chore(release): 0.5.81 [skip ci]

## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28) ### Bug Fixes * **docs:** Various updates ([50e2638](50e263866b)) * **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](0fd4a26c71)) * **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](0aa4cfb46f)) * **nextcloud:** Bump to 28.0.3 ([34d2c05](34d2c05959)) * **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](5f9d015f0b)) * **open-xchange:** Bump to 8.22 ([5ebf291](5ebf291a4d)) * **openproject:** Bump OpenProject to 13.4.0 ([d565c05](d565c057dd)) * **openproject:** Bump version to 13.4.1 ([7cc3964](7cc39647d8)) * **services:** Update Otterize Policies ([42f63e3](42f63e3992)) * **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](5a39e8725b)) * **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](8e889db63e)) * **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](a41ddd5451)) * **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](8c97bcf994))
fix(nextcloud): Rename default shared folder to __Shared_with_me__
2025-12-07 07:51:38 +01:00 · 2024-03-28 10:46:46 +00:00 · 2024-03-28 09:42:26 +01:00 · 2024-03-27 09:45:22 +01:00 · 2024-03-26 13:53:50 +00:00 · 2024-03-26 14:39:46 +01:00
26 changed files with 469 additions and 219 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
@@ -11,6 +12,7 @@ include:
  - local: "/.gitlab/generate/generate-docs.yml"
  - project: "${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    file: "gitlab/environments.yaml"
+    ref: "main"
  - local: "/.gitlab/lint/lint-opendesk.yml"
    rules:
      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
@@ -18,7 +20,7 @@ include:
      - when: "always"
  - local: "/.gitlab/lint/lint-kyverno.yml"
    rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|triggers'"
        when: "never"
      - when: "always"

@@ -41,14 +43,15 @@ variables:
    description: "The name of namespaces to deploy to."
    value: ""
  CLUSTER:
-    description: "Define which cluster to use. Cluster must be defined in gitlab/environments.yaml of
-      sovereign-workplace-env included above."
+    description: "Which cluster to use. Cluster must be defined in `gitlab/environments.yaml` of the
+        repo that is included above using the env var `PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG`:
+        ${PROJECT_PATH_CUSTOM_ENVIRONMENT_CONFIG}"
    value: "dev"
  MASTER_PASSWORD_WEB_VAR:
-    description: "Optional: Provide a passphrase to be used for password generation."
+    description: "Optional: Provide a seed to be used for generation of all internal secrets. Same seed will result in same secrets."
    value: ""
  ENV_STOP_BEFORE:
-    description: "Stop environment/delete namespace for the deployment"
+    description: "Stop environment/delete namespace for the deployment."
    value: "no"
    options:
      - "yes"
@@ -451,7 +454,7 @@ avscan-prepare:
          $CI_PIPELINE_SOURCE =~ "push|merge_request_event"
      when: "always"
    - when: "never"
-  image: "external-registry.souvap-univention.de/docker-remote/mikefarah/yq"
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/mikefarah/yq"
  script:
    - |
      cat << 'EOF' > dynamic-scans.yml
@@ -565,7 +568,7 @@ release:
    - |
      echo -e "\n[INFO] Writing data to helm value file..."
      cat <<EOF >helmfile/environments/default/global.generated.yaml
-      # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+      # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
      # SPDX-License-Identifier: Apache-2.0
      ---
      global:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
+## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
+
+
+### Bug Fixes
+
+* **docs:** Various updates ([50e2638](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/50e263866be8b51ef295ebf8025c3117821a2b6c))
+* **element:** Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([0fd4a26](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0fd4a26c711fb345b79cdff1c775d7ef20335768))
+* **helmfile:** Fix OpenAPI validations for Kubernetes v1.28 ([0aa4cfb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0aa4cfb46f793369a472a736b28eea834a545439))
+* **nextcloud:** Bump to 28.0.3 ([34d2c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/34d2c059596466f8f7d6d09c2855c595391a7e0d))
+* **nextcloud:** Rename default shared folder to `__Shared_with_me__` ([5f9d015](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5f9d015f0b98579d652fd4172e74835ed67ccf11))
+* **open-xchange:** Bump to 8.22 ([5ebf291](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5ebf291a4dbe88a09c0afe2befa6140ad33bf30b))
+* **openproject:** Bump OpenProject to 13.4.0 ([d565c05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d565c057ddb7b348f7a829e0f931b1ea448b454b))
+* **openproject:** Bump version to 13.4.1 ([7cc3964](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7cc39647d89538630bac9caa158c47b5cb8d2c45))
+* **services:** Update Otterize Policies ([42f63e3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/42f63e399230495c83f934e07beb9fc950ef5e29))
+* **univention-management-stack:** Add missing authenticator secret mount to portal-server ([5a39e87](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5a39e8725b6454591f552f87f12535201e52df7c))
+* **univention-management-stack:** Update LDAP server for BSI base security compliance ([8e889db](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8e889db63eaf05b24cc23838545f63d969232c65))
+* **univention-management-stack:** Update ldap-notifier and ldap-server ([a41ddd5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a41ddd5451a9fbd3c6319827fee3eaffbd931271))
+* **univention-management-stack:** Update provisioning charts, images and helm value to add authentication ([8c97bcf](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8c97bcf994487281ae94e6d66c73f4a11c08a0be))
+
 ## [0.5.80](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.79...v0.5.80) (2024-03-11)


--- a/README.md
+++ b/README.md
@@ -32,10 +32,10 @@ openDesk currently features the following functional main components:
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.2](https://nextcloud.com/de/changelog/#28-0-2)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX Appsuite                 | [8.20](https://documentation.open-xchange.com/appsuite/releases/8.20/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Groupware            | OX Appsuite                 | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.4](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15104Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.3.1](https://www.openproject.org/docs/release-notes/13-3-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |

--- a/docs/components.md
+++ b/docs/components.md
@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->
 <h1>Components</h1>
@@ -34,7 +35,6 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
-| Dovecot                     | Mail backend                   | Functional |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -44,7 +44,8 @@ they need to be replaced in production deployments.
 | Nextcloud                   | File share                     | Functional |
 | OpenProject                 | Project management             | Functional |
 | OX Appsuite                 | Groupware                      | Functional |
-| Provisioning                | Backend provisioning           | Functional |
+| OX Dovecot                  | Mail backend (IMAP)            | Functional |
+| Provisioning (OX Connector) | Groupware provisioning         | Functional |
 | Postfix                     | MTA                            | Eval       |
 | PostgreSQL                  | Database                       | Eval       |
 | Redis                       | Cache Database                 | Eval       |
--- a/docs/development.md
+++ b/docs/development.md
@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->

@@ -32,7 +33,7 @@ flowchart TD
    D-->G[images.yaml]
    D-->H[global.*]
    D-->I[secrets.yaml\nreplicas.yaml\nresources.yaml\n...]
-    A-->|overwrite defaults with\nyour environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
+    A-->|overwrite defaults with your\ndeployment/environment specific values|E[./helmfile/environments/*your_environment*/values.yaml.gotmpl]
 ```

 The `helmfile.yaml` in the root folder is the basis for the whole deployment. It references the app specific `helmfile.yaml` files as well as some
@@ -96,13 +97,13 @@ Example:

 ## Renovate

- See also: https://gitlab.opencode.de/bmi/opendesk/tooling/renovate-opencode
+Uses a regular expression to match the values of the following attributes:

-Uses a regular expression to match the values of the attributes
- `# upstreamRegistry`
- `# upstreamRepository`
+- `registry`
+- `repository`
 - `tag`
-check for newer versions of the given artefact and create a MR containing the newest version's tag (and digest).
+
+Checks for newer versions of the given artefact and creates a MR containing the newest version's tag (and digest).

 ## Mirroring

--- a/docs/workflow.md
+++ b/docs/workflow.md
@@ -1,5 +1,6 @@
 <!--
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 -->

@@ -139,17 +140,19 @@ As a standard, the openDesk platform development team uses [reuse.software](http

 openDesk uses Apache 2.0 as the license for their work. A typical reuse copyright and license header looks like this:
 ```
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ```
 As the way to mark the license header as a comment differs between the various filetypes, please find matching examples for the types all across the [deployment automation repository](https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/deployment/sovereign-workplace).

+**Remark**: If there is already an existing `SPDX-FileCopyrightText` please just add the one from the above example.
+
 ## Development workflow

 ### Disclaimer

 openDesk consists only of community products, so there is no SLA to receive service updates or backports of critical security fixes. This has two consequences:
- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backend paid versions.
+- In production scenarios, you should replace the community versions of the functional components with supported, SLA-backed paid versions.
 - openDesk aims to always update to the latest available releases of the community components and we therefore have rolling technical releases.

 ### Workflow
@@ -225,22 +228,28 @@ gitGraph

 The Standard Quality Gate addresses quality assurance steps that should be executed within each of the mentioned quality gates in the workflow.

+1. Linting
+   - Blocking
+     - Licening: [reuse](https://github.com/fsfe/reuse-tool)
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+   - Non Blocking
+     - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
+     - Formal: Yaml
 1. Deploy the full openDesk stack from scratch:
   - All deployment steps must be successful (green)
   - All tests from the end-to-end test set must be successful
-2. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
+1. Update deployment[^3] of the full openDesk stack and apply the quality measures from the step #1:
   - Deploy the current merge target baseline (`develop` or `main`)
   - Update deploy from your QA branch into the instance from the previous step
-3. No showstopper found regarding
+1. No showstopper found regarding
   - SBOM compliance[^4]
   - Malware check
   - CVE check[^5]
   - Kubescape scan[^5]
-   - Kyverno policy check (also covering some basic requirements from IT-Grundschutz)[^5]

-Steps #1 and #2 from above are executed as GitLab CI and therefore documented within GitLab.
+Steps #1 to #3 from above are executed as GitLab CI and therefore documented within GitLab.

-Step #3 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.
+Step #4 is focussed on security and was not fully implemented yet. Its main objective is to check for regressions. That step is just the second step of a security check and monitoring chain as shown below. While some checks can be executed against the static artefacts (e.g. container images) other might require an up-and-running instance. These are especially located in the third step below which is not yet implemented.

 ```mermaid
 flowchart TD
--- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
+++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl
@@ -68,7 +68,6 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
-      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -117,7 +116,6 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
-      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -140,7 +138,6 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
-      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
@@ -164,7 +161,6 @@ jitsi:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
-      enabled: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsGroup: 0
--- a/helmfile/apps/open-xchange/helmfile.yaml
+++ b/helmfile/apps/open-xchange/helmfile.yaml
@@ -6,7 +6,7 @@ bases:
 ---
 repositories:
  # openDesk Dovecot
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-dovecot
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dovecot
  - name: "dovecot-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.dovecot.verify }}
@@ -18,6 +18,8 @@ repositories:

  # Open-Xchange
  - name: "open-xchange-repo"
+    keyring: "../../files/gpg-pubkeys/open-xchange-com.gpg"
+    verify: {{ .Values.charts.openXchangeAppSuite.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
@@ -25,7 +27,7 @@ repositories:
      {{ .Values.charts.openXchangeAppSuite.repository }}"

  # openDesk Open-Xchange Bootstrap
-  # Source: https://gitlab.opencode.de/bmi/opendesk/components/charts/opendesk-open-xchange-bootstrap
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap
  - name: "open-xchange-bootstrap-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.openXchangeAppSuiteBootstrap.verify }}
--- a/helmfile/apps/services/values-otterize.yaml.gotmpl
+++ b/helmfile/apps/services/values-otterize.yaml.gotmpl
@@ -45,6 +45,10 @@ apps:
  xwiki:
    enabled: {{ .Values.xwiki.enabled }}

+ingressController:
+  {{ .Values.security.ingressController | toYaml | nindent 2 }}
+
+
 extraApps:
  clusterPostfix:
    enabled: {{ .Values.security.clusterPostfix.enabled }}
--- a/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-notifier.yaml.gotmpl
@@ -16,9 +16,6 @@ resources:

 securityContext:
  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
--- a/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-ldap-server.yaml.gotmpl
@@ -23,7 +23,20 @@ extraVolumeMounts:
    mountPath: "/var/lib/univention-ldap-local/local-schema/opendeskProjectmanagement.schema"
    subPath: "opendeskProjectmanagement.schema"

-image:
+extraSecrets:
+  - name: ums-stack-openldap-credentials
+    stringData:
+      adminPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+
+waitForDependency:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
+    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+
+ldapServer:
+  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
    repository: {{ .Values.images.umsLdapServer.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -33,56 +46,47 @@ image:
      - name: {{ . | quote }}
      {{- end }}

-  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-    repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
-
-ldapServer:
-  waitForSamlMetadata: true
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  config:
+    domainName: "univention-organization.intranet"
    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
+    samlMetadataUrl: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+    samlMetadataUrlInternal: {{ printf "http://ums-keycloak.%s.svc.%s:8080/realms/%s/protocol/saml/descriptor" .Release.Namespace .Values.cluster.networking.domain .Values.platform.realm | quote }}
+    samlServiceProviders: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
+  credentialSecret:
+    name: ums-stack-openldap-credentials
+    key: adminPassword
      
 persistence:
-  sharedData:
  storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
  size: {{ .Values.persistence.size.univentionManagementStack.ldapServerData | quote }}
-  sharedRun:
-    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
-    size: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsLdapServer | toYaml | nindent 4 }}
-
-service:
-  type: "ClusterIP"
+legacy:
+  sharedRunSize: {{ .Values.persistence.size.univentionManagementStack.ldapServerShared | quote }}

 resources:
  {{ .Values.resources.umsLdapServer | toYaml | nindent 2 }}

+initResources:
+  {{ .Values.resources.umsLdapServerInit | toYaml | nindent 2 }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 102
+  fsGroupChangePolicy: "Always"
+  sysctls:
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+containerSecurityContext:
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  runAsUser: 101
+  runAsGroup: 102
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
 ...
--- a/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-notifications-api.yaml.gotmpl
@@ -28,6 +28,7 @@ postgresql:
    username: {{ .Values.databases.umsNotificationsApi.username | quote }}
    database: {{ .Values.databases.umsNotificationsApi.name | quote }}
    password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+    existingSecret: "ums-notifications-api-postgresql-credentials"

 resources:
  {{ .Values.resources.umsNotificationsApi | toYaml | nindent 2 }}
@@ -47,4 +48,8 @@ securityContext:
  seLinuxOptions:
    {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 4 }}

+extraSecrets:
+  - name: ums-notifications-api-postgresql-credentials
+    stringData:
+      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
 ...
--- a/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-portal-server.yaml.gotmpl
@@ -21,42 +21,55 @@ portalServer:
  ucsInternalPath: "portal-data"
  objectStorageEndpoint: {{ .Values.objectstores.univentionManagementStack.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
-  objectStorageAccessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-  objectStorageSecretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
  centralNavigation:
    enabled: true
-    authenticatorSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+    
+  credentialSecret:
+    name: "ums-portal-server-minio-credentials"

 replicaCount: {{ .Values.replicas.umsPortalServer }}

 resources:
  {{ .Values.resources.umsPortalServer | toYaml | nindent 2 }}

-securityContext:
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+  sysctls:
+    - name: "net.ipv4.ip_unprivileged_port_start"
+      value: "1"
+
+containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
  seccompProfile:
    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 4 }}
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true

+
+extraSecrets:
+  - name: ums-portal-server-minio-credentials
+    stringData:
+      accessKeyId: {{ .Values.objectstores.univentionManagementStack.username | quote }}
+      secretAccessKey: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: ums-portal-server-authenticator-credentials
+    stringData:
+      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+
+extraVolumes:
+  - name: authenticator-secret
+    secret:
+      secretName: ums-portal-server-authenticator-credentials
+
+extraVolumeMounts:
+  - name: authenticator-secret
+    mountPath: "/var/secrets/authenticator.secret"
+    subPath: "authenticator.secret"
 ...
--- a/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning-udm-listener.yaml.gotmpl
@@ -22,6 +22,11 @@ config:
  tlsMode: "off"
  natsHost: "ums-provisioning-nats"
  natsPort: "4222"
+  natsUser: "udmlistener"
+  natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+  internalApiHost: "ums-provisioning-api"
+  eventsUsernameUdm: "udmproducer"
+  eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}

 resources:
  {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
--- a/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-provisioning.yaml.gotmpl
@@ -4,23 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---

-dispatcher:
-  image:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
-    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
-    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
-    pullSecrets:
-      {{- range .Values.global.imagePullSecrets }}
-      - name: {{ . | quote }}
-      {{- end }}
-  resources:
-    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
-  config:
-    UDM_HOST: "ums-udm-rest-api"
-    UDM_PORT: 9979
-    UDM_USERNAME: "cn=admin"
-
 api:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -35,6 +18,24 @@ api:
    rootPath: "/univention/provisioning-api"
  resources:
    {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
+  credentialSecretName: "ums-provisioning-api-credentials"
+
+dispatcher:
+  image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningDispatcher.registry | quote }}
+    repository: {{ .Values.images.umsProvisioningDispatcher.repository | quote }}
+    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    tag: {{ .Values.images.umsProvisioningDispatcher.tag | quote }}
+    pullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+      - name: {{ . | quote }}
+      {{- end }}
+  resources:
+    {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-dispatcher-credentials"
  
 prefill:
  image: 
@@ -48,13 +49,152 @@ prefill:
      {{- end }}
  resources:
    {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+  config:
+    UDM_HOST: "ums-udm-rest-api"
+    UDM_PORT: 80
+  credentialSecretName: "ums-provisioning-prefill-credentials"

 nats:
-  bundled: true
+  affinity: ""
  nameOverride: ""
+  bundled: true
+  connection:
+    host: "ums-provisioning-nats"
+    port: 4222
+  config:
+    authorization:
+      enabled: true
+      users:
+        - user: "$NATS_USER"
+          password: "$NATS_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_API_USER"
+          password: "$NATS_API_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_DISPATCHER_USER"
+          password: "$NATS_DISPATCHER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_PREFILL_USER"
+          password: "$NATS_PREFILL_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_UDMLISTENER_USER"
+          password: "$NATS_UDMLISTENER_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
+        - user: "$NATS_ADMIN_USER"
+          password: "$NATS_ADMIN_PASSWORD"
+          permissions:
+            publish: ">"
+            subscribe: ">"
  resources:
    {{ .Values.resources.umsProvisioningNats | toYaml | nindent 4 }}

+  extraEnvVars:
+    - name: NATS_USER
+      value: "master_admin"
+    - name: NATS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-nats-credentials
+          key: admin_password
+    - name: NATS_ADMIN_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_USER
+    - name: NATS_ADMIN_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: ADMIN_NATS_PASSWORD
+    - name: NATS_API_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_USER
+    - name: NATS_API_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-api-credentials
+          key: NATS_PASSWORD
+    - name: NATS_DISPATCHER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_USER
+    - name: NATS_DISPATCHER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-dispatcher-credentials
+          key: NATS_PASSWORD
+    - name: NATS_PREFILL_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_USER
+    - name: NATS_PREFILL_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-prefill-credentials
+          key: NATS_PASSWORD
+    - name: NATS_UDMLISTENER_USER
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_USER
+    - name: NATS_UDMLISTENER_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: ums-provisioning-udmlistener-credentials
+          key: NATS_PASSWORD
+
+extraSecrets:
+  - name: ums-provisioning-nats-credentials
+    stringData:
+      admin_password: {{ .Values.secrets.nats.natsAdminPassword }}
+  - name: ums-provisioning-api-credentials
+    stringData:
+      NATS_USER: "api"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+      ADMIN_NATS_USER: "admin"
+      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+      UDM_HOST: "udm-rest-api"
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+      EVENTS_USERNAME_UDM: "udmproducer"
+      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+  - name: ums-provisioning-dispatcher-credentials
+    stringData:
+      NATS_USER: "dispatcher"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
+      DISPATCHER_USERNAME: "dispatcher"
+      DISPATCHER_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherPassword }}
+  - name: ums-provisioning-prefill-credentials
+    stringData:
+      NATS_USER: "prefill"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+  - name: ums-provisioning-udmlistener-credentials
+    stringData:
+      NATS_USER: "udmlistener"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-stack-data-ums.yaml.gotmpl
@@ -49,6 +49,10 @@ stackDataContext:
  ldapSamlSpUrls: {{ printf "https://%s.%s%s" .Values.global.hosts.univentionManagementStack .Values.global.domain "/univention/saml/metadata" | quote }}
  initialPasswordAdministrator: {{ .Values.secrets.univentionManagementStack.systemAccounts.administratorPassword | quote }}
  initialPasswordSysIdpUser: {{ .Values.secrets.univentionManagementStack.systemAccounts.sysIdpUserPassword | quote }}
+  umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
+  umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
+  umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
+  umcMemcachedUsername: "selfservice"

 stackDataUms:
  loadDevData: true
--- a/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-udm-rest-api.yaml.gotmpl
@@ -14,7 +14,38 @@ extraVolumeMounts:
    mountPath: "/usr/share/attribute-to-group-mapper/flag_to_group_mapping.json"
    subPath: "flag_to_group_mapping.json"

-image:
+resources:
+  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
+
+initResources:
+  {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 2 }}
+
+replicaCount: {{ .Values.replicas.umsUdmRestApi }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "Always"
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+
+udmRestApi:
+  secretRef: ums-udm-rest-api-credentials
+  ldap:
+    uri: "ldap://{{ .Values.ldap.host }}:389"
+    baseDN: {{ .Values.ldap.baseDn | quote }}
+  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.umsUdmRestApi.registry | quote }}
    repository: {{ .Values.images.umsUdmRestApi.repository | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
@@ -24,44 +55,10 @@ image:
      - name: {{ . | quote }}
      {{- end }}

-resources:
-  {{ .Values.resources.umsUdmRestApi | toYaml | nindent 2 }}
-
-replicaCount: {{ .Values.replicas.umsUdmRestApi }}
-
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - "ALL"
-    add:
-      - "CHOWN"
-      - "DAC_OVERRIDE"
-      - "FOWNER"
-      - "FSETID"
-      - "KILL"
-      - "SETGID"
-      - "SETUID"
-      - "SETPCAP"
-      - "NET_BIND_SERVICE"
-      - "NET_RAW"
-      - "SYS_CHROOT"
-  privileged: false
-  seccompProfile:
-    type: "RuntimeDefault"
-  readOnlyRootFilesystem: false
-  runAsUser: 0
-  runAsGroup: 0
-  runAsNonRoot: false
-  seLinuxOptions:
-    {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 4 }}
-
-udmRestApi:
-  # TODO: Stub value currently
-  caCert: ""
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+extraSecrets:
+  - name: ums-udm-rest-api-credentials
+    stringData:
+      ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      machine.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}

 ...
--- a/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umc-server.yaml.gotmpl
@@ -53,7 +53,8 @@ memcached:
  bundled: false
  auth:
    username: null
-    password: null
+    # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
+    password: "password"
  server: {{ .Values.cache.umsSelfservice.host | quote }}

 postgresql:
@@ -99,10 +100,11 @@ securityContext:

 umcServer:
  certPemFile: "/var/secrets/ssl/tls.crt"
-  # TODO: Secret should be entered without b64enc
-  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
-  # TODO: Secret should be entered without b64enc
-  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | b64enc | quote }}
+  caCert: "Cg=="
+  certPem: "Cg=="
+  privateKey: "Cg=="
+  ldapSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
  smtpSecret: {{ .Values.smtp.password | quote }}
  privateKeyFile: "/var/secrets/ssl/tls.key"

--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -1,7 +1,9 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
+# yamllint disable rule:line-length
 ---
 charts:
  certificates:
@@ -22,7 +24,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "opendesk-clamav"
-    version: "4.0.1"
+    version: "4.0.5"
    verify: true
  clamavSimple:
    # providerCategory: 'Platform'
@@ -32,7 +34,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
    name: "clamav-simple"
-    version: "4.0.1"
+    version: "4.0.5"
    verify: true
  collabora:
    # providerCategory: 'Supplier'
@@ -272,7 +274,8 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.2.37"
+    version: "2.4.49"
+    verify: false
  openXchangeAppSuiteBootstrap:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -291,7 +294,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "1.7.5"
+    version: "1.7.9"
    verify: true
  oxConnector:
    # providerCategory: 'Supplier'
@@ -365,6 +368,18 @@ charts:
    name: "opendesk-synapse-web"
    version: "2.6.7"
    verify: true
+  ums:
+    # providerCategory: 'Supplier'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRepository: 'souvap/tooling/charts/univention/ums'
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ['0', '0', '1']
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    name: "ums"
+    version: "0.7.5"
+    verify: true
  umsGuardianAuthorizationApi:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -447,7 +462,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ldap-notifier"
-    version: "0.8.2"
+    version: "0.10.1"
    verify: true
  umsLdapServer:
    # providerCategory: 'Supplier'
@@ -459,7 +474,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "ldap-server"
-    version: "0.8.2"
+    version: "0.10.1"
    verify: true
  umsNotificationsApi:
    # providerCategory: 'Supplier'
@@ -471,7 +486,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "notifications-api"
-    version: "0.9.2"
+    version: "0.20.1"
    verify: true
  umsOpenPolicyAgent:
    # providerCategory: 'Supplier'
@@ -495,7 +510,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-frontend"
-    version: "0.14.0"
+    version: "0.20.1"
    verify: true
  umsPortalListener:
    # providerCategory: 'Supplier'
@@ -507,7 +522,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-listener"
-    version: "0.14.0"
+    version: "0.20.1"
    verify: true
  umsPortalServer:
    # providerCategory: 'Supplier'
@@ -519,7 +534,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "portal-server"
-    version: "0.14.0"
+    version: "0.20.1"
    verify: true
  umsProvisioning:
    # providerCategory: 'Supplier'
@@ -531,7 +546,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "provisioning"
-    version: "0.14.0"
+    version: "0.20.2"
    verify: true
  umsProvisioningUdmListener:
    # providerCategory: 'Supplier'
@@ -543,7 +558,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "udm-listener"
-    version: "0.14.0"
+    version: "0.20.2"
    verify: true
  umsSelfserviceListener:
    # providerCategory: 'Supplier'
@@ -567,7 +582,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "stack-data-swp"
-    version: "0.44.0"
+    version: "0.45.1"
    verify: true
  umsStackDataUms:
    # providerCategory: 'Supplier'
@@ -579,7 +594,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "stack-data-ums"
-    version: "0.44.0"
+    version: "0.45.1"
    verify: true
  umsUdmRestApi:
    # providerCategory: 'Supplier'
@@ -591,7 +606,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "udm-rest-api"
-    version: "0.5.2"
+    version: "0.9.0"
    verify: true
  umsUmcGateway:
    # providerCategory: 'Supplier'
@@ -603,7 +618,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "umc-gateway"
-    version: "0.6.4"
+    version: "0.11.2"
    verify: true
  umsUmcServer:
    # providerCategory: 'Supplier'
@@ -615,7 +630,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "umc-server"
-    version: "0.6.4"
+    version: "0.11.2"
    verify: true
  xwiki:
    # providerCategory: 'Supplier'
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -1,7 +1,7 @@
-# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.5.80"
+    releaseVersion: "v0.5.81"
 ...
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 ## The global properties are used to configure multiple charts at once.
@@ -9,9 +10,7 @@ global:
  hosts:
    collabora: "collabora"
    cryptpad: "cryptpad"
-    dimension: "integration"
    element: "chat"
-    etherpad: "etherpad"
    intercomService: "ics"
    jitsi: "meet"
    keycloak: "id"
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -46,7 +46,7 @@ images:
    # upstreamMirrorStartFrom: ['1', '8', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.10.0@sha256:050f4fd6aafdf988033486f3e75545b664edb60163f6a639cb1209aec6ed9387"
+    tag: "1.11.0@sha256:633cc31a4c312cdb072136247ac382463ddbc458a5c57e139241394acee9baaf"
  freshclam:
    # providerCategory: 'Community'
    # providerResponsible: 'openDesk'
@@ -148,7 +148,7 @@ images:
    # upstreamMirrorStartFrom: ['1', '4', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/matrix-neoboard-widget"
-    tag: "1.12.0@sha256:2b2913cef614f2a81faea1997d9372b01347dadc3100d574b766df997d5ef2d5"
+    tag: "1.14.0@sha256:1a00f33ed5f560e55b06011b2f81696fd8230820f6980edb826768af0e0b41d9"
  matrixNeoChoiceWidget:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Nordeck'
@@ -220,7 +220,7 @@ images:
    # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.16@sha256:c36aaef5dfbd44b702f351ea1a875180caa537c90520d4f4fe69ea28357d85a9"
+    tag: "1.1.18@sha256:234e1c4267006bf3ae8294e88da7de14291b9f80b53572490377f3e7ec80adec"
  nextcloudExporter:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -236,7 +236,7 @@ images:
    # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.6@sha256:4ebe6aa3fc67aa7c2c39035db9f63bfcd398ff980f43ef903dd916acaf88c241"
+    tag: "1.3.9@sha256:7c5065ae5397973825aabd695d81085918e4ad4e67f7cafbf08de1159adbba5e"
  nextcloudPHP:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -244,7 +244,7 @@ images:
    # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.5@sha256:4fee6fc29fc1b34c069a37fbcf99d1e2a257053971035d248defe9624bea36e7"
+    tag: "1.8.8@sha256:c4fdc1917fecd945de4d7379cb2ad906dfc6d4d54ec437862a209237d668ac59"
  opendeskKeycloakBootstrap:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -262,7 +262,7 @@ images:
    # upstreamMirrorStartFrom: ['13', '1', '1']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "13.3.1@sha256:7e5a2cbd3d9f2db65e977797c0f7669b83f8e1b21bf0687ee20d19cbd1b55b7a"
+    tag: "13.4.1@sha256:b72d3e841fa4da03fc284e0ef7c56e763a9b04188f4219e527d9de93ccc49fe3"
  openprojectBootstrap:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -296,7 +296,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '6', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.0@sha256:6c20780f8c609636f2182c41709e2ee26586b4a23679fd13b15875a5f443445b"
+    tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
  openxchangeCoreMW:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -306,7 +306,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '51']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.20.51@sha256:4a9cc9d6745b09a9ace2475fbbacfeff2ca66db02b6314eb8e035f28e28574a8"
+    tag: "8.22.52@sha256:dab45b0e308b8d5c6c5cb5ec5be9d711f55e7aa87375c4b08ab178287bb7b769"
  openxchangeCoreUI:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -316,7 +316,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '1']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.20.1@sha256:a8bdf83b1179ca9126bcd4e5301b818aafec5e8ac6ff25914603d74a137b65dc"
+    tag: "8.22.1@sha256:4b581d8fb3761156a5dd81a2cebc1c7a0382652d01ba6ee933527f9899b41768"
  openxchangeCoreUIMiddleware:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -326,7 +326,7 @@ images:
    # upstreamMirrorStartFrom: ['2', '0', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.0.0@sha256:8082edf30498a3ac1715f2d9b3e406f240ea586e2616b97f40c207ef55dff11f"
+    tag: "2.0.2@sha256:eafcc0242b3fd93a777077c136b9e87fe03b163988731c15f0d3cd2ba39a2165"
  openxchangeCoreUserGuide:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -336,7 +336,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '799279']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.20.799279@sha256:075c917a7e5ebfe57c07c3c21485ee672554616252d5c57f829f443ca987e75b"
+    tag: "8.22.909960@sha256:dbd3f3a37c2d0a2885234cee53d79bf69015392c1381433c008694b4b99ddf30"
  openxchangeDocumentConverter:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -346,17 +346,17 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '50']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.20.50@sha256:bd11b4e5a62377aab79ebc0ebbe8da0bf54d42ce9a8ae64db0c84608570edf9f"
+    tag: "8.22.49@sha256:21ab0b52fa54fb5be969c4c689e4b7724b7bf9ee79b1bf166ab27d8c67e3a6b6"
  openxchangeGotenberg:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
    # upstreamRegistry: 'registry.open-xchange.com'
-    # upstreamRepository: 'appsuite-public-sector/3rdparty/gotenberg'
+    # upstreamRepository: 'appsuite-public-sector/gotenberg'
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
    # upstreamMirrorStartFrom: ['7', '9', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/gotenberg"
-    tag: "8.0.3@sha256:1f4979e8cfde1c69f28c24604d19b3a11cf95c59b2a73db957c5af0a27a30ce8"
+    tag: "8.2.0@sha256:ec5afe8eea496d3bef6c42291fde9c203c20e8a68189a2314ef876e9c0e67680"
  openxchangeGuardUI:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -366,7 +366,7 @@ images:
    # upstreamMirrorStartFrom: ['4', '2', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "4.2.2@sha256:c2ff375fa3dc359c555570f5216a5451966d9b7165934980acb1bf60363b59c8"
+    tag: "8.22.0@sha256:89c18129a2bdffe24587494e96ad12e95c01c25cd7a6a7b177afc75fec70415c"
  openxchangeImageConverter:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -376,7 +376,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '50']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.20.50@sha256:590a8a4c583057f6bb071247c2f8b8566c79d5d219482dcaa452b30c944c876b"
+    tag: "8.22.49@sha256:42841719c515b21f5d6e18296116fe690ac63f82f5acfa877652c2639911f127"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -396,7 +396,7 @@ images:
    # upstreamMirrorStartFrom: ['2', '2', '1']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/public-sector-ui"
-    tag: "2.2.1@sha256:cf5dc3754dfdf41844f619b0c3178d0406de3ce8dd51317ed706cb329d338fc8"
+    tag: "2.3.0@sha256:a557816ee55500ecc3b46b60f0440ea66c7f0d90e888ce3b0df8a9acdd72acbe"
  oxConnector:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -566,7 +566,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '8', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.8.2@sha256:bb7d76fb5299e9d019aa61b5397af15063a5b341fcf2b74c65db679ca5fa873f"
+    tag: "0.10.1@sha256:940eb9c20c53f90aa477699c0393242a7064d974a856d714ad151069e8d12af4"
  umsLdapServer:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -576,7 +576,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '8', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.8.2@sha256:abcaec050875a8605befe13cce78f9f8eb28aa3c1764e281a8540b2a3db4a5da"
+    tag: "0.10.1@sha256:5ae54faec6074c4653ef837158262dd6e7b7ff414f8d8722e35f929543a6a6ef"
  umsNotificationsApi:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -586,7 +586,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.9.4@sha256:f058398d68c38039bb168af6d60d016f66fffde83a02f0b8f62124ebf2fed4d9"
+    tag: "0.20.1@sha256:c1176da0ecd3d964b7caaea0d9e583d7644c7a7dbdb08c0ecd85df88e0f27321"
  umsOpenPolicyAgent:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -606,7 +606,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.19.0@sha256:7c80f703faf720da159c405a140c1029fd8c12def61653737e2a772982012d5c"
+    tag: "0.20.1@sha256:fc7d1d7b22b83037ac6d54b2cc1baaefc78175cdc86557cfc121eda469832b59"
  umsPortalListener:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -616,7 +616,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.19.0@sha256:7fff6db5151b9aecffdfcd429b6eefb36a96ca14c5384183aa4246b5c0c8b133"
+    tag: "0.20.1@sha256:e93f256f736223edceaac50831cee062b4b8fee0a46f27175e6ea0c506620358"
  umsPortalServer:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -626,7 +626,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.19.0@sha256:9a19e3a0990fba1dd2cdb1fd96ab53dcfba23717291ca1b0c87d8ed19b4c2c46"
+    tag: "0.20.1@sha256:db5d79b64dc1b8678401d32a1a695b217d7677e7578738f0eec90467c7b5ae05"
  umsProvisioningDispatcher:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -636,7 +636,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '14', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.14.0@sha256:2b51c4f2c71e044c67b036ab9084cb30330a7d38aae02a81ddf08752534ffa6f"
+    tag: "0.20.2@sha256:738a8a6028ede63d22369ec58ac4834a0b34445cac216cb9475c24ccb1eaed1e"
  umsProvisioningEventsAndConsumerApi:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -646,7 +646,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '14', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.14.0@sha256:c27f585d77fa030b0663ca6c5799ae1a7950f30e34e08407c295451af0a6b653"
+    tag: "0.20.2@sha256:46523693c84e5e6639e9762a43b1dbfa98954391da268c70a152b76e26d9c6c2"
  umsProvisioningPrefill:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -656,7 +656,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '14', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.14.0@sha256:f781373c3df8db73dcb87e5390deabe3f948054e15d9e107a556185773d473b0"
+    tag: "0.20.2@sha256:47143e4a3bb68c814dd7017b273b138c061a5bbb0f7e71c32ba45b2c15f1d831"
  umsProvisioningUdmListener:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -666,7 +666,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '14', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.14.0@sha256:90875ae80579651555c19db4badd474d7750b7322ab309d7812b40971a6813c5"
+    tag: "0.20.2@sha256:011c73748fb406ad68e35be683da79429b420e1e42a39733b342632eb3efec2d"
  umsSelfserviceInvitation:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -704,7 +704,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '5', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.5.2@sha256:94c8294130f6a187bb850bcaeb314a09c5aa48ab97e3f419fbeb6ddbd39a3246"
+    tag: "0.9.0@sha256:f5589a1a885e9f96d98304148bac5a40dfd4350ee40205a29b8798b29ae0a7db"
  umsUmcGateway:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -714,7 +714,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '7', '3']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.9.0@sha256:e15b59b851b3cae2bdfde1a9de707bfbc64a124db98a8d9ac7965d7d3827519b"
+    tag: "0.11.2@sha256:13edaa88ded4b3389ef36d0215ad19ea093ae962f8de9b4b178550e02de06277"
  umsUmcServer:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -724,7 +724,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '7', '3']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.9.0@sha256:7ef0f6a3a3024120a4dae6f0bd44fc531c88ca0b5893465d0bdbd96b5a9c87ea"
+    tag: "0.11.2@sha256:866b8c3d2845653c68316458d7a24901b0493d2e2b83d50e0932adc42cda1706"
  umsWaitForDependency:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -734,7 +734,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.14.0@sha256:fda3f99be59614115997a55ad5887bf8f6482de4c8e168706aac3e42575b4915"
+    tag: "0.20.1@sha256:8b3d7195223de10ce6ac2649a363eed073dad9bb277c0d8d2d1c0f1613e0d5a7"
  wellKnown:
    # providerCategory: 'Community'
    # providerResponsible: 'Element'
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -396,6 +396,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsLdapServerInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
  umsNotificationsApi:
    limits:
      cpu: 99
@@ -501,6 +508,13 @@ resources:
    requests:
      cpu: 0.1
      memory: "256Mi"
+  umsUdmRestApiInit:
+    limits:
+      cpu: 99
+      memory: "1Gi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
  umsUmcGateway:
    limits:
      cpu: 99
--- a/helmfile/environments/default/secrets.gotmpl
+++ b/helmfile/environments/default/secrets.gotmpl
@@ -1,5 +1,6 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
@@ -29,6 +30,21 @@ secrets:
    storeDavUsers:
      portalServer: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-server" "store-dav" | sha1sum | quote }}
      portalListener: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "portal-listener" "store-dav" | sha1sum | quote }}
+    provisioning:
+      apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
+      apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
+      apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
+      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
+      prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
+      prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
+      udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
+      dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
+      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+      udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
+      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+  nats:
+    natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
+
  postgresql:
    postgresUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "postgres_user" | sha1sum | quote }}
    keycloakUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "postgres" "keycloak_user" | sha1sum | quote }}
@@ -77,10 +93,8 @@ secrets:
    jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
    jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
    jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
-  etherpad:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
  whiteboard:
-    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "etherpad" "apiKey" | sha1sum | quote }}
+    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}
  centralnavigation:
    apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "centralnavigation" "api_key" | sha1sum | quote }}
  redis:
--- a/helmfile/environments/default/security.yaml
+++ b/helmfile/environments/default/security.yaml
@@ -7,4 +7,9 @@ security:
  clusterPostfix:
    enabled: false
    namespace: ""
+  ingressController:
+    podSelector:
+      matchLabels:
+        app.kubernetes.io/name: "ingress-nginx"
+    namespace: "ingress-nginx"
 ...
--- a/helmfile/environments/default/selinux.yaml
+++ b/helmfile/environments/default/selinux.yaml
@@ -7,6 +7,7 @@
 ---
 seLinuxOptions:
  clamavSimple: ~
+  clamav: ~
  clamd: ~
  collabora: ~
  cryptpad: ~
Author	SHA1	Message	Date
Thorsten Roßner	f94e9c4930	chore(release): 0.5.81 [skip ci] ## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28) ### Bug Fixes * docs: Various updates ([`50e2638`](`50e263866b`)) * element: Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 ([`0fd4a26`](`0fd4a26c71`)) * helmfile: Fix OpenAPI validations for Kubernetes v1.28 ([`0aa4cfb`](`0aa4cfb46f`)) * nextcloud: Bump to 28.0.3 ([`34d2c05`](`34d2c05959`)) * nextcloud: Rename default shared folder to `__Shared_with_me__` ([`5f9d015`](`5f9d015f0b`)) * open-xchange: Bump to 8.22 ([`5ebf291`](`5ebf291a4d`)) * openproject: Bump OpenProject to 13.4.0 ([`d565c05`](`d565c057dd`)) * openproject: Bump version to 13.4.1 ([`7cc3964`](`7cc39647d8`)) * services: Update Otterize Policies ([`42f63e3`](`42f63e3992`)) * univention-management-stack: Add missing authenticator secret mount to portal-server ([`5a39e87`](`5a39e8725b`)) * univention-management-stack: Update LDAP server for BSI base security compliance ([`8e889db`](`8e889db63e`)) * univention-management-stack: Update ldap-notifier and ldap-server ([`a41ddd5`](`a41ddd5451`)) * univention-management-stack: Update provisioning charts, images and helm value to add authentication ([`8c97bcf`](`8c97bcf994`))	2024-03-28 10:46:46 +00:00
Thorsten Roßner	5f9d015f0b	fix(nextcloud): Rename default shared folder to `__Shared_with_me__`	2024-03-28 09:42:26 +01:00
Oliver Günther	7cc39647d8	fix(openproject): Bump version to 13.4.1	2024-03-27 09:45:22 +01:00
Sebastian König-Festl	8c97bcf994	fix(univention-management-stack): Update provisioning charts, images and helm value to add authentication	2024-03-26 13:53:50 +00:00
Andreas Niemann	5a39e8725b	fix(univention-management-stack): Add missing authenticator secret mount to portal-server	2024-03-26 14:39:46 +01:00
Thorsten Roßner	34d2c05959	fix(nextcloud): Bump to 28.0.3	2024-03-26 10:37:49 +00:00
Dominik Kaminski	42f63e3992	fix(services): Update Otterize Policies	2024-03-26 09:42:07 +00:00
Andreas Niemann	81105d1e94	chore(univention-management-stack): Add ums umbrella chart to get it covered by the Open CoDE mirror.	2024-03-26 07:26:42 +01:00
Andreas Niemann	a41ddd5451	fix(univention-management-stack): Update ldap-notifier and ldap-server	2024-03-22 12:45:14 +01:00
Andreas Niemann	8e889db63e	fix(univention-management-stack): Update LDAP server for BSI base security compliance	2024-03-21 08:28:06 +01:00
Thorsten Roßner	5ebf291a4d	fix(open-xchange): Bump to 8.22	2024-03-20 13:54:17 +00:00
Oliver Günther	d565c057dd	fix(openproject): Bump OpenProject to 13.4.0	2024-03-20 13:46:43 +01:00
Thorsten Roßner	50e263866b	fix(docs): Various updates	2024-03-18 16:06:11 +01:00
Milton Moura	0fd4a26c71	fix(element): Update Element Web to v1.11.59 with widget sync fix and NeoBoard v1.14.0 Signed-off-by: Milton Moura <miltonmoura@gmail.com>	2024-03-15 11:37:09 -01:00
Thorsten Roßner	0aa4cfb46f	fix(helmfile): Fix OpenAPI validations for Kubernetes v1.28	2024-03-14 12:17:31 +01:00