fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0

Signed-off-by: Milton Moura <miltonmoura@gmail.com>
fix(element): Update to EW release image and related release charts
2025-12-07 16:01:37 +01:00 · 2024-03-14 12:58:27 -01:00 · 2024-02-28 12:28:22 -01:00 · 2024-02-28 10:58:10 -01:00 · 2024-02-28 09:26:27 -01:00 · 2024-02-27 16:38:10 -01:00
24 changed files with 215 additions and 243 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,19 +1,3 @@
 ## [0.5.79](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.78...v0.5.79) (2024-02-29)
 ### Bug Fixes
 * **collabora:** Bump image to 23.05.9.2.1 ([f4b8226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f4b8226ea13971a38d61145ea9ac3821bc35f6b3))
 * **collabora:** Fix aliasgroups configuration whitelisting the Nextcloud host ([8b065fd](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8b065fd9d789cdd597a584937fefaae40f42bba2))
 * **docs:** Update version numbers of functional components for release in README.md ([31e5cf3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/31e5cf317ca7cd84a94cf42d57d0964152904471))
 * **element:** Provide end-to-end encryption as user controlled option ([3d31127](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3d31127a6ab0fa1d3af02695b521db5918932279))
 * **helmfile:** Enhance objectore environment variables to allow external Object Store ([d444226](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d4442261aa141e21222dc13407023b96570d055f))
 * **helmfile:** Set debuglevel to WARN instead of INFO when debug is not enabled. ([2efceef](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2efceef076beb06a3719859d7f4e2f0d03b99f44))
 * **nextcloud:** Bump images to enable password_policy and fix email with groupware ([8807b24](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8807b24ce09e59aaea39c349e9e12ee2a44a117a))
 * **univention-management-stack:** Bump Keycloak Extensions chart and configure the `/univention/meta.json` to be retrieved from `ums-stack-gateway` to avoid the inline 404 during Keycloak login. ([2023d5b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2023d5bce4642f794831670713b1a2520a0419d6))
 * **univention-management-stack:** Provisioning version bump ([410a023](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/410a0237149a5e41434c09795959bc53e57fb4ca))
 * **univention-management-stack:** Template more Keycloak Extension values incl. logLevel ([7ec123b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7ec123b9a174c8dade1fe9f6679796979749efab))
 ## [0.5.78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.77...v0.5.78) (2024-02-23)
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ openDesk currently features the following functional main components:
 | Function             | Functional Component        | Component<br/>Version | Upstream Documentation |
 | -------------------- | --------------------------- | --------------------- | ----------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59) | [For the most recent release](https://element.io/user-guide) |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.52](https://github.com/element-hq/element-desktop/blob/develop/CHANGELOG.md#changes-in-11152-2023-12-19) | [For the most recent release](https://element.io/user-guide) |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0) | [For the most recent release](https://docs.cryptpad.org/en/) |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2) | [Nextcloud 28](https://docs.nextcloud.com/) |
 | Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/) | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
@@ -36,7 +36,7 @@ openDesk currently features the following functional main components:
 | Portal & IAM         | Nubus                       | Product Preview[^1]   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html) |
 | Project management   | OpenProject                 | [13.3.0](https://www.openproject.org/docs/release-notes/13-3-0/) | [For the most recent release](https://www.openproject.org/docs/user-guide/) |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/) |
-| Weboffice            | Collabora                   | [23.05.9.2.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
+| Weboffice            | Collabora                   | [23.05.9.1.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/) | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/) |
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practises regarding container design and operations.
--- a/docs/components.md
+++ b/docs/components.md
@@ -113,13 +113,8 @@ The Filestore can be enabled on a per-project level in OpenProject's project adm
 # Identity data flows
 An overview of
- components that consume the LDAP service.
+- components that consume the LDAP service. Mostly by using a dedicated LDAP search account.
-  - The components accessing the LDAP using a component specific LDAP search account.
+- components using Univention Keycloak as identity provider (IdP). If not otherwise denoted based on the OAuth2 / OIDC flows.
 - components using Univention Keycloak as identity provider (IdP).
  - If not otherwise denoted the components make use of OAuth2 / OIDC flows.
  - All components have a client configured in Keycloak, except for Jitsi which is using authentication with the
    [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) that does not
    require an OIDC client to be configured in Keycloak.
 Some components trust others to handle authentication for them.
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -11,7 +11,7 @@ collabora:
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"
 fullnameOverride: "collabora"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -51,16 +51,9 @@ configuration:
  objectstore:
    auth:
      accessKey:
-        value: {{ .Values.objectstores.nextcloud.username | quote }}
+        value: "nextcloud_user"
      secretKey:
-        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
+        value: {{ .Values.secrets.minio.nextcloudUser | quote }}
    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    region: {{ .Values.objectstores.nextcloud.region | quote }}
    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
    port: {{ .Values.objectstores.nextcloud.port | quote }}
    pathStyle: {{ .Values.objectstores.nextcloud.pathStyle | quote }}
    useSSL: {{ .Values.objectstores.nextcloud.useSSL | quote }}
  oidc:
    username:
      value: "opendesk-nextcloud"
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -25,7 +25,7 @@ containerSecurityContext:
 environment:
 # For more details and more options see
 # https://www.openproject.org/docs/installation-and-operations/configuration/environment/
-  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
+  OPENPROJECT_LOG__LEVEL: {{ if .Values.debug.enabled }}"debug"{{ else }}"info"{{ end }}
  OPENPROJECT_LOGIN__REQUIRED: "true"
  OPENPROJECT_OAUTH__ALLOW__REMAPPING__OF__EXISTING__USERS: "true"
  OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
@@ -155,13 +155,13 @@ s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
+  pathStyle: "true"
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
  use_iam_profile: {{ .Values.objectstores.openproject.useIAMProfile | default "false" | quote }}
  auth:
    accessKeyId: {{ .Values.objectstores.openproject.username | quote }}
-    secretAccessKey: {{ .Values.objectstores.openproject.secretKey | default .Values.secrets.minio.openprojectUser | quote }}
+    secretAccessKey: {{ .Values.objectstores.openproject.secret | default .Values.secrets.minio.openprojectUser | quote }}
 seederJob:
  annotations:
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -20,7 +20,7 @@ oxConnector:
  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
  domainName: {{ .Values.global.domain | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  ldapBaseDn: "dc=swp-ldap,dc=internal"
  ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
--- a/helmfile/apps/services/values-minio.yaml.gotmpl
+++ b/helmfile/apps/services/values-minio.yaml.gotmpl
@@ -88,13 +88,16 @@ provisioning:
  extraCommands:
    - "mc anonymous set download provisioning/ums/portal-assets"
  buckets:
-    - name: {{ .Values.objectstores.openproject.bucket | quote }}
+    - name: "openproject"
      versioning: true
      withLock: false
    - name: "openxchange"
      versioning: true
      withLock: false
    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
      versioning: false
      withLock: false
-    - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
+    - name: "nextcloud"
      versioning: true
      withLock: false
  policies:
@@ -110,6 +113,18 @@ provisioning:
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "openxchange-bucket-policy"
      statements:
        - resources:
            - "arn:aws:s3:::openxchange"
          effect: "Allow"
          actions:
            - "s3:*"
        - resources:
            - "arn:aws:s3:::openxchange/*"
          effect: "Allow"
          actions:
            - "s3:*"
    - name: "ums-bucket-policy"
      statements:
        - resources:
@@ -135,19 +150,25 @@ provisioning:
          actions:
            - "s3:*"
  users:
-    - username: {{ .Values.objectstores.openproject.username | quote }}
+    - username: "openproject_user"
      password: {{ .Values.secrets.minio.openprojectUser | quote }}
      disabled: false
      policies:
        - "openproject-bucket-policy"
      setPolicies: true
    - username: "openxchange_user"
      password: {{ .Values.secrets.minio.openxchangeUser | quote }}
      disabled: false
      policies:
        - "openxchange-bucket-policy"
      setPolicies: true
    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
      password: {{ .Values.secrets.minio.umsUser | quote }}
      disabled: false
      policies:
        - "ums-bucket-policy"
      setPolicies: true
-    - username: {{ .Values.objectstores.nextcloud.username | quote }}
+    - username: "nextcloud_user"
      password: {{ .Values.secrets.minio.nextcloudUser | quote }}
      disabled: false
      policies:
--- a/helmfile/apps/univention-management-stack/helmfile.yaml
+++ b/helmfile/apps/univention-management-stack/helmfile.yaml
@@ -350,15 +350,6 @@ releases:
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-provisioning-udm-listener"
    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
    values:
      - "values-common.yaml.gotmpl"
      - "values-provisioning-udm-listener.yaml.gotmpl"
    installed: {{ .Values.univentionManagementStack.enabled }}
    timeout: 900
  - name: "ums-guardian-management-api"
    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
--- a/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl
@@ -7,7 +7,7 @@ guardianAuthorizationApi:
  guardianAuthzAdapterAppPersistencePort: "udm_data"
  guardianAuthzAdapterPolicyPort: "opa"
  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianAuthzLoggingStructured: false
  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  home: "/guardian_service_dir"
--- a/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl
@@ -16,7 +16,7 @@ guardianManagementApi:
  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
+  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  guardianManagementLoggingStructured: false
  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
  guardianManagementBaseUrl: "http://0.0.0.0:8000"
--- a/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl
@@ -41,10 +41,10 @@ portalListener:
  udmApiUsername: "cn=admin"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
 resources:
  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -16,13 +16,13 @@ portalServer:
  editable: "false"
  umcGetUrl: "http://ums-umc-server/get"
  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  objectStorageEndpoint: "http://minio:9000"
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+  objectStorageBucket: "ums"
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+  objectStorageAccessKeyId: "ums_user"
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  objectStorageSecretAccessKey: {{ .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -1,28 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}
 config:
  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
  ldapHost: {{ .Values.ldap.host | quote }}
  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  notifierServer: {{ .Values.ldap.notifierHost | quote }}
  tlsMode: "off"
  natsHost: "ums-provisioning-nats"
  natsPort: "4222"
 resources:
  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -15,13 +15,22 @@ dispatcher:
      - name: {{ . | quote }}
      {{- end }}
  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  config:
+  securityContext:
-    UDM_HOST: "ums-udm-rest-api"
+    allowPrivilegeEscalation: false
-    UDM_PORT: 9979
+    capabilities:
-    UDM_USERNAME: "cn=admin"
+      drop:
        - "ALL"
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningDispatcher }}
-api:
+events-and-consumer-api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
@@ -31,51 +40,98 @@ api:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
  rootPath: "/univention/provisioning-api"
  ingress:
    # copied from values-common.yaml.gotmpl
    # Intentionally not using the Ingress configuration of the UMS stack at the
    # moment, since it does depend on rewriting capabilities of the ingress
    # controller. Those are encapsulated into the release "stack-gateway" so that
    # the compatibility with all ingress controllers is increased.
    enabled: false
    host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
  resources:
-    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
-  
+  securityContext:
 prefill:
  image: 
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
    pullSecrets:
      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  resources:
    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
 nats:
  bundled: true
  nameOverride: ""
  resources:
    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
 containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
-  enabled: true
+    privileged: false
  runAsUser: 1000
  runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
+    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningEventsAndConsumerApi }}
-podSecurityContext:
+udm-listener:
-  enabled: true
+  image:
-  fsGroup: 1000
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
-  fsGroupChangePolicy: "Always"
+    repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
-  sysctls:
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    - name: "net.ipv4.ip_unprivileged_port_start"
+    tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
-      value: "1"
+    pullSecrets:
-
+      {{- range .Values.global.imagePullSecrets }}
      - name: {{ . | quote }}
      {{- end }}
  config:
    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
    ldapHost: {{ .Values.ldap.host | quote }}
    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  resources:
    {{ .Values.resources.umsProvisioning | toYaml | nindent 4 }}
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
      add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
    privileged: false
    seccompProfile:
      type: "RuntimeDefault"
    runAsUser: 0
    runAsGroup: 0
    runAsNonRoot: false
    readOnlyRootFilesystem: false
    seLinuxOptions: {{ .Values.seLinuxOptions.umsProvisioningUdmListener }}
 nats:
  global:
    image:
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
      pullSecretNames: {{ .Values.global.imagePullSecrets }}
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningNats.registry | quote }}
  container:
    image:
      registry: {{ .Values.global.imageRegistry }}
      repository: {{ .Values.images.umsProvisioningNats.repository | quote }}
      tag: {{ .Values.images.umsProvisioningNats.tag | quote }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  natsBox:
    container:
      image:
        registry: {{ .Values.global.imageRegistry }}
        repository: {{ .Values.images.umsProvisioningNatsBox.repository | quote }}
        tag: {{ .Values.images.umsProvisioningNatsBox.tag | quote }}
        pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  reloader:
    image:
      repository: {{ .Values.images.umsProvisioningNatsReloader.repository | quote }}
      tag: {{ .Values.images.umsProvisioningNatsReloader.tag | quote }}
      registry: {{ .Values.global.imageRegistry }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl
@@ -27,10 +27,6 @@ handler:
  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
  appConfig:
    captchaProtectionEnable: false
    deviceProtectionEnable: true
    ipProtectionEnable: true
    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
    smtpPassword: {{ .Values.smtp.password | quote }}
    smtpHost: {{ .Values.smtp.host | quote }}
    smtpPort: {{ .Values.smtp.port | quote }}
@@ -54,8 +50,6 @@ handler:
 postgresql:
  enabled: false
 proxy:
  appConfig:
    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
@@ -77,14 +71,6 @@ proxy:
        path: "/resources"
      - pathType: "Prefix"
        path: "/fingerprintjs"
      - pathType: "Exact"
        path: "/univention/meta.json"
        backend:
          service:
            name: "ums-stack-gateway"
            port:
              name: "http"
    enabled: {{ .Values.ingress.enabled }}
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
--- a/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl
@@ -25,7 +25,7 @@ config:
    user: {{ .Values.databases.keycloak.username | quote }}
    database: {{ .Values.databases.keycloak.name | quote }}
    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  enableMetrics: true
  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
--- a/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl
@@ -280,6 +280,12 @@ serverBlock: |
      proxy_pass http://ums-portal-frontend:80/;
    }
    ## ums-provisioning
    location /univention/provisioning-api/ {
      rewrite ^/univention/provisioning-api(/.*)$ $1 break;
      proxy_pass http://ums-provisioning-events-and-consumer-api:80;
    }
    ## guardian
    location /univention/guardian/management-ui {
      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -343,7 +343,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "1.7.5"
+    version: "1.7.3"
    verify: true
    # @supplier: "openDesk"
@@ -483,7 +483,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ums-keycloak"
-    version: "1.0.5"
+    version: "1.0.3"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -511,7 +511,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "keycloak-extensions"
-    version: "0.2.1"
+    version: "0.1.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
@@ -623,21 +623,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "provisioning"
-    version: "0.14.0"
+    version: "0.9.5"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '9', '5']
  umsProvisioningUdmListener:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
    # upstreamRepository=souvap/tooling/charts/univention/udm-listener
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "udm-listener"
    version: "0.14.0"
    verify: true
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
--- a/helmfile/environments/default/debug.yaml
+++ b/helmfile/environments/default/debug.yaml
@@ -14,6 +14,6 @@ debug:
  # should activate debug output in all components and even allow e.g. successfully executed jobs
  # to stay available. This is going to be implemented on a case by case basis when we actually
  # need debugging in a component.
-  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}`
+  # Use: `{{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}`
  enabled: false
 ...
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.5.79"
+    releaseVersion: "v0.5.78"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -19,7 +19,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "23.05.9.2.1@sha256:4cdf38a73cfa8771d8184137525511a887cd5eab9e75ed894cee9cf1006d95eb"
+    tag: "23.05.9.1.1@sha256:9eeaf2795987d67cf6259f2942ea3318649fdf50beb939c895bef26a4c4dd146"
    # @supplier: "Collabora"
  cryptpad:
@@ -50,7 +50,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
+    tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
    # @supplier: "Element"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '8', '0']
@@ -174,7 +174,7 @@ images:
    # dependencyType=supplier
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
+    tag: "1.14.0@sha256:c15bbe47e7d04f25fedf9cafce8825254db2b968e3c97cf9a507891efc0992e3"
    # @supplier: "Nordeck"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['1', '4', '0']
@@ -264,7 +264,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.15@sha256:f8a2a08c44ad9f4941e34a5efb1010918e52df8ce0866848a00810ad34279a2e"
+    tag: "1.1.13@sha256:874567579cbe8604e22caa06e8d5de42c74e41deda2d47bd6b50ab3898dd3dd7"
    # @supplier: "openDesk"
  nextcloudExporter:
@@ -284,7 +284,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.5@sha256:790647d3424ab41cab1b0a7114a7737615b1772269699f9c3bcb078cba70d685"
+    tag: "1.3.1@sha256:a4b781a6926ca4e7a4c9c58af7a46e93b74364f1fc5c2fd65de2bce17f8efc30"
    # @supplier: "openDesk"
  nextcloudPHP:
@@ -294,7 +294,7 @@ images:
    # dependencyType=platform
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.4@sha256:d51ca3e22a493d6dd625cf9bfa40f96481ba36894a9d3eed1e082eadaef72c5c"
+    tag: "1.8.1@sha256:4ad4a6ce6c8e01e1972fa19aae65b79d43aaf3f51083aa3c4302598fce2046c8"
    # @supplier: "openDesk"
  opendeskKeycloakBootstrap:
@@ -762,50 +762,68 @@ images:
  umsProvisioningDispatcher:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-dispatcher
+    # upstreamRepository=souvap/tooling/images/univention/dispatcher
    # dependencyType=supplier
-    registry: "registry.opencode.de"
+    registry: "registry.souvap-univention.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
+    repository: "souvap/tooling/images/univention/dispatcher"
-    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
+    tag: "0.11.1@sha256:e3f9f185c21ff893a654e0f08ebd6c59ce4d7513150cac530792ad656348ecfa"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '14', '0']
+    # @mirrorFrom: ['0', '11', '1']
  umsProvisioningEventsAndConsumerApi:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-events-and-consumer-api
+    # upstreamRepository=souvap/tooling/images/univention/events-and-consumer-api
    # dependencyType=supplier
-    registry: "registry.opencode.de"
+    registry: "registry.souvap-univention.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
+    repository: "souvap/tooling/images/univention/events-and-consumer-api"
-    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
+    tag: "0.11.1@sha256:c56c862e9687a9bcc0d3f808bf12b67fbc457cc1bb10d82505706572078282d6"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '14', '0']
+    # @mirrorFrom: ['0', '11', '1']
-  umsProvisioningPrefill:
+  umsProvisioningNats:
    # renovate:
-    # upstreamRegistry=registry.souvap-univention.de
+    # upstreamRegistry=registry-1.docker.io
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-prefill
+    # upstreamRepository=library/nats
-    # dependencyType=supplier
+    # dependencyType=external
-    registry: "registry.opencode.de"
+    registry: "registry-1.docker.io"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
+    repository: "library/nats"
-    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
+    tag: "2.10.5-alpine@sha256:85319e5e541b6f273dbffc722e001601f391028e004c90a4fadab53475789e79"
    # @supplier: "Univention"
  umsProvisioningNatsBox:
    # renovate:
    # upstreamRegistry=registry-1.docker.io
    # upstreamRepository=natsio/nats-box
    # dependencyType=external
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
    tag: "0.14.1@sha256:a67913df95f1d5b265117e49e4c83228091d13d6783d80215ddcf84aba695ef4"
    # @supplier: "Univention"
  umsProvisioningNatsReloader:
    # renovate:
    # upstreamRegistry=registry-1.docker.io
    # upstreamRepository=natsio/nats-server-config-reloader
    # dependencyType=external
    registry: "registry-1.docker.io"
    repository: "natsio/nats-server-config-reloader"
    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
    # @mirrorFrom: ['0', '14', '0']
  umsProvisioningUdmListener:
    # renovate:
    # upstreamRegistry=registry.souvap-univention.de
-    # upstreamRepository=souvap/tooling/images/univention/provisioning-udm-listener
+    # upstreamRepository=souvap/tooling/images/univention/udm-listener
    # dependencyType=supplier
-    registry: "registry.opencode.de"
+    registry: "registry.souvap-univention.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
+    repository: "souvap/tooling/images/univention/udm-listener"
-    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
+    tag: "0.11.1@sha256:27e01c9941d19a60ced4aeac84a64a4ef566d764302ac892256b9b5dc3d7548f"
    # @supplier: "Univention"
    # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
-    # @mirrorFrom: ['0', '14', '0']
+    # @mirrorFrom: ['0', '11', '1']
  umsSelfserviceInvitation:
    # renovate:
--- a/helmfile/environments/default/objectstore.gotmpl
+++ b/helmfile/environments/default/objectstore.gotmpl
@@ -4,28 +4,20 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 objectstores:
  nextcloud:
    bucket: "nextcloud"
    endpoint: ""
    region: "eu-west-1"
    secretKey: ""
    username: "nextcloud_user"
    storageClass: "STANDARD"
    useSSL: true
    pathStyle: true
    port: 443
  openproject:
    backend: "minio"
    bucket: "openproject"
    endpoint: ""
-    region: "eu-west-1"
+    region: ""
-    secretKey: ""
+    secret: ""
    username: "openproject_user"
    pathStyle: true
    useIAMProfile: ""
  univentionManagementStack:
    backend: "minio"
    bucket: "ums"
    endpoint: ""
-    region: "eu-west-1"
+    region: ""
-    secretKey: ""
+    secret: ""
    username: "ums_user"
    useIAMProfile: ""
 ...
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -431,35 +431,7 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
-  umsProvisioningEventsAndConsumerApi:
+  umsProvisioning:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningDispatcher:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningPrefill:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningUdmListener:
    limits:
      cpu: 99
      memory: "1Gi"
    requests:
      cpu: 0.1
      memory: "256Mi"
  umsProvisioningNats:
    limits:
      cpu: 99
      memory: "1Gi"
Author	SHA1	Message	Date
Milton Moura	e0ff58a3a4	fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard to 1.14.0 Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-03-14 12:58:27 -01:00
Milton Moura	c9cca9e357	fix(element): Update to EW release image and related release charts Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 12:28:22 -01:00
Milton Moura	2b7ce2ae49	fix(element): Final tests before final MR Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 10:58:10 -01:00
Milton Moura	54e4664bf2	fix(element): Add widget toggles module config Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-28 09:26:27 -01:00
Milton Moura	89e4af80d2	feat(element): Adds Widget toggles module and e2ee + sticky room EW fixes Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-27 16:38:10 -01:00
Milton Moura	7f2b39cb46	feat(element): Enable E2EE for Element Web and NeoDateFix Bot Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-02-23 07:51:14 +00:00