fix(univention-management-stack): Update otterize helm chart

fix(univention-management-stack): Use nubus umbrella helm chart
fix(univention-management-stack): add Guardian provisioning job image
2025-12-08 00:11:38 +01:00 · 2024-04-07 22:02:30 +02:00 · 2024-04-07 17:15:17 +02:00 · 2024-04-05 18:09:05 +02:00 · 2024-04-05 12:42:22 +02:00
29 changed files with 168 additions and 388 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -28,13 +28,12 @@ stages:
  - ".pre"
  - "scan"
  - "automr"
  - "lint"
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
  - "basic-services-deploy"
  - "component-deploy-stage-1"
  - "component-deploy-stage-2"
  - "lint"
  - "tests"
  - "env-stop"
  - ".post"
@@ -59,12 +58,6 @@ variables:
    options:
      - "yes"
      - "no"
  DEBUG_ENABLED:
    description: "Allows to set `debug.enabled` to true for a deployment, needs to be supported by stage specific configuration containting: `debug.enabled: {{ env \"DEBUG_ENABLED\" | default false }}`"
    value: "no"
    options:
      - "yes"
      - "no"
  DEPLOY_ALL_COMPONENTS:
    description: "Enable all component deployment (overwrites 'no' setting on component level)."
    value: "no"
@@ -168,7 +161,7 @@ variables:
      fi;
    - >
      echo "Installing ${COMPONENT} into ${NAMESPACE} namespace as ${HELMFILE_ENVIRONMENT} environment on ${CLUSTER}"
-    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff ${ADDITIONAL_ARGS}"
+    - "helmfile --namespace ${NAMESPACE} apply --suppress-diff"
  tags:
    - "docker"
    - "kubernetes"
@@ -225,19 +218,6 @@ env-start:
      --dry-run=client -o yaml | kubectl apply -f -
  stage: "env"
 policies-deploy:
  stage: "pre-services-deploy"
  extends: ".deploy-common"
  rules:
    - if: >
          $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" &&
          $NAMESPACE =~ /.+/ &&
          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_SERVICES != "no")
      when: "on_success"
  variables:
    COMPONENT: "services"
    ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 services-deploy:
  stage: "basic-services-deploy"
  extends: ".deploy-common"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,41 +1,3 @@
 # [0.7.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.6.0...v0.7.0) (2024-05-06)
 ### Bug Fixes
 * **ci:** Add debug option. Has to be supported by stage specific configuration containing: `debug.enabled: {{ env "DEBUG_ENABLED" | default false }}` ([3dc6484](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3dc648421b80d4e170a11792604be127a3960c0e))
 * **element:** Provide the internal cluster domain to synapse web ([b9ac5ec](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b9ac5ecf2def57bba0070f1c2f4a01449808f106))
 * **univention-management-stack:** Add the image configuration for NATS ([e9ec2f3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e9ec2f3a6e51975ccdbd6d3575b5fc6a909502aa))
 * **univention-management-stack:** Fix [#55](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/55), [#35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/35) by updating chart "ums" to 0.11.2 and image "portal-listener" to 0.20.6; To update an existing installation you need to manually delete the `ums-portal-listener` stateful set before the update: `kubectl -n <your_namespace> delete statefulsets ums-portal-listener` ([2ad0270](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/2ad027082f4cb958d68d7728d8db05f786dba0f0))
 * **univention-management-stack:** Migrate UDM-REST-API image to new Univention registry ([9be3b78](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/9be3b78761610db0274572d5a7c526aa34d0615f))
 * **univention-management-stack:** Objectstore credentials ([d1bd43f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d1bd43fa957accdb70f0cda69983e0490ac6cfa0))
 * **univention-management-stack:** Update Helm chart to 0.12.0 including required changes to openDesk Helmfile deployment. ([fefd2f6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fefd2f6cae3617ba1f00ef0c5fa3a80cde1d6ba1))
 * **univention-management-stack:** Use the NATS related image configuration ([cd22570](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cd225703ebe67bc78faa878080639dd7cc1845a9))
 ### Features
 * **element:** Add support for Matrix federation ([36139b4](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/36139b42f1df9785b8414059bf70dc3e37616e8a))
 * **helmfile:** Introduce additional variables for mailDomain and synapseDomain ([e6fe2a7](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e6fe2a7c18581f637d6bd4d0553d558f753dadd2))
 * **services:** Add opendesk-home service, which redirects on domain to portal ([c7e2172](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c7e217208c4cb812cc23f9aa5ea42fcb77ea7c3a))
 # [0.6.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.81...v0.6.0) (2024-04-11)
 ### Bug Fixes
 * **helmfile:** Improve support for external Objectstore, and fix issue with DoveCot storageClassName ([1b748b6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1b748b6bf63d75fc5232c90407a3fa885c2dd3c8)), closes [#57](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/57) [#60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/60) [#56](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/56)
 * **nextcloud:** Bump to 28.0.4 ([cb33a92](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/cb33a929ef7c13a9a578e56a631951292d14d0e4))
 * **univention-management-stack:** add Guardian provisioning job image ([79c52d0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/79c52d014cec188d010a2827bb63b2635abafb2c))
 * **univention-management-stack:** Update UMC to 0.11.8 ([5e3f4fa](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5e3f4faade2ea02e51f260d1d614296a6a484848))
 * **univention-management-stack:** Use umbrella helm chart ([10ecb44](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/10ecb44aa675d2f139aaec6fe8d4246fa1d3dd40))
 * **xwiki:** Bump to 15.10.8 and enable OIDC backchannel logout ([c395d35](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c395d35dd77bbec5e6b7d01768533f87af843560))
 ### Features
 * **open-xchange:** Bump to 8.23 and remove Istio prerequisite ([3be3564](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/3be3564ec7168a1a2d72b58f11da84e89e81911d))
 ## [0.5.81](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.5.80...v0.5.81) (2024-03-28)
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ openDesk currently features the following functional main components:
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.59](https://github.com/element-hq/element-desktop/releases/tag/v1.11.59)                                 | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | Cryptpad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.4](https://nextcloud.com/de/changelog/#28-0-4)                                                           | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Groupware            | OX Appsuite                 | [8.22](https://documentation.open-xchange.com/appsuite/releases/8.22/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
 | Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                                            | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
 | Project management   | OpenProject                 | [13.4.1](https://www.openproject.org/docs/release-notes/13-4-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 -->
 <h1>CI/CD</h1>
-This page covers openDesk deployment automation via Gitlab CI.
+This page will cover openDesk automation via Gitlab CI.
 <!-- TOC -->
 * [Deployment](#deployment)
@@ -13,31 +13,30 @@ This page covers openDesk deployment automation via Gitlab CI.
 # Deployment
-The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a GitLab instance of your choice.
+The project includes a `.gitlab-ci.yml` that allows you to execute the deployment from a Gitlab instance of your choice.
-When starting the pipeline through the GitLab UI, you will be queried for some variables plus the following ones:
+When starting the pipeline through the Gitlab UI, you will be queried for some variables plus the following ones:
 - `DOMAIN` = The domain to deploy to.
- `MAIL_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Mail, defaults to `DOMAIN`.
+- `ISTIO_DOMAIN` = istio.`DOMAIN`
- `SYNAPSE_DOMAIN` = (optional) Specify domain (f.e. root FQDN) for Synapse, defaults to `DOMAIN`.
+- `NAMESPACE`: Defines into which namespace of your K8s cluster the SWP will be installed
 - `NAMESPACE`: Defines into which namespace of your K8s cluster openDesk will be installed
 - `MASTER_PASSWORD_WEB_VAR`: Overwrites value of `MASTER_PASSWORD`
 Based on your input, the following variables will be set:
 - `MASTER_PASSWORD` = `MASTER_PASSWORD_WEB_VAR`. If `MASTER_PASSWORD_WEB_VAR`
  is not set, the default for `MASTER_PASSWORD` will be used, unless you set
-  `MASTER_PASSWORD` as a masked CI/CD variable in GitLab to supersede the default.
+  `MASTER_PASSWORD` as a masked CI/CD variable in Gitlab to supersede the default.
-You might want to set credential variables in the GitLab project at `Settings` > `CI/CD` > `Variables`.
+You might want to set credential variables in the Gitlab project at `Settings` > `CI/CD` > `Variables`.
 # Tests
-The GitLab CI pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another GitLab project.
+The gitlab-ci pipeline contains a job named `run-tests` that can trigger a test suite pipeline on another gitlab project.
 The `DEPLOY_`-variables are used to determine which components should be tested.
-In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this GitLab project's CI variables
+In order for the trigger to work, the variable `TESTS_PROJECT_URL` has to be set on this gitlab project's CI variables
 that can be found at `Settings` -> `CI/CD` -> `Variables`. The variable should have this format:
 `<domain of gitlab>/api/v4/projects/<id>`.
-If the branch of the test pipeline is not `main` this can be set with the `.gitlab-ci.yml` variable
+If the branch of the test pipeline is not `main` this can be set with the .gitlab-ci.yml variable
 `TESTS_BRANCH` while creating a new pipeline.
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -6,9 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Enable debugging](#enable-debugging)
 * [Adding containers to a pod for debugging purposes](#adding-containers-to-a-pod-for-debugging-purposes)
  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
  * [MariaDB](#mariadb)
  * [Nextcloud](#nextcloud)
@@ -38,94 +35,6 @@ and set the loglevel for components to "Debug".
 **Note:** All containers should write their log output to STDOUT, if you find (valuable) logs inside a container, please let us know!
 # Adding containers to a pod for debugging purposes
 During test or development you come across the need to execute tools, browse or even change things in the filesystem of another container.
 This can be a challenge the more security hardened container images are, because there are no debugging tools available and sometimes not even a shell.
 Adding a container to a Pod can ease the pain.
 Below you will find some wrap-up notes when it comes to debugging openDesk by adding debug containers. Of course there are a lot of more detailled resources out in the wild.
 ## Adding a container to a pod/deployment - Dev/Test only
 You can add a container by editing and updating an existing deployment, which is quite comforable with tools like [Lens](https://k8slens.dev/).
 - Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
 - Save & update the deployment.
 The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` container, in case you want to modify files, don't forget to set `readOnlyRootFilesystem` to `true` on the PHP container.
 ```
      shareProcessNamespace: true
      containers:
        - name: debugging
          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
          command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
          securityContext:
            capabilities:
              drop:
                - ALL
            privileged: false
            runAsUser: 65532
            runAsGroup: 65532
            runAsNonRoot: true
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
 ```
 - After the deployment was reloaded open the shell of the debugging container.
 - When you've been successful you will see the processes of both/all containers in the pod when doing a `ps aux`.
 - To access another containers filesystem just select the PID of a process from the other container an do a `cd /proc/<selected_process_id>/root`
 ## Temporary/ephemeral containers
 Interesting read we picked most of the details below from: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
 Sometimes you do not want to add a container permanently to your existing deployment. In that case you could use [ephemeral containers](https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/).
 For the commands further down this section we set some environment variables first:
 - `NAMESPACE`: The namespace the Pod you want to inspects is running in.
 - `DEPLOYMENT_NAME`: The name of the deployment responsible for spawning the Pod you want to inspect within the prementioned namespace.
 - `POD_NAME`: The name of the Pod you want to inspect within the prementioned namespace.
 - `EPH_CONTAINER_NAME`: Chose the name for the container, "debugging" seem obvious.
 - `DEBUG_IMAGE`: The image you want to make use of for debugging purposes.
 e.g.
 ```
 export EPH_CONTAINER_NAME=debugging
 export NAMESPACE=my_testdeployment
 export DEPLOYMENT_NAME=opendesk-nextcloud-php
 export POD_NAME=opendesk-nextcloud-php-6686d47cfb-7vtmf
 export DEBUG_IMAGE=registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
 ```
 You still need to ensure that your deployment supports process namespace sharing:
 ```
 kubectl -n ${NAMESPACE} patch deployment ${DEPLOYMENT_NAME} --patch '
 spec:
  template:
    spec:
      shareProcessNamespace: true'
 ```
 Now you can add the ephemeral container with:
 ```
 kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
 ```
 and open it's interactive terminal with
 ```
 kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 ```
 # Components
 ## MariaDB
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -10,7 +10,6 @@ This documentation should enable you to create your own evaluation instance of o
 <!-- TOC -->
 * [Requirements](#requirements)
 * [Customize environment](#customize-environment)
  * [DNS](#dns)
  * [Domain](#domain)
    * [Apps](#apps)
  * [Private registries](#private-registries)
@@ -50,25 +49,11 @@ files.
 For the following guide, we will use `dev` as environment, where variables can be set in
 `helmfile/environments/dev/values.yaml`.
 ## DNS
 The deployment is designed to deploy each application/service under a dedicated subdomain.
 For your convenience, we recommend to create a `*.domain.tld` A-Record to your cluster ingress controller,
 otherwise you need to create an A-Record for each subdomain.
 | Record name             | Type | Value                                              | Additional information                                                                  |
 | ----------------------- | ---- | -------------------------------------------------- | --------------------------------------------------------------------------------------- |
 | *.domain.tld            | A    | IPv4 address of your Ingress Controller            |                                                                                         |
 | *.domain.tld            | AAAA | IPv6 address of your Ingress Controller            |                                                                                         |
 | mail.domain.tld         | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
 | mail.domain.tld         | AAAA | IPv6 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix                        |
 | domain.tld              | MX   | `10 mail.domain.tld`                               |                                                                                         |
 | domain.tld              | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                                              |
 | _dmarc.domain.tld       | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                                                |
 | _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | The `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service. |
 ## Domain
 The deployment is designed to deploy each app under a subdomains. For your convenience, we recommend to create a
 `*.domain.tld` A-Record to your cluster ingress controller, otherwise you need to create an A-Record for each subdomain.
 A list of all subdomains can be found in `helmfile/environments/default/global.yaml`.
 All subdomains can be customized. For example, _Nextcloud_ can be changed to `files.domain.tld` in `dev` environment:
@@ -83,49 +68,29 @@ The domain have to be set either via `dev` environment
 ```yaml
 global:
-  domain: "domain.tld"
+  domain: "my.open.desk"
 istio:
  domain: "istio.my.open.desk"
 ```
 or via environment variable
 ```shell
-export DOMAIN=domain.tld
+export DOMAIN=my.open.desk
 export ISTIO_DOMAIN=istio.my.open.desk
 ```
-Additionally, you can announce/specify an alternative domain for mail and chat.
+When you configure each subdomain individually, you can set `global.domain` and `istio.domain` to the same value.
-As an example, if your domain is `domain.tld` and you want to send mails with this domain, then you can deploy openDesk to
+Istio is only used for Open-Xchange Appsuite 8, when you don't want to install it, you can disable Istio:
 `*.opendesk.domain.tld` and send mail as `default.user@domain.tld`.
 Webmail will be accessed via `mail.opendesk.domain.tld` in this scenario.
 The required routing have to be implemented by yourself.
 The alternative domains have to be set either via `dev` environment
 ```yaml
-global:
+istio:
-  mailDomain: "open.desk"
+  enabled: false
-  synapseDomain: "open.desk"
+oxAppsuite:
  enabled: false
 ```
 or via environment variable
 ```shell
 export MAIL_DOMAIN=open.desk
 export SYNAPSE_DOMAIN=open.desk
 ```
 If you want to federate with other Matrix instances, you need to add an SRV record to signal Matrix delegation.
 | Record name                    | Type | Value                     |
 |--------------------------------|------|---------------------------|
 | _matrix._tcp.SYNAPSE_DOMAIN    | SRV  | `1 10 PORT matrix.DOMAIN` |
 | matrix-fed._tcp.SYNAPSE_DOMAIN | SRV  | `1 10 PORT matrix.DOMAIN` |
 | MAIL_DOMAIN                    | MX   | `10 mail.domain.tld`    |
 _Hint:_ Replace `SYNAPSE_DOMAIN`, `MAIL_DOMAIN` and `DOMAIN` with proper values of your domain settings.
 _Hint:_ `matrix.DOMAIN` can also be an IP address where synapse tls port is listening to.
 ### Apps
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
--- a/docs/requirements.md
+++ b/docs/requirements.md
@@ -28,6 +28,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
 - Volume provisioner supporting RWO (read-write-once)
 - Certificate handling with [cert-manager](https://cert-manager.io/)
 - [Istio](https://istio.io/) is currently required to deploy and operate OX AppSuite8
 # Hardware
@@ -55,9 +56,13 @@ configured ingress controller deployed.
 **Maintained controllers:**
 - [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
 - [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
 - [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
 **Community Supported:**
 - [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
 When you want to use Open-Xchange Appsuite 8, you need to deploy and configure additionally [Istio](https://istio.io/)
 # Volume provisioner
 Initial evaluation deployment requires a `ReadWriteOnce` volume provisioner. For local deployment a local- or hostPath-
--- a/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-bot.yaml.gotmpl
@@ -12,7 +12,7 @@ configuration:
  bot:
    username: "meetings-bot"
    displayname: "Terminplaner Bot"
-  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  openxchangeBaseUrl: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  strings:
    breakoutSessionWidgetName: "Breakoutsessions"
    calendarRoomName: "Terminplaner"
--- a/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
+++ b/helmfile/apps/element/values-matrix-neodatefix-widget.yaml.gotmpl
@@ -4,7 +4,6 @@
 configuration:
  bot:
    username: "meetings-bot"
    homeserver: {{ .Values.global.synapseDomain | default .Values.global.domain }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
--- a/helmfile/apps/element/values-synapse-web.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse-web.yaml.gotmpl
@@ -1,8 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 clusterDomain: {{ .Values.cluster.networking.domain }}
 containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
--- a/helmfile/apps/element/values-synapse.yaml.gotmpl
+++ b/helmfile/apps/element/values-synapse.yaml.gotmpl
@@ -29,7 +29,6 @@ configuration:
    password: {{ .Values.databases.synapse.password | default .Values.secrets.postgresql.matrixUser | quote }}
  homeserver:
    serverName: {{ .Values.global.synapseDomain | default .Values.global.domain }}
    appServiceConfigs:
      - as_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
        hs_token: {{ .Values.secrets.intercom.synapseAsToken | quote }}
--- a/helmfile/apps/intercom-service/values.yaml.gotmpl
+++ b/helmfile/apps/intercom-service/values.yaml.gotmpl
@@ -27,7 +27,7 @@ global:
 ics:
  secret: {{ .Values.secrets.intercom.secret | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
-  originRegex: "{{ .Values.global.domain }}"
+  originRegex: "{{ .Values.istio.domain }}|{{ .Values.global.domain }}"
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
  default:
@@ -49,7 +49,7 @@ ics:
    password: {{ .Values.cache.intercomService.password | default .Values.secrets.redis.password | quote }}
  openxchange:
    oci: true
-    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    audience: "opendesk-oxappsuite"
  nextcloud:
    audience: "opendesk-nextcloud"
--- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
+++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl
@@ -9,6 +9,7 @@ global:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  istioDomain: {{ .Values.istio.domain }}
 additionalAnnotations:
  intents.otterize.com/service-name: "opendesk-nextcloud-php"
@@ -54,7 +55,7 @@ configuration:
      secretKey:
        value: {{ .Values.objectstores.nextcloud.secretKey | default .Values.secrets.minio.nextcloudUser | quote }}
    bucket: {{ .Values.objectstores.nextcloud.bucket | quote }}
-    host: {{ .Values.objectstores.nextcloud.endpoint | quote }}
+    host: {{ .Values.objectstores.nextcloud.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
    region: {{ .Values.objectstores.nextcloud.region | quote }}
    storageClass: {{ .Values.objectstores.nextcloud.storageClass | quote }}
    port: {{ .Values.objectstores.nextcloud.port | quote }}
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -4,7 +4,7 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
-  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  mysql:
    host: {{ .Values.databases.oxAppsuite.host | quote }}
    database: {{ .Values.databases.oxAppsuite.name | quote }}
@@ -13,6 +13,9 @@ global:
      password: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
      rootPassword: {{ .Values.databases.oxAppsuite.password | default .Values.secrets.mariadb.rootPassword | quote }}
 istio:
  enabled: {{ .Values.istio.enabled }}
 nextcloud-integration-ui:
  image:
    registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeNextcloudIntegrationUI.registry | quote }}
@@ -74,22 +77,18 @@ appsuite:
  switchboard:
    enabled: false
  istio:
-    enabled: false
+    enabled: {{ .Values.istio.enabled }}
-  ingress:
+    ingressGateway:
-    enabled: {{ .Values.ingress.enabled }}
+      name: "opendesk-gateway-istio-gateway"
    ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
    tls:
      enabled: true
      existingSecret: {{ .Values.ingress.tls.secretName | quote }}
    appsuite:
      hosts:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-    dav:
+    virtualServices:
-      hosts:
+      appsuite:
-        - "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+        hosts:
-    routes:
+          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
-      trailslash:
+      dav:
-        enabled: false
+        hosts:
          - "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
  core-mw:
    enabled: true
    asConfig:
@@ -100,7 +99,7 @@ appsuite:
        oidcPath: "/oidc"
    masterAdmin: "admin"
    masterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
-    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+    hostname: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
    serviceAccount:
      create: true
    features:
@@ -169,9 +168,9 @@ appsuite:
      com.openexchange.oidc.opJwkSetEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/certs"
      com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
      com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
-      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
+      com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/auth"
      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
+      com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/appsuite/api/oidc/logout"
      com.openexchange.oidc.ssoLogout: "true"
      com.openexchange.oidc.startDefaultBackend: "true"
      com.openexchange.oidc.userLookupClaim: "opendesk_username"
@@ -367,7 +366,7 @@ appsuite:
    enabled: true
    ingress:
      hosts:
-        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+        - host: "{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
      enabled: false
    imagePullSecrets:
    {{- range .Values.global.imagePullSecrets }}
@@ -386,8 +385,6 @@ appsuite:
      auth:
        enabled: true
        password: {{ .Values.secrets.redis.password | quote }}
        # Workaround for a bug in 8.23
        ca: ""
    resources:
      {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
      updater:
--- a/helmfile/apps/openproject/values.yaml.gotmpl
+++ b/helmfile/apps/openproject/values.yaml.gotmpl
@@ -155,7 +155,7 @@ resources:
 s3:
  enabled: true
  endpoint: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
-  host: {{ .Values.objectstores.openproject.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+  host: {{ (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
  pathStyle: {{ .Values.objectstores.openproject.pathStyle | quote }}
  region: {{ .Values.objectstores.openproject.region | quote }}
  bucketName: {{ .Values.objectstores.openproject.bucket | quote }}
--- a/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl
@@ -33,7 +33,7 @@ oxConnector:
  oxMasterAdmin: "admin"
  oxMasterPassword: {{ .Values.secrets.oxAppsuite.adminPassword | quote }}
  oxSmtpServer: "smtp://127.0.0.1:587"
-  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
+  oxSoapServer: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}"
 resources:
  {{ .Values.resources.oxConnector | toYaml | nindent 2 }}
--- a/helmfile/apps/services/helmfile.yaml
+++ b/helmfile/apps/services/helmfile.yaml
@@ -1,4 +1,3 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -17,17 +16,6 @@ repositories:
    url: "{{ .Values.global.helmRegistry | default .Values.charts.otterize.registry }}/\
      {{ .Values.charts.otterize.repository }}"
  # openDesk Home
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-home
  - name: "home-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.home.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.home.registry }}/\
      {{ .Values.charts.home.repository }}"
  # openDesk Certificates
  # Source: https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-certificates
  - name: "certificates-repo"
@@ -72,6 +60,17 @@ repositories:
    url: "{{ .Values.global.helmRegistry | default .Values.charts.postfix.registry }}/\
      {{ .Values.charts.postfix.repository }}"
  # openDesk Istio Resources
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-istio-resources
  - name: "istio-resources-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.istioResources.verify }}
    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.istioResources.registry }}/\
      {{ .Values.charts.istioResources.repository }}"
  # openDesk ClamAV
  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-clamav
  - name: "clamav-repo"
@@ -127,13 +126,6 @@ releases:
    installed: {{ .Values.security.otterizeIntents.enabled }}
    timeout: 900
  - name: "opendesk-home"
    chart: "home-repo/{{ .Values.charts.home.name }}"
    version: "{{ .Values.charts.home.version }}"
    values:
      - "values-home.yaml.gotmpl"
    installed: {{ .Values.home.enabled }}
  - name: "opendesk-certificates"
    chart: "certificates-repo/{{ .Values.charts.certificates.name }}"
    version: "{{ .Values.charts.certificates.version }}"
@@ -198,6 +190,14 @@ releases:
    installed: {{ .Values.clamavSimple.enabled }}
    timeout: 900
  - name: "opendesk-gateway"
    chart: "istio-resources-repo/{{ .Values.charts.istioResources.name }}"
    version: "{{ .Values.charts.istioResources.version }}"
    values:
      - "values-istio-gateway.yaml.gotmpl"
    installed: {{ .Values.istio.enabled }}
    timeout: 900
  - name: "minio"
    chart: "minio-repo/{{ .Values.charts.minio.name }}"
    version: "{{ .Values.charts.minio.version }}"
--- a/helmfile/apps/services/values-certificates.yaml.gotmpl
+++ b/helmfile/apps/services/values-certificates.yaml.gotmpl
@@ -11,6 +11,14 @@ global:
 issuerRef:
  name: {{ .Values.certificate.issuerRef.name | quote }}
 {{- if .Values.istio.enabled }}
 istio:
  enabled: {{ .Values.istio.enabled }}
  domain: {{ .Values.istio.domain | quote }}
  issuerRef:
    name: {{ .Values.istio.issuerRef.name | quote }}
 {{- end }}
 cleanup:
  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
--- a/helmfile/apps/services/values-home.yaml.gotmpl
+++ b/helmfile/apps/services/values-home.yaml.gotmpl
@@ -1,16 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  domain: {{ .Values.global.domain | quote }}
  hosts:
    {{ .Values.global.hosts | toYaml | nindent 4 }}
 ingress:
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...
--- a/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
+++ b/helmfile/apps/services/values-istio-gateway.yaml.gotmpl
@@ -0,0 +1,12 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 global:
  domain: {{ .Values.istio.domain | quote }}
  hosts:
    openxchange: {{ .Values.global.hosts.openxchange | quote }}
 tls:
  httpsRedirect: false
  secretName: "{{ .Values.istio.domain }}-tls"
 ...
--- a/helmfile/apps/services/values-postfix.yaml.gotmpl
+++ b/helmfile/apps/services/values-postfix.yaml.gotmpl
@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
  amavisHost: ""
  amavisPortIn: ""
-  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  domain: {{ .Values.global.domain | quote }}
  hostname: "postfix"
  inetProtocols: "ipv4"
  milterDefaultAction: "accept"
@@ -67,7 +67,7 @@ postfix:
  {{- else if .Values.clamavSimple.enabled }}
  smtpdMilters: "inet:clamav-simple:7357"
  {{- end }}
-  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  virtualMailboxDomains: {{ .Values.global.domain | quote }}
  virtualTransport: "lmtps:dovecot:24"
 replicaCount: {{ .Values.replicas.postfix }}
--- a/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -253,7 +253,7 @@ config:
        clientAuthenticatorType: "client-secret"
        secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
        redirectUris:
-          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*"
          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        consentRequired: false
        frontchannelLogout: false
@@ -261,8 +261,8 @@ config:
        authorizationServicesEnabled: false
        attributes:
          backchannel.logout.session.required: true
-          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
+          backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.istio.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
        protocolMappers:
          - name: "context"
            protocol: "openid-connect"
--- a/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
+++ b/helmfile/apps/univention-management-stack/values-umbrella.yaml.gotmpl
@@ -181,7 +181,6 @@ ldap-server:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
      tag: {{ .Values.images.umsWaitForDependency.tag | quote }}
  ldapServer:
    image:
      registry: {{ .Values.global.imageRegistry | default .Values.images.umsLdapServer.registry | quote }}
@@ -191,7 +190,6 @@ ldap-server:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
      tag: {{ .Values.images.umsLdapServer.tag | quote }}
    config:
      domainName: "{{ .Release.Namespace }}.{{ .Values.global.domain}}"
      ldapBaseDn: {{ .Values.ldap.baseDn | quote }}
@@ -419,10 +417,10 @@ portal-server:
    objectStorageBucket: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
    centralNavigation:
      enabled: true
-    objectStorageCredentialSecret:
+    credentialSecret:
      name: "ums-portal-server-minio-credentials"
-      accessKeyKey: "nubus-s3-access-key-id"
+      accessKeyId: "nubus-s3-access-key-id"
-      secretKeyKey: "nubus-s3-secret-key-id"
+      secretAccessKey: "nubus-s3-secret-key-id"
  extraVolumes:
    - name: authenticator-secret
@@ -537,26 +535,6 @@ provisioning:
          secretKeyRef:
            name: ums-provisioning-prefill-credentials
            key: NATS_PASSWORD
  nats:
    nats:
      image:
        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNats.registry | quote }}
        repository: {{ .Values.images.umsNats.repository | quote }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        tag: {{ .Values.images.umsNats.tag | quote }}
    natsBox:
      image:
        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsBox.registry | quote }}
        repository: {{ .Values.images.umsNatsBox.repository | quote }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        tag: {{ .Values.images.umsNatsBox.tag | quote }}
    reloader:
      image:
        registry: {{ .Values.global.imageRegistry | default .Values.images.umsNatsReloader.registry | quote }}
        repository: {{ .Values.images.umsNatsReloader.repository | quote }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
        tag: {{ .Values.images.umsNatsReloader.tag | quote }}
  ingress:
    host: "localhost"
@@ -609,7 +587,7 @@ stack-data-ums:
    # The openDesk configuration brings its own UMC policies.
    installUmcPolicies: false
    domainname: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    externalMailDomain: {{ .Values.global.domain | quote }}
    hostname: {{ .Values.global.hosts.univentionManagementStack | quote }}
    ldapHost: {{ .Values.ldap.host | quote }}
    ldapBase: {{ .Values.ldap.baseDn | quote }}
@@ -650,9 +628,9 @@ stack-data-swp:
      {{- end }}
    externalDomainName: {{ .Values.global.domain | quote }}
-    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    externalMailDomain: {{ .Values.global.domain | quote }}
-    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain | quote }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.istio.domain | quote }}
    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain | quote }}
    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain | quote }}
    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain | quote }}
@@ -782,7 +760,7 @@ udm-rest-api:
    secretRef: ums-udm-rest-api-credentials
    ldap:
      uri: "ldap://ums-ldap-server:389"
-      baseDn: {{ .Values.ldap.baseDn | quote }}
+      baseDN: {{ .Values.ldap.baseDn | quote }}
    tls:
      enabled: false
      secretName: "portal.{{ .Release.Namespace }}.gaia.open-desk.cloud"
@@ -937,6 +915,10 @@ umc-server:
      enabled: false
  memcached:
    bundled: false
    auth:
      username: null
      # This is also used by the umc-server Helm chart to generate a secret. The secrets content is represented as an environment variable. If said variable is empty, the container fails to start due to an entrypoint script erroring on a nullish value for the environment variable SELF_SERVICE_MEMCACHED_SECRET.
      password: "password"
    server: {{ .Values.cache.umsSelfservice.host | quote }}
  postgresql:
@@ -1543,7 +1525,7 @@ extraSecrets:
  - name: ums-portal-server-minio-credentials
    stringData:
      nubus-s3-access-key-id: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      nubus-s3-secret-key-id: {{ .Values.objectstores.univentionManagementStack.secretKey | default .Values.secrets.minio.umsUser | quote }}
+      nubus-s3-secret-key-id: {{ .Values.secrets.minio.umsUser | quote }}
  - name: ums-portal-server-authenticator-credentials
    stringData:
      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
--- a/helmfile/environments/default/charts.yaml
+++ b/helmfile/environments/default/charts.yaml
@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 #
 # Please read the /docs/development.md for information about structure and annotations used in this file.
@@ -14,7 +14,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-certificates"
    name: "opendesk-certificates"
-    version: "2.1.3"
+    version: "2.1.1"
    verify: true
  clamav:
    # providerCategory: 'Platform'
@@ -68,7 +68,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
    name: "dovecot"
-    version: "1.3.10"
+    version: "1.3.8"
    verify: true
  element:
    # providerCategory: 'Platform'
@@ -78,7 +78,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-element"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  elementWellKnown:
    # providerCategory: 'Platform'
@@ -88,17 +88,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-well-known"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  home:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
    # upstreamRegistry: 'registry.opencode.de'
    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-home'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-home"
    name: "opendesk-home"
    version: "1.0.1"
    verify: true
  intercomService:
    # providerCategory: 'Supplier'
@@ -112,6 +102,16 @@ charts:
    name: "intercom-service"
    version: "2.0.1"
    verify: true
  istioResources:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
    # upstreamRegistry: 'registry.opencode.de'
    # upstreamRepository: 'bmi/opendesk/components/platform-development/charts/opendesk-istio-resources/istio-gateway'
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-istio-resources"
    name: "istio-gateway"
    version: "2.0.1"
    verify: true
  jitsi:
    # providerCategory: 'Platform'
    # providerResponsible: 'openDesk'
@@ -180,7 +180,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-matrix-user-verification-service"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  memcached:
    # providerCategory: 'Community'
@@ -210,7 +210,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud"
-    version: "1.5.2"
+    version: "1.5.0"
    verify: true
  nextcloudManagement:
    # providerCategory: 'Platform'
@@ -220,7 +220,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
    name: "opendesk-nextcloud-management"
-    version: "1.5.2"
+    version: "1.5.0"
    verify: true
  nginx:
    # providerCategory: 'Community'
@@ -274,7 +274,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
    name: "appsuite-public-sector"
-    version: "2.5.3"
+    version: "2.4.49"
    verify: false
  openXchangeAppSuiteBootstrap:
    # providerCategory: 'Platform'
@@ -294,7 +294,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
    name: "opendesk-otterize"
-    version: "2.0.1"
+    version: "2.0.0"
    verify: true
  oxConnector:
    # providerCategory: 'Supplier'
@@ -346,7 +346,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  synapseCreateAccount:
    # providerCategory: 'Platform'
@@ -356,7 +356,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-create-account"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  synapseWeb:
    # providerCategory: 'Platform'
@@ -366,7 +366,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
    name: "opendesk-synapse-web"
-    version: "2.7.1"
+    version: "2.6.7"
    verify: true
  ums:
    # providerCategory: 'Supplier'
@@ -380,7 +380,7 @@ charts:
    registry: "registry.souvap-univention.de"
    repository: "souvap/tooling/charts/univention"
    name: "ums"
-    version: "0.12.0"
+    version: "0.11.0"
    verify: true
  umsKeycloakBootstrap:
    # providerCategory: 'Supplier'
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.7.0"
+    releaseVersion: "v0.5.81"
 ...
--- a/helmfile/environments/default/global.gotmpl
+++ b/helmfile/environments/default/global.gotmpl
@@ -11,14 +11,6 @@ global:
  #
  domain: {{ env "DOMAIN" | default "souvap.cloud" | quote }}
  ## Define mail host
  #
  mailDomain: {{ env "MAIL_DOMAIN" | quote }}
  ## Define synapse host
  #
  synapseDomain: {{ env "SYNAPSE_DOMAIN" | quote }}
  ## Define docker registry address.
  #
  helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -306,7 +306,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '51']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.23.47@sha256:b721bf41d7f06b328e9235a0561436cb678bc2a1a67202f0fa6e1f55956cc0cc"
+    tag: "8.22.52@sha256:dab45b0e308b8d5c6c5cb5ec5be9d711f55e7aa87375c4b08ab178287bb7b769"
  openxchangeCoreUI:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -316,7 +316,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '1']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.23.2@sha256:0cc07053cbb9d7062a17ef807c6a6942a912748243a6f0c63a892d5cb2953351"
+    tag: "8.22.1@sha256:4b581d8fb3761156a5dd81a2cebc1c7a0382652d01ba6ee933527f9899b41768"
  openxchangeCoreUIMiddleware:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -326,7 +326,7 @@ images:
    # upstreamMirrorStartFrom: ['2', '0', '0']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.0.3@sha256:56fe8afe841105f0725674e36afc6f10f22751e3c21a301a6322834383f2d786"
+    tag: "2.0.2@sha256:eafcc0242b3fd93a777077c136b9e87fe03b163988731c15f0d3cd2ba39a2165"
  openxchangeCoreUserGuide:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -336,7 +336,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '799279']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.23.941932@sha256:231b13cb795241513d2f54ee4bc628843ae737b5ecceab758aba3658f03de1bd"
+    tag: "8.22.909960@sha256:dbd3f3a37c2d0a2885234cee53d79bf69015392c1381433c008694b4b99ddf30"
  openxchangeDocumentConverter:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -346,7 +346,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '50']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.23.43@sha256:aa9bbce833ae018573997fb07dcaf32bb7c5c4c6a7d6331f3d3156fd5b8d53b3"
+    tag: "8.22.49@sha256:21ab0b52fa54fb5be969c4c689e4b7724b7bf9ee79b1bf166ab27d8c67e3a6b6"
  openxchangeGotenberg:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -366,7 +366,7 @@ images:
    # upstreamMirrorStartFrom: ['4', '2', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.23.0@sha256:0510458017fa028582515ce18c0b12f91ac9e23f0e94e99ac34fd49b07146c01"
+    tag: "8.22.0@sha256:89c18129a2bdffe24587494e96ad12e95c01c25cd7a6a7b177afc75fec70415c"
  openxchangeImageConverter:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -376,7 +376,7 @@ images:
    # upstreamMirrorStartFrom: ['8', '20', '50']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.23.43@sha256:ecc77a569f60e1b14f0d77ec93d891200b89d11eb9d7c26f59fa7696343e20e3"
+    tag: "8.22.49@sha256:42841719c515b21f5d6e18296116fe690ac63f82f5acfa877652c2639911f127"
  openxchangeNextcloudIntegrationUI:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Open-Xchange'
@@ -587,30 +587,6 @@ images:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
    tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
  umsNats:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
    # upstreamRegistry: 'registry-1.docker.io'
    # upstreamRepository: 'library/nats'
    registry: "registry-1.docker.io"
    repository: "library/nats"
    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
  umsNatsBox:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
    # upstreamRegistry: 'registry-1.docker.io'
    # upstreamRepository: 'natsio/nats-box'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-box"
    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
  umsNatsReloader:
    # providerCategory: 'Community'
    # providerResponsible: 'Univention'
    # upstreamRegistry: 'registry-1.docker.io'
    # upstreamRepository: 'natsio/nats-server-config-reloader'
    registry: "registry-1.docker.io"
    repository: "natsio/nats-server-config-reloader"
    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
  umsNotificationsApi:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -650,7 +626,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '9', '4']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
+    tag: "0.20.3@sha256:8960b54477d4a74e8cb52f66264928e0940b725c349cda2a22ede67e216f5f1e"
  umsPortalServer:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -732,13 +708,13 @@ images:
  umsUdmRestApi:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'artifacts.software-univention.de'
+    # upstreamRegistry: 'registry.souvap-univention.de'
-    # upstreamRepository: 'nubus/images/udm-rest-api'
+    # upstreamRepository: 'souvap/tooling/images/univention/udm-rest-api'
    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ['0', '9', '3']
+    # upstreamMirrorStartFrom: ['0', '5', '2']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
+    tag: "0.9.2@sha256:3309171c63f46cd3dccd15eb24af5dbb13f8abbc39c95e5a2d24d0d802ea896f"
  umsUmcGateway:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
@@ -758,7 +734,7 @@ images:
    # upstreamMirrorStartFrom: ['0', '7', '3']
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.11.8@sha256:38a87524703a1e11fbb3cd3cc9d90d5b719e92329a0e3ea05c50451105d64ac6"
+    tag: "0.11.6@sha256:f598a39206cf1acc901876e5d54b6c6e47980e979b5e29677f7738c3acaf75d3"
  umsWaitForDependency:
    # providerCategory: 'Supplier'
    # providerResponsible: 'Univention'
--- a/helmfile/environments/default/istio.gotmpl
+++ b/helmfile/environments/default/istio.gotmpl
@@ -0,0 +1,15 @@
 {{/*
 SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 istio:
  enabled: true
  domain: {{ env "ISTIO_DOMAIN" | default "souvap.cloud" | quote }}
  virtualService:
    enabled: false
  gateway:
    enabled: true
  issuerRef:
    name: "letsencrypt-istio-prod"
 ...
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -1,4 +1,3 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
@@ -16,8 +15,6 @@ dovecot:
  enabled: true
 element:
  enabled: true
 home:
  enabled: true
 intercom:
  enabled: true
 jitsi:
Author	SHA1	Message	Date
Dominik Kaminski	4a23e39b6a	fix(univention-management-stack): Update otterize helm chart	2024-04-07 22:02:30 +02:00
Thorsten Roßner	81ed9d9094	fix(univention-management-stack): Use nubus umbrella helm chart	2024-04-07 17:15:17 +02:00
Jaime Conde	9df91c4ee4	fix(univention-management-stack): add Guardian provisioning job image	2024-04-05 18:09:05 +02:00
Andreas Niemann	5f9036bd64	fix(univention-management-stack): Update UMC to 0.11.6 This change is a preparatory step towards the integration of the upcoming umbrella chart. It updates both the chart and images to the current release and adjusts the value files accordingly.	2024-04-05 12:42:22 +02:00