,17 +77,12 @@ containerSecurityContext:
    drop:
      - "ALL"
  enabled: true
-  privileged: false
  runAsUser: 65532
  runAsGroup: 65532
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudManagement }}
-
-debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
@@ -104,5 +95,4 @@ theme:

 resources:
  {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
-
 ...
--- a/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl
@@ -18,14 +18,12 @@ exporter:
      drop:
        - "ALL"
    enabled: true
-    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudExporter }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudExporter.registry | quote }}
    repository: "{{ .Values.images.nextcloudExporter.repository }}"
@@ -35,12 +33,12 @@ exporter:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
-  replicaCount: {{ .Values.replicas.nextcloudExporter }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+  replicas: {{ .Values.replicas.nextcloudExporter }}
  resources:
    {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}

@@ -71,18 +69,12 @@ php:
      drop:
        - "ALL"
    enabled: true
-    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudPHP }}
-  cron:
-    successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
-  debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
    repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,12 +84,12 @@ php:
    serviceMonitor:
      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
      labels:
-        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 8 }}
+        {{- toYaml .Values.prometheus.serviceMonitors.labels | nindent 6 }}
    prometheusRule:
      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
      additionalLabels:
-        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 8 }}
-  replicaCount: {{ .Values.replicas.nextcloudPHP }}
+        {{- toYaml .Values.prometheus.prometheusRules.labels | nindent 6 }}
+  replicas: {{ .Values.replicas.nextcloudPHP }}
  resources:
    {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}

@@ -111,14 +103,12 @@ apache2:
      drop:
        - "ALL"
    enabled: true
-    privileged: false
    runAsUser: 65532
    runAsGroup: 65532
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.nextcloudApache2 }}
  ingress:
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
@@ -130,7 +120,7 @@ apache2:
    repository: {{ .Values.images.nextcloudApache2.repository | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.nextcloudApache2.tag | quote }}
-  replicaCount: {{ .Values.replicas.nextcloudApache2 }}
+  replicas: {{ .Values.replicas.nextcloudApache2 }}
  resources:
    {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -13,16 +13,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.dovecot.registry }}/\
-      {{ .Values.charts.dovecot.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.dovecot.registry }}/{{ .Values.charts.dovecot.repository }}"

  # Open-Xchange
  - name: "open-xchange-repo"
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuite.registry }}/\
-      {{ .Values.charts.openXchangeAppSuite.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuite.registry }}/{{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
@@ -32,7 +30,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openXchangeAppSuiteBootstrap.registry }}/\
      {{ .Values.charts.openXchangeAppSuiteBootstrap.repository }}"

 releases:
--- a/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl
@@ -66,7 +66,6 @@ containerSecurityContext:
  readOnlyRootFilesystem: true
  seccompProfile:
    type: "RuntimeDefault"
-  seLinuxOptions: {{ .Values.seLinuxOptions.dovecot }}

 podSecurityContext:
  enabled: true
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -32,15 +32,12 @@ nextcloud-integration-ui:
    capabilities:
      drop:
        - "ALL"
-    privileged: false
-    readOnlyRootFilesystem: false
+    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
-    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeNextcloudIntegrationUI }}

 public-sector-ui:
  image:
@@ -59,15 +56,12 @@ public-sector-ui:
    capabilities:
      drop:
        - "ALL"
-    privileged: false
    readOnlyRootFilesystem: true
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
-    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
-    seLinuxOptions: {{ .Values.seLinuxOptions.openxchangePublicSectorUI }}

 appsuite:
  appsuite-toolkit:
@@ -98,8 +92,6 @@ appsuite:
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-    serviceAccount:
-      create: true
    features:
      status:
        # enable admin pack
@@ -127,11 +119,8 @@ appsuite:
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1001
-        runAsGroup: 1001
-        privileged: false
        seccompProfile:
          type: "RuntimeDefault"
-        seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGotenberg }}
    hooks:
      beforeAppsuiteStart:
        create-guard-dir.sh: |
@@ -353,10 +342,8 @@ appsuite:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
-      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUI }}

  core-ui-middleware:
    enabled: true
@@ -395,10 +382,9 @@ appsuite:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
-      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUIMiddleware }}
+
  core-cacheservice:
    enabled: false

@@ -412,23 +398,21 @@ appsuite:
      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
      repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
      tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
-    resources:
-      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
-    securityContext:
+    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
-      readOnlyRootFilesystem: false
+    resources:
+      {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
+    securityContext:
+      # missing:
+      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
-      privileged: false
      capabilities:
        drop:
          - "ALL"
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeDocumentConverter }}

  core-documents-collaboration:
    enabled: false
@@ -467,10 +451,8 @@ appsuite:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
-      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreGuidedtours }}

  core-imageconverter:
    enabled: true
@@ -484,23 +466,21 @@ appsuite:
          endpoint: "."
          accessKey: "."
          secretKey: "."
-    resources:
-      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
-    securityContext:
+    podSecurityContext:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 987
      seccompProfile:
        type: "RuntimeDefault"
-      readOnlyRootFilesystem: false
+    resources:
+      {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
+    securityContext:
+      # missing:
+      # readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
-      privileged: false
      capabilities:
        drop:
          - "ALL"
-      seccompProfile:
-        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeImageConverter }}

  guard-ui:
    enabled: true
@@ -523,10 +503,9 @@ appsuite:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
-      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeGuardUI }}
+
  core-spellcheck:
    enabled: false

@@ -552,8 +531,6 @@ appsuite:
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
-      privileged: false
      seccompProfile:
        type: "RuntimeDefault"
-      seLinuxOptions: {{ .Values.seLinuxOptions.openxchangeCoreUserGuide }}
 ...
--- a/helmfile/apps/openproject-bootstrap/helmfile.yaml
+++ b/helmfile/apps/openproject-bootstrap/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openprojectBootstrap.registry }}/\
-      {{ .Values.charts.openprojectBootstrap.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openprojectBootstrap.registry }}/{{ .Values.charts.openprojectBootstrap.repository }}"

 releases:
  - name: "opendesk-openproject-bootstrap"
--- a/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
+++ b/helmfile/apps/openproject-bootstrap/values.yaml.gotmpl
@@ -38,7 +38,6 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openprojectBootstrap }}

 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectBootstrap.registry | quote }}
--- a/helmfile/apps/openproject/helmfile.yaml
+++ b/helmfile/apps/openproject/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.openproject.registry }}/\
-      {{ .Values.charts.openproject.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.openproject.registry }}/{{ .Values.charts.openproject.repository }}"

 releases:
  - name: "openproject"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -9,7 +9,6 @@ global:

 containerSecurityContext:
  enabled: true
-  privileged: false
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
@@ -20,12 +19,11 @@ containerSecurityContext:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: true
  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.openproject }}

 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ .Values.debug.logLevel | lower | quote }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -73,7 +71,7 @@ environment:
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
  repository: {{ .Values.images.openproject.repository | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.openproject.tag | quote }}

 initdb:
@@ -81,7 +79,7 @@ initdb:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openprojectInitDb.registry | quote }}
    repository: {{ .Values.images.openprojectInitDb.repository | quote }}
    tag: {{ .Values.images.openprojectInitDb.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

 memcached:
  bundled: false
@@ -144,9 +142,7 @@ ingress:
    enabled: {{ .Values.ingress.tls.enabled }}
    secretName: {{ .Values.ingress.tls.secretName | quote }}

-backgroundReplicaCount: {{ .Values.replicas.openprojectWorker }}
-
-replicaCount: {{ .Values.replicas.openprojectWeb }}
+replicaCount: {{ .Values.replicas.openproject }}

 resources:
  {{ .Values.resources.openproject | toYaml | nindent 2 }}
--- a/helmfile/apps/provisioning/helmfile.yaml
+++ b/helmfile/apps/provisioning/helmfile.yaml
@@ -10,15 +10,15 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.oxConnector.registry }}/\
-      {{ .Values.charts.oxConnector.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.oxConnector.registry }}/{{ .Values.charts.oxConnector.repository }}"

 releases:
  - name: "ox-connector"
    chart: "ox-connector-repo/{{ .Values.charts.oxConnector.name }}"
    version: "{{ .Values.charts.oxConnector.version }}"
    values:
-      - "values-oxconnector.yaml.gotmpl"
+      - "values-oxconnector.yaml"
+      - "values-oxconnector.gotmpl"
    installed: {{ .Values.oxConnector.enabled }}

 commonLabels:
--- a/helmfile/apps/provisioning/values-oxconnector.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.gotmpl
@@ -0,0 +1,34 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
+  repository: {{ .Values.images.oxConnector.repository | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  tag: {{ .Values.images.oxConnector.tag | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+  - name: {{ . | quote }}
+{{- end }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+
+oxConnector:
+  domainName: {{ .Values.global.domain | quote }}
+  ldapHost: {{ .Values.ldap.host | quote }}
+  notifierServer: {{ .Values.ldap.notifierHost | quote }}
+  logLevel: {{ .Values.debug.logLevel | quote }}
+  #oxMasterAdmin: "(( .Values.appsuite.core-mw.masterAdmin ))"
+  oxMasterAdmin: "admin"
+  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
+  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
+  oxDefaultContext: "1"
+  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+
+resources:
+  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml
@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+ingress:
+  enabled: false
+
+oxConnector:
+  ldapBaseDn: "dc=swp-ldap,dc=internal"
+  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
+  tlsMode: "off"
+  caCert: "ucctempldapstring"
+  debugLevel: "5"
+  oxDefaultContext: "1"
+  oxLocalTimezone: "Europe/Berlin"
+  oxLanguage: "de_DE"
+  oxSmtpServer: "smtp://127.0.0.1:587"
+  oxImapServer: "imap://127.0.0.1:143"
+
+## Container deployment probes
+probes:
+  liveness:
+    enabled: true
+    initialDelaySeconds: 120
+    timeoutSeconds: 3
+    periodSeconds: 30
+    failureThreshold: 3
+    successThreshold: 1
+
+  readiness:
+    enabled: true
+    initialDelaySeconds: 30
+    timeoutSeconds: 3
+    periodSeconds: 15
+    failureThreshold: 30
+    successThreshold: 1
+
+
+serviceAccount:
+  create: true
+
+...
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -1,93 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.oxConnector.registry | quote }}
-  repository: {{ .Values.images.oxConnector.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.oxConnector.tag | quote }}
-
-imagePullSecrets:
-{{- range .Values.global.imagePullSecrets }}
-  - name: {{ . | quote }}
-{{- end }}
-
-ingress:
-  enabled: false
-
-oxConnector:
-  caCert: "ucctempldapstring"
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-  domainName: {{ .Values.global.domain | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: "dc=swp-ldap,dc=internal"
-  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
-  tlsMode: "off"
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  oxDefaultContext: "1"
-  oxImapServer: "imap://127.0.0.1:143"
-  oxLocalTimezone: "Europe/Berlin"
-  oxLanguage: "de_DE"
-  oxMasterAdmin: "admin"
-  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-  oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-
-resources:
-  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-
-## Container deployment probes
-probes:
-  liveness:
-    enabled: true
-    initialDelaySeconds: 120
-    timeoutSeconds: 3
-    periodSeconds: 30
-    failureThreshold: 3
-    successThreshold: 1
-
-  readiness:
-    enabled: true
-    initialDelaySeconds: 30
-    timeoutSeconds: 3
-    periodSeconds: 15
-    failureThreshold: 30
-    successThreshold: 1
-
-replicaCount: {{ .Values.replicas.oxConnector }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.oxConnector }}
-
-serviceAccount:
-  create: true
-
-...
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -13,8 +13,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
-      {{ .Values.charts.otterize.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.otterize.registry }}/{{ .Values.charts.otterize.repository }}"

  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
@@ -24,8 +23,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.certificates.registry }}/\
-      {{ .Values.charts.certificates.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.certificates.registry }}/{{ .Values.charts.certificates.repository }}"

  # openDesk PostgreSQL
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postgresql
@@ -35,8 +33,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postgresql.registry }}/\
-      {{ .Values.charts.postgresql.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.postgresql.registry }}/{{ .Values.charts.postgresql.repository }}"

  # openDesk MariaDB
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-mariadb
@@ -46,8 +43,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
-      {{ .Values.charts.mariadb.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.mariadb.registry }}/{{ .Values.charts.mariadb.repository }}"

  # openDesk Postfix
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
@@ -57,8 +53,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
-      {{ .Values.charts.postfix.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.postfix.registry }}/{{ .Values.charts.postfix.repository }}"

  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
@@ -68,8 +63,7 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
-      {{ .Values.charts.istioResources.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.istioResources.registry }}/{{ .Values.charts.istioResources.repository }}"

  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
@@ -79,16 +73,14 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamav.registry }}/\
-      {{ .Values.charts.clamav.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamav.registry }}/{{ .Values.charts.clamav.repository }}"
  - name: "clamav-simple-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.clamavSimple.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.clamavSimple.registry }}/\
-      {{ .Values.charts.clamavSimple.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.clamavSimple.registry }}/{{ .Values.charts.clamavSimple.repository }}"

  # VMWare Bitnami
  # Source: https://github.com/bitnami/charts/
@@ -98,31 +90,28 @@ repositories:
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.memcached.registry }}/\
-      {{ .Values.charts.memcached.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.memcached.registry }}/{{ .Values.charts.memcached.repository }}"
  - name: "redis-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.redis.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.redis.registry }}/\
-      {{ .Values.charts.redis.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.redis.registry }}/{{ .Values.charts.redis.repository }}"
  - name: "minio-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.minio.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/\
-      {{ .Values.charts.minio.repository }}"
+    url: "{{ .Values.global.imageRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"

 releases:
  - name: "opendesk-otterize"
    chart: "otterize-repo/{{ .Values.charts.otterize.name }}"
    version: "{{ .Values.charts.otterize.version }}"
    values:
-      - "values-otterize.yaml.gotmpl"
+      - "values-otterize.gotmpl"
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900

@@ -130,7 +119,7 @@ releases:
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
    version: "{{ .Values.charts.certificates.version }}"
    values:
-      - "values-certificates.yaml.gotmpl"
+      - "values-certificates.gotmpl"
    installed: {{ .Values.certificates.enabled }}
    timeout: 900

@@ -138,7 +127,8 @@ releases:
    chart: "redis-repo/{{ .Values.charts.redis.name }}"
    version: "{{ .Values.charts.redis.version }}"
    values:
-      - "values-redis.yaml.gotmpl"
+      - "values-redis.gotmpl"
+      - "values-redis.yaml"
    installed: {{ .Values.redis.enabled }}
    timeout: 900

@@ -146,7 +136,8 @@ releases:
    chart: "memcached-repo/{{ .Values.charts.memcached.name }}"
    version: "{{ .Values.charts.memcached.version }}"
    values:
-      - "values-memcached.yaml.gotmpl"
+      - "values-memcached.yaml"
+      - "values-memcached.gotmpl"
    installed: {{ .Values.memcached.enabled }}
    timeout: 900

@@ -154,7 +145,8 @@ releases:
    chart: "postgresql-repo/{{ .Values.charts.postgresql.name }}"
    version: "{{ .Values.charts.postgresql.version }}"
    values:
-      - "values-postgresql.yaml.gotmpl"
+      - "values-postgresql.yaml"
+      - "values-postgresql.gotmpl"
    installed: {{ .Values.postgresql.enabled }}
    timeout: 900

@@ -162,7 +154,8 @@ releases:
    chart: "mariadb-repo/{{ .Values.charts.mariadb.name }}"
    version: "{{ .Values.charts.mariadb.version }}"
    values:
-      - "values-mariadb.yaml.gotmpl"
+      - "values-mariadb.yaml"
+      - "values-mariadb.gotmpl"
    installed: {{ .Values.mariadb.enabled }}
    timeout: 900

@@ -170,7 +163,8 @@ releases:
    chart: "postfix-repo/{{ .Values.charts.postfix.name }}"
    version: "{{ .Values.charts.postfix.version }}"
    values:
-      - "values-postfix.yaml.gotmpl"
+      - "values-postfix.yaml"
+      - "values-postfix.gotmpl"
    installed: {{ .Values.postfix.enabled }}
    timeout: 900

@@ -178,7 +172,8 @@ releases:
    chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
    version: "{{ .Values.charts.clamav.version }}"
    values:
-      - "values-clamav-distributed.yaml.gotmpl"
+      - "values-clamav-distributed.yaml"
+      - "values-clamav-distributed.gotmpl"
    installed: {{ .Values.clamavDistributed.enabled }}
    timeout: 900

@@ -186,7 +181,8 @@ releases:
    chart: "clamav-simple-repo/{{ .Values.charts.clamavSimple.name }}"
    version: "{{ .Values.charts.clamavSimple.version }}"
    values:
-      - "values-clamav-simple.yaml.gotmpl"
+      - "values-clamav-simple.yaml"
+      - "values-clamav-simple.gotmpl"
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900

@@ -194,7 +190,8 @@ releases:
    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
    version: "{{ .Values.charts.istioResources.version }}"
    values:
-      - "values-istio-gateway.yaml.gotmpl"
+      - "values-istio-gateway.yaml"
+      - "values-istio-gateway.gotmpl"
    installed: {{ .Values.istio.enabled }}
    timeout: 900

@@ -202,7 +199,8 @@ releases:
    chart: "minio-repo/{{ .Values.charts.minio.name }}"
    version: "{{ .Values.charts.minio.version }}"
    values:
-      - "values-minio.yaml.gotmpl"
+      - "values-minio.yaml"
+      - "values-minio.gotmpl"
    installed: {{ .Values.minio.enabled }}
    timeout: 900

--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
--- a/helmfile/apps/services/values-clamav-distributed.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.gotmpl
@@ -0,0 +1,56 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+clamd:
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.clamd }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
+    repository: {{ .Values.images.clamd.repository | quote }}
+    tag: {{ .Values.images.clamd.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.clamd | toYaml | nindent 4 }}
+
+freshclam:
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.freshclam }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
+    repository: {{ .Values.images.freshclam.repository | quote }}
+    tag: {{ .Values.images.freshclam.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+icap:
+  replicaCount: {{ .Values.replicas.icap }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
+    repository: {{ .Values.images.icap.repository | quote }}
+    tag: {{ .Values.images.icap.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.icap | toYaml | nindent 4 }}
+
+milter:
+  podSecurityContext:
+  replicaCount: {{ .Values.replicas.milter }}
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
+    repository: {{ .Values.images.milter.repository | quote }}
+    tag: {{ .Values.images.milter.tag | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+  resources:
+    {{ .Values.resources.milter | toYaml | nindent 4 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
+  size: {{ .Values.persistence.size.clamav | quote }}
+...
--- a/helmfile/apps/services/values-clamav-distributed.yaml
+++ b/helmfile/apps/services/values-clamav-distributed.yaml
@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  enabled: true
+  readOnlyRootFilesystem: true
+
+clamd:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+freshclam:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+icap:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+
+milter:
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - "ALL"
+    enabled: true
+    runAsUser: 100
+    runAsGroup: 101
+    seccompProfile:
+      type: "RuntimeDefault"
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+  podSecurityContext:
+    enabled: true
+    fsGroup: 101
+    fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-distributed.yaml.gotmpl
@@ -1,137 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-clamd:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    privileged: false
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.clamd }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.clamd.registry | quote }}
-    repository: {{ .Values.images.clamd.repository | quote }}
-    tag: {{ .Values.images.clamd.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.clamd }}
-  resources:
-    {{ .Values.resources.clamd | toYaml | nindent 4 }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  enabled: true
-  readOnlyRootFilesystem: true
-  runAsUser: 0
-  runAsGroup: 0
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsNonRoot: false
-  capabilities:
-    drop: []
-  privileged: false
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamav }}
-
-freshclam:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    privileged: false
-    runAsUser: 100
-    runAsGroup: 101
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.freshclam }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.freshclam.registry | quote }}
-    repository: {{ .Values.images.freshclam.repository | quote }}
-    tag: {{ .Values.images.freshclam.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.freshclam }}
-  resources:
-    {{ .Values.resources.freshclam | toYaml | nindent 4 }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-icap:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.icap }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.icap.registry | quote }}
-    repository: {{ .Values.images.icap.repository | quote }}
-    tag: {{ .Values.images.icap.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.icap }}
-  resources:
-    {{ .Values.resources.icap | toYaml | nindent 4 }}
-
-milter:
-  containerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    enabled: true
-    runAsUser: 100
-    runAsGroup: 101
-    privileged: false
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    runAsNonRoot: true
-    seLinuxOptions: {{ .Values.seLinuxOptions.milter }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.milter.registry | quote }}
-    repository: {{ .Values.images.milter.repository | quote }}
-    tag: {{ .Values.images.milter.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  podSecurityContext:
-    enabled: true
-    fsGroup: 101
-    fsGroupChangePolicy: "Always"
-  replicaCount: {{ .Values.replicas.milter }}
-  resources:
-    {{ .Values.resources.milter | toYaml | nindent 4 }}
-
-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWX | quote }}
-  size: {{ .Values.persistence.size.clamav | quote }}
-...
--- a/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
+++ b/helmfile/apps/services/values-clamav-simple.yaml.gotmpl
@@ -1,24 +1,9 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 100
-  runAsGroup: 101
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.clamavSimple }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+replicaCount: {{ .Values.replicas.clamav }}

 image:
  clamav:
@@ -32,18 +17,14 @@ image:
    tag: {{ .Values.images.icap.tag | quote }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

-persistence:
-  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.clamav | quote }}
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 101
-  fsGroupChangePolicy: "Always"
-
-replicaCount: {{ .Values.replicas.clamav }}
-
 resources:
  {{ .Values.resources.clamd | toYaml | nindent 4 }}

+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+persistence:
+  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+  size: {{ .Values.persistence.size.clamav | quote }}
 ...
--- a/helmfile/apps/services/values-clamav-simple.yaml
+++ b/helmfile/apps/services/values-clamav-simple.yaml
@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 101
+  fsGroupChangePolicy: "Always"
+...
--- a/helmfile/apps/services/values-istio-gateway.gotmpl
+++ b/helmfile/apps/services/values-istio-gateway.gotmpl
@@ -0,0 +1,13 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.istio.domain | quote }}
+  hosts:
+    openxchange: {{ .Values.global.hosts.openxchange | quote }}
+
+tls:
+  secretName: "{{ .Values.istio.domain }}-tls"
+...
--- a/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
+++ b/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
@@ -1,12 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-global:
-  domain: {{ .Values.istio.domain | quote }}
-  hosts:
-    openxchange: {{ .Values.global.hosts.openxchange | quote }}
-
 tls:
  httpsRedirect: false
-  secretName: "{{ .Values.istio.domain }}-tls"
 ...
--- a/helmfile/apps/services/values-mariadb.yaml.gotmpl
+++ b/helmfile/apps/services/values-mariadb.yaml.gotmpl
@@ -1,36 +1,24 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
 ---
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.mariadb }}
-
 global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}

+cleanup:
+  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.mariadb.registry | quote }}
  repository: {{ .Values.images.mariadb.repository | quote }}
  tag: {{ .Values.images.mariadb.tag | quote }}
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

+# Open-Xchange and XWiki require the permission to create database schemas, so they use the `root` account anyway.
+# Please refer to `databases.yaml` for details.
 job:
-  enabled: true
  retries: 10
  wait: 30
  users:
@@ -55,14 +43,6 @@ persistence:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.mariadb | quote }}

-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-  fsGroupChangePolicy: "OnRootMismatch"
-
-replicaCount: {{ .Values.replicas.mariadb }}
-
 resources:
  {{ .Values.resources.mariadb | toYaml | nindent 2 }}
-
 ...
--- a/helmfile/apps/services/values-mariadb.yaml
+++ b/helmfile/apps/services/values-mariadb.yaml
@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1001
+  runAsGroup: 1001
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1001
+  fsGroupChangePolicy: "OnRootMismatch"
+
+replicaCount: 1
+...
--- a/helmfile/apps/services/values-memcached.gotmpl
+++ b/helmfile/apps/services/values-memcached.gotmpl
@@ -0,0 +1,20 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.memcached.registry | quote }}
+  repository: {{ .Values.images.memcached.repository | quote }}
+  tag: {{ .Values.images.memcached.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+replicaCount: {{ .Values.replicas.memcached }}
+
+resources:
+  {{ .Values.resources.memcached | toYaml | nindent 2 }}
+...
--- a/helmfile/apps/services/values-memcached.yaml
+++ b/helmfile/apps/services/values-memcached.yaml
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1001
+  runAsNonRoot: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+
+serviceAccount:
+  create: true
+...
--- a/helmfile/apps/services/values-memcached.yaml.gotmpl
+++ b/helmfile/apps/services/values-memcached.yaml.gotmpl
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
---
-architecture: {{ if gt .Values.replicas.memcached 1 }}"high-availability"{{ else }}"standalone"{{ end }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  privileged: false
-  runAsUser: 1001
-  runAsGroup: 1001
-  runAsNonRoot: true
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  seLinuxOptions: {{ .Values.seLinuxOptions.memcached }}
-
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.memcached.registry | quote }}
-  repository: {{ .Values.images.memcached.repository | quote }}
-  tag: {{ .Values.images.memcached.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-replicaCount: {{ .Values.replicas.memcached }}
-
-resources:
-  {{ .Values.resources.memcached | toYaml | nindent 2 }}
-
-serviceAccount:
-  create: true
-...
--- a/helmfile/apps/services/values-minio.gotmpl
+++ b/helmfile/apps/services/values-minio.gotmpl
@@ -0,0 +1,79 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.minio.registry | quote }}
+  repository: "{{ .Values.images.minio.repository }}"
+  tag: "{{ .Values.images.minio.tag }}"
+  pullPolicy: "{{ .Values.global.imagePullPolicy }}"
+
+auth:
+  rootPassword: {{ .Values.secrets.minio.rootPassword | quote }}
+
+statefulset:
+  replicaCount: {{ .Values.replicas.minioDistributed }}
+
+resources:
+  {{ .Values.resources.minio | toYaml | nindent 2 }}
+
+ingress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioConsole }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+apiIngress:
+  enabled: {{ .Values.ingress.enabled }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  hostname: "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+  extraTls:
+    - hosts:
+      - "{{ .Values.global.hosts.minioApi }}.{{ .Values.global.domain }}"
+      secretName: "{{ .Values.ingress.tls.secretName }}"
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+  prometheusRule:
+    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+
+persistence:
+  storageClass: "{{ .Values.persistence.storageClassNames.RWO }}"
+  size: "{{ .Values.persistence.size.minio }}"
+
+provisioning:
+  users:
+    - username: "openproject_user"
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: "openxchange_user"
+      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
+      disabled: false
+      policies:
+        - "openxchange-bucket-policy"
+      setPolicies: true
+    - username: "ums_user"
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
+    - username: "nextcloud_user"
+      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
+      disabled: false
+      policies:
+        - "nextcloud-bucket-policy"
+      setPolicies: true
+...
--- a/Show More
+++ b/Show More