chore(release): 0.7.0 [skip ci]

# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)

### Bug Fixes

* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](3dc648421b))
* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](b9ac5ecf2d))
* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](e9ec2f3a6e))
* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](2ad027082f))
* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](9be3b78761))
* **univention-management-stack:** Objectstore credentials ([d1bd43f](d1bd43fa95))
* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](fefd2f6cae))
* **univention-management-stack:** Use the NATS related image configuration ([cd22570](cd225703eb))

### Features

* **element:** Add support for Matrix federation ([36139b4](36139b42f1))
* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](e6fe2a7c18))
* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](c7e217208c))

.gitlab-ci.yml

@@ -59,6 +59,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEBUG_ENABLED:
+    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_ALL_COMPONENTS:
     description: "Enable all component deployment (overwrites 'no' setting on component level)."
     value: "no"

CHANGELOG.md

@@ -1,3 +1,24 @@
+# [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
+
+
+### Bug Fixes
+
+* **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
+* **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
+* **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
+* **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
+* **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
+* **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
+* **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
+* **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
+
+
+### Features
+
+* **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
+* **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
+* **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
+
 # [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
 
 

docs/ci.md

@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
 
-This page will cover openDesk automation via Gitlab CI.
+This page covers openDesk deployment automation via Gitlab CI.
 
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,29 +13,31 @@ This page will cover openDesk automation via Gitlab CI.
 
 # Deployment
 
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
 
 
-When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
+When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
 
 - `DOMAIN` = The domain to deploy to.
-- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
+- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
+- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
+- `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
 - `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 
 Based on your input, the following variables will be set:
 - `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
   is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
 
-You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
 
 # Tests
 
-The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
+The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
 
-If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
+If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
 `TESTS_BRANCH` while creating a new pipeline.

docs/debugging.md

@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
+* [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
+  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
+  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
   * [MariaDB](#mariadb)
   * [Nextcloud](#nextcloud)
@@ -35,6 +38,94 @@ and set the loglevel for components to "Debug".
 
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 
+# Adding containers to a pod for debugging purposes
+
+During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
+
+This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
+
+Adding a container to a Pod can ease the pain.
+
+Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
+
+## Adding a container to a pod/deployment - Dev/Test only
+
+You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
+
+- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Ensure the `shareProcessNamespace` option is enabled for the Pod.
+- Reference the selected container within the `containers` array of the deployment.
+- In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
+- Save & update the deployment.
+
+The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
+
+```
+      shareProcessNamespace: true
+      containers:
+        - name: debugging
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            runAsUser: 65532
+            runAsGroup: 65532
+            runAsNonRoot: true
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+```
+
+- After the deployment was reloaded open the shell of the debugging container.
+- When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
+- To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
+
+## Temporary/ephemeral containers
+
+Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
+
+Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
+
+For the commands further down this section we set some environment variables first:
+- `NAMESPACE`: The namespace the Pod you want to inspects is running in.
+- `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
+- `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
+- `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
+- `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
+
+e.g.
+
+```
+export EPH_CONTAINER_NAME=debugging
+export NAMESPACE=my_testdeployment
+export DEPLOYMENT_NAME=opendesk-nextcloud-php
+export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
+export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+```
+
+You still need to ensure that your deployment supports process namespace sharing:
+
+```
+kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
+spec:
+  template:
+    spec:
+      shareProcessNamespace: true'
+```
+
+Now you can add the ephemeral container with:
+```
+kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
+```
+and open it's interactive terminal with
+```
+kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
+```
+
 # Components
 
 ## MariaDB

docs/getting-started.md

@@ -10,6 +10,7 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
+  * [DNS](#dns)
   * [Domain](#domain)
     * [Apps](#apps)
   * [Private registries](#private-registries)
@@ -49,10 +50,24 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 
-## Domain
+## DNS
 
-The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
+The deployment is designed to deploy each application/service under a dedicated subdomain.
-`*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
+For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
+otherwise you need to create an A-Record for each subdomain.
+
+| Record name             | Type | Value                                              | Additional information                                                                  |
+| ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
+| *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                         |
+| *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                         |
+| mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
+| domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                         |
+| domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                              |
+| _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                                |
+| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
+
+## Domain
 
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 
@@ -68,15 +83,49 @@ The domain have to be set either via `dev` environment
 
 ```yaml
 global:
-  domain: "my.open.desk"
+  domain: "domain.tld"
 ```
 
 or via environment variable
 
 ```shell
-export DOMAIN=my.open.desk
+export DOMAIN=domain.tld
 ```
 
+Additionally, you can announce/specify an alternative domain for mail and chat.
+
+As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
+`*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
+Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
+The required routing have to be implemented by yourself.
+
+The alternative domains have to be set either via `dev` environment
+
+```yaml
+global:
+  mailDomain: "open.desk"
+  synapseDomain: "open.desk"
+```
+
+or via environment variable
+
+```shell
+export MAIL_DOMAIN=open.desk
+export SYNAPSE_DOMAIN=open.desk
+```
+
+If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
+
+| Record name                    | Type | Value                     |
+|--------------------------------|------|---------------------------|
+| _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
+| matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
+| MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
+
+_Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
+
+_Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
+
 ### Apps
 
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.

helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl

@@ -4,6 +4,7 @@
 configuration:
   bot:
     username: "meetings-bot"
+    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -1,6 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+clusterDomain: {{ .Values.cluster.networking.domain }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -29,6 +29,7 @@ configuration:
     password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
 
   homeserver:
+    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
     appServiceConfigs:
       - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
         hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}

helmfile/apps/services/helmfile.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -16,6 +17,17 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
       {{ .Values.charts.otterize.repository }}"
 
+  # openDesk Home
+  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
+  - name: "home-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.home.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
+      {{ .Values.charts.home.repository }}"
+
   # openDesk Certificates
   # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
   - name: "certificates-repo"
@@ -115,6 +127,13 @@ releases:
     installed: {{ .Values.security.otterizeIntents.enabled }}
     timeout: 900
 
+  - name: "opendesk-home"
+    chart: "home-repo/{{ .Values.charts.home.name }}"
+    version: "{{ .Values.charts.home.version }}"
+    values:
+      - "values-home.yaml.gotmpl"
+    installed: {{ .Values.home.enabled }}
+
   - name: "opendesk-certificates"
     chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
     version: "{{ .Values.charts.certificates.version }}"

helmfile/apps/services/values-home.yaml.gotmpl

@@ -0,0 +1,16 @@
+{{/*
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+
+ingress:
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+...

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.domain | quote }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl

@@ -181,6 +181,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
   ldapServer:
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
@@ -190,6 +191,7 @@ ldap-server:
         {{- range .Values.global.imagePullSecrets }}
         - name: {{ . | quote }}
         {{- end }}
+      tag: {{ .Values.images.umsLdapServer.tag | quote }}
     config:
       domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
       ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
@@ -417,10 +419,10 @@ portal-server:
     objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
     centralNavigation:
       enabled: true
-    credentialSecret:
+    objectStorageCredentialSecret:
       name: "ums-portal-server-minio-credentials"
-      accessKeyId: "nubus-s3-access-key-id"
+      accessKeyKey: "nubus-s3-access-key-id"
-      secretAccessKey: "nubus-s3-secret-key-id"
+      secretKeyKey: "nubus-s3-secret-key-id"
 
   extraVolumes:
     - name: authenticator-secret
@@ -535,6 +537,26 @@ provisioning:
           secretKeyRef:
             name: ums-provisioning-prefill-credentials
             key: NATS_PASSWORD
+  nats:
+    nats:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }}
+        repository: {{ .Values.images.umsNats.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNats.tag | quote }}
+    natsBox:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }}
+        repository: {{ .Values.images.umsNatsBox.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsBox.tag | quote }}
+    reloader:
+      image:
+        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }}
+        repository: {{ .Values.images.umsNatsReloader.repository | quote }}
+        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+        tag: {{ .Values.images.umsNatsReloader.tag | quote }}
+
 
   ingress:
     host: "localhost"
@@ -587,7 +609,7 @@ stack-data-ums:
     # The openDesk configuration brings its own UMC policies.
     installUmcPolicies: false
     domainname: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
     hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
     ldapHost: {{ .Values.ldap.host | quote }}
     ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -628,7 +650,7 @@ stack-data-swp:
       {{- end }}
 
     externalDomainName: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.domain | quote }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
 
     portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
     portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
@@ -760,7 +782,7 @@ udm-rest-api:
     secretRef: ums-udm-rest-api-credentials
     ldap:
       uri: "ldap://ums-ldap-server:389"
-      baseDN: {{ .Values.ldap.baseDn | quote }}
+      baseDn: {{ .Values.ldap.baseDn | quote }}
     tls:
       enabled: false
       secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
@@ -915,10 +937,6 @@ umc-server:
       enabled: false
   memcached:
     bundled: false
-    auth:
-      username: null
-      # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
-      password: "password"
     server: {{ .Values.cache.umsSelfservice.host | quote }}
 
   postgresql:
@@ -1525,7 +1543,7 @@ extraSecrets:
   - name: ums-portal-server-minio-credentials
     stringData:
       nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      nubus-s3-secret-key-id: {{ .Values.secrets.minio.umsUser | quote }}
+      nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
   - name: ums-portal-server-authenticator-credentials
     stringData:
       authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}

helmfile/environments/default/charts.yaml

@@ -1,5 +1,5 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
@@ -78,7 +78,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   elementWellKnown:
     # providerCategory: 'Platform'
@@ -88,7 +88,17 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "2.6.7"
+    version: "2.7.1"
+    verify: true
+  home:
+    # providerCategory: 'Platform'
+    # providerResponsible: 'openDesk'
+    # upstreamRegistry: 'registry.opencode.de'
+    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
+    name: "opendesk-home"
+    version: "1.0.1"
     verify: true
   intercomService:
     # providerCategory: 'Supplier'
@@ -170,7 +180,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   memcached:
     # providerCategory: 'Community'
@@ -336,7 +346,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseCreateAccount:
     # providerCategory: 'Platform'
@@ -346,7 +356,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   synapseWeb:
     # providerCategory: 'Platform'
@@ -356,7 +366,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "2.6.7"
+    version: "2.7.1"
     verify: true
   ums:
     # providerCategory: 'Supplier'
@@ -370,7 +380,7 @@ charts:
     registry: "registry.souvap-univention.de"
     repository: "souvap/tooling/charts/univention"
     name: "ums"
-    version: "0.11.0"
+    version: "0.12.0"
     verify: true
   umsKeycloakBootstrap:
     # providerCategory: 'Supplier'

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.6.0"
+    releaseVersion: "v0.7.0"
 ...

helmfile/environments/default/global.gotmpl

@@ -11,6 +11,14 @@ global:
   #
   domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
 
+  ## Define mail host
+  #
+  mailDomain: {{ env "MAIL_DOMAIN" | quote }}
+
+  ## Define synapse host
+  #
+  synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
+
   ## Define docker registry address.
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}

helmfile/environments/default/images.yaml

@@ -587,6 +587,30 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
     tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
+  umsNats:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'library/nats'
+    registry: "registry-1.docker.io"
+    repository: "library/nats"
+    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
+  umsNatsBox:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-box'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
+  umsNatsReloader:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-server-config-reloader'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-server-config-reloader"
+    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
   umsNotificationsApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -626,7 +650,7 @@ images:
     # upstreamMirrorStartFrom: ['0', '9', '4']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.20.3@sha256:8960b54477d4a74e8cb52f66264928e0940b725c349cda2a22ede67e216f5f1e"
+    tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
   umsPortalServer:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
@@ -708,13 +732,13 @@ images:
   umsUdmRestApi:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry.souvap-univention.de'
+    # upstreamRegistry: 'artifacts.software-univention.de'
-    # upstreamRepository: 'souvap/tooling/images/univention/udm-rest-api'
+    # upstreamRepository: 'nubus/images/udm-rest-api'
     # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '5', '2']
+    # upstreamMirrorStartFrom: ['0', '9', '3']
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.9.2@sha256:3309171c63f46cd3dccd15eb24af5dbb13f8abbc39c95e5a2d24d0d802ea896f"
+    tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
   umsUmcGateway:
     # providerCategory: 'Supplier'
     # providerResponsible: 'Univention'

helmfile/environments/default/workplace.yaml

@@ -1,3 +1,4 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -15,6 +16,8 @@ dovecot:
   enabled: true
 element:
   enabled: true
+home:
+  enabled: true
 intercom:
   enabled: true
 jitsi: