fix: enable and set up provisioning

# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))

.gitlab-ci.yml

@@ -59,6 +59,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEBUG_ENABLED:
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"
@@ -533,7 +539,7 @@ avscan-start:
 
 # Overwrite shared settings
 .common-semantic-release:
-  image: "registry.souvap-univention.de/souvap/tooling/images/semantic-release-patched:latest"
+  image: "registry.opencode.de/bmi/opendesk/components/platform-development/images/semantic-release-patched:1.0.0"
   tags: []
 
 conventional-commits-linter:

.kyverno/policies/template-image-registries.yaml

@@ -24,10 +24,10 @@ spec:
         pattern:
           spec:
             =(ephemeralContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             =(initContainers):
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
             containers:
-              - image: "external-registry.souvap-univention.de/*"
+              - image: "my_private_registry.domain.tld/*"
   validationFailureAction: "audit"
 ...

CHANGELOG.md

@@ -1,3 +1,24 @@
+# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
+
+
+### Bug Fixes
+
+* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
+* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
+* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
+* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
+* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
+* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
+* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
+* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
+
+
+### Features
+
+* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
+* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
+* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
+
 # [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
 
 

README.md

@@ -1,4 +1,5 @@
 <!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 -->
@@ -22,8 +23,8 @@ SPDX-License-Identifier: Apache-2.0
 
 # Overview
 
-openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the "Projektgruppe für
-Aufbau ZenDiS" of Germany's Federal Ministry of the Interior.
+openDesk is a Kubernetes based, open-source and cloud-native digital workplace suite provided by the
+*Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH*.
 
 openDesk currently features the following functional main components:
 
@@ -31,7 +32,7 @@ openDesk currently features the following functional main components:
 | -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
-| File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
+| File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
 | Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
@@ -116,7 +117,7 @@ This project uses the following license: Apache-2.0
 
 # Copyright
 
-Copyright (C) 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Copyright (C) 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 
 # Footnotes
 

docs/ci.md

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
 
-This page will cover openDesk automation via Gitlab CI.
+This page covers openDesk deployment automation via Gitlab CI.
 
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,29 +13,31 @@ This page will cover openDesk automation via Gitlab CI.
 
 # Deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
 
-When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
+When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
 - `DOMAIN` = The domain to deploy to.
-- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
+- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
+- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
+- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
 - `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 
 Based on your input, the following variables will be set:
 - `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 
-You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
 
 # Tests
 
-The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
 
-If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.

docs/debugging.md

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
+* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
+  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
+  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
@@ -35,6 +38,94 @@ and set the loglevel for components to "Debug".
 
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 
+# Adding containers to a pod for debugging purposes
+
+During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
+
+This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
+
+Adding a container to a Pod can ease the pain.
+
+Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
+
+## Adding a container to a pod/deployment - Dev/Test only
+
+You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
+
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Ensure the `shareProcessNamespace` option is enabled for the Pod.
+- Reference the selected container within the `containers` array of the deployment.
+- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
+- Save & update the deployment.
+
+The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
+
+```
+      shareProcessNamespace: true
+      containers:
+        - name: debugging
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+```
+
+- After the deployment was reloaded open the shell of the debugging container.
+- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
+- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
+
+## Temporary/ephemeral containers
+
+Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
+
+Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
+
+For the commands further down this section we set some environment variables first:
+- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
+- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
+- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
+- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
+- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
+
+e.g.
+
+```
+export EPH_CONTAINER_NAME=debugging
+export NAMESPACE=my_testdeployment
+export DEPLOYMENT_NAME=opendesk-nextcloud-php
+export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
+export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+```
+
+You still need to ensure that your deployment supports process namespace sharing:
+
+```
+kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
+spec:
+  template:
+    spec:
+      shareProcessNamespace: true'
+```
+
+Now you can add the ephemeral container with:
+```
+kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
+```
+and open it's interactive terminal with
+```
+kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
+```
+
 # Components
 
 ## MariaDB

docs/getting-started.md

@@ -10,6 +10,7 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
+  * [DNS](#dns)
   * [Domain](#domain)
     * [Apps](#apps)
   * [Private registries](#private-registries)
@@ -49,10 +50,24 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-## Domain
+## DNS
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
-`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
+The deployment is designed to deploy each application/service under a dedicated subdomain.
+For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
+otherwise you need to create an A-Record for each subdomain.
+
+| Record name             | Type | Value                                              | Additional information                                                                  |
+| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                         |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                         |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                         |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                              |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                                |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
+
+## Domain
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 
@@ -68,15 +83,49 @@ The domain have to be set either via `dev` environment
 
 ```yaml
 global:
-  domain: "my.open.desk"
+  domain: "domain.tld"
 ```
 
 or via environment variable
 
 ```shell
-export DOMAIN=my.open.desk
+export DOMAIN=domain.tld
 ```
 
+Additionally, you can announce/specify an alternative domain for mail and chat.
+
+As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
+`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
+Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
+The required routing have to be implemented by yourself.
+
+The alternative domains have to be set either via `dev` environment
+
+```yaml
+global:
+  mailDomain: "open.desk"
+  synapseDomain: "open.desk"
+```
+
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=open.desk
+export SYNAPSE_DOMAIN=open.desk
+```
+
+If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
+
+| Record name                    | Type | Value                     |
+|--------------------------------|------|---------------------------|
+| _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
+| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
+| MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
+
+_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
+
+_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
+
 ### Apps
 
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
@@ -129,13 +178,13 @@ prefer the use of a private image registry anyway you can configure such for
 
 ```yaml
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
 ```
 
 alternatively you can use an environment variable:
 
 ```shell
-export PRIVATE_IMAGE_REGISTRY_URL=external-registry.souvap-univention.de/sovereign-workplace
+export PRIVATE_IMAGE_REGISTRY_URL=my_private_registry.domain.tld
 ```
 
 If authentication is required, you can reference imagePullSecrets as following:

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -4,6 +4,7 @@
 configuration:
   bot:
     username: "meetings-bot"
+    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+clusterDomain: {{ .Values.cluster.networking.domain }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -29,6 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}

helmfile/apps/services/helmfile.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -16,6 +17,17 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
       {{ .Values.charts.otterize.repository }}"
 
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
+
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
   - name: "certificates-repo"
@@ -115,6 +127,13 @@ releases:
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+    installed: {{ .Values.home.enabled }}
+
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"

helmfile/apps/services/values-home.yaml.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -181,6 +181,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
   ldapServer:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
@@ -190,6 +191,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsLdapServer.tag | quote }}
     config:
       domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
       ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
@@ -417,10 +419,10 @@ portal-server:
     objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
     centralNavigation:
       enabled: true
-    credentialSecret:
+    objectStorageCredentialSecret:
       name: "ums-portal-server-minio-credentials"
-      accessKeyId: "nubus-s3-access-key-id"
-      secretAccessKey: "nubus-s3-secret-key-id"
+      accessKeyKey: "nubus-s3-access-key-id"
+      secretKeyKey: "nubus-s3-secret-key-id"
 
   extraVolumes:
     - name: authenticator-secret
@@ -438,7 +440,7 @@ portal-server:
     {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
 
 provisioning:
-  enabled: false
+  enabled: true
   api:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningEventsAndConsumerApi.registry | quote }}
@@ -449,6 +451,10 @@ provisioning:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+    config:
+      rootPath: "/univention/provisioning-api"
+    resources:
+      {{ .Values.resources.umsProvisioningEventsAndConsumerApi | toYaml | nindent 4 }}
     credentialSecretName: "ums-provisioning-api-credentials"
   dispatcher:
     image:
@@ -460,6 +466,10 @@ provisioning:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 4 }}
+    config:
+      UDM_HOST: "ums-udm-rest-api"
     credentialSecretName: "ums-provisioning-dispatcher-credentials"
   prefill:
     image:
@@ -471,7 +481,26 @@ provisioning:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 4 }}
+    config:
+      UDM_HOST: "ums-udm-rest-api"
     credentialSecretName: "ums-provisioning-prefill-credentials"
+  register_consumers:
+    image:
+      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
+      repository: {{ .Values.images.umsWaitForDependency.repository }}
+      pullPolicy: {{ .Values.global.imagePullPolicy }}
+      tag: {{ .Values.images.umsWaitForDependency.tag }}
+      pullSecrets:
+        {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . | quote }}
+        {{- end }}
+    resources:
+      {{ .Values.resources.umsProvisioningRegisterConsumer | toYaml | nindent 4 }}
+    credentialSecretName: "ums-provisioning-register-consumers-credentials"
+    jsonSecretName: "ums-provisioning-register-consumers-json-secrets"
+    provisioningApiBaseUrl: "http://ums-provisioning-api/internal/admin/v1/subscriptions"
   nats:
     config:
       authorization:
@@ -497,6 +526,17 @@ provisioning:
             permissions:
               publish: ">"
               subscribe: ">"
+          - user: "$NATS_UDMLISTENER_USER"
+            password: "$NATS_UDMLISTENER_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+          - user: "$NATS_ADMIN_USER"
+            password: "$NATS_ADMIN_PASSWORD"
+            permissions:
+              publish: ">"
+              subscribe: ">"
+
     extraEnvVars:
       - name: NATS_USER
         value: "admin"
@@ -535,6 +575,37 @@ provisioning:
           secretKeyRef:
             name: ums-provisioning-prefill-credentials
             key: NATS_PASSWORD
+      - name: NATS_UDMLISTENER_USER
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-udm-listener-credentials
+            key: NATS_USER
+      - name: NATS_UDMLISTENER_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: ums-provisioning-udm-listener-credentials
+            key: NATS_PASSWORD
+
+  nats:
+    nats:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }}
+        repository: {{ .Values.images.umsNats.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNats.tag | quote }}
+    natsBox:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }}
+        repository: {{ .Values.images.umsNatsBox.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsBox.tag | quote }}
+    reloader:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }}
+        repository: {{ .Values.images.umsNatsReloader.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsReloader.tag | quote }}
+
 
   ingress:
     host: "localhost"
@@ -542,7 +613,7 @@ provisioning:
       enabled: false
 
 udm-listener:
-  enabled: false
+  enabled: true
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.umsProvisioningUdmListener.registry | quote }}
     repository: {{ .Values.images.umsProvisioningUdmListener.repository | quote }}
@@ -559,9 +630,17 @@ udm-listener:
     ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
     ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
     ldapPort: "389"
-    notifierServer: "ums-ldap-notifier"
+    notifierServer: {{ .Values.ldap.notifierHost | quote }}
     tlsMode: "off"
     natsHost: "ums-provisioning-nats"
+    natsUser: "udmlistener"
+    natsPassword: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
+    eventsUsernameUdm: "udmproducer"
+    eventsPasswordUdm: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
+    internalApiHost: "ums-provisioning-api"
+
+  resources:
+    {{ .Values.resources.umsProvisioningUdmListener | toYaml | nindent 4 }}
 
 stack-data-ums:
   enabled: true
@@ -587,7 +666,7 @@ stack-data-ums:
     # The openDesk configuration brings its own UMC policies.
     installUmcPolicies: false
     domainname: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
     ldapHost: {{ .Values.ldap.host | quote }}
     ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -628,7 +707,7 @@ stack-data-swp:
       {{- end }}
 
     externalDomainName: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
 
     portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
     portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
@@ -676,27 +755,19 @@ selfservice-listener:
   podAnnotations:
     intents.otterize.com/service-name: "ums-selfservice-listener"
   image:
+    registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
+    repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
+    tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
     pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     pullSecrets:
       {{- range .Values.global.imagePullSecrets }}
       - name: {{ . | quote }}
       {{- end }}
 
-    selfserviceListener:
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceListener.registry | quote }}
-      repository: {{ .Values.images.umsSelfserviceListener.repository | quote }}
-      tag: {{ .Values.images.umsSelfserviceListener.tag | quote }}
-
-    selfserviceInvitation:
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsSelfserviceInvitation.registry | quote }}
-      repository: {{ .Values.images.umsSelfserviceInvitation.repository | quote }}
-      tag: {{ .Values.images.umsSelfserviceInvitation.tag | quote }}
-
-    waitForDependency:
-      registry: {{ .Values.global.imageRegistry | default .Values.images.umsWaitForDependency.registry | quote }}
-      repository: {{ .Values.images.umsWaitForDependency.repository | quote }}
-      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
-      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
+  config:
+    provisioningApiBaseUrl: "http://ums-provisioning-api"
+    umcServerUrl: "http://ums-umc-server"
+  credentialSecretName: "ums-selfservice-listener-credentials"
 
   persistence:
     storageClassName: {{ .Values.persistence.storageClassNames.RWO | quote }}
@@ -705,24 +776,8 @@ selfservice-listener:
   resources:
     {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
 
-  resourcesDependencyWaiter:
-    {{ .Values.resources.umsSelfserviceListenerDependencies | toYaml | nindent 4 }}
-
   replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
 
-  selfserviceListener:
-    ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
-    ldapHost: {{ .Values.ldap.host | quote }}
-    ldapHostDn: {{ printf "%s,%s" "cn=admin" .Values.ldap.baseDn | quote }}
-    ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    machineSecret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
-    notifierServer: {{ .Values.ldap.notifierHost | quote }}
-    umcAdminPassword: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
-    debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
-    tlsMode: "off"
-    umcServerUrl: "http://ums-umc-server"
-    umcAdminUser: "default.admin"
-
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -760,7 +815,7 @@ udm-rest-api:
     secretRef: ums-udm-rest-api-credentials
     ldap:
       uri: "ldap://ums-ldap-server:389"
-      baseDN: {{ .Values.ldap.baseDn | quote }}
+      baseDn: {{ .Values.ldap.baseDn | quote }}
     tls:
       enabled: false
       secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
@@ -915,10 +970,6 @@ umc-server:
       enabled: false
   memcached:
     bundled: false
-    auth:
-      username: null
-      # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
-      password: "password"
     server: {{ .Values.cache.umsSelfservice.host | quote }}
 
   postgresql:
@@ -1525,27 +1576,54 @@ extraSecrets:
   - name: ums-portal-server-minio-credentials
     stringData:
       nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      nubus-s3-secret-key-id: {{ .Values.secrets.minio.umsUser | quote }}
+      nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: ums-portal-server-authenticator-credentials
     stringData:
       authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
   - name: ums-provisioning-api-credentials
     stringData:
       NATS_USER: "api"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiNatsPassword }}
+      ADMIN_NATS_USER: "admin"
+      ADMIN_NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminNatsPassword }}
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+      EVENTS_USERNAME_UDM: "udmproducer"
+      EVENTS_PASSWORD_UDM: {{ .Values.secrets.univentionManagementStack.provisioning.udmProducerPassword }}
   - name: ums-provisioning-dispatcher-credentials
     stringData:
-      UDM_USERNAME: "cn=admin"
-      UDM_PASSWORD: "password"
       NATS_USER: "dispatcher"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.dispatcherNatsPassword }}
   - name: ums-provisioning-prefill-credentials
     stringData:
       NATS_USER: "prefill"
-      NATS_PASSWORD: "password"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillNatsPassword }}
+      UDM_USERNAME: "cn=admin"
+      UDM_PASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+      PREFILL_USERNAME: "prefill"
+      PREFILL_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.prefillPassword }}
+  - name: ums-provisioning-udm-listener-credentials
+    stringData:
+      NATS_USER: "udmlistener"
+      NATS_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.udmListenerNatsPassword }}
   - name: ums-provisioning-nats-credentials
     stringData:
       admin_password: "nimda"
+  - name: ums-provisioning-register-consumers-credentials
+    stringData:
+      ADMIN_USERNAME: "admin"
+      ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.provisioning.apiAdminPassword }}
+  - name: ums-provisioning-register-consumers-json-secrets
+    stringData:
+      selfservice-listener.json: |
+        {
+          "name": "selfservice-listener",
+          "realms_topics": [["udm", "users/user"]],
+          "request_prefill": true,
+          "password": {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
+        }
   - name: ums-udm-rest-api-credentials
     stringData:
       ldap.secret: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
@@ -1560,4 +1638,10 @@ extraSecrets:
     stringData:
       KEYCLOAK_ADMIN_PASSWORD: {{ .Values.secrets.keycloak.adminPassword | quote }}
       GUARDIAN_MANAGEMENT_API_CLIENT_SECRET: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  - name: "ums-selfservice-listener-credentials"
+    stringData:
+      UMC_ADMIN_USER: "default.admin"
+      UMC_ADMIN_PASSWORD: {{ .Values.secrets.univentionManagementStack.defaultAccounts.adminPassword | quote }}
+      PROVISIONING_API_USERNAME: "selfservice-listener"
+      PROVISIONING_API_PASSWORD: {{ .Values.secrets.univentionManagementStack.selfserviceListener.provisioningApiPassword | quote }}
 ...

helmfile/environments/default/charts.yaml

@@ -1,5 +1,5 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
@@ -78,7 +78,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   elementWellKnown:
     # providerCategory: 'Platform'
@@ -88,7 +88,17 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.7"
+    version: "2.7.1"
+    verify: true
+  home:
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
+    name: "opendesk-home"
+    version: "1.0.1"
     verify: true
   intercomService:
     # providerCategory: 'Supplier'
@@ -170,7 +180,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   memcached:
     # providerCategory: 'Community'
@@ -336,7 +346,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseCreateAccount:
     # providerCategory: 'Platform'
@@ -346,7 +356,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseWeb:
     # providerCategory: 'Platform'
@@ -356,7 +366,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   ums:
     # providerCategory: 'Supplier'
@@ -365,12 +375,16 @@ charts:
     # upstreamRepository: 'souvap/tooling/charts/univention/ums'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['0', '0', '1']
+    # TODO: return back mirror registry and repository before merging
     # registry: "registry.opencode.de"
     # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
     registry: "registry.souvap-univention.de"
     repository: "souvap/tooling/charts/univention"
     name: "ums"
-    version: "0.11.0"
+    # TODO: Needs an update once the previous MR is merged
+    # See: https://git.knut.univention.de/univention/customers/dataport/upx/ums-stack/-/merge_requests/32
+    # version: "0.12.1"
+    version: "0.12.1-pre-acaceres-update-dependencies"
     verify: true
   umsKeycloakBootstrap:
     # providerCategory: 'Supplier'

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.6.0"
+    releaseVersion: "v0.7.0"
 ...

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,14 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
 
+  ## Define mail host
+  #
+  mailDomain: {{ env "MAIL_DOMAIN" | quote }}
+
+  ## Define synapse host
+  #
+  synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
+
   ## Define docker registry address.
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}

helmfile/environments/default/images.yaml

@@ -220,7 +220,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.19@sha256:ebe4e1187a474739794115ec97ba3759cf61fcc2967fc799ff1ec4e7ba0a4243"
+    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
   nextcloudExporter:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -236,7 +236,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.10@sha256:ed038316eb84e42716c7c31d7275cddc1125781cbb7583e716a978b9407ba738"
+    tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
   nextcloudPHP:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -244,7 +244,7 @@ images:
     # upstreamRepository: 'bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php'
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.9@sha256:9da3810989c60a3913f9ab366442925d39011a41c9f761ea05650de5935a4514"
+    tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
   opendeskKeycloakBootstrap:
     # providerCategory: 'Platform'
     # providerResponsible: 'openDesk'
@@ -536,7 +536,7 @@ images:
     # upstreamMirrorStartFrom: ['22', '0', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "23.0.7-ucs1@sha256:94b34cf3d9266435cf03549b58f874219ecbe9c38c18a070fea403d0cdd2bfc4"
+    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
   umsKeycloakBootstrap:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -587,6 +587,30 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
     tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
+  umsNats:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'library/nats'
+    registry: "registry-1.docker.io"
+    repository: "library/nats"
+    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
+  umsNatsBox:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-box'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
+  umsNatsReloader:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-server-config-reloader'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-server-config-reloader"
+    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
   umsNotificationsApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -626,7 +650,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.20.3@sha256:8960b54477d4a74e8cb52f66264928e0940b725c349cda2a22ede67e216f5f1e"
+    tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
   umsPortalServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -646,7 +670,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
+    tag: "0.25.0@sha256:c6c9d1e4a46222105ded32c8e87cb2e9b19945592a9ada4e6c13e6942d721694"
   umsProvisioningEventsAndConsumerApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -656,7 +680,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
+    tag: "0.25.0@sha256:f0382154126421e4078beede3ce2579f61859da64c497cb5c93acc693bf71647"
   umsProvisioningPrefill:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -666,7 +690,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
+    tag: "0.25.0@sha256:a5beae74c2575fa20d305ae635bc0c2bba64a9b1173819f8ddd4cca3fb59f6a4"
   umsProvisioningUdmListener:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -676,7 +700,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '14', '0']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
+    tag: "0.25.0@sha256:b67e31d11461d02bc211117408ded3c0428d224b056f26734add7c024d5f710a"
   umsSelfserviceInvitation:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -684,19 +708,15 @@ images:
     # upstreamRepository: 'souvap/tooling/images/univention/selfservice-invitation'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
     # upstreamMirrorStartFrom: ['0', '3', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.4.0@sha256:bd252758576e1733076c78756f04225ebed73d9c48de22440975ef11dd087caf"
-  umsSelfserviceListener:
-    # providerCategory: 'Supplier'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/images/univention/selfservice-listener'
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '3', '2']
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.4.0@sha256:0bc0235fd64a19a183f112da73109b54712c2d70fe7fa77c6405beefb7167588"
+    # TODO: return back mirror registry and repository before merging
+#    registry: "registry.opencode.de"
+#    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
+    registry: "registry.souvap-univention.de"
+    repository: "souvap/tooling/images/univention/selfservice-invitation"
+    # TODO: Needs an update once the previous MR is merged
+    # See: https://git.knut.univention.de/univention/customers/dataport/upx/selfservice-listener/-/merge_requests/16
+    # version: "0.5.0"
+    tag: "0.5.0-pre-acaceres-migrate-self-service-listener-to-provisioning-service@sha256:68b342badcaa0def19e6396bb23ffabf3e140ee2a3a39d37e7a5dc4cbba8362b"
   umsStackGateway:
     # providerCategory: 'Community'
     # providerResponsible: 'Univention'
@@ -708,13 +728,13 @@ images:
   umsUdmRestApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'souvap/tooling/images/univention/udm-rest-api'
+    # upstreamRegistry: 'artifacts.software-univention.de'
+    # upstreamRepository: 'nubus/images/udm-rest-api'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '5', '2']
+    # upstreamMirrorStartFrom: ['0', '9', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.9.2@sha256:3309171c63f46cd3dccd15eb24af5dbb13f8abbc39c95e5a2d24d0d802ea896f"
+    tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
   umsUmcGateway:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'

helmfile/environments/default/resources.yaml

@@ -466,6 +466,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  umsProvisioningRegisterConsumer:
+    limits:
+      cpu: 0.5
+      memory: "256Mi"
+    requests:
+      cpu: 0.25
+      memory: "128Mi"
   umsProvisioningNats:
     limits:
       cpu: 99
@@ -480,13 +487,6 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
-  umsSelfserviceListenerDependencies:
-    limits:
-      cpu: 99
-      memory: "1Gi"
-    requests:
-      cpu: 0.1
-      memory: "256Mi"
   umsStackDataUms:
     limits:
       cpu: 99

helmfile/environments/default/secrets.gotmpl

@@ -34,14 +34,13 @@ secrets:
       apiNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "nats" | sha1sum | quote }}
       apiAdminNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "apiAdmin" "nats" | sha1sum | quote }}
       apiAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "api" "admin_api" | sha1sum | quote }}
-      dispatcherPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "dispatcher_service" | sha1sum | quote }}
       prefillPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "prefill_service" | sha1sum | quote }}
       prefillNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "prefill" "nats" | sha1sum | quote }}
       udmProducerPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmproducer" "events_api" | sha1sum | quote }}
       dispatcherNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "dispatcher" "nats" | sha1sum | quote }}
-      dispatcherUdmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
       udmListenerNatsPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "udmlistener" "nats" | sha1sum | quote }}
-      udmPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "udm" | sha1sum | quote }}
+    selfserviceListener:
+      provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "selfservice-listener" "selfservice-listener" | sha1sum | quote }}
   nats:
     natsAdminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "admin" "nats" | sha1sum | quote }}
 

helmfile/environments/default/workplace.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -15,6 +16,8 @@ dovecot:
   enabled: true
 element:
   enabled: true
+home:
+  enabled: true
 intercom:
   enabled: true
 jitsi:

helmfile/environments/test/values.yaml.gotmpl

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  imageRegistry: "external-registry.souvap-univention.de/sovereign-workplace"
+  imageRegistry: "my_private_registry.domain.tld"
   imagePullSecrets:
     - "kyverno-test"
   imagePullPolicy: "kyverno"