fix(univention-management-stack): Update otterize helm chart

This change is a preparatory step towards the integration of the upcoming
umbrella chart. It updates both the chart and images to the current release and
adjusts the value files accordingly.

.gitlab-ci.yml

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -11,6 +12,7 @@ include:
   - local: "/.gitlab/generate/generate-docs.yml"
   - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     file: "gitlab/environments.yaml"
+    ref: "main"
   - local: "/.gitlab/lint/lint-opendesk.yml"
     rules:
       - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -18,7 +20,7 @@ include:
       - when: "always"
   - local: "/.gitlab/lint/lint-kyverno.yml"
     rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
         when: "never"
       - when: "always"
 
@@ -41,14 +43,17 @@ variables:
     description: "The name of namespaces to deploy to."
     value: ""
   CLUSTER:
-    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
+    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
-      sovereign-workplace-env included above."
+        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
+        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
     value: "dev"
   MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a passphrase to be used for password generation."
+    description: >
+      Optional: Provide a seed to be used for generation of all internal secrets.
+      Same seed will result in same secrets.
     value: ""
   ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment"
+    description: "Stop environment/delete namespace for the deployment."
     value: "no"
     options:
       - "yes"
@@ -451,7 +456,7 @@ avscan-prepare:
           $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
       when: "always"
     - when: "never"
-  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
   script:
     - |
       cat << 'EOF' > dynamic-scans.yml
@@ -565,7 +570,7 @@ release:
     - |
       echo -e "\n[INFO] Writing data to helm value file..."
       cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
       # SPDX-License-Identifier: Apache-2.0
       ---
       global:

CHANGELOG.md

@@ -1,3 +1,22 @@
+## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
+
+
+### Bug Fixes
+
+* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
+* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
+* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
+* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
+* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
+* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
+* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
+* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
+* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
+* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
+* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
+* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
+* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
+
 ## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)
 
 

README.md

@@ -31,11 +31,11 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Groupware            | OX Appsuite                 | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.3.1](https://www.openproject.org/docs/release-notes/13-3-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 

docs/components.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| Provisioning                | Backend provisioning           | Functional |
+| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |

docs/development.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 
@@ -32,7 +33,7 @@ flowchart TD
     D-->G[images.yaml]
     D-->H[global.*]
     D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
-    A-->|overwrite defaults with\nyour environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
+    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
 ```
 
 The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
@@ -96,13 +97,13 @@ Example:
 
 ## Renovate
 
-- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/renovate-opencode
+Uses a regular expression to match the values of the following attributes:
 
-Uses a regular expression to match the values of the attributes
+- `registry`
-- `# upstreamRegistry`
+- `repository`
-- `# upstreamRepository`
 - `tag`
-check for newer versions of the given artefact and create a MR containing the newest version's tag (and digest).
+
+Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).
 
 ## Mirroring
 

docs/workflow.md

@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 
@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http
 
 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).
 
+**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
+
 ## Development workflow
 
 ### Disclaimer
 
 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
-- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.
 
 ### Workflow
@@ -225,22 +228,28 @@ gitGraph
 
 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.
 
+1. Linting
+   - Blocking
+     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+   - Non Blocking
+     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
+     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
    - All deployment steps must be successful (green)
    - All tests from the end-to-end test set must be successful
-2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
    - Deploy the current merge target baseline (`develop` or `main`)
    - Update deploy from your QA branch into the instance from the previous step
-3. No showstopper found regarding
+1. No showstopper found regarding
    - SBOM compliance[^4]
    - Malware check
    - CVE check[^5]
    - Kubescape scan[^5]
-   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]
 
-Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.
 
-Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
 
 ```mermaid
 flowchart TD

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -68,7 +68,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -117,7 +116,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -140,7 +138,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0
@@ -164,7 +161,6 @@ jitsi:
     securityContext:
       allowPrivilegeEscalation: false
       capabilities: {}
-      enabled: true
       privileged: false
       readOnlyRootFilesystem: false
       runAsGroup: 0

helmfile/apps/open-xchange/helmfile.yaml

@@ -6,7 +6,7 @@ bases:
 ---
 repositories:
   # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
   - name: "dovecot-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.dovecot.verify }}
@@ -18,6 +18,8 @@ repositories:
 
   # Open-Xchange
   - name: "open-xchange-repo"
+    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
+    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
@@ -25,7 +27,8 @@ repositories:
       {{ .Values.charts.openXchangeAppSuite.repository }}"
 
   # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
+  # Source:
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
   - name: "open-xchange-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -45,6 +45,10 @@ apps:
   xwiki:
     enabled: {{ .Values.xwiki.enabled }}
 
+ingressController:
+  {{ .Values.security.ingressController | toYaml | nindent 2 }}
+
+
 extraApps:
   clusterPostfix:
     enabled: {{ .Values.security.clusterPostfix.enabled }}

helmfile/apps/univention-management-stack/helmfile.yaml

@@ -5,168 +5,17 @@ bases:
   - "../../bases/environments.yaml"
 ---
 repositories:
-  # Univention Management Stack
+  # Univention Management Stack Umbrella Chart
-  - name: "ums-guardian-management-api-repo"
+  - name: "ums"
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsGuardianManagementApi.verify }}
+    verify: {{ .Values.charts.ums.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementApi.registry }}/\
+    url:
-      {{ .Values.charts.umsGuardianManagementApi.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\
-  - name: "ums-guardian-management-ui-repo"
+      {{ .Values.charts.ums.repository }}"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
+  # OpenDesk Keycloak Bootstrap Chart
-    verify: {{ .Values.charts.umsGuardianManagementUi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianManagementUi.registry }}/\
-      {{ .Values.charts.umsGuardianManagementUi.repository }}"
-  - name: "ums-guardian-authorization-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsGuardianAuthorizationApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsGuardianAuthorizationApi.registry }}/\
-      {{ .Values.charts.umsGuardianAuthorizationApi.repository }}"
-  - name: "ums-open-policy-agent-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsOpenPolicyAgent.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsOpenPolicyAgent.registry }}/\
-      {{ .Values.charts.umsOpenPolicyAgent.repository }}"
-  - name: "ums-ldap-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsLdapServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapServer.registry }}/\
-      {{ .Values.charts.umsLdapServer.repository }}"
-  - name: "ums-ldap-notifier-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsLdapNotifier.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsLdapNotifier.registry }}/\
-      {{ .Values.charts.umsLdapNotifier.repository }}"
-  - name: "ums-udm-rest-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUdmRestApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUdmRestApi.registry }}/\
-      {{ .Values.charts.umsUdmRestApi.repository }}"
-  - name: "ums-stack-data-ums-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStackDataUms.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataUms.registry }}/\
-      {{ .Values.charts.umsStackDataUms.repository }}"
-  - name: "ums-stack-data-swp-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsStackDataSwp.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsStackDataSwp.registry }}/\
-      {{ .Values.charts.umsStackDataSwp.repository }}"
-  - name: "ums-portal-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalServer.registry }}/\
-      {{ .Values.charts.umsPortalServer.repository }}"
-  - name: "ums-notifications-api-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsNotificationsApi.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsNotificationsApi.registry }}/\
-      {{ .Values.charts.umsNotificationsApi.repository }}"
-  - name: "ums-portal-listener-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalListener.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalListener.registry }}/\
-      {{ .Values.charts.umsPortalListener.repository }}"
-  - name: "ums-portal-frontend-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsPortalFrontend.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsPortalFrontend.registry }}/\
-      {{ .Values.charts.umsPortalFrontend.repository }}"
-  - name: "ums-umc-gateway-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUmcGateway.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcGateway.registry }}/\
-      {{ .Values.charts.umsUmcGateway.repository }}"
-  - name: "ums-umc-server-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsUmcServer.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsUmcServer.registry }}/\
-      {{ .Values.charts.umsUmcServer.repository }}"
-  - name: "ums-selfservice-listener-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsSelfserviceListener.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsSelfserviceListener.registry }}/\
-      {{ .Values.charts.umsSelfserviceListener.repository }}"
-  - name: "ums-provisioning-repo"
-    keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.umsProvisioning.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsProvisioning.registry }}/\
-      {{ .Values.charts.umsProvisioning.repository }}"
-
-  # Univention Keycloak Extensions
-  - name: "ums-keycloak-extensions-repo"
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakExtensions.registry }}/\
-      {{ .Values.charts.umsKeycloakExtensions.repository }}"
-  # Univention Keycloak
-  - name: "ums-keycloak-repo"
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-    verify: {{ .Values.charts.umsKeycloak.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloak.registry }}/\
-      {{ .Values.charts.umsKeycloak.repository }}"
-  - name: "ums-keycloak-bootstrap-repo"
-    keyring: "../../files/gpg-pubkeys/souvap-univention-de.gpg"
-    verify: {{ .Values.charts.umsKeycloakBootstrap.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.umsKeycloakBootstrap.registry }}/\
-      {{ .Values.charts.umsKeycloakBootstrap.repository }}"
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
     verify: {{ .Values.charts.opendeskKeycloakBootstrap.verify }}
@@ -175,223 +24,24 @@ repositories:
     oci: true
     url: "{{ .Values.global.helmRegistry | default .Values.charts.opendeskKeycloakBootstrap.registry }}/\
       {{ .Values.charts.opendeskKeycloakBootstrap.repository }}"
-  # VMWare Bitnami
-  # Source: https://github.com/bitnami/charts/
-  - name: "nginx-repo"
-    keyring: "../../files/gpg-pubkeys/opencode.gpg"
-    verify: {{ .Values.charts.nginx.verify }}
-    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
-    oci: true
-    url: "{{ .Values.global.helmRegistry | default .Values.charts.nginx.registry }}/\
-      {{ .Values.charts.nginx.repository }}"
 
 releases:
-  - name: "ums-keycloak"
+  # Univention Management Stack Umbrella Chart
-    chart: "ums-keycloak-repo/{{ .Values.charts.umsKeycloak.name }}"
+  - name: "ums"
-    version: "{{ .Values.charts.umsKeycloak.version }}"
+    chart: "ums/{{ .Values.charts.ums.name }}"
+    version: "{{ .Values.charts.ums.version }}"
     values:
-      - "values-ums-keycloak.yaml.gotmpl"
+      - "values-umbrella.yaml.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
-
+  # OpenDesk Keycloak Bootstrap Chart
-  - name: "ums-keycloak-extensions"
-    chart: "ums-keycloak-extensions-repo/{{ .Values.charts.umsKeycloakExtensions.name }}"
-    version: "{{ .Values.charts.umsKeycloakExtensions.version }}"
-    values:
-      - "values-ums-keycloak-extensions.yaml.gotmpl"
-    needs:
-      - "ums-keycloak"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-keycloak-bootstrap"
-    chart: "ums-keycloak-bootstrap-repo/{{ .Values.charts.umsKeycloakBootstrap.name }}"
-    version: "{{ .Values.charts.umsKeycloakBootstrap.version }}"
-    values:
-      - "values-ums-keycloak-bootstrap.yaml.gotmpl"
-    needs:
-      - "ums-keycloak"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
   - name: "opendesk-keycloak-bootstrap"
     chart: "opendesk-keycloak-bootstrap-repo/{{ .Values.charts.opendeskKeycloakBootstrap.name }}"
     version: "{{ .Values.charts.opendeskKeycloakBootstrap.version }}"
     values:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
     needs:
-      - "ums-keycloak-bootstrap"
+      - "ums"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-gateway"
-    chart: "nginx-repo/{{ .Values.charts.nginx.name }}"
-    version: "{{ .Values.charts.nginx.version }}"
-    values:
-      - "values-ums-stack-gateway.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-ldap-server"
-    chart: "ums-ldap-server-repo/{{ .Values.charts.umsLdapServer.name }}"
-    version: "{{ .Values.charts.umsLdapServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-ldap-notifier"
-    chart: "ums-ldap-notifier-repo/{{ .Values.charts.umsLdapNotifier.name }}"
-    version: "{{ .Values.charts.umsLdapNotifier.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-ldap-notifier.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-udm-rest-api"
-    chart: "ums-udm-rest-api-repo/{{ .Values.charts.umsUdmRestApi.name }}"
-    version: "{{ .Values.charts.umsUdmRestApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-udm-rest-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-data-ums"
-    chart: "ums-stack-data-ums-repo/{{ .Values.charts.umsStackDataUms.name }}"
-    version: "{{ .Values.charts.umsStackDataUms.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-ums.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-stack-data-swp"
-    chart: "ums-stack-data-swp-repo/{{ .Values.charts.umsStackDataSwp.name }}"
-    version: "{{ .Values.charts.umsStackDataSwp.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-stack-data-swp.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-server"
-    chart: "ums-portal-server-repo/{{ .Values.charts.umsPortalServer.name }}"
-    version: "{{ .Values.charts.umsPortalServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-notifications-api"
-    chart: "ums-notifications-api-repo/{{ .Values.charts.umsNotificationsApi.name }}"
-    version: "{{ .Values.charts.umsNotificationsApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-notifications-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-listener"
-    chart: "ums-portal-listener-repo/{{ .Values.charts.umsPortalListener.name }}"
-    version: "{{ .Values.charts.umsPortalListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-portal-frontend"
-    chart: "ums-portal-frontend-repo/{{ .Values.charts.umsPortalFrontend.name }}"
-    version: "{{ .Values.charts.umsPortalFrontend.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-portal-frontend.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-umc-gateway"
-    chart: "ums-umc-gateway-repo/{{ .Values.charts.umsUmcGateway.name }}"
-    version: "{{ .Values.charts.umsUmcGateway.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-gateway.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-umc-server"
-    chart: "ums-umc-server-repo/{{ .Values.charts.umsUmcServer.name }}"
-    version: "{{ .Values.charts.umsUmcServer.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-umc-server.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-selfservice-listener"
-    chart: "ums-selfservice-listener-repo/{{ .Values.charts.umsSelfserviceListener.name }}"
-    version: "{{ .Values.charts.umsSelfserviceListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-selfservice-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-provisioning"
-    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioning.name }}"
-    version: "{{ .Values.charts.umsProvisioning.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-provisioning.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-provisioning-udm-listener"
-    chart: "ums-provisioning-repo/{{ .Values.charts.umsProvisioningUdmListener.name }}"
-    version: "{{ .Values.charts.umsProvisioningUdmListener.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-provisioning-udm-listener.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-management-api"
-    chart: "ums-guardian-management-api-repo/{{ .Values.charts.umsGuardianManagementApi.name }}"
-    version: "{{ .Values.charts.umsGuardianManagementApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-management-ui"
-    chart: "ums-guardian-management-ui-repo/{{ .Values.charts.umsGuardianManagementUi.name }}"
-    version: "{{ .Values.charts.umsGuardianManagementUi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-management-ui.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-guardian-authorization-api"
-    chart: "ums-guardian-authorization-api-repo/{{ .Values.charts.umsGuardianAuthorizationApi.name }}"
-    version: "{{ .Values.charts.umsGuardianAuthorizationApi.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-guardian-authorization-api.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
-    timeout: 900
-
-  - name: "ums-open-policy-agent"
-    chart: "ums-open-policy-agent-repo/{{ .Values.charts.umsOpenPolicyAgent.name }}"
-    version: "{{ .Values.charts.umsOpenPolicyAgent.version }}"
-    values:
-      - "values-common.yaml.gotmpl"
-      - "values-open-policy-agent.yaml.gotmpl"
     installed: {{ .Values.univentionManagementStack.enabled }}
     timeout: 900
 

helmfile/apps/univention-management-stack/values-common.yaml.gotmpl

@@ -1,25 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  configMapUcrDefaults: "ums-stack-data-ums-ucr"
-  configMapUcr: "ums-stack-data-swp-ucr"
-  configMapUcrForced: null
-
-ingress:
-  # Intentionally not using the Ingress configuration of the UMS stack at the
-  # moment, since it does depend on rewriting capabilities of the ingress
-  # controller. Those are encapsulated into the release "stack-gateway" so that
-  # the compatibility with all ingress controllers is increased.
-  enabled: false
-  host: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls:
-    # The TLS configuration is on the "master" Ingress, see "portal-frontend"
-    enabled: false
-    secretName: ""
-
-istio:
-  enabled: false
-
-...

helmfile/apps/univention-management-stack/values-guardian-authorization-api.yaml.gotmpl

@@ -1,61 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianAuthorizationApi:
-  guardianAuthzCorsAllowedOrigins: "*"
-  guardianAuthzAdapterSettingsPort: "env"
-  guardianAuthzAdapterAppPersistencePort: "udm_data"
-  guardianAuthzAdapterPolicyPort: "opa"
-  guardianAuthzAdapterAuthenticationPort: "fast_api_oauth"
-  guardianAuthzLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
-  guardianAuthzLoggingStructured: false
-  guardianAuthzLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
-  home: "/guardian_service_dir"
-  isUniventionAppCenter: 0
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  opaAdapterUrl: "http://ums-open-policy-agent/"
-  udmDataAdapterUrl: "http://ums-udm-rest-api/udm/"
-  udmDataAdapterUsername: "cn=admin"
-  udmDataAdapterPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianAuthorizationApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianAuthorizationApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianAuthorizationApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-guardian-management-api.yaml.gotmpl

@@ -1,79 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementApi:
-  home: "/guardian_service_dir"
-  isUniventionAppCenter: 0
-  guardianManagementCorsAllowedOrigins: "*"
-  guardianManagementAdapterSettingsPort: "env"
-  guardianManagementAdapterAppPersistencePort: "sql"
-  guardianManagementAdapterConditionPersistencePort: "sql"
-  guardianManagementAdapterContextPersistencePort: "sql"
-  guardianManagementAdapterNamespacePersistencePort: "sql"
-  guardianManagementAdapterPermissionPersistencePort: "sql"
-  guardianManagementAdapterRolePersistencePort: "sql"
-  guardianManagementAdapterCapabilityPersistencePort: "sql"
-  guardianManagementAdapterAuthenticationPort: "fast_api_oauth"
-  guardianManagementAdapterAuthorizationApiUrl: "http://ums-guardian-authorization-api/guardian/authorization"
-  guardianManagementAdapterResourceAuthorizationPort: "always"
-  guardianManagementLoggingLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARNING"{{ end }}
-  guardianManagementLoggingStructured: false
-  guardianManagementLoggingFormat: "<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"
-  guardianManagementBaseUrl: "http://0.0.0.0:8000"
-  oauthAdapterM2mSecretFile: "/var/secrets/oauthAdapterM2mSecret"
-  oauthAdapterM2mSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-  oauthAdapterWellKnownUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080/realms/{{ .Values.platform.realm }}/.well-known/openid-configuration"
-  sqlPersistenceAdapterDialect: "postgresql"
-  sqlPersistenceAdapterDbName: "postgres"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementApi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
-    port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
-    database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
-    password: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-guardian-management-ui.yaml.gotmpl

@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-guardianManagementUi:
-  viteManagementUiAdapterAuthenticationPort: "keycloak"
-  viteManagementUiAdapterDataPort: "api"
-  viteKeycloakAuthenticationAdapterClientId: "guardian-ui"
-  viteApiDataAdapterUri: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/management"
-  viteKeycloakAuthenticationAdapterSsoUri: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-  viteKeycloakAuthenticationAdapterRealm: {{ .Values.platform.realm | quote }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsGuardianManagementUi.registry | quote }}
-  repository: {{ .Values.images.umsGuardianManagementUi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsGuardianManagementUi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  readOnlyRootFilesystem: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl

@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapNotifier.registry | quote }}
-  repository: {{ .Values.images.umsLdapNotifier.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapNotifier.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsLdapNotifier | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 4 }}
-
-volumes:
-  claims:
-    shared-data: "shared-data-ums-ldap-server-0"
-    shared-run: "shared-run-ums-ldap-server-0"
-
-...

helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl

@@ -1,88 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "opendesk-schemas"
-    configMap:
-      name: "ums-stack-data-swp-schemas"
-
-extraVolumeMounts:
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskFileshare.schema"
-    subPath: "opendeskFileshare.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskKnowledgemanagement.schema"
-    subPath: "opendeskKnowledgemanagement.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLearnmanagement.schema"
-    subPath: "opendeskLearnmanagement.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskLivecollaboration.schema"
-    subPath: "opendeskLivecollaboration.schema"
-  - name: "opendesk-schemas"
-    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
-    subPath: "opendeskProjectmanagement.schema"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
-  repository: {{ .Values.images.umsLdapServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsLdapServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-ldapServer:
-  waitForSamlMetadata: true
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-
-persistence:
-  sharedData:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  sharedRun:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
-
-service:
-  type: "ClusterIP"
-
-resources:
-  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl

@@ -1,50 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsNotificationsApi.registry | quote }}
-  repository: {{ .Values.images.umsNotificationsApi.repository }}
-  pullPolicy: {{ .Values.global.imagePullPolicy }}
-  tag: {{ .Values.images.umsNotificationsApi.tag }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-notificationsapi:
-  apply_database_migrations: "True"
-  dev_mode: "False"
-  environment: "staging"
-  log_level: "DEBUG"
-  sql_echo: "False"
-  api_prefix: "/univention/portal/notifications-api"
-
-postgresql:
-  bundled: false
-  connection:
-    host: {{ .Values.databases.umsNotificationsApi.host | quote }}
-    port: {{ .Values.databases.umsNotificationsApi.port | quote }}
-  auth:
-    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
-    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
-    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-
-resources:
-  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-open-policy-agent.yaml.gotmpl

@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsOpenPolicyAgent.registry | quote }}
-  repository: {{ .Values.images.umsOpenPolicyAgent.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsOpenPolicyAgent.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-openPolicyAgent:
-  isUniventionAppCenter: 0
-  opaDataBundle: "bundles/GuardianDataBundle.tar.gz"
-  opaPolicyBundle: "bundles/GuardianPolicyBundle.tar.gz"
-  opaPollingMinDelay: 10
-  opaPollingMaxDelay: 15
-  opaGuardianManagementUrl: "http://ums-guardian-management-api/guardian/management"
-
-resources:
-  {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsOpenPolicyAgent | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -293,296 +293,13 @@ config:
         authorizationServicesEnabled: false
         attributes:
           backchannel.logout.session.required: false
-          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/NOT_YET_IMPLEMENTED_DONT_FORGET_TO_DISABLE_FCL_WHEN_BCL_IS_ACTIVATED/backchannel-logout"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
           post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
           - "opendesk"
           - "address"
           - "email"
           - "profile"
-      - name: "guardian-management-api"
-        clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        protocol: "openid-connect"
-        clientAuthenticatorType: "client-secret"
-        secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "Client Host"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientHost"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientHost"
-              jsonType.label: "String"
-          - name: "Client ID"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "client_id"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "client_id"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              userinfo.token.claim: false
-              id.token.claim: false
-              access.token.claim: true
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-cli"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "Client IP Address"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usersessionmodel-note-mapper"
-            consentRequired: false
-            config:
-              user.session.note: "clientAddress"
-              userinfo.token.claim: true
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "clientAddress"
-              jsonType.label: "String"
-      - name: "guardian-scripts"
-        clientId: "guardian-scripts"
-        description: ""
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        surrogateAuthRequired: false
-        enabled: true
-        alwaysDisplayInConsole: false
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
-        webOrigins:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        bearerOnly: false
-        consentRequired: false
-        standardFlowEnabled: true
-        implicitFlowEnabled: false
-        directAccessGrantsEnabled: true
-        serviceAccountsEnabled: false
-        publicClient: true
-        frontchannelLogout: false
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-scripts"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              aggregate.attrs: false
-              multivalued: false
-              userinfo.token.claim: false
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-        defaultClientScopes:
-          - "opendesk"
-          - "web-origins"
-          - "acr"
-          - "roles"
-          - "profile"
-          - "email"
-        optionalClientScopes:
-          - "address"
-          - "phone"
-          - "offline_access"
-          - "microprofile-jwt"
-      - name: "guardian-ui"
-        clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-        clientAuthenticatorType: "client-secret"
-        redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-        standardFlowEnabled: true
-        publicClient: true
-        protocol: "openid-connect"
-        fullScopeAllowed: true
-        protocolMappers:
-          - name: "uid"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "uid"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "uid"
-              jsonType.label: "String"
-          - name: "username"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "username"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "preferred_username"
-              jsonType.label: "String"
-          - name: "dn"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: "false"
-              user.attribute: "LDAP_ENTRY_DN"
-              id.token.claim: false
-              access.token.claim: true
-              claim.name: "dn"
-              jsonType.label: "String"
-          - name: "audiencemap"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian-ui"
-              id.token.claim: true
-              access.token.claim: true
-              userinfo.token.claim: true
-          - name: "email"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-property-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "email"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "email"
-              jsonType.label: "String"
-          - name: "guardian-audience"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-audience-mapper"
-            consentRequired: false
-            config:
-              included.client.audience: "guardian"
-              id.token.claim: false
-              access.token.claim: true
-              userinfo.token.claim: false
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/univention-management-stack/values-portal-frontend.yaml.gotmpl

@@ -1,117 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-
-extraIngresses:
-  redirects:
-    # Using "stack-gateway" currently.
-    enabled: false
-    # The TLS configuration is on the "master" Ingress, see below.
-    tls:
-      enabled: false
-  master:
-    # Using "stack-gateway" currently.
-    enabled: false
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-
-  # See "extraVolumeMounts" below
-  custom-favicon:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      - pathType: "Exact"
-        path: "/favicon.ico"
-    tls: {}
-
-extraVolumes:
-  - name: "opendesk-branding"
-    configMap:
-      name: "ums-stack-data-swp-branding"
-
-extraVolumeMounts:
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/favicon.ico"
-    subPath: "favicon.ico"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/css/custom.css"
-    subPath: "custom.css"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo.svg"
-    subPath: "logo.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/icons/logo_small_border.svg"
-    subPath: "logo_small_border.svg"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.png"
-    subPath: "portal_background_image.png"
-  - name: "opendesk-branding"
-    mountPath: "/var/www/html/custom/portal_background_image.svg"
-    subPath: "portal_background_image.svg"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
-  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  # See "extraVolumeMounts" below
-  custom-branding:
-    # Using "stack-gateway" at the moment
-    enabled: false
-    annotations:
-      nginx.ingress.kubernetes.io/configuration-snippet: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/location-snippets: |
-        rewrite ^/univention/portal(/.*)$ $1 break;
-      nginx.org/mergeable-ingress-type: "minion"
-    paths:
-      # This relies on the correct implementation of the matching for paths of
-      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
-      # store-dav.
-      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
-      - pathType: "Prefix"
-        path: "/univention/portal/icons/"
-      - pathType: "Prefix"
-        path: "/univention/portal/custom/"
-    tls: {}
-
-replicaCount: {{ .Values.replicas.umsPortalFrontend }}
-
-resources:
-  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 4 }}
-...

helmfile/apps/univention-management-stack/values-portal-listener.yaml.gotmpl

@@ -1,85 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalListener.registry | quote }}
-  repository: {{ .Values.images.umsPortalListener.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalListener.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.portalListener | quote }}
-
-portalListener:
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  assetsRootPath: "portal-assets"
-  ucsInternalPath: "portal-data"
-
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  portalDefaultDn: {{ printf "%s,%s" "cn=domain,cn=portal,cn=portals,cn=univention" .Values.ldap.baseDn | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-  tlsMode: "off"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUsername: "cn=admin"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
-
-resources:
-  {{ .Values.resources.umsPortalListener | toYaml | nindent 2 }}
-
-resourcesDependencyWaiter:
-  {{ .Values.resources.umsPortalListenerDependencies | toYaml | nindent 2 }}
-
-store-dav:
-  bundled: false
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalListener | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl

@@ -1,62 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalServer.registry | quote }}
-  repository: {{ .Values.images.umsPortalServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsPortalServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-portalServer:
-  authMode: "saml"
-  editable: "false"
-  umcGetUrl: "http://ums-umc-server/get"
-  umcSessionUrl: "http://ums-umc-server/get/session-info"
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-  adminGroup: {{ printf "%s,%s" "cn=Domain Admins,cn=groups" .Values.ldap.baseDn | quote }}
-  ucsInternalPath: "portal-data"
-  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
-  centralNavigation:
-    enabled: true
-    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-
-replicaCount: {{ .Values.replicas.umsPortalServer }}
-
-resources:
-  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl

@@ -1,28 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
-  repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsProvisioningUdmListener.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-config:
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  tlsMode: "off"
-  natsHost: "ums-provisioning-nats"
-  natsPort: "4222"
-
-resources:
-  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
-...

helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl

@@ -1,81 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-
-dispatcher:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 9979
-    UDM_USERNAME: "cn=admin"
-
-api:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningEventsAndConsumerApi.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningEventsAndConsumerApi.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  config:
-    rootPath: "/univention/provisioning-api"
-  resources:
-    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
-  
-prefill:
-  image: 
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningPrefill.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningPrefill.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningPrefill.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
-
-nats:
-  bundled: true
-  nameOverride: ""
-  resources:
-    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  enabled: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-  sysctls:
-    - name: "net.ipv4.ip_unprivileged_port_start"
-      value: "1"
-
-
-
-...

helmfile/apps/univention-management-stack/values-selfservice-listener.yaml.gotmpl

@@ -1,79 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-image:
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  selfserviceListener:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
-    repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
-    tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
-
-  selfserviceInvitation:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
-    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
-    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
-
-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-persistence:
-  storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
-  size: {{ .Values.persistence.size.univentionManagementStack.selfserviceListener | quote }}
-
-resources:
-  {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 2 }}
-
-resourcesDependencyWaiter:
-  {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 2 }}
-
-selfserviceListener:
-  ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  notifierServer: {{ .Values.ldap.notifierHost | quote }}
-  umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-  debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-  tlsMode: "off"
-  umcServerUrl: "http://ums-umc-server"
-  umcAdminUser: "default.admin"
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsSelfserviceListener | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-stack-data-swp.yaml.gotmpl

@@ -1,74 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-swp"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
-  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsDataLoader.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsStackDataSwp | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
-
-stackDataContext:
-  ldapBase: "dc=swp-ldap,dc=internal"
-  oxDefaultContext: "1"
-  smtpStartTls: true
-  ldapSearchUsers:
-    {{- range $username, $password := .Values.secrets.univentionManagementStack.ldapSearch }}
-    - username: {{ printf "ldapsearch_%s" $username | quote }}
-      password: {{ $password | quote }}
-      lastname: "LDAP-Search-User"
-    {{- end }}
-
-  externalDomainName: {{ .Values.global.domain | quote }}
-  externalMailDomain: {{ .Values.global.domain | quote }}
-
-  portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
-  portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
-  portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
-  portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
-  portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain | quote }}
-  portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain | quote }}
-  portalTitleDE: "{{ .Values.theme.texts.productName }} Portal"
-  portalTitleEN: "{{ .Values.theme.texts.productName }} Portal"
-
-  smtpHost: {{ .Values.smtp.host | quote }}
-  smtpPort: {{ .Values.smtp.port | quote }}
-  smtpUser: {{ .Values.smtp.username | quote }}
-
-  userPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.userPassword | quote }}
-  adminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-
-stackDataSwp:
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  systemInformation:
-    deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
-    releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
-  udmApiUser: "cn=admin"
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  loadDevData: true
-
-...

helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl

@@ -1,59 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-additionalAnnotations:
-  intents.otterize.com/service-name: "ums-stack-data-ums"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsDataLoader.registry | quote }}
-  repository: {{ .Values.images.umsDataLoader.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsDataLoader.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsStackDataUms | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsDataLoader | toYaml | nindent 4 }}
-
-stackDataContext:
-  idpSamlMetadataUrlInternal: null
-  umcSamlSchemes: "https"
-  # The openDesk configuration brings its own UMC policies.
-  installUmcPolicies: false
-  domainname: {{ .Values.global.domain | quote }}
-  externalMailDomain: {{ .Values.global.domain | quote }}
-  hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
-  ldapBase: {{ .Values.ldap.baseDn | quote }}
-  ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-  idpSamlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
-  umcSamlSpFqdn: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  idpFqdn: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
-  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
-  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
-  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
-
-stackDataUms:
-  loadDevData: true
-  udmApiPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-  udmApiUrl: "http://ums-udm-rest-api/udm/"
-  udmApiUser: "cn=admin"
-
-...

helmfile/apps/univention-management-stack/values-store-dav.yaml.gotmpl

@@ -1,65 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStoreDav.registry | quote }}
-  repository: {{ .Values.images.umsStoreDav.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsStoreDav.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-  configHtpasswd:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsConfigHtpasswd.registry | quote }}
-    repository: {{ .Values.images.umsConfigHtpasswd.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsConfigHtpasswd.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-
-persistence:
-  data:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.storeDav | quote }}
-
-resources:
-  {{ .Values.resources.umsStoreDav | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsStoreDav | toYaml | nindent 4 }}
-
-storeDav:
-  auth:
-    basicAuth:
-      portal-listener: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalListener | quote }}
-      portal-server: {{ .Values.secrets.univentionManagementStack.storeDavUsers.portalServer | quote }}
-
-...

helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl

@@ -1,67 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "attribute-to-group-mapper-hook"
-    configMap:
-      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
-
-extraVolumeMounts:
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
-    subPath: "AttributeToGroupMapper.py"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
-    subPath: "flag_to_group_mapping.json"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
-  repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUdmRestApi.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-
-replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
-
-udmRestApi:
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-
-...

helmfile/apps/univention-management-stack/values-umc-gateway.yaml.gotmpl

@@ -1,64 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-gateway-entrypoint"
-      defaultMode: 0555
-  - name: "announcements-customization"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-announcements"
-      defaultMode: 0444
-
-extraVolumeMounts:
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-swp.sh"
-    subPath: "90-swp.sh"
-  - name: "announcements-customization"
-    mountPath:
-      "/usr/share/univention-management-console-frontend/js/dijit/themes\
-      /umc/icons/16x16/udm-portals-announcement.png"
-    subPath: "udm-portals-announcement.png"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcGateway.registry | quote }}
-  repository: {{ .Values.images.umsUmcGateway.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcGateway.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-resources:
-  {{ .Values.resources.umsUmcGateway | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 4 }}
-
-...

helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl

@@ -1,109 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-extraVolumes:
-  - name: "certificates"
-    secret:
-      secretName: "opendesk-certificates-tls"
-  - name: "entrypoint-swp-patches"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-entrypoint"
-      defaultMode: 0555
-  - name: "self-service-emails"
-    configMap:
-      name: "ums-stack-data-swp-self-service-emails"
-      defaultMode: 0444
-  - name: "attribute-to-group-mapper-hook"
-    configMap:
-      name: "ums-stack-data-swp-attribute-to-group-mapper-hook"
-  - name: "announcements-customization"
-    configMap:
-      name: "ums-stack-data-swp-umc-server-announcements"
-      defaultMode: 0444
-
-extraVolumeMounts:
-  - name: "certificates"
-    mountPath: "/var/secrets/ssl"
-  - name: "entrypoint-swp-patches"
-    mountPath: "/entrypoint.d/90-customization.sh"
-    subPath: "90-customization.sh"
-  - name: "self-service-emails"
-    mountPath: "/usr/share/univention-self-service/email_bodies"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/lib/python3/dist-packages/univention/admin/hooks.d/AttributeToGroupMapper.py"
-    subPath: "AttributeToGroupMapper.py"
-  - name: "attribute-to-group-mapper-hook"
-    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
-    subPath: "flag_to_group_mapping.json"
-  - name: "announcements-customization"
-    mountPath: "/usr/share/univention-management-console/modules/udm-portals-announcement.xml"
-    subPath: "udm-portals-announcement.xml"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsUmcServer.registry | quote }}
-  repository: {{ .Values.images.umsUmcServer.repository | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  tag: {{ .Values.images.umsUmcServer.tag | quote }}
-  pullSecrets:
-    {{- range .Values.global.imagePullSecrets }}
-    - name: {{ . | quote }}
-    {{- end }}
-
-memcached:
-  bundled: false
-  auth:
-    username: null
-    password: null
-  server: {{ .Values.cache.umsSelfservice.host | quote }}
-
-postgresql:
-  bundled: false
-  auth:
-    username: {{ .Values.databases.umsSelfservice.username | quote }}
-    database: {{ .Values.databases.umsSelfservice.name | quote }}
-    password: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-    postgresPassword: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
-  connection:
-    host: {{ .Values.databases.umsSelfservice.host | quote }}
-    port: {{ .Values.databases.umsSelfservice.port | quote }}
-
-resources:
-  {{ .Values.resources.umsUmcServer | toYaml | nindent 2 }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 4 }}
-
-umcServer:
-  certPemFile: "/var/secrets/ssl/tls.crt"
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  smtpSecret: {{ .Values.smtp.password | quote }}
-  privateKeyFile: "/var/secrets/ssl/tls.key"
-
-...

helmfile/apps/univention-management-stack/values-ums-keycloak-bootstrap.yaml.gotmpl

@@ -1,83 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  registry: {{ .Values.global.imageRegistry | quote }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakBootstrap.registry | quote }}
-  repository: {{ .Values.images.umsKeycloakBootstrap.repository | quote }}
-  tag: {{ .Values.images.umsKeycloakBootstrap.tag | quote }}
-  imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-
-cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
-
-config:
-  keycloak:
-    adminUser: "kcadmin"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-    realm: {{ .Values.platform.realm | quote }}
-    intraCluster:
-      enabled: true
-      internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
-    loginLinks:
-      - link_number: 1
-        language: "de"
-        description: "Passwort vergessen?"
-        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-      - link_number: 1
-        language: "en"
-        description: "Forgot password?"
-        href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-  ums:
-    ldap:
-      internalHostname: {{ .Values.ldap.host | quote }}
-      baseDN: {{ .Values.ldap.baseDn | quote }}
-      readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
-      readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
-      mappers:
-        - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
-        - ldapAndUserModelAttributeName: "oxContextIDNum"
-    saml:
-      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  twoFactorAuthentication:
-    enabled: true
-    group: "2fa-users"
-
-containerSecurityContext:
-  enabled: true
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  readOnlyRootFilesystem: false
-  privileged: false
-  runAsGroup: 1000
-  runAsNonRoot: true
-  runAsUser: 1000
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 4 }}
-
-podAnnotations:
-  intents.otterize.com/service-name: "ums-keycloak-bootstrap"
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1000
-  fsGroupChangePolicy: "Always"
-
-resources:
-  {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-ums-keycloak-extensions.yaml.gotmpl

@@ -1,111 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  keycloak:
-    host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
-    adminUsername: "kcadmin"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-    adminRealm: "master"
-    realm: {{ .Values.platform.realm | quote }}
-  postgresql:
-    connection:
-      host: {{ .Values.databases.keycloakExtension.host | quote }}
-      port: {{ .Values.databases.keycloakExtension.port }}
-    auth:
-      database: {{ .Values.databases.keycloakExtension.name | quote }}
-      username: {{ .Values.databases.keycloakExtension.username | quote }}
-      password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-handler:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionHandler.registry | quote }}
-    repository: {{ .Values.images.umsKeycloakExtensionHandler.repository | quote }}
-    tag: {{ .Values.images.umsKeycloakExtensionHandler.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
-  appConfig:
-    captchaProtectionEnable: false
-    deviceProtectionEnable: true
-    ipProtectionEnable: true
-    logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-    newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-    smtpPassword: {{ .Values.smtp.password | quote }}
-    smtpHost: {{ .Values.smtp.host | quote }}
-    smtpPort: {{ .Values.smtp.port | quote }}
-    smtpUsername: {{ .Values.smtp.username | quote }}
-    mailFrom: "noreply@{{ .Values.global.domain }}"
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    readOnlyRootFilesystem: true
-    privileged: false
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
-  resources:
-    {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 4 }}
-postgresql:
-  enabled: false
-proxy:
-  appConfig:
-    logLevel: {{ if .Values.debug.enabled }}"debug"{{ else }}"warn"{{ end }}
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloakExtensionProxy.registry | quote }}
-    repository: {{ .Values.images.umsKeycloakExtensionProxy.repository | quote }}
-    tag: {{ .Values.images.umsKeycloakExtensionProxy.tag | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-  imagePullSecrets: {{ .Values.global.imagePullSecrets }}
-  ingress:
-    annotations:
-      nginx.org/proxy-buffer-size: "8k"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
-    paths:
-      {{- if .Values.debug.enabled }}
-      - pathType: "Prefix"
-        path: "/admin"
-      {{- end }}
-      - pathType: "Prefix"
-        path: "/realms"
-      - pathType: "Prefix"
-        path: "/resources"
-      - pathType: "Prefix"
-        path: "/fingerprintjs"
-      - pathType: "Exact"
-        path: "/univention/meta.json"
-        backend:
-          service:
-            name: "ums-stack-gateway"
-            port:
-              name: "http"
-
-    enabled: {{ .Values.ingress.enabled }}
-    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-    host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    tls:
-      enabled: {{ .Values.ingress.tls.enabled }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - "ALL"
-    seccompProfile:
-      type: "RuntimeDefault"
-    privileged: false
-    readOnlyRootFilesystem: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
-    seLinuxOptions:
-      {{ .Values.seLinuxOptions.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
-  resources:
-    {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 4 }}
-...

helmfile/apps/univention-management-stack/values-ums-keycloak.yaml.gotmpl

@@ -1,64 +0,0 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
----
-global:
-  domain: {{ .Values.global.domain | quote }}
-  hosts:
-    {{ .Values.global.hosts | toYaml | nindent 4 }}
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsKeycloak.registry | quote }}
-  repository: {{ .Values.images.umsKeycloak.repository | quote }}
-  tag: {{ .Values.images.umsKeycloak.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-config:
-  admin:
-    password: {{ .Values.secrets.keycloak.adminPassword | quote }}
-  database:
-    host: {{ .Values.databases.keycloak.host | quote }}
-    port: {{ .Values.databases.keycloak.port }}
-    user: {{ .Values.databases.keycloak.username | quote }}
-    database: {{ .Values.databases.keycloak.name | quote }}
-    password: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
-  logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-  enableMetrics: true
-  # The availability of the admin console is already restricted through the path settings in the Keycloak Extensions
-  # Proxy which is used in openDesk. The setting here is just relevant when Keycloak endpoints are exposed directly
-  # through an own ingress.
-  exposeAdminConsole: false
-
-containerSecurityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  seccompProfile:
-    type: "RuntimeDefault"
-  privileged: false
-  readOnlyRootFilesystem: false
-  runAsUser: 1000
-  runAsGroup: 1000
-  runAsNonRoot: true
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 4 }}
-
-podSecurityContext:
-  fsGroup: 1000
-  fsGroupChangePolicy: "OnRootMismatch"
-
-theme:
-  univentionTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/theme.css"
-  univentionCustomTheme: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/css/custom.css"
-  favIcon: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/favicon.ico"
-
-replicaCount: {{ .Values.replicas.keycloak }}
-
-resources:
-  {{ .Values.resources.umsKeycloak | toYaml | nindent 2 }}
-
-...

helmfile/apps/univention-management-stack/values-ums-stack-gateway.yaml.gotmpl

@@ -1,301 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-License-Identifier: Apache-2.0
----
-global:
-  imagePullSecrets:
-    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
-
-fullnameOverride: "ums-stack-gateway"
-
-image:
-  registry: {{ .Values.global.imageRegistry | default .Values.images.umsStackGateway.registry | quote }}
-  repository: {{ .Values.images.umsStackGateway.repository | quote }}
-  tag: {{ .Values.images.umsStackGateway.tag | quote }}
-  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-
-ingress:
-  annotations:
-    # Ensure that the ingress controller can handle responses with plenty of
-    # headers. This is a requirement from the UDM Rest API.
-    nginx.org/proxy-buffer-size: "64k"
-    nginx.org/proxy-buffers: "4 128k"
-  enabled: {{ .Values.ingress.enabled }}
-  extraTls:
-    - hosts:
-        - {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-      secretName: {{ .Values.ingress.tls.secretName | quote }}
-  hostname: {{ printf "%s.%s" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
-  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  tls: false
-
-podSecurityContext:
-  enabled: true
-  fsGroup: 1001
-
-containerSecurityContext:
-  enabled: true
-  runAsUser: 1001
-  runAsGroup: 0
-  runAsNonRoot: true
-  privileged: false
-  readOnlyRootFilesystem: false
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-  seccompProfile:
-    type: "RuntimeDefault"
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsStackGateway | toYaml | nindent 4 }}
-
-service:
-  type: "ClusterIP"
-
-serviceAccount:
-  create: true
-
-fullnameOverride: "ums-stack-gateway"
-
-# The content of the "serverBlock" does resemble the Ingress configuration of
-# the UMS components. The "location" entries do intentionally reflect precisely
-# the respective paths which are configured.
-serverBlock: |
-  server {
-    listen 8080;
-
-    proxy_http_version 1.1;
-
-    proxy_set_header Host $http_host;
-
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
-    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
-    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-
-    ## portal-frontend
-    # The frontend does not own "/univention/portal" nor
-    # "/univention/selfservice", only these two bits
-    location = /univention/portal/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/portal/index.html {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location = /univention/selfservice/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    # The following prefixes are owned by the frontend
-    location /univention/portal/css/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/fonts/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/i18n/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/media/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/js/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/portal/oidc/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/css/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/fonts/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/i18n/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/media/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/js/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-    location /univention/selfservice/oidc/ {
-      rewrite ^/univention/selfservice(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80;
-    }
-
-
-    ## frontend redirects
-    location = / {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/ {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/portal {
-       absolute_redirect off;
-       return 302 /univention/portal/;
-    }
-    location = /univention/selfservice {
-       absolute_redirect off;
-       return 302 /univention/selfservice/;
-    }
-
-
-    ## portal-server
-    location = /univention/portal/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/selfservice/portal.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-    location = /univention/portal/navigation.json {
-      proxy_pass http://ums-portal-server:80;
-    }
-
-
-    ## object storage (minio)
-    location /univention/portal/icons/entries/ {
-      rewrite ^/univention/portal(/icons/entries/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/portal/icons/logos/ {
-      rewrite ^/univention/portal(/icons/logos/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/selfservice/icons/entries/ {
-      rewrite ^/univention/selfservice(/icons/entries/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-    location /univention/selfservice/icons/logos/ {
-      rewrite ^/univention/selfservice(/icons/logos/.*)$ /ums/portal-assets$1 break;
-      proxy_pass http://minio:9000;
-    }
-
-
-    ## udm-rest-api
-    location /univention/udm/ {
-      # The UDM Rest API does return on some endpoints a lot of headers
-      proxy_busy_buffers_size 128k;
-      proxy_buffers 4 128k;
-      proxy_buffer_size 64k;
-
-      rewrite ^/univention(/udm/.*)$ $1 break;
-      proxy_pass http://ums-udm-rest-api:80;
-    }
-
-
-    ## umc-gateway
-    location = /univention/languages.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/meta.json {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location = /univention/theme.css {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/js/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/login/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/management/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-    location /univention/themes/ {
-      proxy_pass http://ums-umc-gateway:80;
-    }
-
-
-    ## umc-server
-    location = /univention/auth {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-      proxy_set_header X-UMC-HTTPS 'on';
-    }
-    location /univention/logout {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/saml {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-      proxy_set_header X-UMC-HTTPS 'on';
-    }
-    location /univention/get {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/set {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/command {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-    location /univention/upload {
-      rewrite ^/univention(/.*)$ $1 break;
-      proxy_pass http://ums-umc-server:80;
-    }
-
-
-    ## notifications-api
-    location /univention/portal/notifications-api/ {
-      rewrite ^/univention/portal/notifications-api(/.*)$ $1 break;
-      proxy_pass http://ums-notifications-api:80;
-    }
-
-    ## openDesk branding
-    location = /favicon.ico {
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/custom/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-    location /univention/portal/icons/ {
-      rewrite ^/univention/portal(/.*)$ $1 break;
-      proxy_pass http://ums-portal-frontend:80/;
-    }
-
-    ## guardian
-    location /univention/guardian/management-ui {
-      proxy_pass http://ums-guardian-management-ui:80/univention/guardian/management-ui;
-    }
-    location /guardian/opa {
-      rewrite ^/guardian/opa(/.*)$ $1 break;
-      proxy_pass http://ums-open-policy-agent:80/;
-    }
-    location /guardian/management {
-      proxy_pass http://ums-guardian-management-api:80/guardian/management;
-    }
-    location /guardian/authorization {
-      proxy_pass http://ums-guardian-authorization-api:80/guardian/authorization;
-    }
-
-  }
-
-...

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -62,21 +62,21 @@ customConfigs:
     xwiki.authentication.ldap.groupcache_expiration: 300
 
   xwiki.properties:
-    oidc.endpoint.authorization: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/auth"
-    oidc.endpoint.token: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-    oidc.endpoint.userinfo: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"
-    oidc.endpoint.logout: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
-    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
-    oidc.scope: "openid,profile,email,address,opendesk"
-    oidc.endpoint.userinfo.method: "GET"
-    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
-    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
-    # yamllint disable-line rule:line-length
-    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     oidc.clientid: "opendesk-xwiki"
     oidc.endpoint.token.auth_method: "client_secret_basic"
-    oidc.skipped: false
+    oidc.endpoint.userinfo.method: "GET"
     oidc.logoutMechanism: "rpInitiated"
+    oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
+    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
+    oidc.skipped: false
+    oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
+    oidc.user.subjectFormater: "${oidc.user.opendesk_username._lowerCase}"
+    # Using the claims below some user based information can be passed through OIDC to XWiki that partitially has an
+    # impact on the user experience. E.g. you can define the default editor for the user `xwiki_user_editor` or if
+    # the `xwiki_user_usertype` is advanced or simple.
+    # yamllint disable-line rule:line-length
+    oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
     workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"

helmfile/environments/default/charts.yaml

@@ -1,7 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
+# yamllint disable rule:line-length
 ---
 charts:
   certificates:
@@ -22,7 +24,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "opendesk-clamav"
-    version: "4.0.1"
+    version: "4.0.5"
     verify: true
   clamavSimple:
     # providerCategory: 'Platform'
@@ -32,7 +34,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "clamav-simple"
-    version: "4.0.1"
+    version: "4.0.5"
     verify: true
   collabora:
     # providerCategory: 'Supplier'
@@ -272,7 +274,8 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.2.37"
+    version: "2.4.49"
+    verify: false
   openXchangeAppSuiteBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -291,7 +294,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "1.7.5"
+    version: "2.0.0"
     verify: true
   oxConnector:
     # providerCategory: 'Supplier'
@@ -365,53 +368,19 @@ charts:
     name: "opendesk-synapse-web"
     version: "2.6.7"
     verify: true
-  umsGuardianAuthorizationApi:
+  ums:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
     # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/guardian-authorization-api'
+    # upstreamRepository: 'souvap/tooling/charts/univention/ums'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['0', '0', '1']
-    registry: "registry.opencode.de"
+    # registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-authorization-api"
+    registry: "registry.souvap-univention.de"
-    version: "0.1.0"
+    repository: "souvap/tooling/charts/univention"
-    verify: true
+    name: "ums"
-  umsGuardianManagementApi:
+    version: "0.11.0"
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-api'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '1']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-management-api"
-    version: "0.1.0"
-    verify: true
-  umsGuardianManagementUi:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/guardian-management-ui'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '1']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "guardian-management-ui"
-    version: "0.1.0"
-    verify: true
-  umsKeycloak:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention-keycloak/ums-keycloak'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '0', '3']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums-keycloak"
-    version: "1.0.5"
     verify: true
   umsKeycloakBootstrap:
     # providerCategory: 'Supplier'
@@ -425,198 +394,6 @@ charts:
     name: "ums-keycloak-bootstrap"
     version: "1.0.1"
     verify: true
-  umsKeycloakExtensions:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/keycloak-extensions'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '3']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "keycloak-extensions"
-    version: "0.2.1"
-    verify: true
-  umsLdapNotifier:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/ldap-notifier'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '7', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ldap-notifier"
-    version: "0.8.2"
-    verify: true
-  umsLdapServer:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/ldap-server'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '7', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ldap-server"
-    version: "0.8.2"
-    verify: true
-  umsNotificationsApi:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/notifications-api'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "notifications-api"
-    version: "0.9.2"
-    verify: true
-  umsOpenPolicyAgent:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/open-policy-agent'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '0', '1']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "open-policy-agent"
-    version: "0.1.0"
-    verify: true
-  umsPortalFrontend:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/portal-frontend'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-frontend"
-    version: "0.14.0"
-    verify: true
-  umsPortalListener:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/portal-listener'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-listener"
-    version: "0.14.0"
-    verify: true
-  umsPortalServer:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/portal-server'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "portal-server"
-    version: "0.14.0"
-    verify: true
-  umsProvisioning:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/provisioning'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '5']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "provisioning"
-    version: "0.14.0"
-    verify: true
-  umsProvisioningUdmListener:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/udm-listener'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '5']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "udm-listener"
-    version: "0.14.0"
-    verify: true
-  umsSelfserviceListener:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/selfservice-listener'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '3', '1']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "selfservice-listener"
-    version: "0.3.1"
-    verify: true
-  umsStackDataSwp:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/stack-data-swp'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '41', '8']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "stack-data-swp"
-    version: "0.44.0"
-    verify: true
-  umsStackDataUms:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/stack-data-ums'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '41', '8']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "stack-data-ums"
-    version: "0.44.0"
-    verify: true
-  umsUdmRestApi:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/udm-rest-api'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '4', '3']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "udm-rest-api"
-    version: "0.5.2"
-    verify: true
-  umsUmcGateway:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/umc-gateway'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '6', '4']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "umc-gateway"
-    version: "0.6.4"
-    verify: true
-  umsUmcServer:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention/umc-server'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '6', '4']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "umc-server"
-    version: "0.6.4"
-    verify: true
   xwiki:
     # providerCategory: 'Supplier'
     # providerResponsible: 'XWiki'

helmfile/environments/default/global.generated.yaml

@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.5.80"
+    releaseVersion: "v0.5.81"
 ...

helmfile/environments/default/global.yaml

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
@@ -9,9 +10,7 @@ global:
   hosts:
     collabora: "collabora"
     cryptpad: "cryptpad"
-    dimension: "integration"
     element: "chat"
-    etherpad: "etherpad"
     intercomService: "ics"
     jitsi: "meet"
     keycloak: "id"

helmfile/environments/default/images.yaml

@@ -46,7 +46,7 @@ images:
     # upstreamMirrorStartFrom: ['1', '8', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
+    tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
   freshclam:
     # providerCategory: 'Community'
     # providerResponsible: 'openDesk'
@@ -148,7 +148,7 @@ images:
     # upstreamMirrorStartFrom: ['1', '4', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
+    tag: "1.14.0@sha256:1a00f33ed5f560e55b06011b2f81696fd8230820f6980edb826768af0e0b41d9"
   matrixNeoChoiceWidget:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Nordeck'
@@ -220,7 +220,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.16@sha256:c36aaef5dfbd44b702f351ea1a875180caa537c90520d4f4fe69ea28357d85a9"
+    tag: "1.1.19@sha256:ebe4e1187a474739794115ec97ba3759cf61fcc2967fc799ff1ec4e7ba0a4243"
   nextcloudExporter:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -236,7 +236,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.6@sha256:4ebe6aa3fc67aa7c2c39035db9f63bfcd398ff980f43ef903dd916acaf88c241"
+    tag: "1.3.10@sha256:ed038316eb84e42716c7c31d7275cddc1125781cbb7583e716a978b9407ba738"
   nextcloudPHP:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -244,7 +244,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.5@sha256:4fee6fc29fc1b34c069a37fbcf99d1e2a257053971035d248defe9624bea36e7"
+    tag: "1.8.9@sha256:9da3810989c60a3913f9ab366442925d39011a41c9f761ea05650de5935a4514"
   opendeskKeycloakBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -262,7 +262,7 @@ images:
     # upstreamMirrorStartFrom: ['13', '1', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "13.3.1@sha256:7e5a2cbd3d9f2db65e977797c0f7669b83f8e1b21bf0687ee20d19cbd1b55b7a"
+    tag: "13.4.1@sha256:b72d3e841fa4da03fc284e0ef7c56e763a9b04188f4219e527d9de93ccc49fe3"
   openprojectBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -296,7 +296,7 @@ images:
     # upstreamMirrorStartFrom: ['8', '6', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
+    tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
   openxchangeCoreMW:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -306,7 +306,7 @@ images:
     # upstreamMirrorStartFrom: ['8', '20', '51']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
+    tag: "8.22.52@sha256:dab45b0e308b8d5c6c5cb5ec5be9d711f55e7aa87375c4b08ab178287bb7b769"
   openxchangeCoreUI:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -316,7 +316,7 @@ images:
     # upstreamMirrorStartFrom: ['8', '20', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
+    tag: "8.22.1@sha256:4b581d8fb3761156a5dd81a2cebc1c7a0382652d01ba6ee933527f9899b41768"
   openxchangeCoreUIMiddleware:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -326,7 +326,7 @@ images:
     # upstreamMirrorStartFrom: ['2', '0', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
+    tag: "2.0.2@sha256:eafcc0242b3fd93a777077c136b9e87fe03b163988731c15f0d3cd2ba39a2165"
   openxchangeCoreUserGuide:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -336,7 +336,7 @@ images:
     # upstreamMirrorStartFrom: ['8', '20', '799279']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
+    tag: "8.22.909960@sha256:dbd3f3a37c2d0a2885234cee53d79bf69015392c1381433c008694b4b99ddf30"
   openxchangeDocumentConverter:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -346,17 +346,17 @@ images:
     # upstreamMirrorStartFrom: ['8', '20', '50']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
+    tag: "8.22.49@sha256:21ab0b52fa54fb5be969c4c689e4b7724b7bf9ee79b1bf166ab27d8c67e3a6b6"
   openxchangeGotenberg:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
     # upstreamRegistry: 'registry.open-xchange.com'
-    # upstreamRepository: 'appsuite-public-sector/3rdparty/gotenberg'
+    # upstreamRepository: 'appsuite-public-sector/gotenberg'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['7', '9', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
-    tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
+    tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
   openxchangeGuardUI:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -366,7 +366,7 @@ images:
     # upstreamMirrorStartFrom: ['4', '2', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "4.2.2@sha256:c2ff375fa3dc359c555570f5216a5451966d9b7165934980acb1bf60363b59c8"
+    tag: "8.22.0@sha256:89c18129a2bdffe24587494e96ad12e95c01c25cd7a6a7b177afc75fec70415c"
   openxchangeImageConverter:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -376,7 +376,7 @@ images:
     # upstreamMirrorStartFrom: ['8', '20', '50']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
+    tag: "8.22.49@sha256:42841719c515b21f5d6e18296116fe690ac63f82f5acfa877652c2639911f127"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Open-Xchange'
@@ -396,7 +396,7 @@ images:
     # upstreamMirrorStartFrom: ['2', '2', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.2.1@sha256:cf5dc3754dfdf41844f619b0c3178d0406de3ce8dd51317ed706cb329d338fc8"
+    tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
   oxConnector:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -486,7 +486,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '41', '5']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.44.0@sha256:c08d619880537c03ebdcdc19fa9746bf5098e3810d85487d47676f3846c6b16c"
+    tag: "0.45.2@sha256:6e2e054903f361eea5cd54ae6dd3da94380d4a6a11f2628983e2acdbc66d605e"
   umsGuardianAuthorizationApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -517,6 +517,16 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
     tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
+  umsGuardianProvisioning:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/images/univention/guardian-init'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['0', '3', '0']
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
+    tag: "0.3.0@sha256:6ce026307cace794b33dddc616e37025974707b5c94fc52cff100b769cba722b"
   umsKeycloak:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -546,7 +556,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '0', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.2.0@sha256:ed3a391cb32b9bb9408a4b8e9839b6ee89cbab60149732cd51165a871a91c54d"
+    tag: "0.3.1@sha256:98871e8d5acfe6bfa6ea7d140197ae41585cfb06c71514ffcf6e98df8315b9ee"
   umsKeycloakExtensionProxy:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -556,7 +566,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '0', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.2.0@sha256:8b924ab47771b9aee07384e3d13106406d49b1e7ef7fc46648adb1f0fb401327"
+    tag: "0.3.1@sha256:e6c2130310798e286cea84bf5226709021c12663fb9e8ca30f29515151741fa5"
   umsLdapNotifier:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -566,7 +576,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '8', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
+    tag: "0.10.3@sha256:beb4577e7fdf1e18d3769e62296f210c0651460346dc2325e6cc29f4c671fa71"
   umsLdapServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -576,7 +586,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '8', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
+    tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
   umsNotificationsApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -586,7 +596,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.9.4@sha256:f058398d68c38039bb168af6d60d016f66fffde83a02f0b8f62124ebf2fed4d9"
+    tag: "0.20.3@sha256:1e32854d6d4413725870fde26a904da83282b3debea82b386c5753223ecc6a59"
   umsOpenPolicyAgent:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -606,7 +616,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
+    tag: "0.20.3@sha256:4fe6646711efcc07eb4b6e59a57f1d5080cca5f4ec2c960d073e92ecae8be42f"
   umsPortalListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -616,7 +626,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
+    tag: "0.20.3@sha256:8960b54477d4a74e8cb52f66264928e0940b725c349cda2a22ede67e216f5f1e"
   umsPortalServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -626,7 +636,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
+    tag: "0.20.3@sha256:0ec3db74ce9b7c8706d1534b6dcb464eb016a5de94c3b5bfc49215ccb606715c"
   umsProvisioningDispatcher:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -636,7 +646,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
+    tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
   umsProvisioningEventsAndConsumerApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -646,7 +656,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
+    tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
   umsProvisioningPrefill:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -656,7 +666,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
+    tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
   umsProvisioningUdmListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -666,7 +676,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
+    tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
   umsSelfserviceInvitation:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -676,7 +686,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '3', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.3.2@sha256:8dd90d8669e206232edff37aca73c528344ad453ad0154f36cca0561bf1999a2"
+    tag: "0.4.0@sha256:bd252758576e1733076c78756f04225ebed73d9c48de22440975ef11dd087caf"
   umsSelfserviceListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -686,7 +696,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '3', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.3.2@sha256:de0fc94cab436e982219d9c883a2353d91de583d5cf75046902847df4b451e28"
+    tag: "0.4.0@sha256:0bc0235fd64a19a183f112da73109b54712c2d70fe7fa77c6405beefb7167588"
   umsStackGateway:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -694,7 +704,7 @@ images:
     # upstreamRepository: 'bitnami/nginx'
     registry: "registry-1.docker.io"
     repository: "bitnami/nginx"
-    tag: "1.25.3@sha256:40ce0d6b8f5fc174a4df8c59c8893164c540192ee862cb7253650a30d9dc3b73"
+    tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
   umsUdmRestApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -704,7 +714,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '5', '2']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
+    tag: "0.9.2@sha256:3309171c63f46cd3dccd15eb24af5dbb13f8abbc39c95e5a2d24d0d802ea896f"
   umsUmcGateway:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -714,7 +724,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '7', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
+    tag: "0.11.6@sha256:5d7c1a9b74409d2d7c42e08ca87b41cda506e43cad49efbc85a4ed6b8e9c6bc8"
   umsUmcServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -724,7 +734,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '7', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
+    tag: "0.11.6@sha256:f598a39206cf1acc901876e5d54b6c6e47980e979b5e29677f7738c3acaf75d3"
   umsWaitForDependency:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -734,7 +744,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
+    tag: "0.20.3@sha256:d1ccba5fe7448c2bda71c8a93f265a42a000e8dc79fd884e7e6ecdf29ad80efc"
   wellKnown:
     # providerCategory: 'Community'
     # providerResponsible: 'Element'
@@ -748,9 +758,9 @@ images:
     # providerResponsible: 'XWiki'
     # upstreamRegistry: 'git.xwikisas.com:5050'
     # upstreamRepository: 'xwikisas/swp/xwiki'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-.+$'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)-mariadb.+$'
     # upstreamMirrorStartFrom: ['0', '12']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.14-mariadb-jetty-alpine@sha256:276e871e3938bf80a86a0e1e63751c843920ccd260848badafec8689410ded80"
+    tag: "0.17-mariadb-jetty-alpine@sha256:9eb67520774c3022aa4485ce348be477f358263b716e647cacd057da3aca9739"
 ...

helmfile/environments/default/replicas.yaml

@@ -44,9 +44,19 @@ replicas:
   redis: 1
   synapse: 1
   synapseWeb: 1
+  umsKeycloakExtensionsHandler: 1
+  umsKeycloakExtensionsProxy: 1
+  umsLdapNotifier: 1
+  umsLdapServer: 1
+  umsNotificationsApi: 1
   umsPortalFrontend: 1
+  umsPortalListener: 1
   umsPortalServer: 1
+  umsSelfserviceListener: 1
+  umsStackGateway: 1
   umsUdmRestApi: 1
+  umsUmcGateway: 1
+  umsUmcServer: 1
   wellKnown: 1
   xwiki: 1
 ...

helmfile/environments/default/resources.yaml

@@ -396,6 +396,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsLdapServerInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsNotificationsApi:
     limits:
       cpu: 99
@@ -494,6 +501,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsStackGateway:
+    limits:
+      cpu: 99
+      memory: "64Mi"
+    requests:
+      cpu: 0.1
+      memory: "16Mi"
   umsUdmRestApi:
     limits:
       cpu: 99
@@ -501,6 +515,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   umsUmcGateway:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -1,5 +1,6 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -29,6 +30,21 @@ secrets:
     storeDavUsers:
       portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
       portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+    provisioning:
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+  nats:
+    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
+
   postgresql:
     postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
     keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
@@ -77,10 +93,8 @@ secrets:
     jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
     jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
     jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
-  etherpad:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
   whiteboard:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
   centralnavigation:
     apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
   redis:

helmfile/environments/default/security.yaml

@@ -7,4 +7,9 @@ security:
   clusterPostfix:
     enabled: false
     namespace: ""
+  ingressController:
+    podSelector:
+      matchLabels:
+        app.kubernetes.io/name: "ingress-nginx"
+    namespace: "ingress-nginx"
 ...

helmfile/environments/default/selinux.yaml

@@ -7,6 +7,7 @@
 ---
 seLinuxOptions:
   clamavSimple: ~
+  clamav: ~
   clamd: ~
   collabora: ~
   cryptpad: ~

helmfile/environments/test/values.yaml.gotmpl

@@ -75,9 +75,19 @@ replicas:
   redis: 42
   synapse: 42
   synapseWeb: 42
+  umsKeycloakExtensionsHandler: 42
+  umsKeycloakExtensionsProxy: 42
+  umsLdapNotifier: 42
+  umsLdapServer: 42
+  umsNotificationsApi: 42
   umsPortalFrontend: 42
+  umsPortalListener: 42
   umsPortalServer: 42
+  umsSelfserviceListener: 42
+  umsStackGateway: 42
   umsUdmRestApi: 42
+  umsUmcGateway: 42
+  umsUmcServer: 42
   wellKnown: 42
   xwiki: 42
 ...