fix: update keycloak-bootstrap and keycloak-extensions

# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))

.gitlab-ci.yml

@@ -26,6 +26,7 @@ include:
 
 stages:
   - ".pre"
+  - "renovate"
   - "scan"
   - "automr"
   - "env-cleanup"
@@ -59,6 +60,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEBUG_ENABLED:
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"
@@ -143,6 +150,12 @@ variables:
     options:
       - "yes"
       - "no"
+  RUN_RENOVATE:
+    description: "Triggers the Renovate based check for dependency updates."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   TESTS_BRANCH:
     description: "Branch of E2E-tests on which the test pipeline is triggered"
     value: "main"
@@ -533,12 +546,15 @@ avscan-start:
 
 # Overwrite shared settings
 .common-semantic-release:
-  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:1.0.0"
   tags: []
 
 conventional-commits-linter:
   rules:
-    - if: "$JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'"
+    - if: >
+          $RUN_RENOVATE == "yes" ||
+          $JOB_CONVENTIONAL_COMMITS_LINTER_ENABLED == 'false' ||
+          $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event'
       when: "never"
     - when: "always"
 
@@ -617,4 +633,20 @@ release:
     - "semantic-release"
   needs:
     - "generate-docs"
+
+renovate:
+  rules:
+    - if: $RUN_RENOVATE == "yes"
+      when: "on_success"
+  # The `-full` image does not install the dependencies on the fly, that is our preferred approach
+  image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/renovate/renovate:37.356-full"
+  variables:
+    RENOVATE_CONFIG_FILE: "${CI_PROJECT_DIR}/.renovate/config.yaml"
+    RENOVATE_ENDPOINT: "${CI_API_V4_URL}"
+    # Increase the renovatebot log level on stdout
+    LOG_LEVEL: "DEBUG"
+  script:
+    - "renovate ${RENOVATE_EXTRA_FLAGS}"
+  stage: "renovate"
+
 ...

.gitlab/lint/lint-opendesk.yml

@@ -7,6 +7,10 @@ include:
 lint-opendesk:
   extends: ".lint-common"
   image: "${OPENDESK_CI_CLI_IMAGE}"
+  rules:
+    - if: $RUN_RENOVATE == "yes"
+      when: "never"
+    - when: "always"
   script:
     - "node /app/src/index.js sort-all -d ${CI_PROJECT_DIR}/helmfile"
     - "git diff --exit-code"

.kyverno/policies/template-image-registries.yaml

@@ -24,10 +24,10 @@ spec:
         pattern:
           spec:
             =(ephemeralContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             =(initContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             containers:
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
   validationFailureAction: "audit"
 ...

.renovate/config.yaml

@@ -0,0 +1,89 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+# Platform type of repository
+platform: "gitlab"
+
+# Enable onboarding merge request
+onboarding: false
+
+# If set to true: keep repository data between runs instead of deleting the data
+persistRepoData: false
+
+# Controls Renovate's behavior regarding repository config files such as renovate.json
+requireConfig: "ignored"
+
+# List of Repositories
+# See: https://docs.renovatebot.com/configuration-options/
+repositories:
+  - repository: "bmi/opendesk/deployment/opendesk"
+    # Set the branch to read current dependency state from, this is especially useful during
+    # renovate setup when looking into your feature branch or when your default branch is
+    # not the one you want to check on.
+    baseBranches: [ "develop" ]
+    # baseBranches: [ 'develop' ]
+    # Prefix to use for all branch names created by renovate bot (default: "renovate/")
+    branchPrefix: "renovate/"
+    # Lowercase merge request and commit titles ("never" = leave titles untouched )
+    commitMessageLowerCase: "never"
+    # Commit scope to use if Semantic Commits are enabled (fix(<scope>)...)
+    semanticCommitScope: "ci"
+    # Commit type to use if Semantic Commits are enabled (default: "chore")
+    semanticCommitType: "chore"
+    # Include package files only within these defined paths
+    includePaths:
+      - "helmfile/environments/default/images.yaml"
+      - "helmfile/environments/default/charts.yaml"
+    customManagers:
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/images.yaml"
+        datasourceTemplate: "docker"
+        matchStrings:
+          # yamllint disable rule:line-length
+          - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? tag: "(?<currentValue>[^@]+)@(?<currentDigest>sha256:[a-f0-9]+)"'
+          # yamllint enable rule:line-length
+      - customType: "regex"
+        fileMatch:
+          - "helmfile/environments/default/charts.yaml"
+        datasourceTemplate: "docker"
+        matchStrings:
+          # yamllint disable rule:quoted-strings
+          - ' providerResponsible: "(?<depType>.+?)"[\s\S]+? upstreamRegistry: "(?<registryUrl>.+?)"[\s\S]+? upstreamRepository: "(?<depName>.+?)"[\s\S]+? version: "(?<currentValue>.+?)"'
+          # yamllint enable rule:line-length
+    # Rules for matching packages
+    packageRules:
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "openDesk" ]
+        groupName: "Platform"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Collabora" ]
+        groupName: "Collabora"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Element" ]
+        groupName: "Element"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Nordeck" ]
+        groupName: "Nordeck"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Open-Xchange" ]
+        groupName: "Open-Xchange"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "OpenProject" ]
+        groupName: "OpenProject"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "OpenProject" ]
+        groupName: "OpenProject"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "Univention" ]
+        groupName: "Univention"
+      - matchDatasources: [ "docker" ]
+        matchDepTypes: [ "XWiki" ]
+        groupName: "XWiki"
+    # Add merge request labels
+    labels:
+      - "renovate"
+    # Enable custom regex manager only
+    enabledManagers:
+      - "custom.regex"
+...

CHANGELOG.md

@@ -1,3 +1,24 @@
+# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
+
+
+### Bug Fixes
+
+* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
+* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
+* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
+* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
+* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
+* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
+* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
+* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
+
+
+### Features
+
+* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
+* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
+* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
+
 # [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
 
 

README.md

@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -22,8 +23,8 @@ SPDX-License-Identifier: Apache-2.0
 
 # Overview
 
-openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
+openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
-Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
+*Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 
 openDesk currently features the following functional main components:
 
@@ -31,11 +32,11 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Project management   | OpenProject                 | [14.0.1](https://www.openproject.org/docs/release-notes/14-0-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
 | Videoconferencing    | Jitsi                       | [2.0.8922](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_8922)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
 | Weboffice            | Collabora                   | [23.05.9.4.1](https://www.collaboraoffice.com/collabora-online-23-05-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
@@ -71,6 +72,7 @@ Of course, further development also includes enhancing the documentation itself.
 
 # Advanced customization
 
+- [Enhanced Configuration](./docs/enhanced-configuration.md)
 - [External services](./docs/external-services.md)
 - [Security](./docs/security.md)
 - [Scaling](./docs/scaling.md)
@@ -116,7 +118,7 @@ This project uses the following license: Apache-2.0
 
 # Copyright
 
-Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Copyright (C) 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 
 # Footnotes
 

docs/ci.md

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
 
-This page will cover openDesk automation via Gitlab CI.
+This page covers openDesk deployment automation via Gitlab CI.
 
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,29 +13,30 @@ This page will cover openDesk automation via Gitlab CI.
 
 # Deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
+When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
-When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
+- `DOMAIN`: Primary domain for your deployment making the openDesk services available e.g. as `https://portal.DOMAIN`.
-
+- `MAIL_DOMAIN`: (optional) Domain for the users mail addresses, defaults to `DOMAIN`.
-- `DOMAIN` = The domain to deploy to.
+- `MATRIX_DOMAIN`: (optional) Domain for the users Matrix IDs, defaults to `DOMAIN`.
-- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
+- `NAMESPACE`: Namespace of your K8s cluster openDesk will be installed to.
-- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
+- `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`.
 
 Based on your input, the following variables will be set:
-- `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
+- `MASTER_PASSWORD:`: `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 
-You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
 
 # Tests
 
-The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
 
-If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.

docs/debugging.md

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
+* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
+  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
+  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
@@ -35,6 +38,94 @@ and set the loglevel for components to "Debug".
 
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 
+# Adding containers to a pod for debugging purposes
+
+During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
+
+This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
+
+Adding a container to a Pod can ease the pain.
+
+Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
+
+## Adding a container to a pod/deployment - Dev/Test only
+
+You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
+
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Ensure the `shareProcessNamespace` option is enabled for the Pod.
+- Reference the selected container within the `containers` array of the deployment.
+- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
+- Save & update the deployment.
+
+The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
+
+```
+      shareProcessNamespace: true
+      containers:
+        - name: debugging
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+```
+
+- After the deployment was reloaded open the shell of the debugging container.
+- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
+- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
+
+## Temporary/ephemeral containers
+
+Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
+
+Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
+
+For the commands further down this section we set some environment variables first:
+- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
+- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
+- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
+- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
+- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
+
+e.g.
+
+```
+export EPH_CONTAINER_NAME=debugging
+export NAMESPACE=my_testdeployment
+export DEPLOYMENT_NAME=opendesk-nextcloud-php
+export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
+export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+```
+
+You still need to ensure that your deployment supports process namespace sharing:
+
+```
+kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
+spec:
+  template:
+    spec:
+      shareProcessNamespace: true'
+```
+
+Now you can add the ephemeral container with:
+```
+kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
+```
+and open it's interactive terminal with
+```
+kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
+```
+
 # Components
 
 ## MariaDB

docs/enhanced-configuration.md

@@ -0,0 +1,14 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Enhanced configuration use cases for openDesk</h1>
+
+# Overview
+
+The follownig enhanced configuration use cases are described in separate documents.
+
+- [Separate mail & Matrix domain](enhanced-configuration/separate-mail-matrix-domain.md)
+- [Federation with external identity provider](enhanced-configuration/idp-federation.md)
+- [Matrix federation](enhanced-configuration/matrix-federation.md)

docs/enhanced-configuration/idp-federation.md

@@ -0,0 +1,157 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Federation with external identity provider (IdP)</h1>
+
+* [Context](#context)
+* [Prerequisites](#prerequisites)
+  * [User accounts](#user-accounts)
+  * [External IdP with OIDC](#external-idp-with-oidc)
+* [Example configuration](#example-configuration)
+  * [Versions](#versions)
+  * [Example values](#example-values)
+  * [Keycloak admin console access](#keycloak-admin-console-access)
+  * [Your organizations IdP](#your-organizations-idp)
+    * [Separate realm](#separate-realm)
+    * [OIDC Client](#oidc-client)
+  * [openDesk IdP](#opendesk-idp)
+
+# Context
+
+Most organizations already have an Identity and Access Management (IAM) of their own that includes an identity provider (IdP) for single-sign-on to internal or external web applications.
+
+This document shows how to configure your organizations IdP as well as the openDesk IdP to allow account federation to support single-sign-on to openDesk based on your organization's login.
+
+# Prerequisites
+
+## User accounts
+
+Beside the configuration it is required that the user accounts with the same name exist within openDesk. This prerequisite is outside the scope of this document.
+
+We will provide additional documents regarding user provisioning in the future, so here's just an overview regarding potential scenarios:
+
+- Manual user management
+  - That is a lightweight way for testing your IdP federation setup or in case you just have a small amount of users to manage.
+  - Just create and maintain you user(s) in openDesk and ensure the username in your IAM and openDesk is identical.
+- User import
+  - If you need to create more than just a couple of test accounts you can use the [openDesk User Importer](https://gitlab.opencode.de/bmi/opendesk/tooling/user-import) that utilizes the UDM REST API for user account creation.
+  - Downsides: Managing groups and deleting accounts needs to be done manually.
+- Automated Pre-provisioning:
+  - Pre-provisioning users and groups including de-provisioning (deleting) accounts is the best practise as it ensures that openDesk is in sync with your organization's IAM.
+  - There are at least two ways of implementing the pre-provisioning:
+  - UDM REST API:
+    - Build a provisioning solution by yourself using the [UDM REST API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html).
+    - The API gives you full control over the contents of the IAM in order to create, update or delete users and groups.
+  - Directory Connector:
+    - It is based on a Python one-way directory synchronization for users and groups.
+    - We will provide more details on this approach soon one the tool is made publicly available.
+- Ad-hoc provisioning (AHP)
+  - This feature is currently not available in the openDesk Keycloak, but there are plans by the Supplier Univention to make it available.
+  - Ad-hoc provisioning creates an user account on the fly during a users first login.
+  - While AHP this is a nice approach for a quick start with openDesk it has various downsides:
+    - Users are just created after their first login, so you cannot find your colleagues in the openDesk apps unless they already logged in.
+    - A user account would never be deactivated or deleted in openDesk.
+    - Group memberships are not transferred.
+
+## External IdP with OIDC
+
+This document focusses on the OIDC federation between an external IdP and the openDesk IdP. It makes use of the OpenID Connect (OIDC) protocol, so your external IdP must support OIDC.
+
+# Example configuration
+
+## Versions
+
+The example was tested with openDesk v0.7.0 using its integrated Keycloak v24.0.3, as external IdP we also used an openDesk deployment of the same version but created a separate realm for proper separation of the configuration.
+
+## Example values
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `idp.organization.tld`: hostname for your organization's IdP
+- `id.opendesk.tld`: hostname for the openDesk IdP, so openDesk is obviously deployed at `opendesk.tld`
+- `fed-test-idp-realm`: realm name for your organizations IdP
+- `opendesk-federation-client`: OIDC client for the openDesk federation that is defined in your organizations IdP
+- `auto-federate-idp`: Identifier of your organizations IdP's configuration within the openDesk Keycloak.
+- `auto-federate-flow`: Identifier of the required additional login flow to be created and referenced in the openDesk Keycloak.
+
+## Keycloak admin console access
+
+To access the admin console of Keycloak in an openDesk deployment you need to add a route for `/admin` to the Keycloak's ingress. This is done automatically if you deploy openDesk with `debug.enabled: true` but beware that this will also cause a lot of log output across all openDesk pods.
+
+The admin console will be available at:
+- Organization's IdP: https://idp.organization.tld/admin/master/console/
+- openDesk IdP: https://id.opendesk.tld/admin/master/console/
+
+For the following configuration steps login with user `kcadmin` and grab the password from the `ums-keycloak` pod's `KEYCLOAK_ADMIN_PASSWORD` variable.
+
+## Your organizations IdP
+
+As we use the Keycloak of another openDesk instance to simulate your organization's IdP in this example, especially URL paths within the Keycloak might differ if you use different products.
+
+Please let us know about your experiences or differences you came accross.
+
+### Separate realm
+
+To not interfere with an existing configuration for our test scenario we create a separate realm:
+
+- `Create realm` (from realm selection drop down menu in the left upper corner)
+- *Realm name*: `fed-test-idp-realm`
+- `Create`
+
+### OIDC Client
+
+If you just created the `fed-test-idp-realm` your are already in the admin screen for the realm, if not use the realm selection drop down menu in the left upper corner to switch to the realm.
+
+- *Clients* > *Create Client*
+  - Client create wizard page 1:
+    - *Client type*: `OpenID Connect`
+    - *Client-ID*: `opendesk-federation-client`
+    - *Name*: `openDesk @ your organization` (is the descriptive text of the client that might show up in you IdP's UI and therefore should explain what the client is used for)
+  - Client create wizard page 2:
+    - *Client authentication*: `On`
+    - *Authorization*: `Off` (default)
+    - *Authentication flow*: leave defaults
+	    - `Standard flow`
+	    - `Direct access grants`
+  - Client create wizard page 3:
+    - *Valid Redirect URLs*: `https://id.opendesk.tld/realms/opendesk/broker/auto-federate-idp/endpoint`
+  - When completed with *Save* you get to the detailed client configured that also needs some updates:
+    - Tab *Settings* > Section *Logout settings*
+      - *Front channel logout*: `Off`
+      - *Back channel logout URL*: `https://id.opendesk.tld/realms/opendesk/protocol/openid-connect/logout/backchannel-logout`
+    - Tab *Credentials*
+      - Copy the *Client Secret* as we need it for the configuration of the openDesk IdP to be used in the openDesk IdP, as well as the *Client-ID*.
+
+## openDesk IdP
+
+The following configuration is taking place in the Keycloak realm `opendesk`.
+
+- *Authentication* > *Create flow*
+  - *Name*: `auto-federate-flow`
+  - *Flow type*: `Basic flow`
+  - *Create*
+  - *Add execution*: Add `Detect existing broker user` and set it to `Required`
+  - *Add step*: `Automatically set existing user` and set it to `Required`
+
+- *Identity providers* > *User-defined* > *OpenID Connect 1.0*
+  - *Alias*: `auto-federate-idp` (used in our example)
+  - *Display Name*: Descriptive Name in case you do not forcefully redirect the user to the IdP that name is shown in the login screen for manual selection.
+  - *Use discovery endpoint*: `On` (default)
+  - *Discovery endpoint*: `https://idp.organization.tld/realms/fed-test-idp-realm/.well-known/openid-configuration` - this URL may look different if you do not use Keycloak or a different Keycloak version as IdP in your organization
+    - In case the IdP metadata could not be auto-discovered you will get an error.
+    - If everything is fine you can review the discovered metadata for your IdP by clicking on *Show metadata*.
+  - *Client authentication*: `Client secret sent as post` (default)
+  - *Client ID*: Use the client ID you took form your organization's IdP config (`opendesk-federation-client` in this example)
+  - *Client Secret*: Use the secret you took form your organization's IdP config
+  - When completed with *Add* you get to the detailed IdP configured that also needs some updates (you may need to open the *Advanced* section to access some settings)
+	- *Backchannel logout*: `On`
+	- *Disable user info*: `On`
+    - *First login flow override*: `auto-federate-flow`
+
+- In case you want to forcefully redirect all users to your organizations IdP (disabling login with local openDesk accounts):
+  - *Authentication* > `2fa-browser`
+    - Click on the cogwheel next to the *Identitify Provider Redirector*
+      - *Alias*: `auto-federate-idp`
+      - *Default Identity Provider*: `auto-federate-idp`

docs/enhanced-configuration/matrix-federation.md

@@ -0,0 +1,32 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Matrix federation</h1>
+
+* [Use case](#use-case)
+* [Example configuration](#example-configuration)
+  * [DNS setup](#dns-setup)
+
+# Use case
+
+By default you only can chat with users that also have an account within your openDesk installation. The Element chat application and its server component Synapse are based on the Matrix protocol that supports federation with other Matrix servers to communicate with the users with accounts on these servers.
+
+# Example configuration
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in `https://chat.opendesk.domain.tld` to access the Element chat.
+- `my_organization.tld`: an optional alternative domain used for mail and/or Matrix. If not used it is also set to `opendesk.domain.tld`.
+
+## DNS setup
+
+If you want to federate with other Matrix instances, you need to have both SRV records:
+
+| Record name                         | Type | Value                                  | Additional Information                                                             |
+| ----------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
+| _matrix._tcp.my_organization.tld    | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+| matrix-fed._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+
+*Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.

docs/enhanced-configuration/separate-mail-matrix-domain.md

@@ -0,0 +1,68 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Separate domains for mail and or matrix</h1>
+
+* [Use case](#use-case)
+* [Example configuration](#example-configuration)
+  * [Mail domain](#mail-domain)
+  * [Matrix domain](#matrix-domain)
+
+# Use case
+
+As communication over mail and chat can go beyond the borders of your openDesk installation you may want to use different domains for the mail and/or matrix.
+
+# Example configuration
+
+The following values are used in this example documentation. Please ensure when you come across such a value even if it is part of a URL hostname or path that you adapt it where needed to your setup:
+
+- `opendesk.domain.tld`: the mandatory `DOMAIN` setting for your deployment resulting in `https://mail.opendesk.domain.tld` to access emails and `https://chat.opendesk.domain.tld` to access the Element chat that is based on the Matrix protocol.
+- `my_organization.tld`: the alternative domain used for mail and/or Matrix.
+
+## Mail domain
+
+By default all email addresses in openDesk are created based on the `DOMAIN` you specified for your deployment. In our example resulting in the users having `<username>@opendesk.domain.tld` as mail addresses. In case you prefer the users to send and receive emails with another domain you can set that one using the optional `MAIL_DOMAIN` in the deployment:
+
+```yaml
+global:
+  mailDomain: "my_organization.tld"
+```
+
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=my_organization.tld
+```
+
+This of course requires the MX record for the domain to point to the mail host for your openDesk deployment. Optionally add the SPF and DMARC records.
+
+| Record name                | Type | Value                                            |
+| -------------------------- | ---- | ------------------------------------------------ |
+| my_organization.tld        | MX   | `10 mail.opendesk.domain.tld`                    |
+| my_organization.tld        | TXT  | `v=spf1 +a +mx +a:mail.opendesk.domain.tld ~all` |
+| _dmarc.my_organization.tld | TXT  | `v=DMARC1; p=quarantine`                         |
+
+## Matrix domain
+
+Similar to the specific domain for email addresses you may want to specify a domain that differs from your deployment's default `DOMAIN` to define your users Matrix IDs. Use the `MATRIX_DOMAIN` to do so:
+
+```yaml
+global:
+  matrixDomain: "my_organization.tld"
+```
+
+or via environment variable
+
+```shell
+export MATRIX_DOMAIN=my_organization.tld
+```
+
+This setup requires also a different DNS setup:
+
+| Record name                      | Type | Value                                  | Comment                                                                            |
+| -------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
+| _matrix._tcp.my_organization.tld | SRV  | `1 10 PORT matrix.opendesk.domain.tld` | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+
+*Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.

docs/getting-started.md

@@ -10,6 +10,7 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
+  * [DNS](#dns)
   * [Domain](#domain)
     * [Apps](#apps)
   * [Private registries](#private-registries)
@@ -49,10 +50,24 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-## Domain
+## DNS
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
+The deployment is designed to deploy each application/service under a dedicated subdomain.
-`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
+For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
+otherwise you need to create an A-Record for each subdomain.
+
+| Record name             | Type | Value                                              | Additional information                                                             |
+| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                    |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                    |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                   |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                    |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                         |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                           |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+
+## Domain
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 
@@ -68,13 +83,13 @@ The domain have to be set either via `dev` environment
 
 ```yaml
 global:
-  domain: "my.open.desk"
+  domain: "domain.tld"
 ```
 
 or via environment variable
 
 ```shell
-export DOMAIN=my.open.desk
+export DOMAIN=domain.tld
 ```
 
 ### Apps
@@ -129,13 +144,13 @@ prefer the use of a private image registry anyway you can configure such for
 
 ```yaml
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
 ```
 
 alternatively you can use an environment variable:
 
 ```shell
-export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
+export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
 ```
 
 If authentication is required, you can reference imagePullSecrets as following:

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -4,6 +4,7 @@
 configuration:
   bot:
     username: "meetings-bot"
+    homeserver: {{ .Values.global.matrixDomain | default .Values.global.domain }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+clusterDomain: {{ .Values.cluster.networking.domain }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -29,6 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    serverName: {{ .Values.global.matrixDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
@@ -112,4 +113,6 @@ replicaCount: {{ .Values.replicas.synapse }}
 resources:
   {{ .Values.resources.synapse | toYaml | nindent 2 }}
 
+tls:
+  secretName: {{ if .Values.global.matrixDomain }}"opendesk-certificates-synapse-tls"{{ else }}"opendesk-certificates-tls"{{ end }}
 ...

helmfile/apps/services/helmfile.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -16,6 +17,17 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
       {{ .Values.charts.otterize.repository }}"
 
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
+
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
   - name: "certificates-repo"
@@ -115,6 +127,13 @@ releases:
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+    installed: {{ .Values.home.enabled }}
+
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 ---
 global:
   domain: {{ .Values.global.domain | quote }}
+  synapseDomain: {{ .Values.global.matrixDomain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
 

helmfile/apps/services/values-home.yaml.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -181,6 +181,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
   ldapServer:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
@@ -190,6 +191,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsLdapServer.tag | quote }}
     config:
       domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
       ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
@@ -417,10 +419,10 @@ portal-server:
     objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
     centralNavigation:
       enabled: true
-    credentialSecret:
+    objectStorageCredentialSecret:
       name: "ums-portal-server-minio-credentials"
-      accessKeyId: "nubus-s3-access-key-id"
+      accessKeyKey: "nubus-s3-access-key-id"
-      secretAccessKey: "nubus-s3-secret-key-id"
+      secretKeyKey: "nubus-s3-secret-key-id"
 
   extraVolumes:
     - name: authenticator-secret
@@ -535,6 +537,26 @@ provisioning:
           secretKeyRef:
             name: ums-provisioning-prefill-credentials
             key: NATS_PASSWORD
+  nats:
+    nats:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }}
+        repository: {{ .Values.images.umsNats.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNats.tag | quote }}
+    natsBox:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }}
+        repository: {{ .Values.images.umsNatsBox.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsBox.tag | quote }}
+    reloader:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }}
+        repository: {{ .Values.images.umsNatsReloader.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsReloader.tag | quote }}
+
 
   ingress:
     host: "localhost"
@@ -587,7 +609,7 @@ stack-data-ums:
     # The openDesk configuration brings its own UMC policies.
     installUmcPolicies: false
     domainname: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
     ldapHost: {{ .Values.ldap.host | quote }}
     ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -628,7 +650,7 @@ stack-data-swp:
       {{- end }}
 
     externalDomainName: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
 
     portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
     portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
@@ -760,7 +782,7 @@ udm-rest-api:
     secretRef: ums-udm-rest-api-credentials
     ldap:
       uri: "ldap://ums-ldap-server:389"
-      baseDN: {{ .Values.ldap.baseDn | quote }}
+      baseDn: {{ .Values.ldap.baseDn | quote }}
     tls:
       enabled: false
       secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
@@ -915,10 +937,6 @@ umc-server:
       enabled: false
   memcached:
     bundled: false
-    auth:
-      username: null
-      # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
-      password: "password"
     server: {{ .Values.cache.umsSelfservice.host | quote }}
 
   postgresql:
@@ -1035,14 +1053,27 @@ keycloak-bootstrap:
     deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
     keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
 
-  config:
   keycloak:
-      adminUser: "kcadmin"
+    connection:
-      adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      baseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    auth:
+      username: "kcadmin"
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
       realm: {{ .Values.platform.realm | quote }}
-      intraCluster:
+  ldap:
-        enabled: true
+    baseDn: {{ .Values.ldap.baseDn | quote }}
-        internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    connection:
+      host: {{ .Values.ldap.host | quote }}
+      port: "389"
+      protocol: "ldap"
+    auth:
+      bindDn: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
+      password: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
+
+  bootstrap:
+    ldapMappers:
+      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+      - ldapAndUserModelAttributeName: "oxContextIDNum"
     loginLinks:
       - link_number: 1
         language: "de"
@@ -1052,21 +1083,14 @@ keycloak-bootstrap:
         language: "en"
         description: "Forgot password?"
         href: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/#/selfservice/passwordforgotten"
-    ums:
-      ldap:
-        internalHostname: {{ .Values.ldap.host | quote }}
-        baseDN: {{ .Values.ldap.baseDn | quote }}
-        readUserDN: "uid=ldapsearch_keycloak,cn=users,dc=swp-ldap,dc=internal"
-        readUserPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.keycloak | quote }}
-        mappers:
-          - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
-          - ldapAndUserModelAttributeName: "oxContextIDNum"
-      saml:
-        serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
     twoFactorAuthentication:
       enabled: true
       group: "2fa-users"
 
+  config:
+    saml:
+      serviceProviderHostname: "{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+
   containerSecurityContext:
     enabled: true
     allowPrivilegeEscalation: false
@@ -1097,10 +1121,12 @@ keycloak-bootstrap:
 keycloak-extensions:
   enabled: true
   keycloak:
-    host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+    connection:
-    adminUsername: "kcadmin"
+      host: "ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
-    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
+    auth:
-    adminRealm: "master"
+      username: "kcadmin"
+      password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+      masterRealm: "master"
       realm: {{ .Values.platform.realm | quote }}
   postgresql:
     connection:
@@ -1110,6 +1136,13 @@ keycloak-extensions:
       database: {{ .Values.databases.keycloakExtension.name | quote }}
       username: {{ .Values.databases.keycloakExtension.username | quote }}
       password: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+  smtp:
+    connection:
+      host: {{ .Values.smtp.host | quote }}
+      port: {{ .Values.smtp.port | quote }}
+    auth:
+      username: {{ .Values.smtp.username | quote }}
+      password: {{ .Values.smtp.password | quote }}
   handler:
     replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
     podAnnotations:
@@ -1127,10 +1160,10 @@ keycloak-extensions:
       ipProtectionEnable: true
       logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
       newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
-      smtpPassword: {{ .Values.smtp.password | quote }}
+      # smtpPassword: {{ .Values.smtp.password | quote }}
-      smtpHost: {{ .Values.smtp.host | quote }}
+      # smtpHost: {{ .Values.smtp.host | quote }}
-      smtpPort: {{ .Values.smtp.port | quote }}
+      # smtpPort: {{ .Values.smtp.port | quote }}
-      smtpUsername: {{ .Values.smtp.username | quote }}
+      # smtpUsername: {{ .Values.smtp.username | quote }}
       mailFrom: "noreply@{{ .Values.global.domain }}"
     securityContext:
       allowPrivilegeEscalation: false
@@ -1525,7 +1558,7 @@ extraSecrets:
   - name: ums-portal-server-minio-credentials
     stringData:
       nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      nubus-s3-secret-key-id: {{ .Values.secrets.minio.umsUser | quote }}
+      nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: ums-portal-server-authenticator-credentials
     stringData:
       authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}

helmfile/environments/default/charts.yaml

@@ -1,5 +1,5 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
@@ -7,356 +7,366 @@
 ---
 charts:
   certificates:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates/opendesk-certificates"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
     name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "2.2.0"
     verify: true
   clamav:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav/opendesk-clamav"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "opendesk-clamav"
     version: "4.0.5"
     verify: true
   clamavSimple:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav/clamav-simple"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-clamav"
     name: "clamav-simple"
     version: "4.0.5"
     verify: true
   collabora:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Collabora'
+    # providerResponsible: "Collabora"
-    # upstreamRegistry: 'ghcr.io/collaboraonline/charts'
+    # upstreamRegistry: "https://ghcr.io/collaboraonline/charts"
-    # upstreamRepository: 'collabora-online'
+    # upstreamRepository: "collabora-online"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['1', '1', '8']
+    # upstreamMirrorStartFrom: ["1", "1", "8"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
     version: "1.1.11"
     verify: true
   cryptpad:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'XWiki'
+    # providerResponsible: "XWiki"
-    # upstreamRegistry: 'ghcr.io/cryptpad/helm'
+    # upstreamRegistry: "https://ghcr.io/cryptpad/helm"
-    # upstreamRepository: 'cryptpad'
+    # upstreamRepository: "cryptpad"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['0', '0', '17']
+    # upstreamMirrorStartFrom: ["0", "0", "17"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "cryptpad"
     version: "0.0.18"
     verify: true
   dovecot:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'Open-Xchange'
+    # providerResponsible: "Open-Xchange"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot/dovecot"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
     version: "1.3.10"
     verify: true
   element:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-element"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   elementWellKnown:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-well-known"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.7"
+    version: "2.7.1"
+    verify: true
+  home:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
+    name: "opendesk-home"
+    version: "1.0.1"
     verify: true
   intercomService:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/intercom-service/intercom-service'
+    # upstreamRepository: "souvap/tooling/charts/intercom-service/intercom-service"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['2', '0', '1']
+    # upstreamMirrorStartFrom: ["2", "0", "1"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "intercom-service"
     version: "2.0.1"
     verify: true
   jitsi:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi/opendesk-jitsi"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
     version: "1.7.8"
     verify: true
   mariadb:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb/mariadb"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
     name: "mariadb"
     version: "2.2.1"
     verify: true
   matrixNeoboardWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neoboard-widget"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neoboard-widget"
     version: "3.5.0"
     verify: true
   matrixNeochoiseWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neochoice-widget"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neochoice-widget"
     version: "3.5.0"
     verify: true
   matrixNeodatefixBot:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-bot"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-bot"
     version: "3.5.0"
     verify: true
   matrixNeodatefixWidget:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets/matrix-neodatefix-widget"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-matrix-widgets"
     name: "matrix-neodatefix-widget"
     version: "3.5.0"
     verify: true
   matrixUserVerificationService:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-matrix-user-verification-service"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   memcached:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/memcached'
+    # upstreamRepository: "bitnamicharts/memcached"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "memcached"
     version: "6.7.1"
     verify: true
   minio:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/minio'
+    # upstreamRepository: "bitnamicharts/minio"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "minio"
     version: "12.10.11"
     verify: true
   nextcloud:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
     version: "1.5.2"
     verify: true
   nextcloudManagement:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
     # packageName=bmi/opendesk/components/platform-development/charts/opendesk-nextcloud/opendesk-nextcloud-management
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
     version: "1.5.2"
     verify: true
   nginx:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/nginx'
+    # upstreamRepository: "bitnamicharts/nginx"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "nginx"
     version: "15.9.3"
     verify: true
   opendeskKeycloakBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap/opendesk-keycloak-bootstrap"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
     version: "1.0.7"
     verify: true
   openproject:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'openProject'
+    # providerResponsible: "openProject"
-    # upstreamRegistry: 'ghcr.io'
+    # upstreamRegistry: "https://ghcr.io"
-    # upstreamRepository: 'opf/helm-charts/openproject'
+    # upstreamRepository: "opf/helm-charts/openproject"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['3', '0', '2']
+    # upstreamMirrorStartFrom: ["3", "0", "2"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
     version: "4.2.1"
     verify: true
   openprojectBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap/opendesk-openproject-bootstrap"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-openproject-bootstrap"
     name: "opendesk-openproject-bootstrap"
     version: "1.3.0"
     verify: true
   openXchangeAppSuite:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Open-Xchange'
+    # providerResponsible: "Open-Xchange"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['2', '2', '37']
+    # upstreamMirrorStartFrom: ["2", "2", "37"]
-    # upstreamRegistry: 'registry.open-xchange.com'
+    # upstreamRegistry: "https://registry.open-xchange.com"
-    # upstreamRepository: 'appsuite-public-sector/charts/appsuite-public-sector'
+    # upstreamRepository: "appsuite-public-sector/charts/appsuite-public-sector"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
     version: "2.5.3"
     verify: false
   openXchangeAppSuiteBootstrap:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap/opendesk-open-xchange-bootstrap"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-open-xchange-bootstrap"
     name: "opendesk-open-xchange-bootstrap"
     version: "1.3.4"
     verify: true
   otterize:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize/opendesk-otterize"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
     version: "2.0.1"
     verify: true
   oxConnector:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'Univention'
+    # providerResponsible: "Univention"
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: "https://registry.souvap-univention.de"
-    # upstreamRepository: 'souvap/tooling/charts/univention/ox-connector'
+    # upstreamRepository: "souvap/tooling/charts/univention/ox-connector"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['0', '4', '2']
+    # upstreamMirrorStartFrom: ["0", "4", "2"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     name: "ox-connector"
     version: "0.4.2"
     verify: true
   postfix:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix/postfix"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
     version: "2.0.5"
     verify: true
   postgresql:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql/postgresql"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
     name: "postgresql"
     version: "2.0.5"
     verify: true
   redis:
-    # providerCategory: 'Community'
+    # providerCategory: "Community"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: 'bitnamicharts/redis'
+    # upstreamRepository: "bitnamicharts/redis"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/external/charts/bitnami-charts"
     name: "redis"
     version: "18.6.1"
     verify: true
   synapse:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseCreateAccount:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-create-account"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseWeb:
-    # providerCategory: 'Platform'
+    # providerCategory: "Platform"
-    # providerResponsible: 'openDesk'
+    # providerResponsible: "openDesk"
-    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRegistry: "https://registry.opencode.de"
-    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web'
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-synapse-web"
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   ums:
     # providerCategory: 'Supplier'
@@ -365,33 +375,19 @@ charts:
     # upstreamRepository: 'souvap/tooling/charts/univention/ums'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['0', '0', '1']
-    # registry: "registry.opencode.de"
-    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    registry: "registry.souvap-univention.de"
-    repository: "souvap/tooling/charts/univention"
-    name: "ums"
-    version: "0.11.0"
-    verify: true
-  umsKeycloakBootstrap:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/charts/univention-keycloak-bootstrap/ums-keycloak-bootstrap'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['1', '0', '1']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums-keycloak-bootstrap"
+    name: "ums"
-    version: "1.0.1"
+    version: "0.13.0"
     verify: true
   xwiki:
-    # providerCategory: 'Supplier'
+    # providerCategory: "Supplier"
-    # providerResponsible: 'XWiki'
+    # providerResponsible: "XWiki"
-    # upstreamRegistry: 'git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm'
+    # upstreamRegistry: "https://git.xwikisas.com:5050/xwikisas/swp/xwiki/contrib-xwiki-helm"
-    # upstreamRepository: 'xwiki'
+    # upstreamRepository: "xwiki"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorTagFilterRegEx: "^(\d+)\.(\d+)\.(\d+)$"
-    # upstreamMirrorStartFrom: ['1', '2', '4']
+    # upstreamMirrorStartFrom: ["1", "2", "4"]
-    registry: "registry.opencode.de"
+    registry: "https://registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
     version: "1.3.0"

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.6.0"
+    releaseVersion: "v0.7.0"
 ...

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,14 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
 
+  ## Define mail host
+  #
+  mailDomain: {{ env "MAIL_DOMAIN" | quote }}
+
+  ## Define synapse host
+  #
+  matrixDomain: {{ env "MATRIX_DOMAIN" | quote }}
+
   ## Define docker registry address.
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}

helmfile/environments/default/workplace.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -15,6 +16,8 @@ dovecot:
   enabled: true
 element:
   enabled: true
+home:
+  enabled: true
 intercom:
   enabled: true
 jitsi:

helmfile/environments/test/values.yaml.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
   imagePullSecrets:
     - "kyverno-test"
   imagePullPolicy: "kyverno"