fix(nubus): Migrate default users to extension

Allows to chose if system generated mails are sent from `@<domain>` or from `@<component>.<domain>`.

.gitignore

@@ -5,8 +5,8 @@
 .yamllint
 
 # Ignore changes to sample environments
-helmfile/environments/dev/values.yaml.gotmpl
-helmfile/environments/prod/values.yaml.gotmpl
+helmfile/environments/dev/*.yaml.gotmpl
+helmfile/environments/prod/*.yaml.gotmpl
 
 # Ignore in CI generated files
 .kyverno/opendesk.yaml
@@ -14,3 +14,10 @@ helmfile/environments/prod/values.yaml.gotmpl
 
 # Ignore editor backup files
 *~
+
+# Ignore ./log directory and *.log files
+logs
+*.log
+
+# Ignore backup files, e.g. created by the script that eases the local chart development
+*.bak

.gitlab-ci.yml

@@ -15,12 +15,16 @@ include:
     ref: "main"
   - local: "/.gitlab/lint/lint-opendesk.yml"
     rules:
-      - if: "$JOB_OPENDESK_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+      - if: >
+            $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+            $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
         when: "never"
       - when: "always"
   - local: "/.gitlab/lint/lint-kyverno.yml"
     rules:
-      - if: "$JOB_KYVERNO_LINTER_ENABLED == 'false' || $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'"
+      - if: >
+            $JOB_OPENDESK_LINTER_ENABLED == 'false' ||
+            $CI_PIPELINE_SOURCE =~ 'tags|merge_request_event|web|trigger|api'
         when: "never"
       - when: "always"
 
@@ -32,9 +36,11 @@ stages:
   - "env-cleanup"
   - "env"
   - "pre-services-deploy"
+  - "migrations-pre"
   - "basic-services-deploy"
   - "component-deploy-stage-1"
   - "component-deploy-stage-2"
+  - "migrations-post"
   - "lint"
   - "tests"
   - "env-stop"
@@ -73,6 +79,12 @@ variables:
     options:
       - "yes"
       - "no"
+  DEPLOY_MIGRATIONS:
+    description: "Deploy K8s job for migrations (pre & post)."
+    value: "no"
+    options:
+      - "yes"
+      - "no"
   DEPLOY_SERVICES:
     description: "Enable Service deployment."
     value: "no"
@@ -80,7 +92,7 @@ variables:
       - "yes"
       - "no"
   DEPLOY_UMS:
-    description: "Enable Univention Management Stack deployment."
+    description: "Enable Nubus deployment."
     value: "no"
     options:
       - "yes"
@@ -204,6 +216,7 @@ env-cleanup:
         done
         kubectl delete pvc --all --namespace ${NAMESPACE};
         kubectl delete jobs --all --namespace ${NAMESPACE};
+        kubectl delete configmaps --all --namespace ${NAMESPACE};
       else
         helmfile destroy --namespace ${NAMESPACE};
       fi
@@ -246,6 +259,30 @@ policies-deploy:
     COMPONENT: "services"
     ADDITIONAL_ARGS: "-l name=opendesk-otterize"
 
+migrations-pre:
+  stage: "migrations-pre"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-pre"
+
+migrations-post:
+  stage: "migrations-post"
+  extends: ".deploy-common"
+  rules:
+    - if: >
+          $CI_PIPELINE_SOURCE =~ "web|schedules|trigger|api" &&
+          $NAMESPACE =~ /.+/ &&
+          ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_MIGRATIONS != "no")
+      when: "on_success"
+  variables:
+    COMPONENT: "migrations-post"
+
 services-deploy:
   stage: "basic-services-deploy"
   extends: ".deploy-common"
@@ -280,7 +317,7 @@ ums-deploy:
           ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_UMS != "no")
       when: "on_success"
   variables:
-    COMPONENT: "univention-management-stack"
+    COMPONENT: "nubus"
 
 ox-deploy:
   stage: "component-deploy-stage-1"

.gitlab/lint/lint-kyverno.yml

@@ -17,12 +17,12 @@ lint-kyverno:
           - "intercom-service"
           - "jitsi"
           - "nextcloud"
+          - "nubus"
           - "open-xchange"
           - "openproject"
           - "openproject-bootstrap"
           - "provisioning"
           - "services"
-          - "univention-management-stack"
           - "xwiki"
   script:
     - "cd ${CI_PROJECT_DIR}/helmfile/apps/${APP}"

.reuse/dep5

@@ -3,8 +3,8 @@ Upstream-Name: openDesk - der Souveräne Arbeitsplatz
 Upstream-Contact: <opendesk@zendis.de>
 Source: https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk
 
-Files: helmfile/environments/default/theme/*
-Copyright: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+Files: helmfile/files/theme/*
+Copyright: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 License: Apache-2.0
 
 Files: helmfile/files/gpg-pubkeys/*

CHANGELOG.md

@@ -1,3 +1,55 @@
+# [0.9.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.8.1...v0.9.0) (2024-07-24)
+
+
+### Bug Fixes
+
+* **collabora:** Update to 24.04.5.1.1. ([8a2d951](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/8a2d951c3b59c3f8ddb508ad8f95798774b7c4b0))
+* **collabora:** Update to 24.04.5.1.2. ([74d444e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/74d444e2d6065082be3ca90373a4d3b1836ea7a8))
+* **docs:** Update workflow.md. ([fd3df7d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fd3df7df6740d8e54b433c039d294843582e8947))
+* **docu:** Update documentation on integration uses cases ([#95](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/95)). ([382af1d](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/382af1dfb966b5d10da4790212d6422a4a8c5618))
+* **helmfile:** Add S3 bucket for migrations. ([972020f](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/972020f946d8238e65b1c1e2942682c797306e1a))
+* **helmfile:** Streamline prefixes for customizable defaults. UPGRADES: See `./docs/migrations.md` for more details. ([26a7641](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/26a7641a5ab764196af6bbe26d97907de86f541e))
+* **jitsi:** Raise memory limit for jicofo and jvb as required by upstream product. ([fe923bb](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/fe923bb9cd58873957adb018c1410d33bb4d8f3a))
+* **keycloak:** Support for custom OIDC Clients and ClientScopes. ([46412d1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/46412d1a9e4547dea8d0da3e322400ea148edf19))
+* **nextcloud:** Support templating of default quota and `*_retention_obligation` settings ([#93](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/93)). ([23ef1d5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/23ef1d557bc0fdf6faac59f7a287f1ef1b302404))
+* **nextcloud:** Update to 28.0.7 including latest apps for 28. ([671f57a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/671f57a809eb4bb791698cda39f7711ac4833334))
+* **nextcloud:** Update to 28.0.7 including the apps, fix admin panel warnings ([#94](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/issues/94)). Updated `cluster.networking.cidr` potentially requires manual migration, see `docs/migrations.md` for details. ([63f8394](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/63f8394e044670a89a642e933600b68ff740a102))
+* **openproject:** Bump to 14.3.0 and update Helm chart to 7.0.0. ([6b609ed](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6b609edc4a60601ca45372b4fc691f0ac7c9ed93))
+* **openproject:** Support for adding token to enable OpenProject Premium. ([dfaf4be](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/dfaf4be640209f5908815cceaf29db591212ddaa))
+* **xwiki:** Add email address mapping to LDAP sync; Fix hostname `null` value in notification links. ([1067e72](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1067e725b3dabce4ddfeb60b4cbe9e5b4d0db0e5))
+* **xwiki:** Remove .rtf and .odt export options as they are currently non functional. ([b806d51](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b806d51311c6d406ea3c93842601ddf5dbd13bb3))
+* **xwiki:** Update to 16.4. ([db7f5d6](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/db7f5d60bdae437cebe58ab10f928a4a348e1ee3))
+* **xwiki:** Update to 16.4.1. ([e54aaab](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e54aaab072f31713b5172e4bab9ba7e9ca9c5c26))
+
+
+### Features
+
+* **authentication:** Avoid that users can open a app they do not have the appropriate LDAP group set for. Implementation is based on role based client scopes. Introducing also an openDesk migration approach with a pre and post deployment stage. ([b4570a9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/b4570a9a873efa6c896fe543ab0ba3b94fd086c0))
+
+## [0.8.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.8.0...v0.8.1) (2024-07-01)
+
+
+### Bug Fixes
+
+* **collabora:** Bump image to 24.04.4.1.1. ([368fe13](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/368fe13ddb080f0c8f42cbd3612a29f818308708))
+* **collabora:** Bump image to 24.04.4.2.1. ([01767d3](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01767d38061259853e4bd8b2eba31d3b04c4e672))
+* **docs:** Add Ports section to getting started. ([c07b25c](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c07b25c4b9a702e214373fe08d95827286ebd866))
+* **docs:** Correction regarding the currently supported ingress controller. ([8514908](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/85149086ae70cb85a1718715747985a3da2a7b64))
+* **docs:** Update regarding the currently supported ingress controller. ([064a5ad](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/064a5ad246ea7217c2fb107787228d7aca9b5028))
+* **element:** Provide the internal cluster domain to `synapse-web`. ([a8692d5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/a8692d5506dc65895a562423d8ddb7da9078fc3a))
+* **helmfile:** Add script to ease local development of platform charts. ([d8f3e05](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/d8f3e05e584116f6196d43e0ea9bb8946ab2e5ab))
+* **helmfile:** Enable SMTP for XWiki and Element/Synapse; Streamline mail sender addresses within platform based on `<localpart>@<component>.<domain>` and allow configuration of `<localpart>`. ([01c5e6b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/01c5e6b359dd5eb42c98e818da301871bea79264))
+* **helmfile:** Include all `.yaml.gotmpl` files for the envs in `environments.yaml`. ([e523434](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e52343440d81c0596177399058b4711cc0d5da67))
+* **helmfile:** Streamline `functional.yaml`. *Upgrade notice:* If you set a non default value for `.Values.portal.enableDeploymentInformation` please change it to `.Values.admin.portal.deploymentInformation.enabled` with this version. ([e89b16a](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/e89b16a747f95be7661b1fd4f5c90acce638542e))
+* **jitsi:** Update PatchJVB bitnami/kubectl image to 1.30.2. ([6ef3641](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/6ef3641d82d88d6fed80652b239bc63115abbf2d))
+* **nubus:** Enable Keycloak's user account console. ([c03e4a5](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c03e4a534090dde46363a7cfab718bb307e22621))
+* **nubus:** Remove doublette ingress annotations. ([890b36e](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/890b36ecbb8c9311b5048d8d6d50ee5acf00ea61))
+* **open-xchange:** Fixing YAML indentation of updater resources ([0ce346b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/0ce346b162feb0bc6fee7f18caee84917117abe1))
+* **openproject:** Bump image to 14.2.0. ([1ad35f1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/1ad35f1e12e236607e3830da6d08010eb465b501))
+* **openproject:** Switch DBInit container image to Alpine based version to reduce footprint. ([c90f7c1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/c90f7c1742d415d5a787ff5832959e2974b77b83))
+* **openproject:** Update PostgreSQL image for DB init to 16.3. ([45e5699](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/45e569955d09c584490e6826651f7564567c1f9b))
+* **services:** Allow Postfix "relayHost" to be empty. ([7268f60](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/7268f607a5839c6e940ce07fa15c1ffec9610d19))
+
 # [0.8.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v0.7.1...v0.8.0) (2024-06-10)
 
 

README.md

@@ -29,16 +29,16 @@ openDesk is a Kubernetes based, open-source and cloud-native digital workplace s
 openDesk currently features the following functional main components:
 
 | Function             | Functional Component        | Component<br/>Version                                                                 | Upstream Documentation                                                                                                                       |
-| -------------------- | --------------------------- | -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+| -------------------- | --------------------------- |---------------------------------------------------------------------------------------| -------------------------------------------------------------------------------------------------------------------------------------------- |
 | Chat & collaboration | Element ft. Nordeck widgets | [1.11.67](https://github.com/element-hq/element-desktop/releases/tag/v1.11.67)        | [For the most recent release](https://element.io/user-guide)                                                                                 |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                      | [For the most recent release](https://docs.cryptpad.org/en/)                                                                                 |
 | File management      | Nextcloud                   | [28.0.5](https://nextcloud.com/de/changelog/#28-0-5)                                  | [Nextcloud 28](https://docs.nextcloud.com/)                                                                                                  |
-| Groupware            | OX App Suite                | [8.23](https://documentation.open-xchange.com/appsuite/releases/8.23/)                                         | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
-| Knowledge management | XWiki                       | [15.10.8](https://www.xwiki.org/xwiki/bin/view/Blog/XWiki15108Released)                                        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
+| Groupware            | OX App Suite                | [8.26](https://documentation.open-xchange.com/appsuite/releases/8.26/)                | Online documentation available from within the installed application; [Additional resources](https://www.open-xchange.com/resources/oxpedia) |
+| Knowledge management | XWiki                       | [16.4.1](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.1/)        | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                            |
 | Portal & IAM         | Nubus                       | Product Preview[^1]                                                                   | [Univention's documentation website](https://docs.software-univention.de/n/en/index.html)                                                    |
-| Project management   | OpenProject                 | [14.1.1](https://www.openproject.org/docs/release-notes/14-1-1/)                                               | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
-| Videoconferencing    | Jitsi                       | [2.0.9457](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9457)                          | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
-| Weboffice            | Collabora                   | [24.04.3.1.1](https://www.collaboraoffice.com/collabora-online-24-04-release-notes/)                           | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
+| Project management   | OpenProject                 | [14.4.0](https://www.openproject.org/docs/release-notes/14-4-0/)                      | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                                  |
+| Videoconferencing    | Jitsi                       | [2.0.9646](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9646) | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                                   |
+| Weboffice            | Collabora                   | [24.04.6.2.1](https://www.collaboraoffice.com/code-24-04-release-notes/)              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)               |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

cspell.json

@@ -60,7 +60,21 @@
         "Nordeck",
         "Nubus",
         "Souveräne",
-        "Arbeitsplatz"
+        "Arbeitsplatz",
+        "commandline",
+        "helmfiles",
+        "SMTPS",
+        "IMAPS",
+        "xwiki",
+        "cryptpad",
+        "clamav",
+        "templating",
+        "localpart",
+        "Addressbooks",
+        "filestore",
+        "trashbin",
+        "bootstrap",
+        "configurability"
     ],
     "ignoreWords": [],
     "import": []

dev/README.md

@@ -0,0 +1,36 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Tools for local development</h1>
+
+* [charts-local.py](#charts-localpy)
+  * [Commandline parameter](#commandline-parameter)
+    * [`--branch`](#--branch)
+    * [`--revert`](#--revert)
+
+# charts-local.py
+
+This script helps you on cloning the platform development Helm charts and referencing them directly in the openDesk
+Helmfile deployment for comfortable local test and development. The charts will be cloned into a directory
+parallel created next to the `opendesk` repo containing this documentation and the `charts-local.py` script.
+The name of the chart directory is derived from the branch name you are working with in this `opendesk` repo.
+
+The script will create `.bak` copies of the helmfiles that have been touched.
+
+Run the script with `-h` to get information about the script's parameter on commandline.
+
+## Commandline parameter
+
+### `--branch`
+
+Optional parameter: Defines a branch for the `opendesk` repo to work with. The script will create the branch if it
+does not exist yet. Otherwise it will switch to defined branch.
+
+If parameter is omitted the current branch of the `opendesk` repo will be used.
+
+### `--revert`
+
+Reverts the changes in the helmfiles pointing to the local Helm charts by copying the backup files created by the
+scripts itself back to their original location.

dev/charts-local.py

@@ -0,0 +1,170 @@
+#!/usr/bin/env python3
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+
+import os.path
+import logging
+import yaml
+import sys
+import shutil
+import re
+import configargparse
+
+from pathlib import Path
+from git import Repo
+
+p = configargparse.ArgParser()
+p.add('--branch', env_var='CHART_DEV_BRANCH', help='The branch you want to work with. Will be created by the script if it does not exist yet.')
+p.add('--git_hostname', env_var='GIT_HOSTNAME', default='git@gitlab.opencode.de', help='Set the hostname for the chart git checkouts.')
+p.add('--revert', default=False, action='store_true', help='Set this parameter if you want to revert the referencing of the local helm chart checkout paths in the helmfiles.')
+p.add('--loglevel', env_var='LOGLEVEL', default='DEBUG', help='Set the loglevel: DEBUG, INFO, WARNING, ERROR, CRITICAL-')
+options = p.parse_args()
+
+script_path = os.path.dirname(os.path.realpath(__file__))
+# some static definitions
+log_path = script_path+'/../logs'
+charts_yaml = script_path+'/../helmfile/environments/default/charts.yaml'
+base_repo_path = script_path+'/..'
+base_helmfile = base_repo_path+'/helmfile_generic.yaml'
+helmfile_backup_extension = '.bak'
+
+Path(log_path).mkdir(parents=True, exist_ok=True)
+
+logFormatter = logging.Formatter("%(asctime)s %(levelname)-5.5s %(message)s")
+rootLogger = logging.getLogger()
+rootLogger.setLevel(options.loglevel)
+
+fileHandler = logging.FileHandler("{0}/{1}.log".format(log_path, os.path.basename(__file__)))
+fileHandler.setFormatter(logFormatter)
+rootLogger.addHandler(fileHandler)
+
+consoleHandler = logging.StreamHandler()
+consoleHandler.setFormatter(logFormatter)
+rootLogger.addHandler(consoleHandler)
+
+logging.debug(f"Working with relative paths from script location: {script_path}")
+logging.debug(f"Log directory: {log_path}")
+logging.debug(f"charts.yaml  : {charts_yaml}")
+
+
+def create_or_switch_branch_base_repo():
+    base_repo = Repo(path=base_repo_path)
+    current_branch = base_repo.active_branch.name
+    if not options.branch:
+        branch = current_branch
+        logging.debug(f"No branch specified on commandline, working with current branch: {current_branch}")
+    else:
+        branch = options.branch
+        if branch in base_repo.branches:
+            if branch != current_branch:
+                logging.debug(f"Selected {branch} already exists, switching.")
+                # ToDo: Graceful handle: "Please commit your changes or stash them before you switch branches."
+                base_repo.git.switch(branch)
+            else:
+                logging.debug(f"Already on selected brach {branch}")
+        else:
+            logging.debug(f"Creating branch {branch} and switching")
+            base_repo.git.branch(branch)
+            base_repo.git.switch(branch)
+    return branch
+
+
+def clone_charts_locally(branch, charts):
+    charts_clone_path = script_path+'/../../'+branch.replace('/', '_')
+    charts_dict = {}
+    doublette_dict = {}
+    if os.path.isdir(charts_clone_path):
+        logging.warning(f"Path {charts_clone_path} already exists, will not clone any charts.")
+    else:
+        logging.debug(f"creating directory {charts_clone_path} to clone charts into")
+        Path(charts_clone_path).mkdir(parents=True, exist_ok=True)
+
+    for chart in charts['charts']:
+        if 'opendesk/components/platform-development/charts' in charts['charts'][chart]['repository']:
+            tag = charts['charts'][chart]['version']
+            logging.debug(f"Working on {chart} / tag {tag}")
+            repository = charts['charts'][chart]['repository']
+            git_url = options.git_hostname+':'+repository
+            chart_repo_path = charts_clone_path+'/'+charts['charts'][chart]['name']
+            if git_url in doublette_dict:
+                logging.debug(f"{chart} located at {git_url} is already checked out to {doublette_dict[git_url]}")
+                charts_dict[chart] = doublette_dict[git_url]
+            else:
+                if os.path.isdir(chart_repo_path):
+                    logging.debug(f"Already exists {chart_repo_path} leaving it unmodified")
+                else:
+                    logging.debug(f"Cloning into {chart_repo_path}")
+                    Repo.clone_from(git_url, chart_repo_path)
+                    chart_repo = Repo(path=chart_repo_path)
+                    chart_repo.git.checkout('v'+charts['charts'][chart]['version'])
+                doublette_dict[git_url] = chart_repo_path
+                charts_dict[chart] = chart_repo_path
+    return charts_dict
+
+
+def grep_yaml(file):
+    with open(file, 'r') as file:
+        content = ''
+        for line in file.readlines():
+            if not ': {{' in line and not '- {{' in line:
+                content += line
+    return yaml.safe_load(content)
+
+
+def get_child_helmfiles():
+    child_helmfiles = []
+    root_helmfile = grep_yaml(base_helmfile)
+    for entry in root_helmfile['helmfiles']:
+        child_helmfiles.append(base_repo_path+'/'+entry['path'])
+    return child_helmfiles
+
+
+def process_the_helmfiles(charts_dict, charts):
+    chart_def_prefix = '    chart: "'
+    child_helmfiles = get_child_helmfiles()
+    for child_helmfile in child_helmfiles:
+        child_helmfile_updated = False
+        output = []
+        with open(child_helmfile, 'r') as file:
+            for line in file:
+                if chart_def_prefix in line:
+                    for chart_ident in charts_dict:
+                        if '.Values.charts.'+chart_ident+'.name' in line:
+                            logging.debug(f"found match with {chart_ident} in {line.strip()}")
+                            line = chart_def_prefix+charts_dict[chart_ident]+'/charts/'+charts['charts'][chart_ident]['name']+'" # replaced by local-dev script'+"\n"
+                            child_helmfile_updated = True
+                            break
+                output.append(line)
+        if child_helmfile_updated:
+            child_helmfile_backup = child_helmfile+helmfile_backup_extension
+            if os.path.isfile(child_helmfile_backup):
+                logging.debug("backup {child_helmfile_backup} already exists, will not create a new one.")
+            else:
+                logging.debug(f"creating backup {child_helmfile_backup}.")
+                shutil.copy2(child_helmfile, child_helmfile_backup)
+            logging.debug(f"Updating {child_helmfile}")
+            with open(child_helmfile, 'w') as file:
+                file.writelines(output)
+
+
+def revert_the_helmfiles():
+    child_helmfiles = get_child_helmfiles()
+    for child_helmfile in child_helmfiles:
+        child_helmfile_backup = child_helmfile+helmfile_backup_extension
+        if os.path.isfile(child_helmfile_backup):
+            logging.debug(f"Reverting {child_helmfile} from backup {child_helmfile_backup}")
+            os.rename(child_helmfile_backup, child_helmfile)
+        else:
+            logging.debug(f"Did not found the backup file {child_helmfile_backup}")
+
+##
+## Main program
+##
+if options.revert:
+    revert_the_helmfiles()
+else:
+    branch = create_or_switch_branch_base_repo()
+    with open(charts_yaml, 'r') as file:
+        charts = yaml.safe_load(file)
+    charts_dict = clone_charts_locally(branch, charts)
+    process_the_helmfiles(charts_dict, charts)

dev/requirements.txt

@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+
+configargparse
+pyyaml
+GitPython

docs/components.md

@@ -10,11 +10,11 @@ This section covers the internal system requirements as well as external service
 <!-- TOC -->
 * [Overview](#overview)
 * [Component integration](#component-integration)
-  * [Intercom Service (ICS)](#intercom-service-ics)
+  * [Intercom Service / Silent Login](#intercom-service--silent-login)
   * [Filepicker](#filepicker)
   * [Central Navigation](#central-navigation)
-  * [(Read \& write) Central contacts](#read--write-central-contacts)
-  * [OpenProject file store](#openproject-file-store)
+  * [Central Contacts](#central-contacts)
+  * [File Store (OpenProject -\> Nextcloud)](#file-store-openproject---nextcloud)
 * [Identity data flows](#identity-data-flows)
 * [Provisioning](#provisioning)
 <!-- TOC -->
@@ -33,6 +33,7 @@ they need to be replaced in production deployments.
 | ClamAV (Simple)             | Antivirus engine               | Eval       |
 | Collabora                   | Weboffice                      | Functional |
 | CryptPad                    | Weboffice                      | Functional |
+| dkimpy-milter               | DKIM milter for Postfix        | Eval       |
 | Element                     | Secure communications platform | Functional |
 | Intercom Service            | Cross service data exchange    | Functional |
 | Jitsi                       | Videoconferencing              | Functional |
@@ -56,58 +57,91 @@ Some use cases require inter component integration.
 
 ```mermaid
 flowchart TD
-  OXAppSuiteFrontend-->|SilentLogin, Filepicker, CentralNavigation|IntercomService
-  Element-->|CentralNavigation|IntercomService
-  IntercomService-->|SilentLogin, TokenExchange|IdP
-  IntercomService-->|Filepicker|Nextcloud
-  IntercomService-->|CentralNavigation|Portal
-  OXAppSuiteBackend-->|Filepicker|Nextcloud
-  Nextcloud-->|CentralNavigation|Portal
-  OpenProject-->|CentralNavigation|Portal
-  OpenProject-->|File store|Nextcloud
-  XWiki-->|CentralNavigation|Portal
-  Nextcloud-->|CentralContacts|OXAppSuiteBackend
-  OXAppSuiteFrontend-->|Filepicker|OXAppSuiteBackend
+  OX-AppSuite_Frontend-->|Silent Login, Filepicker, Central Navigation|Intercom_Service
+  Element-->|Silent Login, Central Navigation|Intercom_Service
+  Intercom_Service-->|Silent Login, Token Exchange|IdP
+  Intercom_Service-->|Filepicker|Nextcloud
+  Intercom_Service-->|Central Navigation|Portal
+  OX-AppSuite_Backend-->|Filepicker|Nextcloud
+  Nextcloud-->|Central Navigation|Portal
+  OpenProject-->|Central Navigation|Portal
+  OpenProject-->|File Store|Nextcloud
+  XWiki-->|Central Navigation|Portal
+  Nextcloud-->|Central Contacts|OX-AppSuite_Backend
+  OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
 ```
 
-## Intercom Service (ICS)
+Most details can be found in the upstream documentation that is linked in the respective sections.
 
-The Univention Intercom Service's role is to enable cross-application integration based on browser interaction.
-Handling authentication when the frontend of an application is using the API from another application is often a
+## Intercom Service / Silent Login
+
+The Intercom Service's role is to enable cross-application integration based on the user's browser interaction as handling
+authentication when the frontend of an application has to call the API from another application is often a
 challenge.
-For more details on the ICS please refer to its own [doc](./components/intercom-service.md).
 
-To establish a session with the Intercom Service, the application that wants to use the ICS must initiate a silent
-login.
+To establish a session with the Intercom Service an application can use the silent login feature within an iframe.
 
-Currently only OX AppSuite is using the frontend-based integration, and therefore it is right now the only consumer of
-the ICS API.
+Currently only OX AppSuite and Element are using the frontend based integration.
+
+**Links**
+- [Intercom Service upstream documentation](https://docs.software-univention.de/intercom-service/latest/index.html).
 
 ## Filepicker
 
-The Nextcloud filepicker which is integrated into the OX AppSuite allows you to add attachments or links to files from
-and saving attachments to Nextcloud.
+The Nextcloud filepicker is integrated into the OX AppSuite supporting the following use cases against the respective openDesk instance's Nextcloud:
+- Attaching files from Nextcloud to emails.
+- Adding links of Nextcloud files to emails.
+- Saving attachments from emails into Nextcloud.
+- Attaching files from Nextcloud to calendar entries.
 
-The filepicker is using frontend and backend based integration.
-Frontend-based integration means that OX AppSuite in the browser is communicating with ICS.
-While using backend-based integration, OX AppSuite middleware is communicating with Nextcloud, which is especially used
-when adding a file to an email or storing a file into Nextcloud.
+The filepicker is using frontend and backend based integration:
+- For frontend based integration the OX AppSuite frontend uses the Intercom Service.
+- Backend based integration is coming from OX AppSuite middleware. The middleware is communicating directly with Nextcloud,
+which is used when adding a file to an email or storing a file into Nextcloud, to avoid passing these files through the user's browser.
+
+**Links**
+- [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).
 
 ## Central Navigation
 
-Central navigation is based on an API endpoint in the portal that provides the contents of the portal for a user to
-allow components to render the menu showing all available SWP applications for the user.
+Central navigation is based on an API endpoint in the Nubus portal that returns a JSON containing the contents of the portal for
+a given user. The response from the API endpoint is used in the openDesk applications to render the central navigation.
 
-## (Read & write) Central contacts
+The API can be called by
+- frontend services through the Intercom Service's `/navigation.json` endpoint or
+- backend services directly at the portal's `/univention/portal/navigation.json` endpoint.
 
-Open-Xchange App Suite is used to manage contacts within openDesk. There is an API in the AppSuite that is being used by
-Nextcloud to lookup contacts as well as to create contacts. This is maybe done when a file is shared with a not yet
-available personal contact.
+The central navigation expects the API caller to present a shared secret for authentication and the username for whom the portal
+contents should be returned for.
 
-## OpenProject file store
+A `curl` based request returning the navigation contents looks like this:
 
-By default, Nextcloud is a configured option for storing attachments in OpenProject.
-The file store can be enabled on a per-project level in OpenProject's project admin section.
+```
+curl 'https://portal.<DOMAIN>/univention/portal/navigation.json?base=https%3A//portal.<DOMAIN>&language=de-DE' -u "<USERNAME>:<SHARED_SECRET>"
+```
+
+## Central Contacts
+
+OX App Suite is managing contacts in openDesk. Therefore Nextcloud's PHP backend is using the OX AppSuite's middleware Contacts API to
+- create a new contact in the user's contacts folder when a file is shared with a yet unknown email address.
+- retrieve contacts from the user's contacts folder to support search-as-you-type when starting to share a file.
+
+**Links:**
+- Currently used [OX Contacts API (deprecated)](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Contacts).
+- New [OX Addressbooks API](https://documentation.open-xchange.com/components/middleware/http/8/index.html#!Addressbooks) the Central Contacts integration will switch to.
+
+## File Store (OpenProject -> Nextcloud)
+
+While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are
+stored within Nextcloud or to link an existing file from your openDesk Nextcloud to a work package.
+
+Therefore openDesk pre-configures the trust between the openDesk instance's OpenProject and Nextcloud during the `openproject-boostrap` deployment step. As prerequisite for that openDesk's Nextcloud contains the `integration_openproject` app.
+
+The file store still needs to be enabled on a per-project level in OpenProject's project admin section.
+
+**Links:**
+- [OpenProject's documentation on Nextcloud integration](https://www.openproject.org/docs/system-admin-guide/integrations/nextcloud/)
+- [OpenProject Integration Nextcloud app](https://apps.nextcloud.com/apps/integration_openproject)
 
 # Identity data flows
 

docs/debugging.md

@@ -52,7 +52,7 @@ Below you will find some wrap-up notes when it comes to debugging openDesk by ad
 
 You can add a container by editing and updating an existing deployment, which is quite comfortable with tools like [Lens](https://k8slens.dev/).
 
-- Select the container you want to make use of as debugging container, in the example below it's `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0`.
+- Select the container you want to make use of as debugging container, in the example below it is `registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest`.
 - Ensure the `shareProcessNamespace` option is enabled for the Pod.
 - Reference the selected container within the `containers` array of the deployment.
 - In case you want to access another containers filesystem, ensure the user/group settings of both containers match.
@@ -64,7 +64,7 @@ The following example can e.g. be used to debug the `openDesk-Nextcloud-PHP` con
       shareProcessNamespace: true
       containers:
         - name: debugging
-          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:1.0.0
+          image: registry.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-debugging-image:latest
           command: ["/bin/bash", "-c", "while true; do echo 'This is a temporary container for debugging'; sleep 5 ; done"]
           securityContext:
             capabilities:
@@ -121,7 +121,7 @@ Now you can add the ephemeral container with:
 ```
 kubectl -n ${NAMESPACE} debug -it --attach=false -c ${EPH_CONTAINER_NAME} --image={DEBUG_IMAGE} ${POD_NAME}
 ```
-and open it's interactive terminal with
+and open its interactive terminal with
 ```
 kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 ```

docs/enhanced-configuration/idp-federation.md

@@ -44,9 +44,9 @@ We will provide additional documents regarding user provisioning in the future,
   - UDM REST API:
     - Build a provisioning solution by yourself using the [UDM REST API](https://docs.software-univention.de/developer-reference/5.0/en/udm/rest-api.html).
     - The API gives you full control over the contents of the IAM in order to create, update or delete users and groups.
-  - Directory Connector:
+  - Nubus Directory Importer:
     - It is based on a Python one-way directory synchronization for users and groups.
-    - We will provide more details on this approach soon one the tool is made publicly available.
+    - Please find more details in the [upstream product's documentation](https://docs.software-univention.de/nubus-kubernetes-operation/latest/en/howto-connect-external-iam.html).
 - Ad-hoc provisioning (AHP)
   - This feature is currently not available in the openDesk Keycloak, but there are plans by the Supplier Univention to make it available.
   - Ad-hoc provisioning creates an user account on the fly during a users first login.

docs/enhanced-configuration/matrix-federation.md

@@ -37,7 +37,8 @@ If not used it is also set to `opendesk.domain.tld`.
 The following setting can disable federation:
 
 ```yaml
-externalServices:
+functional:
+  externalServices:
     matrix:
       federation:
         enabled: false

docs/enhanced-configuration/separate-mail-matrix-domain.md

@@ -9,6 +9,10 @@ SPDX-License-Identifier: Apache-2.0
 * [Example configuration](#example-configuration)
   * [Mail domain](#mail-domain)
   * [Matrix domain](#matrix-domain)
+    * [DNS](#dns)
+    * [Webserver](#webserver)
+      * [Content Security Policy](#content-security-policy)
+      * [.well-known](#well-known)
 
 # Use case
 
@@ -59,7 +63,9 @@ or via environment variable
 export MATRIX_DOMAIN=my_organization.tld
 ```
 
-This setup requires also a different DNS setup:
+### DNS
+
+The following changes apply to the standard DNS:
 
 | Record name                      | Type | Value                                  | Comment                                                                            |
 | -------------------------------- | ---- | -------------------------------------- | ---------------------------------------------------------------------------------- |
@@ -67,6 +73,14 @@ This setup requires also a different DNS setup:
 
 *Note:* `matrix.opendesk.domain.tld` in the "Value" column can also be the IP address where synapse TLS port is listening to.
 
+### Webserver
+
+#### Content Security Policy
+
+The webserver of `my_organization.tld` should add `*.opendesk.domain.tld` to its CSP header.
+
+#### .well-known
+
 If you want to use other Matrix clients,
 e.g., Element Messenger for [iOS](https://apps.apple.com/de/app/element-messenger/id1083446067)
 or [Android](https://play.google.com/store/apps/details?id=im.vector.app),

docs/getting-started.md

@@ -3,7 +3,7 @@ SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG Ze
 SPDX-License-Identifier: Apache-2.0
 -->
 
-<h1>Getting stated</h1>
+<h1>Getting started</h1>
 
 This documentation should enable you to create your own evaluation instance of openDesk on your Kubernetes cluster.
 
@@ -21,6 +21,9 @@ This documentation should enable you to create your own evaluation instance of o
     * [Container runtime](#container-runtime)
     * [Volumes](#volumes)
   * [Connectivity](#connectivity)
+    * [Ports](#ports)
+      * [Web based user interface](#web-based-user-interface)
+      * [Mail clients](#mail-clients)
     * [Mail/SMTP configuration](#mailsmtp-configuration)
     * [TURN configuration](#turn-configuration)
     * [Certificate issuer](#certificate-issuer)
@@ -29,6 +32,7 @@ This documentation should enable you to create your own evaluation instance of o
   * [Install single app](#install-single-app)
   * [Install single release/chart](#install-single-releasechart)
 * [Access deployment](#access-deployment)
+  * [Using from external repository](#using-from-external-repository)
 * [Uninstall](#uninstall)
 <!-- TOC -->
 
@@ -48,7 +52,7 @@ files.
 > All configuration options and their default values can be found in files at `helmfile/environments/default/`
 
 For the following guide, we will use `dev` as environment, where variables can be set in
-`helmfile/environments/dev/values.yaml`.
+`helmfile/environments/dev/values.yaml.gotmpl`.
 
 ## DNS
 
@@ -57,7 +61,7 @@ For your convenience, we recommend to create a `*.domain.tld` A-Record to your c
 otherwise you need to create an A-Record for each subdomain.
 
 | Record name                   | Type | Value                                              | Additional information                                           |
-| ----------------------- | ---- | -------------------------------------------------- | ---------------------------------------------------------------------------------- |
+|-------------------------------|------|----------------------------------------------------|------------------------------------------------------------------|
 | *.domain.tld                  | A    | IPv4 address of your Ingress Controller            |                                                                  |
 | *.domain.tld                  | AAAA | IPv6 address of your Ingress Controller            |                                                                  |
 | mail.domain.tld               | A    | IPv4 address of your postfix NodePort/LoadBalancer | Optional mail should directly be delivered to openDesk's Postfix |
@@ -65,7 +69,7 @@ otherwise you need to create an A-Record for each subdomain.
 | domain.tld                    | MX   | `10 mail.domain.tld`                               |                                                                  |
 | domain.tld                    | TXT  | `v=spf1 +a +mx +a:mail.domain.tld ~all`            | Optional, use proper MTA record if present                       |
 | _dmarc.domain.tld             | TXT  | `v=DMARC1; p=quarantine`                           | Optional                                                         |
-| _matrix._tcp.domain.tld | SRV  | `1 10 PORT matrix.domain.tld`                      | `PORT` is your NodePort/LoadBalancer port of `opendesk-synapse-federation` service |
+| default._domainkey.domain.tld | TXT  | `v=DKIM1; k=rsa; h=sha256; ...`                    | Optional DKIM settings                                           |
 
 ## Domain
 
@@ -97,7 +101,7 @@ export DOMAIN=domain.tld
 All available apps and their default value can be found in `helmfile/environments/default/workplace.yaml`.
 
 | Component            | Name                        | Default | Description                    |
-|-----------------------------|-------------------------------------|---------|--------------------------------|
+| -------------------- | --------------------------- | ------- | ------------------------------ |
 | Certificates         | `certificates.enabled`      | `true`  | TLS certificates               |
 | ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine               |
 | ClamAV (Simple)      | `clamavSimple.enabled`      | `true`  | Antivirus engine               |
@@ -111,14 +115,14 @@ All available apps and their default value can be found in `helmfile/environment
 | Memcached            | `memcached.enabled`         | `true`  | Cache Database                 |
 | MinIO                | `minio.enabled`             | `true`  | Object Storage                 |
 | Nextcloud            | `nextcloud.enabled`         | `true`  | File share                     |
+| Nubus                | `nubus.enabled`             | `true`  | Identity Management & Portal   |
 | OpenProject          | `openproject.enabled`       | `true`  | Project management             |
 | OX Appsuite          | `oxAppsuite.enabled`        | `true`  | Groupware                      |
 | Provisioning         | `oxConnector.enabled`       | `true`  | Backend provisioning           |
 | Postfix              | `postfix.enabled`           | `true`  | MTA                            |
 | PostgreSQL           | `postgresql.enabled`        | `true`  | Database                       |
 | Redis                | `redis.enabled`             | `true`  | Cache Database                 |
-| Univention Management Stack | `univentionManagementStack.enabled` | `true`  | Identity Management & Portal   |
-| XWiki                       | `xwiki.enabled`                     | `true`  | Knowledgebase                  |
+| XWiki                | `xwiki.enabled`             | `true`  | Knowledge management           |
 
 Exemplary, Jitsi can be disabled like:
 
@@ -191,17 +195,29 @@ If your cluster has not the default `10.0.0.0/8` CIDR configured, you need to pr
 ```yaml
 cluster:
   networking:
-    cidr: "127.0.0.0/8"
+    cidr:
+      - "127.0.0.0/8"
+```
+
+If your load balancer / reverse proxy IPs are not already covered by the above `cidr` you need to
+explicitly configure the related IPs or IP ranges:
+
+```yaml
+cluster:
+  networking:
+    incomingCIDR:
+      - "172.16.0.0/12"
 ```
 
 ### Ingress
 
-By default, the `ingressClassName` is empty to choose your default ingress controller, you may want to customize it by
-setting:
+By default, the `ingressClassName` is empty to choose your default ingress controller. You may want to customize it by
+setting the following attribute to the name of the currently only supported ingress controller `ingress-nginx` (see
+[requirements.md](./requirements.md)) for reference) within your deployment if that is not the clusters default ingress.
 
 ```yaml
 ingress:
-  ingressClassName: "cilium"
+  ingressClassName: "name-of-my-nginx-ingress"
 ```
 
 ### Container runtime
@@ -237,9 +253,34 @@ persistence:
 
 ## Connectivity
 
+### Ports
+
+**Note:** If you use `NodePort` for service exposure, you need to check your deployment for the actual ports.
+
+#### Web based user interface
+
+To use the openDesk functionality with its web based user interface you need to publicly expose the following ports:
+
+| Component          | Description             |  Port | Type |
+| ------------------ | ----------------------- | ----: | ---: |
+| openDesk           | Kubernetes Ingress      |    80 |  TCP |
+| openDesk           | Kubernetes Ingress      |   443 |  TCP |
+| Jitsi Video Bridge | ICE Port for video data | 10000 |  UDP |
+
+#### Mail clients
+
+To connect with mail clients like [Thunderbird](https://www.thunderbird.net/), the following ports need public exposure:
+
+| Component          | Description             |  Port | Type |
+| ------------------ | ----------------------- | ----: | ---: |
+| Dovecot            | IMAPS                   |   993 |  TCP |
+|                    | POP3S                   |   995 |  TCP |
+| Postfix            | SMTP                    |    25 |  TCP |
+|                    | SMTPS                   |   587 |  TCP |
+
 ### Mail/SMTP configuration
 
-To use the full potential of the openDesk, you need to set up an SMTP relay which allows to send emails from
+To use the full potential of the openDesk, you need to set up an SMTP relay which allows sending emails from
 the whole subdomain.
 
 ```yaml
@@ -249,6 +290,20 @@ smtp:
   password: "secret"
 ```
 
+Enabling DKIM signing of emails helps to reduce spam and increases trust.
+openDesk ships dkimpy-milter as Postfix milter for signing mails.
+
+```yaml
+dkimpy:
+  enable: true
+  dkim:
+    key:
+      value: |
+        HzZs08QF1O7UiAkcM9T3U7rePPECtSFvWZIvyKqdg8E=
+    selector: "default"
+    useED25519: true # when false, RSA is used
+```
+
 ### TURN configuration
 
 Some components (Jitsi, Element) use for direct communication a TURN server. You can configure your own TURN server with
@@ -348,8 +403,7 @@ When all apps are successfully deployed and pod status' went to `Running` or `Su
 https://portal.domain.tld
 ```
 
-If you change the subdomain of `univentionManagementStack`, you need to replace `portal`
-by your specified subdomain.
+If you change the subdomain of `nubus`, you need to replace `portal` by your specified subdomain.
 
 **Credentials:**
 

docs/migrations.md

@@ -0,0 +1,129 @@
+<!--
+SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+-->
+
+<h1>Upgrade migrations</h1>
+
+* [Disclaimer](#disclaimer)
+* [Releases upgrades](#releases-upgrades)
+  * [From v0.9.0](#from-v090)
+    * [Manual interaction](#manual-interaction)
+      * [Fileshare configurability](#fileshare-configurability)
+    * [Automated migrations](#automated-migrations)
+      * [Local Postfix as Relay](#local-postfix-as-relay)
+      * [Updated IAM component Nubus](#updated-iam-component-nubus)
+        * [Manual cleanup](#manual-cleanup)
+  * [From v0.8.1](#from-v081)
+    * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
+    * [Updated customizable template attributes](#updated-customizable-template-attributes)
+    * [`migrations` S3 bucket](#migrations-s3-bucket)
+* [Related components and artefacts](#related-components-and-artefacts)
+  * [Development](#development)
+
+# Disclaimer
+
+We do not offer support for upgrades before we reach openDesk 1.0.
+
+Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.
+
+Limitations:
+- We assume that the PV reclaim policy is set to `delete`, so expect that PVs get deleted as soon as the related PVC was deleted and will cover an explicit delete for PVs.
+
+# Releases upgrades
+
+## From v0.9.0
+
+### Manual interaction
+
+#### Fileshare configurability
+
+We provide now some configurability regarding the sharing capabilities of the Nextcloud component.
+
+The new default is different from the standard until now. To keep the current state after the upgrade from 0.9.0 you have to provide the following settings:
+
+```
+functional:
+  filestore:
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      enableExternalSharing: true
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: false
+```
+
+### Automated migrations
+
+#### Local Postfix as Relay
+
+All components relay outgoing mails to the local Postfix. In order for the configuration to be picked up by all components the following restarts are triggered in the migrations `POST` stage:
+
+- Deployments:
+  - `opendesk-nextcloud-php`
+  - `ums-umc-server`
+- Stateful Sets:
+  - `ums-selfservice-listener`
+  - `opendesk-synapse`
+
+#### Updated IAM component Nubus
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The now redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
+upgrade migrations executes the following steps:
+
+- Stage `PRE`:
+  - Delete service `ums-keycloak`, as it will be recreated headless.
+  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier` in preparation or the next step:
+  - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
+- Stage `POST`:
+  - Restart Keycloak.
+
+##### Manual cleanup
+
+Currently we do not execute possible cleanup steps as part of the migrations POST stage. So you might want to remove the no longer used PVCs after successful upgrade:
+```
+NAMESPACE=<your_namespace>
+kubectl -n ${NAMESPACE} delete pvc shared-data-ums-ldap-server-0
+kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
+```
+
+## From v0.8.1
+
+### Updated `cluster.networking.cidr`
+
+- Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1), please update your setup accordingly if you explicitly set this value.
+- Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
+
+### Updated customizable template attributes
+
+- Action: Please ensure you update you custom deployment values according with the updated default value structure.
+- References:
+  - `functional.` prefix for `authentication.*`, `externalServices.*`, `admin.*` and `filestore.*`, see [functional.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/functional.yaml).
+  - `debug.` prefix for `cleanup.*`, see [debug.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/debug.yaml).
+  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
+  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
+
+### `migrations` S3 bucket
+
+- Action: For self managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
+- Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
+
+# Related components and artefacts
+
+openDesk comes with two upgrade steps as part of the deployment, they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
+
+- `migrations-pre`: Is the very first app that gets deployed.
+- `migrations-post`: Is the last app that gets deployed.
+
+Both migrations have to be deployed exclusively at their first/last position and not in parallel with other components.
+
+The status of the upgrade migrations is tracked in the ConfigMap `migrations-status`, more details can be found in the [README.md of the related container image](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/README.md).
+
+## Development
+
+When a new upgrade migration is required, ensure to address the following list:
+
+- Update the generated release version file [`global.generated.yaml`](../helmfile/environments/default/global.generated.yaml) at least on the patch level to test the upgrade in your feature branch as well as trigger it in the `develop` branch after the feature branch was merged. The set value gets overwritten during the release process with the release's actual version number.
+- You have to implement the migration logic as a runner script in the [`opendesk-migrations`](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations) image. Please find more instructions in the linked repository.
+- You most likely have to update the [`opendesk-migrations` Helm chart](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations) within the `rules` section of the [`role.yaml`](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/templates/role.yaml) to provide the permissions required for the execution of your migration's logic.
+- You have to set the runner's ID you want to execute in the [migrations.yaml.gotmpl](../helmfile/shared/migrations.yaml.gotmpl). See also the `migrations.*` section of [the Helm chart's README.md](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/main/charts/opendesk-migrations/README.md).
+- Update the [`charts.yaml`](../helmfile/environments/default/charts.yaml) and [`images.yaml`](../helmfile/environments/default/images.yaml) to reflect the newer releases of the `opendesk-migrations` Helm chart and container image.

docs/requirements.md

@@ -22,7 +22,7 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 
 - K8s cluster >= 1.24, [CNCF Certified Kubernetes distribution](https://www.cncf.io/certification/software-conformance/)
 - Domain and DNS Service
-- Ingress controller (supported are nginx-ingress, HAProxy)
+- Ingress controller (Ingress NGINX)
 - [Helm](https://helm.sh/) >= v3.9.0
 - [Helmfile](https://helmfile.readthedocs.io/en/latest/) >= **v0.157.0**
 - [HelmDiff](https://github.com/databus23/helm-diff) >= 3.6.0
@@ -34,11 +34,13 @@ openDesk is a Kubernetes only solution and requires an existing Kubernetes (K8s)
 The following minimal requirements are thought for initial evaluation deployment:
 
 | Spec | Value                                                 |
-|------|------------------------------------------------------|
-| CPU  | 8 Cores of x64 or x86 CPU (ARM is not supported yet) |
-| RAM  | 16 GB, recommended 32 GB                             |
+| ---- | ----------------------------------------------------- |
+| CPU  | 12 Cores of x64 or x86 CPU (ARM is not supported yet) |
+| RAM  | 32 GB, more recommended                               |
 | Disk | HDD or SSD, >10 GB                                    |
 
+Check [`scaling.md`](./scaling.md) for more details on resource requirements and scalability.
+
 # Kubernetes
 
 Any self-hosted or managed K8s cluster >= 1.24 listed in
@@ -53,10 +55,11 @@ The deployment is tested against [kubespray](https://github.com/kubernetes-sigs/
 The deployment is intended to use only over HTTPS via a configured FQDN, therefor it is required to have a proper
 configured ingress controller deployed.
 
-**Maintained controllers:**
-- [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress)
+**Supported controllers:**
 - [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx)
-- [HAProxy Kubernetes Ingress Controller](https://github.com/haproxytech/kubernetes-ingress)
+
+Note: The platform development team is evaluating the use of [Gateway API](https://gateway-api.sigs.k8s.io/).
+If you have feedback on that topic, please share it with us.
 
 # Volume provisioner
 
@@ -75,7 +78,9 @@ openDesk certificate management disabled.
 
 # External services
 
-Evaluation the openDesk deployment does not require any external service to start, but features may be limited.
+For development and evaluation of openDesk we bundle some service to start with. Be aware that for production
+deployments you need to make use of your own production grade services, see the
+[external-services.md](./external-services.md) for configuration details.
 
 | Group    | Type                | Version | Tested against        |
 | -------- | ------------------- | ------- | --------------------- |

docs/scaling.md

@@ -7,55 +7,17 @@ SPDX-License-Identifier: Apache-2.0
 
 This document should cover the abilities to scale apps.
 
-<!-- TOC -->
-* [Replicas](#replicas)
-<!-- TOC -->
+# Horizontal scalability
 
-# Replicas
+We are working on generating this document automatically based on the file
+[`replicas.yaml`](../helmfile/environments/default/replicas.yaml) that contains necessary annotations.
+In the meantime this file can be used to check the components scaling support / capabilities.
 
-The Replicas can be increased of almost any component, but is only effective for high-availability or load-balancing for
-apps with a check-mark in `Scaling (effective)` column.
+# Upstream information
 
-Verified positive effects are marked with a check-mark in `Scaling (verified)` column, apps which are not yet tested are
-marked with a gear.
+While scaling services horizontally is the ideal solution, information about vertical scaling is helpful
+when it comes to defining the applications resources, see [`resources.yaml`](../helmfile/environments/default/resources.yaml) for references.
 
+Please find below links to the application's upstream resources about scaling:
 
-| Component                   | Name                                     | Scaling (effective) | Scaling (verified) |
-|-----------------------------|------------------------------------------|:-------------------:|:------------------:|
-| ClamAV                      | `replicas.clamav`                        | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.clamd`                         | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.freshclam`                     |         :x:         |        :x:         |
-|                             | `replicas.icap`                          | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.milter`                        | :white_check_mark:  | :white_check_mark: |
-| Collabora                   | `replicas.collabora`                     | :white_check_mark:  |       :gear:       |
-| CryptPad                    | `replicas.cryptpad`                      | :white_check_mark:  |       :gear:       |
-| Dovecot                     | `replicas.dovecot`                       |         :x:         |       :gear:       |
-| Element                     | `replicas.element`                       | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.matrixNeoBoardWidget`          | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoChoiceWidget`         | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoDateFixBot`           | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixNeoDateFixWidget`        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.matrixUserVerificationService` | :white_check_mark:  |       :gear:       |
-|                             | `replicas.synapse`                       |         :x:         |       :gear:       |
-|                             | `replicas.synapseWeb`                    | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.wellKnown`                     | :white_check_mark:  | :white_check_mark: |
-| Intercom Service            | `replicas.intercomService`               | :white_check_mark:  | :white_check_mark: |
-| Jitsi                       | `replicas.jibri`                         | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jicofo`                        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jitsi `                        | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jitsiKeycloakAdapter`          | :white_check_mark:  |       :gear:       |
-|                             | `replicas.jvb `                          |         :x:         |        :x:         |
-| Keycloak                    | `replicas.keycloak`                      | :white_check_mark:  |       :gear:       |
-| Memcached                   | `replicas.memcached`                     |       :gear:        |       :gear:       |
-| Minio                       | `replicas.minioDistributed`              | :white_check_mark:  | :white_check_mark: |
-| Nextcloud                   | `replicas.nextcloudApache2`              | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.nextcloudExporter`             | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.nextcloudPHP`                  | :white_check_mark:  | :white_check_mark: |
-| OpenProject                 | `replicas.openproject`                   | :white_check_mark:  | :white_check_mark: |
-| Postfix                     | `replicas.postfix`                       |         :x:         |       :gear:       |
-| Redis                       | `replicas.redis`                         |       :gear:        |       :gear:       |
-| Univention Management Stack |                                          |       :gear:        |       :gear:       |
-|                             | `replicas.umsPortalFrontend`             | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsPortalServer`               | :white_check_mark:  | :white_check_mark: |
-|                             | `replicas.umsUdmRestApi`                 | :white_check_mark:  | :white_check_mark: |
-| XWiki                       | `replicas.xwiki`                         |         :x:         |       :gear:       |
+- [OpenProject system requirements](https://www.openproject.org/docs/installation-and-operations/system-requirements/)

docs/workflow.md

@@ -22,8 +22,8 @@ SPDX-License-Identifier: Apache-2.0
       * [Branch workflows](#branch-workflows)
         * [`main`](#main)
         * [`develop`](#develop)
-        * [`docu`](#docu)
-        * [`mntn`](#mntn)
+        * [`docs`](#docs)
+        * [`fix`](#fix)
         * [`feat`](#feat)
       * [Branch names](#branch-names)
       * [Commit messages / Conventional Commits](#commit-messages--conventional-commits)
@@ -169,8 +169,8 @@ The basic facts for the flow are:
   - Developers can create sub-branches from their feature branch(es) as needed.
 - When a *feature* branch gets pushed a Merge Request in `Draft` state is automatically created.
 - We know three types of *feature* branches:
-  - `docu`: Doing just documentation changes
-  - `mntn`: Maintenance of the openDesk software components and minor configurational changes
+  - `docs`: Doing just documentation changes
+  - `fix`: Maintenance of the openDesk software components and minor configurational changes
   - `feat`: All changes that do not fall into the two categories above, especially
     - supplier deliverables and
     - configurational changes that have a significant impact on openDesk users or require migrations[^1]
@@ -185,21 +185,21 @@ gitGraph
     checkout "develop"
     commit id: "QA 'nightly develop'"
     commit id: "  "
-    branch "docu"
-    checkout "docu"
+    branch "docs"
+    checkout "docs"
     commit id: "Documentation commits" type: HIGHLIGHT
     checkout "develop"
-    merge "docu"
+    merge "docs"
     checkout "main"
     merge "develop" tag: "No release"
     checkout "develop"
     commit id: "   "
-    branch "mntn"
-    checkout "mntn"
+    branch "fix"
+    checkout "fix"
     commit id: "Maintenance commits" type: HIGHLIGHT
-    commit id: "QG 'mntn'" type: REVERSE
+    commit id: "QG 'fix'" type: REVERSE
     checkout "develop"
-    merge "mntn"
+    merge "fix"
     commit id: "QA 'release merge'" type: REVERSE
     checkout "main"
     merge "develop" tag: "Patch or minor release"
@@ -231,7 +231,7 @@ The Standard Quality Gate addresses quality assurance steps that should be execu
 1. Linting
    - Blocking
      - Licensing: [reuse](https://github.com/fsfe/reuse-tool)
-     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in the [development](./development.md) docu
+     - openDesk specific: Especially `images.yaml` and `charts.yaml`, find more details in [development.md](./development.md).
    - Non Blocking
      - Security: [Kyverno policy check](../.kyverno) addressing some IT-Grundschutz requirements
      - Formal: Yaml
@@ -277,8 +277,8 @@ This section will explain the workflow for each branch (type) based on the Gitfl
 
 - `QA 'nightly main'`: Execute the SQG based on the most recent release. The upgrade test environment should be a long-standing environment that only gets built from scratch with the previous technical release when something breaks the environment.
 - Merge points: We are using the [Semantic Release convention](https://github.com/semantic-release/semantic-release) which itself is based on the [Semantic Versioning (SemVer) notation](https://semver.org) to automatically create technical releases on the merge points.
-  - "No release": When a merge from `develop` includes only changes from `docu` branches the merge into `main` will only consist of `docs` or `chore` commits. No new release will be generated by that merge.
-  - "Patch or minor release": When changes from `mntn` branches get merged these might contain `fix` or `feat` commits causing a new technical release to be built with an updated version on Patch or Minor level.
+  - "No release": When a merge from `develop` includes only changes from `docs` branches the merge into `main` will only consist of `docs` or `chore` commits. No new release will be generated by that merge.
+  - "Patch or minor release": When changes from `fix` branches get merged these might contain `fix` or `feat` commits causing a new technical release to be built with an updated version on Patch or Minor level.
   - "Minor or major release": When changes from `feat` branches get merged these might contain `feat` commits even with breaking changes, causing a technical release to be built with an updated version on Minor or Major level.
 - "Manual Functional Release Activities": Technical releases are loosely coupled to functional releases. The additional activities for a functional release select an existing technical release as a basis to generate the artifacts required for a functional release, for example:
   - Conduct additional manual explorative and regression tests.
@@ -289,19 +289,19 @@ This section will explain the workflow for each branch (type) based on the Gitfl
 - `QA 'nightly develop'`: Follows the same approach as `QA 'nightly main'` - execute the SQG based in this case on the head revision of the `develop` branch.
 - `QA 'release merge'`: The Merge Request for this merge has to be created manually by members of the platform development team. It should document:
   - That the SQG was successfully executed upon the to-be merged state - it could be done explicitly or based on a `QA 'nightly develop'`
-  - In case of `mntn` changes that usually how no test automation: Changes have been verified by a member of the platform development team.
+  - In case of `fix` changes that usually how no test automation: Changes have been verified by a member of the platform development team.
   - That the changes have been reviewed by at least two members of the platform development team giving their approval on the Merge Request.
-- Merge points (from `docu`, `mntn`, and `feat` branches): No additional activity on these merge points as the QA is ensured before the merge in the just-named branch types.
+- Merge points (from `docs`, `fix`, and `feat` branches): No additional activity on these merge points as the QA is ensured before the merge in the just-named branch types.
 
-##### `docu`
+##### `docs`
 
-Branches of type `docu` only contain the commits themselves and have to adhere to the workflow basic fact that:
+Branches of type `docs` only contain the commits themselves and have to adhere to the workflow basic fact that:
 > All merges into `develop` or `main` require two approvals from the platform development team.
 
-##### `mntn`
+##### `fix`
 
-Besides the actual changes being committed in an `mntn` branch there is only the:
-- `QG 'mntn'`: In addition to validating the actual change the owner of the branch has to ensure the successful execution of the SQG.
+Besides the actual changes being committed in an `fix` branch there is only the:
+- `QG 'fix'`: In addition to validating the actual change the owner of the branch has to ensure the successful execution of the SQG.
 
 ##### `feat`
 
@@ -318,47 +318,29 @@ This branch type requires the most activities on top of the actual development:
 
 #### Branch names
 
-Branches created from the `develop` branch have to adhere to the following notation: `<party[-developer]>/<type>/<component>/<details>`:
+Branches created from the `develop` branch have to adhere to the following notation: `<type>/<responsible_developer>/<details>`:
 
-- `<party[-developer]>`: An identifier for the developing party optionally plus the name of the developer or team working on that branch. The following two-letter shorthand notations should be used for the owner:
-  - Suppliers
-    - `co`: Collabora
-    - `cp`: CryptPad
-    - `el`: Element
-    - `nc`: Nextcloud
-    - `nd`: Nordeck
-    - `op`: OpenProject
-    - `ox`: Open-Xchange
-    - `uv`: Univention
-    - `xw`: XWiki
-  - Other
-    - `pd`: (openDesk) Platform Development
-    - `xx`: Other, not one of the parties mentioned before
-
-- `<type>`: Based on the branch types described in this document valid values for type are
-  - `docu`
-  - `mntn`
+- `<type>`: From the list of branch types explained above:
+  - `docs`
+  - `fix`
   - `feat`
-
-- `<component>`: Valid components are
+- `<responsible_developer>`: Something that makes you identifiable as owner of the branch, e.g. the first letter of your first name followed by your family name.
+- `<details>`: A very short note about what is going to happen in the branch and ideally what component is affected from the following list of components:
   - `helmfile`
   - `ci`
-  - `cross-functional`
   - `docs`
   - `collabora`
   - `cryptpad`
   - `element`
   - `jitsi`
   - `nextcloud`
+  - `nubus`
   - `open-xchange`
   - `openproject`
   - `services`
-  - `univention-management-stack`
   - `xwiki`
 
-- `<details>`: A very short note about what is going to happen in the branch
-
-Example: `pd-tom/fix/open-xchange/bump_to_8.76`.
+Example: `feat/tmueller/bump_nextcloud_to_29.0.0`.
 
 **Note**: The above naming convention is not enforced yet, but please ensure you make use of it.
 
@@ -367,7 +349,7 @@ Example: `pd-tom/fix/open-xchange/bump_to_8.76`.
 Commit messages must adhere to the [Conventional Commit standard](https://www.conventionalcommits.org/en/v1.0.0/#summary). Commits that do not adhere to the standard get rejected by either [Gitlab push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html) or the CI.
 
 ```text
-<type>(<scope>): [path/to/issue#1] <short summary>
+<type>(<scope>): [path/to/issue#1] <short summary>.
   │       │              │                │
   │       │              |                └─> Summary in present tense, sentence case, with no period at the end
   │       │              |
@@ -378,7 +360,7 @@ Commit messages must adhere to the [Conventional Commit standard](https://www.co
   └─> Commit Type: chore, ci, docs, feat, fix
 ```
 
-Example: `fix(univention-management-stack): Update standard session timeout of openDesk realm in Keycloak`
+Example: `fix(open-xchange): Bump to 8.26 to heal issue with functional mailbox provisioning.`
 
 **Beware**: The commit messages are an essential part of the [technical releases](https://gitlab.opencode.de/bmi/opendesk/deployment/sovereign-workplace/-/releases) as the release's notes are generated from the messages.
 

helmfile.yaml

@@ -5,13 +5,13 @@
 environments:
   dev:
     values:
-      - "helmfile/environments/dev/values.yaml.gotmpl"
+      - "helmfile/environments/dev/*.yaml.gotmpl"
   test:
     values:
-      - "helmfile/environments/test/values.yaml.gotmpl"
+      - "helmfile/environments/test/*.yaml.gotmpl"
   prod:
     values:
-      - "helmfile/environments/prod/values.yaml.gotmpl"
+      - "helmfile/environments/prod/*.yaml.gotmpl"
 ---
 # yamllint disable
 helmfiles:

helmfile/apps/collabora/values.yaml.gotmpl

@@ -7,7 +7,7 @@ autoscaling:
   enabled: false
 
 collabora:
-  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=65536"
+  extra_params: "--o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/richdocuments/settings/fonts.json"
   username: "collabora-internal-admin"
   password: {{ .Values.secrets.collabora.adminPassword | quote }}
   aliasgroups:
@@ -17,11 +17,11 @@ fullnameOverride: "collabora"
 
 grafana:
   dashboards:
-    enabled: {{ .Values.grafana.dashboards.enabled }}
+    enabled: {{ .Values.monitoring.grafana.dashboards.enabled }}
     labels:
-      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.labels | toYaml | nindent 6 }}
     annotations:
-      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}
+      {{ .Values.monitoring.grafana.dashboards.annotations | toYaml | nindent 6 }}
 
 image:
   repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
@@ -88,13 +88,13 @@ podSecurityContext:
 
 prometheus:
   servicemonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
     labels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
   rules:
-    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
     additionalLabels:
-      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 6 }}
 
 replicaCount: {{ .Values.replicas.collabora }}
 

helmfile/apps/element/values-element.yaml.gotmpl

@@ -5,15 +5,15 @@
 configuration:
   endToEndEncryption: true
   additionalConfiguration:
-    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+    logout_redirect_url: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout?client_id=matrix&post_logout_redirect_uri=https%3A%2F%2F{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
 
     "net.nordeck.element_web.module.opendesk":
       config:
         banner:
           ics_navigation_json_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/navigation.json"
           ics_silent_url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/silent"
-          portal_logo_svg_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
-          portal_url: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/"
+          portal_logo_svg_url: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+          portal_url: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/"
         custom_css_variables:
           --cpd-color-bg-action-primary-rest: {{ .Values.theme.colors.primary | quote }}
           --cpd-color-text-action-accent: {{ .Values.theme.colors.primary | quote }}

helmfile/apps/element/values-matrix-neodatefix-bot-bootstrap.yaml.gotmpl

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
   username: "meetings-bot"

helmfile/apps/element/values-matrix-user-verification-service-bootstrap.yaml.gotmpl

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 configuration:
   username: "uvs"

helmfile/apps/element/values-synapse-web.yaml.gotmpl

@@ -21,6 +21,7 @@ containerSecurityContext:
 
 global:
   domain: {{ .Values.global.domain | quote }}
+  clusterDomain: {{ .Values.cluster.networking.domain | quote }}
   hosts:
     {{ .Values.global.hosts | toYaml | nindent 4 }}
   imagePullSecrets:

helmfile/apps/element/values-synapse.yaml.gotmpl

@@ -40,11 +40,35 @@ configuration:
               regex: "@.*"
         url: null
         sender_localpart: intercom-service
+      - as_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+        hs_token: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
+        id: ox-appsuite
+        namespaces:
+          users:
+            - exclusive: false
+              regex: "@.*"
+        url: null
+        sender_localpart: ox-appsuite
+
+    presence:
+      enabled: {{ .Values.functional.dataProtection.matrixPresence.enabled }}
+
+    smtp:
+      senderAddress: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      port: 25
+      tls: false
+      starttls: false
+      username: ""
+      password: ""
 
     oidc:
       clientId: "opendesk-matrix"
       clientSecret: {{ .Values.secrets.keycloak.clientSecret.matrix | quote }}
       issuer: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
+      scopes:
+        - "openid"
+        - "opendesk-matrix-scope"
 
     turn:
       sharedSecret: {{ .Values.turn.credentials | quote }}
@@ -84,7 +108,7 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.synapse | toYaml | nindent 4 }}
 
 federation:
-  enabled: {{ .Values.externalServices.matrix.federation.enabled }}
+  enabled: {{ .Values.functional.externalServices.matrix.federation.enabled }}
   ingress:
     host: "{{ .Values.global.hosts.synapseFederation }}.{{ .Values.global.domain }}"
     enabled: {{ .Values.ingress.enabled }}

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -27,7 +27,7 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.jitsiKeycloakAdapter | toYaml | nindent 4 }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 
 image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}

helmfile/apps/migrations-post/helmfile-child.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-post"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...

helmfile/apps/migrations-post/helmfile.yaml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/migrations-post/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "POST"
+...

helmfile/apps/migrations-pre/helmfile-child.yaml

@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+repositories:
+  # openDesk Migrations
+  # Source:
+  - name: "openproject-migrations-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.migrations.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.migrations.registry }}/\
+      {{ .Values.charts.migrations.repository }}"
+
+releases:
+  - name: "opendesk-migrations-pre"
+    chart: "openproject-migrations-repo/{{ .Values.charts.migrations.name }}"
+    version: "{{ .Values.charts.migrations.version }}"
+    wait: true
+    waitForJobs: true
+    values:
+      - "values.yaml.gotmpl"
+      - "../../shared/migrations.yaml.gotmpl"
+    installed: {{ .Values.migrations.enabled }}
+    timeout: 900
+
+commonLabels:
+  deploy-stage: "component-0"
+  component: "opendesk-migrations"
+...

helmfile/apps/migrations-pre/helmfile.yaml

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+  - "../../bases/environments.yaml"
+---
+helmfiles:
+  - path: "./helmfile-child.yaml"
+    values:
+      - {{ toYaml .Values | nindent 8 }}
+...

helmfile/apps/migrations-pre/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+migrations:
+  stage: "PRE"
+...

helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl

@@ -14,7 +14,7 @@ additionalAnnotations:
   intents.otterize.com/service-name: "opendesk-nextcloud-php"
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
 
 configuration:
   administrator:
@@ -35,6 +35,9 @@ configuration:
         value: {{ .Values.cache.nextcloud.password | default .Values.secrets.redis.password | quote }}
     host: {{ .Values.cache.nextcloud.host | quote }}
     port: {{ .Values.cache.nextcloud.port | quote }}
+  collabora:
+    # internalWopiUrl: ""
+    wopiAllowlist: {{ join ", " ( concat .Values.cluster.networking.cidr .Values.cluster.networking.incomingCIDR ) | quote }}
   database:
     host: {{ .Values.databases.nextcloud.host | quote }}
     port: {{ .Values.databases.nextcloud.port | quote }}
@@ -45,7 +48,7 @@ configuration:
         value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
   ldap:
     host: {{ .Values.ldap.host | quote }}
-    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.nextcloud | quote }}
+    password: {{ .Values.secrets.nubus.ldapSearch.nextcloud | quote }}
     adminGroupName: "managed-by-attribute-FileshareAdmin"
   objectstore:
     auth:
@@ -70,14 +73,31 @@ configuration:
       value: "opendesk_username"
     password:
       value: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  sharing:
+    allowLinks: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowMailNotification: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    allowPublicUpload: {{ .Values.functional.filestore.sharing.enableExternalSharing }}
+    enforceLinksPassword: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
+    enforcePasswordProtection: {{ .Values.functional.filestore.sharing.enforceSharingPasswords }}
   smtp:
     auth:
+      enabled: false
       username:
-        value: {{ .Values.smtp.username | quote }}
+        value: ""
       password:
-        value: {{ .Values.smtp.password | quote }}
-    host: {{ .Values.smtp.host | quote }}
-    port: {{ .Values.smtp.port | quote }}
+        value: ""
+    host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    port: 25
+    fromAddress: {{ .Values.smtp.localpartNoReply | quote }}
+    mailDomain: "{{ .Values.global.domain }}"
+    security: ""
+    skipVerifyPeer: true
+  quota:
+    default: "{{ .Values.functional.filestore.quota.default }} GB"
+    retentionObligation:
+      trashbin: {{ .Values.functional.filestore.nextcloud.retentionObligation.trashbin | quote }}
+      versions: {{ .Values.functional.filestore.nextcloud.retentionObligation.versions | quote }}
+
   serverinfo:
     token: {{ .Values.secrets.nextcloud.metricsToken | quote }}
 
@@ -98,11 +118,11 @@ containerSecurityContext:
     {{ .Values.seLinuxOptions.nextcloudManagement | toYaml | nindent 4 }}
 
 debug:
-  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+  loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudManagement.registry | quote }}
-  repository: "{{ .Values.images.nextcloudManagement.repository }}"
+  repository: {{ .Values.images.nextcloudManagement.repository | quote }}
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
   tag: {{ .Values.images.nextcloudManagement.tag | quote }}
 

helmfile/apps/nextcloud/values-nextcloud.yaml.gotmpl

@@ -34,13 +34,13 @@ exporter:
     tag: {{ .Values.images.nextcloudExporter.tag | quote }}
   prometheus:
     serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
       labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudExporter }}
   resources:
     {{ .Values.resources.nextcloudExporter | toYaml | nindent 4 }}
@@ -66,6 +66,7 @@ php:
           value: "nextcloud_user"
         password:
           value: {{ .Values.databases.nextcloud.password | default .Values.secrets.mariadb.nextcloudUser | quote }}
+    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -84,7 +85,7 @@ php:
   cron:
     successfulJobsHistoryLimit: {{ if .Values.debug.enabled }}"3"{{ else }}"0"{{ end }}
   debug:
-    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"1"{{ end }}
+    loglevel: {{ if .Values.debug.enabled }}"0"{{ else }}"2"{{ end }}
   image:
     registry: {{ .Values.global.imageRegistry | default .Values.images.nextcloudPHP.registry | quote }}
     repository: "{{ .Values.images.nextcloudPHP.repository }}"
@@ -92,13 +93,13 @@ php:
     tag: {{ .Values.images.nextcloudPHP.tag | quote }}
   prometheus:
     serviceMonitor:
-      enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
       labels:
-        {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 8 }}
     prometheusRule:
-      enabled: {{ .Values.prometheus.prometheusRules.enabled }}
+      enabled: {{ .Values.monitoring.prometheus.prometheusRules.enabled }}
       additionalLabels:
-        {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
+        {{ .Values.monitoring.prometheus.prometheusRules.labels | toYaml | nindent 8 }}
   replicaCount: {{ .Values.replicas.nextcloudPHP }}
   resources:
     {{ .Values.resources.nextcloudPHP | toYaml | nindent 4 }}
@@ -107,6 +108,7 @@ apache2:
   configuration:
     php:
       host: "opendesk-nextcloud-php.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}"
+    trustedProxies: {{ join " " .Values.cluster.networking.cidr | quote }}
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -143,4 +145,5 @@ apache2:
   replicaCount: {{ .Values.replicas.nextcloudApache2 }}
   resources:
     {{ .Values.resources.nextcloudApache2 | toYaml | nindent 4 }}
+
 ...

helmfile/apps/nubus/helmfile-child.yaml

@@ -3,15 +3,15 @@
 ---
 repositories:
   # Univention Management Stack Umbrella Chart
-  - name: "ums"
+  - name: "nubus"
     keyring: "../../files/gpg-pubkeys/univention-de.gpg"
-    verify: {{ .Values.charts.ums.verify }}
+    verify: {{ .Values.charts.nubus.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true
     url:
-      "{{ .Values.global.helmRegistry | default .Values.charts.ums.registry }}/\
-      {{ .Values.charts.ums.repository }}"
+      "{{ .Values.global.helmRegistry | default .Values.charts.nubus.registry }}/\
+      {{ .Values.charts.nubus.repository }}"
   # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap-repo"
     keyring: "../../files/gpg-pubkeys/opencode.gpg"
@@ -25,11 +25,13 @@ repositories:
 releases:
   # Univention Management Stack Umbrella Chart
   - name: "ums"
-    chart: "ums/{{ .Values.charts.ums.name }}"
-    version: "{{ .Values.charts.ums.version }}"
+    chart: "nubus/{{ .Values.charts.nubus.name }}"
+    version: "{{ .Values.charts.nubus.version }}"
     values:
-      - "values-umbrella.yaml.gotmpl"
-    installed: {{ .Values.univentionManagementStack.enabled }}
+      - "values-nubus.yaml.gotmpl"
+      - "values-opendesk-customization.yaml.gotmpl"
+      - "values-opendesk-images.yaml.gotmpl"
+    installed: {{ .Values.nubus.enabled }}
     timeout: 900
   # OpenDesk Keycloak Bootstrap Chart
   - name: "opendesk-keycloak-bootstrap"
@@ -39,10 +41,10 @@ releases:
       - "values-opendesk-keycloak-bootstrap.yaml.gotmpl"
     needs:
       - "ums"
-    installed: {{ .Values.univentionManagementStack.enabled }}
+    installed: {{ .Values.nubus.enabled }}
     timeout: 900
 
 commonLabels:
   deploy-stage: "component-1"
-  component: "univention-management-stack"
+  component: "nubus"
 ...

helmfile/apps/nubus/values-nubus.yaml.gotmpl

@@ -0,0 +1,382 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+global:
+  nubusDeployment: true
+  ldap:
+    baseDn: {{ .Values.ldap.baseDn | quote }}
+    domainName: {{ .Values.global.domain | quote }}
+  domain: {{ .Values.global.domain | quote }}
+  ingressClass: {{ .Values.ingress.ingressClassName | default "nginx" | quote }}
+  certManagerIssuer: {{ .Values.certificate.issuerRef.name | quote }}
+  nubusMasterPassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
+  keycloak:
+    realm: {{ .Values.platform.realm | quote }}
+  objectStorage:
+    bucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    connection:
+      host: "minio"
+      port: "9000"
+      protocol: "http"
+  credentialOverride:
+    ldapServer:
+      adminPassword: {{ .Values.secrets.nubus.ldapSecret | quote}}
+    defaultUsers:
+      defaultAdminPassword: {{ .Values.secrets.nubus.defaultAccounts.adminPassword | quote}}
+      defaultUserPassword: {{ .Values.secrets.nubus.defaultAccounts.userPassword | quote}}
+
+  # -- Extensions to load. Add entries to load additional extensions into Nubus.
+  extensions:
+    - name: "ox"
+      image:
+        registry: {{ .Values.images.nubusOxExtension.registry }}
+        repository: {{ .Values.images.nubusOxExtension.repository }}
+        tag: {{ .Values.images.nubusOxExtension.tag }}
+        imagePullPolicy: "IfNotPresent"
+    # TODO: The image configuration has to come from the "images.yaml" file
+    - name: "opendesk"
+      image:
+        registry: "registry.opencode.de"
+        repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
+        imagePullPolicy: "IfNotPresent"
+        tag: "1.2.0@sha256:88be278c7e3da0eeeef08510319c4997b8a62ecdb5e13491f8c4ca8d5640a258"
+
+  # -- Allows to configure the system extensions to load. This is intended for
+  # internal usage, prefer to use `global.extensions` for user configured
+  # extensions.
+  systemExtensions:
+    - name: "portal"
+      image:
+        registry: {{ .Values.images.nubusPortalExtension.registry }}
+        repository: {{ .Values.images.nubusPortalExtension.repository }}
+        tag: {{ .Values.images.nubusPortalExtension.tag }}
+        imagePullPolicy: "IfNotPresent"
+
+ingress:
+  certManager:
+    enabled: false
+  tls:
+    secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+# Nubus bundled services
+postgresql:
+  enabled: false
+  provisioning:
+    enabled: false
+
+minio:
+  enabled: false
+
+# Nubus services which use customer supplied services
+keycloak:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  postgresql:
+    connection:
+      host: {{ .Values.databases.keycloak.host | quote }}
+      port: {{ .Values.databases.keycloak.port | quote }}
+    auth:
+      username: {{ .Values.databases.keycloak.username | quote }}
+      database: {{ .Values.databases.keycloak.name | quote }}
+      credentialSecret:
+        name: "ums-keycloak-postgresql-opendesk-credentials"
+        key: "keycloakDatabasePassword"
+  config:
+    exposeAdminConsole: {{ .Values.debug.enabled }}
+
+nubusGuardian:
+  provisioning:
+    enabled: false
+    config:
+      keycloak:
+        credentialSecret:
+          name: "ums-opendesk-keycloak-credentials"
+          key: "admin_password"
+      managementApi:
+        credentialSecret:
+          name: "ums-opendesk-guardian-client-secret"
+          key: "managementApiClientSecret"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+  postgresql:
+    connection:
+      host: {{ .Values.databases.umsGuardianManagementApi.host | quote }}
+      port: {{ .Values.databases.umsGuardianManagementApi.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+      database: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+      credentialSecret:
+        name: "ums-guardian-postgresql-opendesk-credentials"
+        key: "guardianDatabasePassword"
+
+nubusNotificationsApi:
+  postgresql:
+    connection:
+      host: {{ .Values.databases.umsNotificationsApi.host | quote }}
+      port: {{ .Values.databases.umsNotificationsApi.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsNotificationsApi.username | quote }}
+      database: {{ .Values.databases.umsNotificationsApi.name | quote }}
+      existingSecret: "ums-notifications-api-postgresql-opendesk-credentials"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+
+nubusKeycloakExtensions:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  proxy:
+    ingress:
+      paths:
+        {{- if .Values.debug.enabled }}
+        - pathType: "Prefix"
+          path: "/admin/"
+        {{- end }}
+        - pathType: "Prefix"
+          path: "/realms/"
+        - pathType: "Prefix"
+          path: "/js/"
+        - pathType: "Prefix"
+          path: "/resources/"
+        - pathType: "Prefix"
+          path: "/fingerprintjs"
+      certManager:
+        enabled: false
+      tls:
+        secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+
+  postgresql:
+    connection:
+      host: {{ .Values.databases.keycloakExtension.host | quote }}
+      port: {{ .Values.databases.keycloakExtension.port | quote }}
+    auth:
+      database: {{ .Values.databases.keycloakExtension.name | quote }}
+      username: {{ .Values.databases.keycloakExtension.username | quote }}
+      credentialSecret:
+        name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+        key: "umcKeycloakExtensionsDatabasePassword"
+  smtp:
+    connection:
+      host: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+      port: 25
+      ssl: false
+      starttls: false
+    auth:
+      enabled: false
+      username: ""
+      credentialSecret:
+        name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+        key: "umcKeycloakExtensionsSmtpPassword"
+  handler:
+    appConfig:
+      logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
+      newDeviceLoginSubject: "New device login on your {{ .Values.theme.texts.productName }} account"
+      mailFrom: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+
+nubusPortalFrontend:
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+nubusPortalListener:
+  portalListener:
+    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-listener-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
+
+nubusPortalServer:
+  portalServer:
+    objectStorageEndpoint: {{ .Values.objectstores.nubus.endpoint | default (printf "https://%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
+    objectStorageBucket: {{ .Values.objectstores.nubus.bucket | quote }}
+    objectStorageCredentialSecret:
+      name: "ums-portal-server-minio-opendesk-credentials"
+      accessKeyKey: "access-key-id"
+      secretKeyKey: "secret-key-id"
+    centralNavigation:
+      enabled: true
+      authenticatorSecretName: "ums-opendesk-portal-server-central-navigation"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+nubusUdmRestApi:
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+# NOTE: disabled until the next update.
+nubusProvisioning:
+  enabled: false
+nubusUdmListener:
+  enabled: false
+nubusSelfServiceListener:
+  enabled: true
+  selfserviceListener:
+    umcAdminUser: "default.admin"
+
+# Nubus services
+nubusStackDataUms:
+  stackDataContext:
+    umcPostgresqlHostname: {{ .Values.databases.umsSelfservice.host | quote }}
+    umcPostgresqlUsername: {{ .Values.databases.umsSelfservice.username | quote }}
+    umcMemcachedHostname: {{ .Values.cache.umsSelfservice.host | quote }}
+    umcMemcachedUsername: ""
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    umcHtmlTitle: "openDesk Portal"
+    installUmcPolicies: true
+  nubusUmcServer:
+    memcached:
+      auth:
+        username: ""
+
+# TODO: Remove values when upstreaming fixes
+nubusStackDataSwp:
+  stackDataSwp:
+    {{- if .Values.functional.admin.portal.deploymentInformation.enabled }}
+    systemInformation:
+      deployDate: "Deployed: {{ now | date "2006-01-02T15:04:05-0700" }}"
+      releaseVersion: "Release: {{ .Values.global.systemInformation.releaseVersion }}"
+    {{- end }}
+  stackDataContext:
+    ldapSearchUsers:
+      {{- range $username, $password := .Values.secrets.nubus.ldapSearch }}
+      - username: {{ printf "ldapsearch_%s" $username | quote }}
+        password: {{ $password | quote }}
+        lastname: "LDAP-Search-User"
+      {{- end }}
+    externalMailDomain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+    smtpHost: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+    smtpPort: 25
+    smtpUser: ""
+    smtpStartTls: false
+    ldapBase: {{ .Values.ldap.baseDn }}
+    # FIXME: Should be templated correctly in the future
+    portalRealtimeCollaborationLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.element .Values.global.domain }}
+    portalRealtimeVideoconferenceLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.jitsi .Values.global.domain }}
+    portalManagementProjectLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openproject .Values.global.domain }}
+    portalManagementKnowledgeLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.xwiki .Values.global.domain }}
+    portalGroupwareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.openxchange .Values.global.domain }}
+    portalFileshareLinkBase: {{ printf "https://%s.%s" .Values.global.hosts.nextcloud .Values.global.domain }}
+    portalTitleDE: "openDesk Portal"
+    portalTitleEN: "openDesk Portal"
+    oxDefaultContext: "1"
+
+nubusUmcServer:
+  postgresql:
+    bundled: false
+    connection:
+      host: {{ .Values.databases.umsSelfservice.host | quote }}
+      port: {{ .Values.databases.umsSelfservice.port | quote }}
+    auth:
+      username: {{ .Values.databases.umsSelfservice.username | quote }}
+      database: {{ .Values.databases.umsSelfservice.name | quote }}
+      credentialSecret:
+        name: "ums-umc-server-postgresql-opendesk-credentials"
+        key: "umcServerDatabasePassword"
+  memcached:
+    bundled: false
+    server: {{ .Values.cache.umsSelfservice.host | quote }}
+    auth:
+      credentialSecret:
+        name: "ums-umc-server-memcached-opendesk-credentials"
+        key: "umcServerMemcachedPassword"
+  smtp:
+    credentialSecret:
+      name: "ums-umc-server-smtp-credentials-custom"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+nubusUmcGateway:
+  umcGateway:
+    umcHtmlTitle: "openDesk Portal"
+  ingress:
+    certManager:
+      enabled: false
+    tls:
+      secretName: {{ .Values.ingress.tls.secretName | quote }}
+
+nubusKeycloakBootstrap:
+  keycloak:
+    auth:
+      username: "kcadmin"
+      credentialSecret:
+        name: "ums-opendesk-keycloak-credentials"
+        key: "admin_password"
+  bootstrap:
+    ldapMappers:
+      - ldapAndUserModelAttributeName: "opendeskProjectmanagementAdmin"
+      - ldapAndUserModelAttributeName: "oxContextIDNum"
+    twoFactorAuthentication:
+      enabled: true
+      group: "2fa-users"
+
+# Credential secrets for accessing customer supplied services
+extraSecrets:
+  - name: "ums-opendesk-portal-server-central-navigation"
+    stringData:
+      authenticator.secret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+  - name: "ums-opendesk-guardian-client-secret"
+    stringData:
+      managementApiClientSecret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
+  - name: "ums-opendesk-keycloak-credentials"
+    stringData:
+      admin_password: {{ .Values.secrets.keycloak.adminPassword | quote }}
+  - name: "ums-keycloak-postgresql-opendesk-credentials"
+    stringData:
+      keycloakDatabasePassword: {{ .Values.databases.keycloak.password | default .Values.secrets.postgresql.keycloakUser | quote }}
+  - name: "ums-guardian-postgresql-opendesk-credentials"
+    stringData:
+      guardianDatabasePassword: {{ .Values.databases.umsGuardianManagementApi.password | default .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
+  - name: "ums-notifications-api-postgresql-opendesk-credentials"
+    stringData:
+      password: {{ .Values.databases.umsNotificationsApi.password | default .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
+  - name: "ums-umc-server-postgresql-opendesk-credentials"
+    stringData:
+      umcServerDatabasePassword: {{ .Values.databases.umsSelfservice.password | default .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+  - name: "ums-umc-server-memcached-opendesk-credentials"
+    stringData:
+      umcServerMemcachedPassword: ""
+  - name: "ums-keycloak-extensions-postgresql-opendesk-credentials"
+    stringData:
+      umcKeycloakExtensionsDatabasePassword: {{ .Values.databases.keycloakExtension.password | default .Values.secrets.postgresql.keycloakExtensionUser | quote }}
+  - name: "ums-keycloak-extensions-smtp-opendesk-credentials"
+    stringData:
+      umcKeycloakExtensionsSmtpPassword: ""
+  - name: "ums-portal-server-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-portal-listener-minio-opendesk-credentials"
+    stringData:
+      access-key-id: {{ .Values.objectstores.nubus.username | quote }}
+      secret-key-id: {{ .Values.objectstores.nubus.secretKey | default .Values.secrets.minio.umsUser | quote }}
+  - name: "ums-umc-server-smtp-credentials-custom"
+    stringData:
+      password: ""

helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl

@@ -0,0 +1,220 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+keycloak:
+  enabled: true
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-keycloak"
+  replicaCount: {{ .Values.replicas.keycloak }}
+  resources:
+    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
+
+guardian:
+  authorizationApi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-authorization-api"
+    resources:
+      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
+  managementApi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-api"
+    resources:
+      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
+  managementUi:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-guardian-management-ui"
+    resources:
+      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}#
+  openPolicyAgent:
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
+    resources:
+      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
+  provisioning:
+    # Using openDesk keycloak provisioning
+    enabled: false
+
+nubusNotificationsApi:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-notifications-api"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
+  resources:
+    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
+
+nubusUmcServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-umc-server"
+  replicaCount: {{ .Values.replicas.umsUmcServer }}
+  resources:
+    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
+  selfService:
+    passwordresetEmailBody: |
+        Sehr geehrte Benutzerin, sehr geehrter Benutzer,
+
+        Ihr Benutzername für {domainname} lautet: {username}
+
+        Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
+
+        Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
+        https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
+
+        Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
+        https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
+
+        Mit freundlichen Grüßen
+        Ihr {domainname} Passwort-Service
+
+nubusKeycloakExtensions:
+  handler:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
+    resources:
+      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
+  proxy:
+    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
+    podAnnotations:
+      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
+    resources:
+      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
+
+nubusPortalListener:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-portal-listener"
+  replicaCount: {{ .Values.replicas.umsPortalListener }}
+  resources:
+    {{ .Values.resources.umsPortalListener | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.portalListener | quote }}
+
+nubusPortalServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-portal-server"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsPortalServer }}
+  resources:
+    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
+
+nubusLdapNotifier:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-ldap-notifier"
+  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
+  resources:
+    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
+
+nubusLdapServer:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-ldap-server"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
+  persistence:
+    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
+    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
+
+nubusPortalFrontend:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-portal-frontend"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
+  resources:
+    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
+  portalFrontend:
+    branding:
+      css: {{ .Values.theme.imagery.portalCss | toJson }}
+      favicon: {{ .Values.theme.imagery.faviconIcoB64 | toJson }}
+      logo: {{ .Values.theme.imagery.logoHeaderSvgB64 | toJson }}
+      backgroundImage: {{ .Values.theme.imagery.logoPortalBackgroundSvgB64 | toJson }}
+
+nubusStackDataUms:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-ums"
+  resources:
+    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
+
+nubusStackDataSwp:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-stack-data-swp"
+  resources:
+    {{ .Values.resources.umsStackDataSwp | toYaml | nindent 4 }}
+
+nubusSelfServiceListener:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-selfservice-listener"
+  resources:
+    {{ .Values.resources.umsSelfserviceListener | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsSelfserviceListener }}
+
+nubusUdmRestApi:
+  additionalAnnotations:
+    intents.otterize.com/service-name: "ums-udm-rest-api"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  resources:
+    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
+  initResources:
+    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
+  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
+
+nubusUmcGateway:
+  replicaCount: {{ .Values.replicas.umsUmcGateway }}
+  resources:
+    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
+
+nubusKeycloakBootstrap:
+  podAnnotations:
+    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  resources:
+    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
+
+nubusProvisioning:
+  serviceAccount:
+    annotations:
+      intended.usage: "compliance"
+  nats:
+    resources:
+      {{ .Values.resources.nubusProvisioning.nats | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-nats"
+    serviceAccount:
+      annotations:
+        intended.usage: "compliance"
+  api:
+    resources:
+      {{ .Values.resources.nubusProvisioning.api | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-api"
+  dispatcher:
+    resources:
+      {{ .Values.resources.nubusProvisioning.dispatcher | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
+  prefill:
+    resources:
+      {{ .Values.resources.nubusProvisioning.prefill | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-prefill"
+  registerConsumers:
+    resources:
+      {{ .Values.resources.nubusProvisioning.registerConsumers | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
+  udmTransformer:
+    resources:
+      {{ .Values.resources.nubusProvisioning.udmTransformer | toYaml | nindent 6 }}
+    additionalAnnotations:
+      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"

helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl

@@ -0,0 +1,241 @@
+# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+keycloak:
+  image:
+    registry: {{ .Values.images.nubusKeycloak.registry }}
+    repository: {{ .Values.images.nubusKeycloak.repository }}
+    tag: {{ .Values.images.nubusKeycloak.tag }}
+
+nubusKeycloakBootstrap:
+  image:
+    registry: {{ .Values.images.nubusKeycloakBootstrap.registry }}
+    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
+    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
+
+nubusKeycloakExtensions:
+    handler:
+      image:
+        registry: {{ .Values.images.nubusKeycloakExtensionHandler.registry }}
+        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
+        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
+
+    proxy:
+      image:
+        registry: {{ .Values.images.nubusKeycloakExtensionProxy.registry }}
+        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
+        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
+
+nubusLdapNotifier:
+  image:
+    registry: {{ .Values.images.nubusLdapNotifier.registry }}
+    repository: {{ .Values.images.nubusLdapNotifier.repository }}
+    tag: {{ .Values.images.nubusLdapNotifier.tag }}
+
+nubusLdapServer:
+  ldapServer:
+    image:
+      registry: {{ .Values.images.nubusLdapServer.registry }}
+      repository: {{ .Values.images.nubusLdapServer.repository }}
+      tag: {{ .Values.images.nubusLdapServer.tag }}
+  dhInitcontainer:
+    image:
+      registry: {{ .Values.images.nubusLdapServerDhInitContainer.registry }}
+      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
+      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
+  waitForDependency:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+
+nubusPortalConsumer:
+  portalConsumer:
+    image:
+      registry: {{ .Values.images.nubusPortalConsumer.registry }}
+      repository: {{ .Values.images.nubusPortalConsumer.repository }}
+      tag: {{ .Values.images.nubusPortalConsumer.tag }}
+
+
+nubusNotificationsApi:
+  image:
+    registry: {{ .Values.images.nubusNotificationsApi.registry }}
+    repository: {{ .Values.images.nubusNotificationsApi.repository }}
+    tag: {{ .Values.images.nubusNotificationsApi.tag }}
+
+nubusPortalFrontend:
+  image:
+    registry: {{ .Values.images.nubusPortalFrontend.registry }}
+    repository: {{ .Values.images.nubusPortalFrontend.repository }}
+    tag: {{ .Values.images.nubusPortalFrontend.tag }}
+
+nubusPortalListener:
+  image:
+    registry: {{ .Values.images.nubusPortalListener.registry }}
+    repository: {{ .Values.images.nubusPortalListener.repository }}
+    tag: {{ .Values.images.nubusPortalListener.tag }}
+  waitForDependency:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+nubusPortalServer:
+  image:
+    registry: {{ .Values.images.nubusPortalServer.registry }}
+    repository: {{ .Values.images.nubusPortalServer.repository }}
+    tag: {{ .Values.images.nubusPortalServer.tag }}
+
+nubusProvisioning:
+  api:
+    image:
+      registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
+      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
+      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
+  dispatcher:
+    image:
+      registry: {{ .Values.images.nubusProvisioningDispatcher.registry }}
+      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
+      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
+  udmTransformer:
+    image:
+      registry: {{ .Values.images.nubusProvisioningUdmTransformer.registry }}
+      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
+      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
+  prefill:
+    image:
+      registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
+      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
+      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
+  registerConsumers:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+  nats:
+    nats:
+        image:
+            registry: {{ .Values.images.nubusNats.registry }}
+            repository: {{ .Values.images.nubusNats.repository }}
+            tag: {{ .Values.images.nubusNats.tag }}
+    reloader:
+        image:
+            registry: {{ .Values.images.nubusNatsReloader.registry }}
+            repository: {{ .Values.images.nubusNatsReloader.repository }}
+            tag: {{ .Values.images.nubusNatsReloader.tag }}
+    natsBox:
+        image:
+            registry: {{ .Values.images.nubusNatsBox.registry }}
+            repository: {{ .Values.images.nubusNatsBox.repository }}
+            tag: {{ .Values.images.nubusNatsBox.tag }}
+
+nubusProvisioningEventsAndConsumerApi:
+  image:
+    registry: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.registry }}
+    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
+    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
+
+nubusProvisioningPrefill:
+  image:
+    registry: {{ .Values.images.nubusProvisioningPrefill.registry }}
+    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
+    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
+
+nubusUdmListener:
+  image:
+    registry: {{ .Values.images.nubusProvisioningUdmListener.registry }}
+    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
+    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
+
+nubusSelfServiceListener:
+  selfserviceListener:
+    image:
+      registry: {{ .Values.images.nubusSelfserviceListener.registry }}
+      repository: {{ .Values.images.nubusSelfserviceListener.repository }}
+      tag: {{ .Values.images.nubusSelfserviceListener.tag }}
+  selfserviceInvitation:
+    image:
+      registry: {{ .Values.images.nubusSelfserviceInvitation.registry }}
+      repository: {{ .Values.images.nubusSelfserviceInvitation.repository }}
+      tag: {{ .Values.images.nubusSelfserviceInvitation.tag }}
+  waitForDependency:
+    image:
+      registry: {{ .Values.images.nubusWaitForDependency.registry }}
+      repository: {{ .Values.images.nubusWaitForDependency.repository }}
+      tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+nubusUdmRestApi:
+  # oxPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiOxPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiOxPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiOxPlugin.tag }}
+  # portalPlugin:
+  #   image:
+  #     registry: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.registry }}
+  #     repository: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.repository }}
+  #     tag: \{\{ .Values.images.nubusUdmRestApiPortalPlugin.tag }}
+  udmRestApi:
+    image:
+      registry: {{ .Values.images.nubusUdmRestApi.registry }}
+      repository: {{ .Values.images.nubusUdmRestApi.repository }}
+      tag: {{ .Values.images.nubusUdmRestApi.tag }}
+
+nubusUmcGateway:
+  image:
+    registry: {{ .Values.images.nubusUmcGateway.registry }}
+    repository: {{ .Values.images.nubusUmcGateway.repository }}
+    tag: {{ .Values.images.nubusUmcGateway.tag }}
+
+nubusUmcServer:
+  image:
+    registry: {{ .Values.images.nubusUmcServer.registry }}
+    repository: {{ .Values.images.nubusUmcServer.repository }}
+    tag: {{ .Values.images.nubusUmcServer.tag }}
+
+nubusWaitForDependency:
+  image:
+    registry: {{ .Values.images.nubusWaitForDependency.registry }}
+    repository: {{ .Values.images.nubusWaitForDependency.repository }}
+    tag: {{ .Values.images.nubusWaitForDependency.tag }}
+
+
+nubusGuardian:
+  provisioning:
+    image:
+      registry: {{ .Values.images.nubusGuardianProvisioning.registry }}
+      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
+      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
+  authorizationApi:
+    image:
+      registry: {{ .Values.images.nubusGuardianAuthorizationApi.registry }}
+      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
+      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
+  managementApi:
+    image:
+      registry: {{ .Values.images.nubusGuardianManagementApi.registry }}
+      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
+  managementUi:
+    image:
+      registry: {{ .Values.images.nubusGuardianManagementUi.registry }}
+      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
+      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
+  openPolicyAgent:
+    image:
+      registry: {{ .Values.images.nubusOpenPolicyAgent.registry }}
+      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
+      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
+
+nubusStackDataUms:
+  image:
+    registry: {{ .Values.images.nubusDataLoader.registry }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}
+
+nubusStackDataSwp:
+  image:
+    registry: {{ .Values.images.nubusDataLoader.registry }}
+    repository: {{ .Values.images.nubusDataLoader.repository }}
+    tag: {{ .Values.images.nubusDataLoader.tag }}

helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl

@@ -17,10 +17,19 @@ image:
   imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
+  custom:
+    clientScopes:
+      {{ .Values.functional.authentication.oidc.clientScopes | toYaml | nindent 6 }}
+    clients:
+      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
+  managed:
+    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
+    # 'guardian-management-api', 'guardian-scripts', 'guardian-ui' clients have been added explicitly for the moment (see further down this file)
+    clients: [ 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
   keycloak:
     adminUser: "kcadmin"
     adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -29,14 +38,19 @@ config:
       enabled: true
       internalBaseUrl: "http://ums-keycloak.{{ .Release.Namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
   twoFactorSettings:
-    additionalGroups: {{ .Values.authentication.twoFactor.groups }}
-  custom:
+    additionalGroups: {{ .Values.functional.authentication.twoFactor.groups }}
+  opendesk:
+    # We use client specific scopes as we bind them to Keycloak role membership which itself is linked
+    # to LDAP group membership to ensure a user cannot access an application without the required
+    # group membership.
+    # ToDo: Ensure all applications verify the token's signature to ensure it is not tampered.
     clientScopes:
       - name: "read_contacts"
         protocol: "openid-connect"
       - name: "write_contacts"
         protocol: "openid-connect"
-      - name: "opendesk"
+      - name: "opendesk-openproject-scope"
+        description: "Scope for the claims required by openDesk's OpenProject instance."
         protocol: "openid-connect"
         protocolMappers:
           - name: "opendesk_useruuid"
@@ -61,6 +75,306 @@ config:
               access.token.claim: true
               claim.name: "opendesk_username"
               jsonType.label: "String"
+          - name: "opendeskProjectmanagementAdmin"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "opendeskProjectmanagementAdmin"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "openproject_admin"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "given name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "firstName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "given_name"
+              jsonType.label: "String"
+          - name: "family name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "lastName"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "family_name"
+              jsonType.label: "String"
+      - name: "opendesk-jitsi-scope"
+        description: "Scope for the claims required by openDesk's Jitsi instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-nextcloud-scope"
+        description: "Scope for the claims required by openDesk's Nextcloud instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+      - name: "opendesk-matrix-scope"
+        description: "Scope for the claims required by openDesk's Matrix instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-xwiki-scope"
+        description: "Scope for the claims required by openDesk's XWiki instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+          - name: "full name"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-full-name-mapper"
+            consentRequired: false
+            config:
+              id.token.claim: true
+              introspection.token.claim: true
+              access.token.claim: true
+              userinfo.token.claim: true
+          - name: "email"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              introspection.token.claim: true
+              userinfo.token.claim: true
+              user.attribute: "email"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "email"
+              jsonType.label: "String"
+      - name: "opendesk-dovecot-scope"
+        description: "Scope for the claims required by openDesk's Dovecot instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+      - name: "opendesk-oxappsuite-scope"
+        description: "Scope for the claims required by openDesk's OX Appuite instance."
+        protocol: "openid-connect"
+        protocolMappers:
+          - name: "context"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "oxContextIDNum"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "context"
+              jsonType.label: "String"
+          - name: "opendesk_useruuid"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_useruuid"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
     clients:
       - name: "opendesk-dovecot"
         clientId: "opendesk-dovecot"
@@ -74,7 +388,7 @@ config:
         attributes:
           backchannel.logout.session.required: false
         defaultClientScopes:
-          - "opendesk"
+          - "opendesk-dovecot-scope"
       - name: "opendesk-intercom"
         clientId: "opendesk-intercom"
         protocol: "openid-connect"
@@ -128,7 +442,6 @@ config:
               claim.name: "phoenixusername"
               jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
           - "offline_access"
       - name: "opendesk-jitsi"
         clientId: "opendesk-jitsi"
@@ -142,8 +455,7 @@ config:
         fullScopeAllowed: true
         authorizationServicesEnabled: false
         defaultClientScopes:
-          - "opendesk"
-          - "profile"
+          - "opendesk-jitsi-scope"
       - name: "opendesk-matrix"
         clientId: "opendesk-matrix"
         protocol: "openid-connect"
@@ -152,7 +464,7 @@ config:
         redirectUris:
           - "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*"
           - "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         standardFlowEnabled: true
         directAccessGrantsEnabled: true
         serviceAccountsEnabled: true
@@ -163,14 +475,11 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/_synapse/client/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-        optionalClientScopes:
-          - "email"
-          - "profile"
-        # This is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID. Unless that
-        # is solved and also is able to use "opendesk-matrix" we keep that dummy client that
+          - "opendesk-matrix-scope"
+      # The following is a temporary OIDC client for matrix, as the OIDC logout still uses "matrix" as client ID.
+      # Unless that is solved and also is able to use "opendesk-matrix" we keep that dummy client that
       - name: "matrix"
         clientId: "matrix"
         protocol: "openid-connect"
@@ -182,7 +491,9 @@ config:
         publicClient: false
         authorizationServicesEnabled: false
         attributes:
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.element }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.synapse }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
+        defaultClientScopes: []
+        optionalClientScopes: []
       - name: "opendesk-nextcloud"
         clientId: "opendesk-nextcloud"
         protocol: "openid-connect"
@@ -190,7 +501,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.ncoidc | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -198,22 +509,9 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/index.php/apps/user_oidc/backchannel-logout/opendesk"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-          - "email"
+          - "opendesk-nextcloud-scope"
           - "read_contacts"
           - "write_contacts"
       - name: "opendesk-openproject"
@@ -223,7 +521,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -232,23 +530,9 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/auth/keycloak/backchannel-logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "opendeskProjectmanagementAdmin"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "opendeskProjectmanagementAdmin"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "openproject_admin"
-              jsonType.label: "String"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-          - "email"
-          - "profile"
+          - "opendesk-openproject-scope"
       - name: "opendesk-oxappsuite"
         clientId: "opendesk-oxappsuite"
         protocol: "openid-connect"
@@ -256,7 +540,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -264,21 +548,9 @@ config:
         attributes:
           backchannel.logout.session.required: true
           backchannel.logout.url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/ajax/oidc/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
-        protocolMappers:
-          - name: "context"
-            protocol: "openid-connect"
-            protocolMapper: "oidc-usermodel-attribute-mapper"
-            consentRequired: false
-            config:
-              userinfo.token.claim: true
-              user.attribute: "oxContextIDNum"
-              id.token.claim: true
-              access.token.claim: true
-              claim.name: "context"
-              jsonType.label: "String"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
+          - "opendesk-oxappsuite-scope"
           - "read_contacts"
           - "write_contacts"
       - name: "opendesk-xwiki"
@@ -288,7 +560,7 @@ config:
         secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
         redirectUris:
           - "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         consentRequired: false
         frontchannelLogout: false
         publicClient: false
@@ -296,22 +568,19 @@ config:
         attributes:
           backchannel.logout.session.required: false
           backchannel.logout.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/oidc/authenticator/backchannel_logout"
-          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/*"
+          post.logout.redirect.uris: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/*##https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/*"
         defaultClientScopes:
-          - "opendesk"
-          - "address"
-          - "email"
-          - "profile"
+          - "opendesk-xwiki-scope"
       - name: "guardian-management-api"
         clientId: "guardian-management-api"
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
         protocol: "openid-connect"
         publicClient: false
         clientAuthenticatorType: "client-secret"
         secret: {{ .Values.secrets.keycloak.clientSecret.guardian | quote }}
         redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
         fullScopeAllowed: true
         standardFlowEnabled: true
         implicitFlowEnabled: false
@@ -416,19 +685,19 @@ config:
       - name: "guardian-scripts"
         clientId: "guardian-scripts"
         description: ""
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        adminUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        adminUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
         surrogateAuthRequired: false
         enabled: true
         alwaysDisplayInConsole: false
         clientAuthenticatorType: "client-secret"
         redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/guardian/*"
         webOrigins:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
         bearerOnly: false
         consentRequired: false
         standardFlowEnabled: true
@@ -505,7 +774,6 @@ config:
               claim.name: "dn"
               jsonType.label: "String"
         defaultClientScopes:
-          - "opendesk"
           - "web-origins"
           - "acr"
           - "roles"
@@ -518,11 +786,11 @@ config:
           - "microprofile-jwt"
       - name: "guardian-ui"
         clientId: "guardian-ui"
-        rootUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-        baseUrl: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+        rootUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+        baseUrl: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
         clientAuthenticatorType: "client-secret"
         redirectUris:
-          - "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/guardian/*"
+          - "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/guardian/*"
         standardFlowEnabled: true
         publicClient: true
         implicitFlowEnabled: false
@@ -594,7 +862,6 @@ config:
               access.token.claim: true
               userinfo.token.claim: false
 
-
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -15,7 +15,7 @@ imagePullSecrets:
 {{- end }}
 
 dovecot:
-  mailDomain: {{ .Values.global.domain | quote }}
+  mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   password: {{ .Values.secrets.dovecot.doveadm | quote }}
   ldap:
     enabled: true
@@ -23,7 +23,7 @@ dovecot:
     port: 389
     base: "dc=swp-ldap,dc=internal"
     dn: "uid=ldapsearch_dovecot,cn=users,dc=swp-ldap,dc=internal"
-    password: {{ .Values.secrets.univentionManagementStack.ldapSearch.dovecot | quote }}
+    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
     clientID: "opendesk-dovecot"
@@ -31,14 +31,12 @@ dovecot:
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"
-  loginTrustedNetworks: {{ .Values.cluster.networking.cidr | quote }}
+  loginTrustedNetworks: {{ join " " .Values.cluster.networking.cidr | quote }}
 
   submission:
     enabled: true
     ssl: "no"
-    host: "postfix:25"
-
-
+    host: "{{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain }}:25"
 
 certificate:
   secretName: {{ .Values.ingress.tls.secretName | quote }}

helmfile/apps/open-xchange/values-openxchange-bootstrap.yaml.gotmpl

@@ -4,8 +4,8 @@ SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  deletePodsOnSuccessTimeout: {{ .Values.cleanup.deletePodsOnSuccessTimeout }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeBootstrap.registry | quote }}

helmfile/apps/open-xchange/values-openxchange-enterprise-contact-picker.yaml.gotmpl

@@ -23,7 +23,7 @@ appsuite:
             type: "adminDN"
             adminDN:
               dn: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
-              password: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
+              password: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
 
     uiSettings:
       # Enterprise contact picker

helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl

@@ -185,7 +185,7 @@ appsuite:
       com.openexchange.oidc.opLogoutEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/logout"
       com.openexchange.oidc.opTokenEndpoint: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
       com.openexchange.oidc.rpRedirectURIAuth: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/auth"
-      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+      com.openexchange.oidc.rpRedirectURILogout: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
       com.openexchange.oidc.rpRedirectURIPostSSOLogout: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}/appsuite/api/oidc/logout"
       com.openexchange.oidc.ssoLogout: "true"
       com.openexchange.oidc.startDefaultBackend: "true"
@@ -241,6 +241,11 @@ appsuite:
       com.openexchange.file.storage.nextcloud.oauth.url: "http://opendesk-nextcloud-apache2/"
       com.openexchange.file.storage.nextcloud.oauth.webdav.username.strategy: "user"
       com.openexchange.nextcloud.filepicker.includeAccessToken: "false"
+      # Element integration
+      com.openexchange.conference.element.enabled: "true"
+      com.openexchange.conference.element.meetingHostUrl: http://matrix-neodatefix-bot
+      com.openexchange.conference.element.matrixLoginUrl: http://opendesk-synapse-web:8008/_matrix/client/v3/login
+      com.openexchange.conference.element.matrixUuidClaimName: opendesk_useruuid
       # GDPR
       com.openexchange.gdpr.dataexport.enabled: "false"
       com.openexchange.gdpr.dataexport.active: "false"
@@ -259,6 +264,7 @@ appsuite:
       com.openexchange.cookie.hash.salt: {{ .Values.secrets.oxAppsuite.cookieHashSalt | quote }}
       com.openexchange.sessiond.encryptionKey: {{ .Values.secrets.oxAppsuite.sessiondEncryptionKey | quote }}
       com.openexchange.share.cryptKey: {{ .Values.secrets.oxAppsuite.shareCryptKey | quote }}
+      com.openexchange.conference.element.authToken: {{ .Values.secrets.oxAppsuite.synapseAsToken | quote }}
     propertiesFiles:
       /opt/open-xchange/etc/AdminDaemon.properties:
         MASTER_ACCOUNT_OVERRIDE: "true"
@@ -269,7 +275,7 @@ appsuite:
       /opt/open-xchange/etc/ldapauth.properties:
         java.naming.provider.url: "ldap://{{ .Values.ldap.host }}:389/dc=swp-ldap,dc=internal"
         bindDN: "uid=ldapsearch_ox,cn=users,dc=swp-ldap,dc=internal"
-        bindDNPassword: {{ .Values.secrets.univentionManagementStack.ldapSearch.ox | quote }}
+        bindDNPassword: {{ .Values.secrets.nubus.ldapSearch.ox | quote }}
         bindOnly: "false"
       /opt/open-xchange/etc/antivirus.properties:
         com.openexchange.antivirus.enabled: "true"
@@ -311,7 +317,7 @@ appsuite:
       # io.ox/mail//contactCollectOnMailAccess: "true"
       # Dynamic theme
       io.ox/dynamic-theme//mainColor: {{ .Values.theme.colors.primary | quote }}
-      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
+      io.ox/dynamic-theme//logoURL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/icons/logos/domain.svg"
       io.ox/dynamic-theme//topbarBackground: {{ .Values.theme.colors.white | quote }}
       io.ox/dynamic-theme//topbarColor: {{ .Values.theme.colors.black | quote }}
       io.ox/dynamic-theme//listSelected: {{ .Values.theme.colors.primary15 | quote }}
@@ -326,12 +332,13 @@ appsuite:
       oxguardpass: |
         {{ .Values.secrets.oxAppsuite.oxguardMC }}
         {{ .Values.secrets.oxAppsuite.oxguardRC }}
-    redis:
+    redis: &redisConfiguration
       enabled: true
       mode: "standalone"
       hosts:
-        - "redis-master"
+        - "redis-master:6379"
       auth:
+        enabled: true
         password: {{ .Values.secrets.redis.password | quote }}
     image:
       registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeCoreMW.registry | quote }}
@@ -396,20 +403,12 @@ appsuite:
       tag: {{ .Values.images.openxchangeCoreUIMiddleware.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     overrides: {}
-    redis:
-      mode: "standalone"
-      hosts:
-        - "redis-master:6379"
-      auth:
-        enabled: true
-        password: {{ .Values.secrets.redis.password | quote }}
-        # Workaround for a bug in 8.23
-        ca: ""
+    redis: *redisConfiguration
     resources:
       {{ .Values.resources.openxchangeCoreUIMiddleware | toYaml | nindent 6 }}
     updater:
       resources:
-        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 6 }}
+        {{ .Values.resources.openxchangeCoreUIMiddlewareUpdater | toYaml | nindent 8 }}
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
@@ -441,6 +440,7 @@ appsuite:
       registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeDocumentConverter.registry | quote }}
       repository: {{ .Values.images.openxchangeDocumentConverter.repository | quote }}
       tag: {{ .Values.images.openxchangeDocumentConverter.tag | quote }}
+    redis: *redisConfiguration
     resources:
       {{- .Values.resources.openxchangeCoreDocumentConverter | toYaml | nindent 6 }}
     securityContext:
@@ -519,6 +519,7 @@ appsuite:
           endpoint: "."
           accessKey: "."
           secretKey: "."
+    redis: *redisConfiguration
     resources:
       {{- .Values.resources.openxchangeCoreImageConverter | toYaml | nindent 6 }}
     securityContext:
@@ -545,7 +546,8 @@ appsuite:
       - name: {{ . | quote }}
     {{- end }}
     image:
-      repository: "{{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry }}/{{ .Values.images.openxchangeGuardUI.repository }}"
+      registry: {{ .Values.global.imageRegistry | default .Values.images.openxchangeGuardUI.registry | quote }}
+      repository: {{ .Values.images.openxchangeGuardUI.repository | quote }}
       tag: {{ .Values.images.openxchangeGuardUI.tag | quote }}
       pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
     resources:

helmfile/apps/openproject-bootstrap/values.yaml.gotmpl

@@ -11,8 +11,8 @@ global:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
-  keepPVCOnDelete: {{ .Values.cleanup.keepPVCOnDelete }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
 
 config:
   openproject:

helmfile/apps/openproject/values.yaml.gotmpl

@@ -33,14 +33,11 @@ environment:
   OPENPROJECT_OMNIAUTH__DIRECT__LOGIN__PROVIDER: "keycloak"
   OPENPROJECT_PER__PAGE__OPTIONS: "20, 50, 100, 200"
   OPENPROJECT_EMAIL__DELIVERY__METHOD: "smtp"
-  OPENPROJECT_SMTP__AUTHENTICATION: "plain"
-  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "true"
-  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "peer"
   OPENPROJECT_DEFAULT__COMMENT__SORT__ORDER: "desc"
   # Details: https://www.openproject-edge.com/docs/installation-and-operations/configuration/#seeding-ldap-connections
   OPENPROJECT_SEED_LDAP_OPENDESK_HOST: {{ .Values.ldap.host | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_PORT: "389"
-  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.univentionManagementStack.ldapSearch.openproject | quote }}
+  OPENPROJECT_SEED_LDAP_OPENDESK_BINDPASSWORD: {{ .Values.secrets.nubus.ldapSearch.openproject | quote }}
   OPENPROJECT_SEED_LDAP_OPENDESK_SECURITY: "plain_ldap"
   OPENPROJECT_SEED_LDAP_OPENDESK_BINDUSER: "uid=ldapsearch_openproject,cn=users,dc=swp-ldap,dc=internal"
   OPENPROJECT_SEED_LDAP_OPENDESK_BASEDN: "dc=swp-ldap,dc=internal"
@@ -60,17 +57,23 @@ environment:
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_USER: {{ .Values.secrets.openproject.apiAdminUsername | quote }}
   OPENPROJECT_AUTHENTICATION_GLOBAL__BASIC__AUTH_PASSWORD: {{ .Values.secrets.openproject.apiAdminPassword | quote }}
   OPENPROJECT_SOUVAP__NAVIGATION__SECRET: {{ .Values.secrets.centralnavigation.apiKey | quote }}
-  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
-  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.domain | quote }}
-  OPENPROJECT_SMTP__USER__NAME: {{ .Values.smtp.username | quote }}
-  OPENPROJECT_SMTP__PASSWORD: {{ .Values.smtp.password | quote }}
-  OPENPROJECT_SMTP__PORT: {{ .Values.smtp.port | quote }}
+  OPENPROJECT_SOUVAP__NAVIGATION__URL: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json?base=https%3A//{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
+  OPENPROJECT_SMTP__DOMAIN: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
+  OPENPROJECT_SMTP__USER__NAME: ""
+  OPENPROJECT_SMTP__PASSWORD: ""
+  OPENPROJECT_SMTP__PORT: 25
   OPENPROJECT_SMTP__SSL: "false" # (default=false)
-  OPENPROJECT_SMTP__ADDRESS: {{ .Values.smtp.host | quote }}
-  OPENPROJECT_MAIL__FROM: "do-not-reply@{{ .Values.global.domain }}"
-  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.univentionManagementStack .Values.global.domain | quote }}
+  OPENPROJECT_SMTP__ADDRESS: {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  OPENPROJECT_SMTP__AUTHENTICATION: "none"
+  OPENPROJECT_SMTP__ENABLE__STARTTLS__AUTO: "false"
+  OPENPROJECT_SMTP__OPENSSL__VERIFY__MODE: "none"
+  OPENPROJECT_MAIL__FROM: "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  OPENPROJECT_HOME__URL: {{ printf "https://%s.%s/" .Values.global.hosts.nubus .Values.global.domain | quote }}
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_ISSUER: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
   OPENPROJECT_OPENID__CONNECT_KEYCLOAK_POST__LOGOUT__REDIRECT__URI: "https://{{ .Values.global.hosts.openproject }}.{{ .Values.global.domain }}/"
+  {{- if .Values.enterprise.openproject.token }}
+  OPENPROJECT_ENTERPRISE__TOKEN: {{ .Values.enterprise.openproject.token | quote }}
+  {{- end }}
 
 image:
   registry: {{ .Values.global.imageRegistry | default .Values.images.openproject.registry | quote }}
@@ -129,7 +132,7 @@ openproject:
     host: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
     identifier: "opendesk-openproject"
     provider: "keycloak"
-    scope: "[openid,opendesk]"
+    scope: "[openid,opendesk-openproject-scope]"
     secret: {{ .Values.secrets.keycloak.clientSecret.openproject | quote }}
     tokenEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token"
     userinfoEndpoint: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/userinfo"

helmfile/apps/provisioning/values-oxconnector.yaml.gotmpl

@@ -19,9 +19,9 @@ oxConnector:
   caCert: "ucctempldapstring"
   debugLevel: {{ if .Values.debug.enabled }}"4"{{ else }}"1"{{ end }}
   domainName: {{ .Values.global.domain | quote }}
-  ldapHost: {{ .Values.ldap.host | quote }}
+  ldapHost: "{{ .Values.ldap.host }}-primary"
   logLevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"WARN"{{ end }}
-  ldapPassword: {{ .Values.secrets.univentionManagementStack.ldapSecret | quote }}
+  ldapPassword: {{ .Values.secrets.nubus.ldapSecret | quote }}
   ldapBaseDn: "dc=swp-ldap,dc=internal"
   ldapHostDn: "cn=admin,dc=swp-ldap,dc=internal"
   tlsMode: "off"

helmfile/apps/services/helmfile-child.yaml

@@ -57,6 +57,17 @@ repositories:
     url: "{{ .Values.global.helmRegistry | default .Values.charts.mariadb.registry }}/\
       {{ .Values.charts.mariadb.repository }}"
 
+  # openDesk dkimpy-milter
+  # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter
+  - name: "dkimpy-repo"
+    keyring: "../../files/gpg-pubkeys/opencode.gpg"
+    verify: {{ .Values.charts.dkimpy.verify }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.dkimpy.registry }}/\
+      {{ .Values.charts.dkimpy.repository }}"
+
   # openDesk Postfix
   # https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-postfix
   - name: "postfix-repo"
@@ -178,6 +189,14 @@ releases:
     installed: {{ .Values.postfix.enabled }}
     timeout: 900
 
+  - name: "opendesk-dkimpy-milter"
+    chart: "dkimpy-repo/{{ .Values.charts.dkimpy.name }}"
+    version: "{{ .Values.charts.dkimpy.version }}"
+    values:
+      - "values-dkimpy.yaml.gotmpl"
+    installed: {{ .Values.dkimpy.enabled }}
+    timeout: 900
+
   - name: "clamav"
     chart: "clamav-repo/{{ .Values.charts.clamav.name }}"
     version: "{{ .Values.charts.clamav.version }}"

helmfile/apps/services/values-certificates.yaml.gotmpl

@@ -12,7 +12,7 @@ issuerRef:
   name: {{ .Values.certificate.issuerRef.name | quote }}
 
 cleanup:
-  keepRessourceOnDelete: {{ .Values.cleanup.keepRessourceOnDelete }}
+  keepRessourceOnDelete: {{ .Values.debug.cleanup.keepRessourceOnDelete }}
 
 wildcard: {{ .Values.certificate.wildcard }}
 ...

helmfile/apps/services/values-dkimpy.yaml.gotmpl

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+containerSecurityContext:
+  allowPrivilegeEscalation: true
+  capabilities: {}
+  enabled: true
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  privileged: false
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.dkimpy | toYaml | nindent 4 }}
+
+global:
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.dkimpy.registry | quote }}
+  repository: {{ .Values.images.dkimpy.repository | quote }}
+  tag: {{ .Values.images.dkimpy.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+
+configuration:
+  domain: "{{ .Values.global.domain }}{{ if .Values.global.mailDomain }}, {{ .Values.global.mailDomain }}{{ end }}"
+  key:
+    {{ .Values.smtp.dkim.key | toYaml | nindent 4 }}
+  mode: "s"
+  selector: {{ .Values.smtp.dkim.selector }}
+  useED25519: {{ .Values.smtp.dkim.useED25519 }}
+
+replicaCount: {{ .Values.replicas.dkimpy }}
+
+resources:
+  {{ .Values.resources.dkimpy | toYaml | nindent 2 }}
+...

helmfile/apps/services/values-mariadb.yaml.gotmpl

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 cleanup:
-  deletePodsOnSuccess: {{ .Values.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
 
 containerSecurityContext:
   allowPrivilegeEscalation: false
@@ -35,19 +36,32 @@ job:
   retries: 10
   wait: 30
   users:
-    - username: "xwiki_user"
-      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
-    - username: "openxchange_user"
-      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
-    - username: "nextcloud_user"
+    - username: {{ .Values.databases.nextcloud.username | quote }}
       password: {{ .Values.secrets.mariadb.nextcloudUser | quote}}
+      connectionLimit: {{ .Values.databases.nextcloud.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
+    # users for the moment.
+    - username: "openxchange_user"
+    # - username: {{ .Values.databases.xwiki.username | quote }}
+      password: {{ .Values.secrets.mariadb.openxchangeUser | quote }}
+      connectionLimit: {{ .Values.databases.oxAppsuite.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: "xwiki_user"
+    # - username: {{ .Values.databases.oxAppsuite.username | quote }}
+      password: {{ .Values.secrets.mariadb.xwikiUser | quote }}
+      connectionLimit: {{ .Values.databases.xwiki.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
   databases:
-    - name: "xwiki"
-      user: "xwiki_user"
-    - name: "nextcloud"
-      user: "nextcloud_user"
+    - name: {{ .Values.databases.nextcloud.name | quote }}
+      user: {{ .Values.databases.nextcloud.username | quote }}
+    # OX and XWiki are using the db's `root` users (see `database.yaml`). So we are statically referencing their dedicated
+    # users for the moment.
     - name: "openxchange"
       user: "openxchange_user"
+    # - name: {{ .Values.databases.oxAppsuite.name | quote }}
+    #   user: {{ .Values.databases.oxAppsuite.username | quote }}
+    - name: "xwiki"
+      user: "xwiki_user"
+    # - name: {{ .Values.databases.xwiki.name | quote }}
+    #   user: {{ .Values.databases.xwiki.username | quote }}
 
 mariadb:
   rootPassword: {{ .Values.secrets.mariadb.rootPassword | quote }}

helmfile/apps/services/values-minio.yaml.gotmpl

@@ -67,9 +67,9 @@ mode: {{ if gt .Values.replicas.minio 1 }}"distributed"{{ else }}"standalone"{{
 
 metrics:
   serviceMonitor:
-    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
+    enabled: {{ .Values.monitoring.prometheus.serviceMonitors.enabled }}
     additionalLabels:
-      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
+      {{ .Values.monitoring.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
 
 networkPolicy:
   enabled: false
@@ -85,20 +85,48 @@ persistence:
 provisioning:
   enabled: true
   cleanupAfterFinished:
-    enabled: true
+    enabled: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+    seconds: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
   extraCommands:
     - "mc anonymous set download provisioning/ums/portal-assets"
   buckets:
-    - name: {{ .Values.objectstores.openproject.bucket | quote }}
-      versioning: true
-      withLock: false
-    - name: {{ .Values.objectstores.univentionManagementStack.bucket | quote }}
+    - name: {{ .Values.objectstores.migrations.bucket | quote }}
       versioning: false
       withLock: false
     - name: {{ .Values.objectstores.nextcloud.bucket | quote }}
       versioning: true
       withLock: false
+    - name: {{ .Values.objectstores.openproject.bucket | quote }}
+      versioning: true
+      withLock: false
+    - name: {{ .Values.objectstores.nubus.bucket | quote }}
+      versioning: false
+      withLock: false
   policies:
+    - name: "migrations-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::migrations"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::migrations/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+    - name: "nextcloud-bucket-policy"
+      statements:
+        - resources:
+            - "arn:aws:s3:::nextcloud"
+          effect: "Allow"
+          actions:
+            - "s3:*"
+        - resources:
+            - "arn:aws:s3:::nextcloud/*"
+          effect: "Allow"
+          actions:
+            - "s3:*"
     - name: "openproject-bucket-policy"
       statements:
         - resources:
@@ -123,30 +151,12 @@ provisioning:
           effect: "Allow"
           actions:
             - "s3:*"
-    - name: "nextcloud-bucket-policy"
-      statements:
-        - resources:
-            - "arn:aws:s3:::nextcloud"
-          effect: "Allow"
-          actions:
-            - "s3:*"
-        - resources:
-            - "arn:aws:s3:::nextcloud/*"
-          effect: "Allow"
-          actions:
-            - "s3:*"
   users:
-    - username: {{ .Values.objectstores.openproject.username | quote }}
-      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+    - username: {{ .Values.objectstores.migrations.username | quote }}
+      password: {{ .Values.secrets.minio.migrationsUser | quote }}
       disabled: false
       policies:
-        - "openproject-bucket-policy"
-      setPolicies: true
-    - username: {{ .Values.objectstores.univentionManagementStack.username | quote }}
-      password: {{ .Values.secrets.minio.umsUser | quote }}
-      disabled: false
-      policies:
-        - "ums-bucket-policy"
+        - "migrations-bucket-policy"
       setPolicies: true
     - username: {{ .Values.objectstores.nextcloud.username | quote }}
       password: {{ .Values.secrets.minio.nextcloudUser | quote }}
@@ -154,6 +164,18 @@ provisioning:
       policies:
         - "nextcloud-bucket-policy"
       setPolicies: true
+    - username: {{ .Values.objectstores.openproject.username | quote }}
+      password: {{ .Values.secrets.minio.openprojectUser | quote }}
+      disabled: false
+      policies:
+        - "openproject-bucket-policy"
+      setPolicies: true
+    - username: {{ .Values.objectstores.nubus.username | quote }}
+      password: {{ .Values.secrets.minio.umsUser | quote }}
+      disabled: false
+      policies:
+        - "ums-bucket-policy"
+      setPolicies: true
   resources:
     {{ .Values.resources.minio | toYaml | nindent 4 }}
 

helmfile/apps/services/values-otterize.yaml.gotmpl

@@ -41,7 +41,7 @@ apps:
   redis:
     enabled: {{ .Values.redis.enabled }}
   univentionManagementStack:
-    enabled: {{ .Values.univentionManagementStack.enabled }}
+    enabled: {{ .Values.nubus.enabled }}
   xwiki:
     enabled: {{ .Values.xwiki.enabled }}
 

helmfile/apps/services/values-postfix.yaml.gotmpl

@@ -41,7 +41,7 @@ podSecurityContext:
 postfix:
   amavisHost: ""
   amavisPortIn: ""
-  domain: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  domain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   hostname: "postfix"
   inetProtocols: "ipv4"
   milterDefaultAction: "accept"
@@ -49,9 +49,12 @@ postfix:
     - fileName: "sasl_passwd.map"
       content:
         - {{ printf "%s %s:%s" .Values.smtp.host .Values.smtp.username .Values.smtp.password | quote }}
+  {{- if .Values.dkimpy.enabled }}
+  dkimpyHost: "opendesk-dkimpy-milter.{{ .Release.Namespace }}.svc.{{.Values.cluster.networking.domain }}:8892"
+  {{- end }}
   rspamdHost: ""
-  relayHost: {{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}
-  relayNets: {{ .Values.cluster.networking.cidr | quote}}
+  relayHost: {{ if .Values.smtp.host }}{{ printf "[%s]:%d" .Values.smtp.host .Values.smtp.port | quote }}{{ else }}""{{ end }}
+  relayNets: {{ join " " .Values.cluster.networking.cidr | quote }}
   smtpSASLAuthEnable: "yes"
   smtpSASLPasswordMaps: "lmdb:/etc/postfix/sasl_passwd.map"
   smtpUseTLS: "yes"
@@ -67,7 +70,7 @@ postfix:
   {{- else if .Values.clamavSimple.enabled }}
   smtpdMilters: "inet:clamav-simple:7357"
   {{- end }}
-  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain }}
+  virtualMailboxDomains: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
   virtualTransport: "lmtps:dovecot:24"
 
 replicaCount: {{ .Values.replicas.postfix }}

helmfile/apps/services/values-postgresql.yaml.gotmpl

@@ -1,6 +1,10 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
+
 containerSecurityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -17,8 +21,6 @@ containerSecurityContext:
   seLinuxOptions:
     {{ .Values.seLinuxOptions.postgresql | toYaml | nindent 4 }}
 
-job:
-
 podSecurityContext:
   enabled: true
   fsGroup: 1001
@@ -43,36 +45,43 @@ image:
 
 job:
   users:
-    - username: "keycloak_user"
+    - username: {{ .Values.databases.keycloak.username | quote }}
       password: {{ .Values.secrets.postgresql.keycloakUser | quote }}
-    - username: "openproject_user"
+      connectionLimit: {{ .Values.databases.keycloak.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.openproject.username | quote }}
       password: {{ .Values.secrets.postgresql.openprojectUser | quote }}
-    - username: "keycloak_extensions_user"
+      connectionLimit: {{ .Values.databases.openproject.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.keycloakExtension.username | quote }}
       password: {{ .Values.secrets.postgresql.keycloakExtensionUser | quote }}
-    - username: "matrix_user"
+      connectionLimit: {{ .Values.databases.keycloakExtension.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.synapse.username | quote }}
       password: {{ .Values.secrets.postgresql.matrixUser | quote }}
-    - username: "notificationsapi_user"
+      connectionLimit: {{ .Values.databases.synapse.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.umsNotificationsApi.username | quote }}
       password: {{ .Values.secrets.postgresql.umsNotificationsApiUser | quote }}
-    - username: "guardianmanagementapi_user"
+      connectionLimit: {{ .Values.databases.umsNotificationsApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
       password: {{ .Values.secrets.postgresql.umsGuardianManagementApiUser | quote }}
-    - username: "selfservice_user"
+      connectionLimit: {{ .Values.databases.umsGuardianManagementApi.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
+    - username: {{ .Values.databases.umsSelfservice.username | quote }}
       password: {{ .Values.secrets.postgresql.umsSelfserviceUser | quote }}
+      connectionLimit: {{ .Values.databases.umsSelfservice.connectionLimit | default .Values.databases.defaults.userConnectionLimit }}
   databases:
-    - name: "keycloak"
-      user: "keycloak_user"
-    - name: "keycloak_extensions"
-      user: "keycloak_extensions_user"
-    - name: "openproject"
-      user: "openproject_user"
-    - name: "matrix"
-      user: "matrix_user"
+    - name: {{ .Values.databases.keycloak.name | quote }}
+      user: {{ .Values.databases.keycloak.username | quote }}
+    - name: {{ .Values.databases.keycloakExtension.name | quote }}
+      user: {{ .Values.databases.keycloakExtension.username | quote }}
+    - name: {{ .Values.databases.openproject.name | quote }}
+      user: {{ .Values.databases.openproject.username | quote }}
+    - name: {{ .Values.databases.synapse.name | quote }}
+      user: {{ .Values.databases.synapse.username | quote }}
       additionalParams: "ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0"
-    - name: "guardianmanagementapi"
-      user: "guardianmanagementapi_user"
-    - name: "notificationsapi"
-      user: "notificationsapi_user"
-    - name: "selfservice"
-      user: "selfservice_user"
+    - name: {{ .Values.databases.umsGuardianManagementApi.name | quote }}
+      user: {{ .Values.databases.umsGuardianManagementApi.username | quote }}
+    - name: {{ .Values.databases.umsNotificationsApi.name | quote }}
+      user: {{ .Values.databases.umsNotificationsApi.username | quote }}
+    - name: {{ .Values.databases.umsSelfservice.name | quote }}
+      user: {{ .Values.databases.umsSelfservice.username | quote }}
 
 persistence:
   storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}

helmfile/apps/xwiki/values.yaml.gotmpl

@@ -55,19 +55,24 @@ customConfigs:
     xwiki.authentication.ldap.port: 389
     ## Authentication to the LDAP server
     xwiki.authentication.ldap.bind_DN: "uid=ldapsearch_xwiki,cn=users,dc=swp-ldap,dc=internal"
-    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.univentionManagementStack.ldapSearch.xwiki | quote }}
+    xwiki.authentication.ldap.bind_pass: {{ .Values.secrets.nubus.ldapSearch.xwiki | quote }}
     ## Base DN used for searching for users
     xwiki.authentication.ldap.base_DN: "dc=swp-ldap,dc=internal"
     ## Allow short update cycles of the LDAP group cache
     xwiki.authentication.ldap.groupcache_expiration: 300
+    ## Mapping for XWiki attributes to the respective LDAP attributes
+    xwiki.authentication.ldap.fields_mapping: "last_name=sn,first_name=givenName,email=mailPrimaryAddress"
 
   xwiki.properties:
+    wikiInitializer.initialRequest.xwiki.url: "https://{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}/distribution/"
+    wikiInitializer.initialRequest.xwiki.contextPath: "/"
+    wikiInitializer.initialRequest.xwiki.remoteAddress: "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
     oidc.clientid: "opendesk-xwiki"
     oidc.endpoint.token.auth_method: "client_secret_basic"
     oidc.endpoint.userinfo.method: "GET"
     oidc.logoutMechanism: "rpInitiated"
     oidc.provider: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/opendesk"
-    oidc.scope: "openid,profile,email,address,opendesk"
+    oidc.scope: "openid,opendesk-xwiki-scope"
     oidc.secret: {{ .Values.secrets.keycloak.clientSecret.xwiki | quote }}
     oidc.skipped: false
     oidc.user.nameFormater: "${oidc.user.opendesk_username._clean._lowerCase}"
@@ -78,9 +83,11 @@ customConfigs:
     # yamllint disable-line rule:line-length
     oidc.userinfoclaims: "xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype"
     url.trustedDomains: "{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}"
-    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
-    workplaceServices.base: "https://{{ .Values.global.hosts.univentionManagementStack }}.{{ .Values.global.domain }}"
+    workplaceServices.navigationEndpoint: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}/univention/portal/navigation.json"
+    workplaceServices.base: "https://{{ .Values.global.hosts.nubus }}.{{ .Values.global.domain }}"
     workplaceServices.portalSecret: {{ .Values.secrets.centralnavigation.apiKey | quote }}
+    openoffice.serverType: "0"
+    notifications.emails.live.graceTime: "5"
 
 ingress:
   enabled: {{ .Values.ingress.enabled }}
@@ -122,10 +129,18 @@ postgresql:
   enabled: false
 
 properties:
-  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvg | b64enc }}"
-  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvg | b64enc }}"
+  "attachment:xwiki:FlamingoThemes.Iceberg@logo.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.logoHeaderSvgB64 }}"
+  "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon.svg": "data:image/svg+xml;base64,{{ .Values.theme.imagery.faviconSvgB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon16.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon16PngB64 }}"
   "attachment:xwiki:XWiki.DefaultSkin@icons.xwiki.favicon144.png": "data:image/png;base64,{{ .Values.theme.imagery.favicon144PngB64 }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
+  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
+  ## SMTP settings
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.from": "{{ .Values.smtp.localpartNoReply }}@{{ .Values.global.domain }}"
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.host": {{ printf "%s.%s.svc.%s" "postfix" (.Values.postfix.namespace | default .Release.Namespace) .Values.cluster.networking.domain | quote }}
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.port": 25
+  "property:xwiki:Mail.MailConfig^Mail.SendMailConfigClass.properties": "mail.smtp.starttls.enable=false"
   ## Link LDAP users and users authenticated through OIDC
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.addOIDCObject": 1
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.OIDCIssuer": "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
@@ -150,7 +165,7 @@ properties:
   "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
   ## Fields to search in when importing users from the administration UI (not completely in scope for now)
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
-    "sn,givenname,uid"
+    "sn,givenname,uid,mailPrimaryAddress"
   ## Restrict user import in the UI to global administrators
   "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.usersAllowedToImport": "globalAdmin"
   ## Enable group and user synchronization

helmfile/bases/environments.yaml

@@ -10,15 +10,15 @@ environments:
     values:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
-      - "../../environments/dev/values.yaml.gotmpl"
+      - "../../environments/dev/*.yaml.gotmpl"
   test:
     values:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
-      - "../../environments/test/values.yaml.gotmpl"
+      - "../../environments/test/*.yaml.gotmpl"
   prod:
     values:
       - "../../environments/default/*.gotmpl"
       - "../../environments/default/*.yaml"
-      - "../../environments/prod/values.yaml.gotmpl"
+      - "../../environments/prod/*.yaml.gotmpl"
 ...

helmfile/environments/default/charts.yaml

@@ -46,7 +46,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
-    version: "1.1.16"
+    version: "1.1.20"
     verify: true
   cryptpad:
     # providerCategory: "Supplier"
@@ -60,6 +60,18 @@ charts:
     name: "cryptpad"
     version: "0.0.19"
     verify: true
+  dkimpy:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter/opendesk-dkimpy-milter"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dkimpy-milter"
+    name: "opendesk-dkimpy-milter"
+    version: "1.0.0"
+    verify: true
   dovecot:
     # providerCategory: "Platform"
     # providerResponsible: "Open-Xchange"
@@ -78,7 +90,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "3.0.0"
+    version: "3.3.2"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -88,7 +100,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "3.0.0"
+    version: "3.3.2"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -120,7 +132,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-jitsi"
     name: "opendesk-jitsi"
-    version: "1.7.9"
+    version: "1.9.2"
     verify: true
   mariadb:
     # providerCategory: "Platform"
@@ -130,7 +142,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-mariadb"
     name: "mariadb"
-    version: "2.2.1"
+    version: "2.3.1"
     verify: true
   matrixNeoboardWidget:
     # providerCategory: "Platform"
@@ -180,7 +192,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "3.0.0"
+    version: "3.3.2"
     verify: true
   memcached:
     # providerCategory: "Community"
@@ -192,6 +204,16 @@ charts:
     name: "memcached"
     version: "6.7.1"
     verify: true
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/charts/opendesk-element/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/charts/opendesk-migrations"
+    name: "opendesk-migrations"
+    version: "1.2.2"
+    verify: true
   minio:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -210,7 +232,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud"
-    version: "1.5.2"
+    version: "3.1.0"
     verify: true
   nextcloudManagement:
     # providerCategory: "Platform"
@@ -220,7 +242,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-nextcloud"
     name: "opendesk-nextcloud-management"
-    version: "1.5.2"
+    version: "3.1.0"
     verify: true
   nginx:
     # providerCategory: "Community"
@@ -232,6 +254,20 @@ charts:
     name: "nginx"
     version: "15.9.3"
     verify: true
+  nubus:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/charts/nubus"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "19", "3"]
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
+    registry: "artifacts.software-univention.de"
+    repository: "nubus-dev/charts"
+    name: "nubus"
+    version: "0.40.0-pre-jconde-test-users"
+    verify: true
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -240,7 +276,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
     name: "opendesk-keycloak-bootstrap"
-    version: "1.1.0"
+    version: "2.1.1"
     verify: true
   openproject:
     # providerCategory: "Supplier"
@@ -252,7 +288,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "5.1.4"
+    version: "7.0.0"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -274,7 +310,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/charts-mirror"
     name: "appsuite-public-sector"
-    version: "2.5.3"
+    version: "2.8.78"
     verify: false
   openXchangeAppSuiteBootstrap:
     # providerCategory: "Platform"
@@ -294,7 +330,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-otterize"
     name: "opendesk-otterize"
-    version: "2.0.1"
+    version: "2.1.0"
     verify: true
   oxConnector:
     # providerCategory: "Supplier"
@@ -316,7 +352,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "2.0.5"
+    version: "2.3.0"
     verify: true
   postgresql:
     # providerCategory: "Platform"
@@ -326,7 +362,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postgresql"
     name: "postgresql"
-    version: "2.0.5"
+    version: "2.1.1"
     verify: true
   redis:
     # providerCategory: "Community"
@@ -346,7 +382,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "3.0.0"
+    version: "3.3.2"
     verify: true
   synapseCreateAccount:
     # providerCategory: "Platform"
@@ -356,7 +392,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "3.0.0"
+    version: "3.3.2"
     verify: true
   synapseWeb:
     # providerCategory: "Platform"
@@ -366,31 +402,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "3.0.0"
-    verify: true
-  ums:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/charts/ums"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "12", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "ums"
-    version: "0.16.0"
-    verify: true
-  umsKeycloakBootstrap:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/charts/keycloak-bootstrap"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "1", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
-    name: "keycloak-bootstrap"
-    version: "0.1.0"
+    version: "3.3.2"
     verify: true
   xwiki:
     # providerCategory: "Supplier"
@@ -402,6 +414,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.3.0"
+    version: "1.3.1"
     verify: false
 ...

helmfile/environments/default/cluster.yaml

@@ -15,13 +15,17 @@ cluster:
   networking:
     # Kubernetes internal cluster domain.
     domain: "cluster.local"
-    # Kubernetes cluster network CIDR.
-    cidr: "10.0.0.0/8"
+    # Kubernetes cluster network CIDRs.
+    cidr:
+      - "10.0.0.0/8"
+    # IP addresses or IP ranges of the reverse proxy / load balancer to restrict the requesting source
+    # for defined services.
+    incomingCIDR: []
     # Ingress-gateway IP - only relevant for "NodePort" cluster services.
     # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip,
     # you need to provide the public (load-balanced) ingress gateways ip address.
     ingressGatewayIP: ""
-    # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services.
+    # LoadBalancer status field - only relevant for "LoadBalancer" cluster services.
     # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services.
     # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here.
     loadBalancerStatusField: "ip"

helmfile/environments/default/database.yaml

@@ -2,62 +2,76 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 databases:
+  defaults:
+    userConnectionLimit: 100
   keycloak:
     name: "keycloak"
     host: "postgresql"
     port: 5432
     username: "keycloak_user"
     password: ""
+    connectionLimit: ~
   keycloakExtension:
     name: "keycloak_extensions"
     host: "postgresql"
     port: 5432
     username: "keycloak_extensions_user"
     password: ""
+    connectionLimit: ~
   nextcloud:
     name: "nextcloud"
     host: "mariadb"
     port: 3306
     username: "nextcloud_user"
     password: ""
+    connectionLimit: ~
   openproject:
     name: "openproject"
     host: "postgresql"
     port: 5432
     username: "openproject_user"
     password: ""
+    connectionLimit: ~
   oxAppsuite:
-    host: "mariadb"
     name: "configdb"
+    host: "mariadb"
+    port: 3306
     username: "root"
     password: ""
+    connectionLimit: ~
   synapse:
-    host: "postgresql"
     name: "matrix"
+    host: "postgresql"
+    port: 5432
     username: "matrix_user"
     password: ""
-    port: 5432
+    connectionLimit: ~
   umsGuardianManagementApi:
     name: "guardianmanagementapi"
     host: "postgresql"
     port: 5432
     username: "guardianmanagementapi_user"
     password: ""
+    connectionLimit: ~
   umsNotificationsApi:
     name: "notificationsapi"
     host: "postgresql"
     port: 5432
     username: "notificationsapi_user"
     password: ""
+    connectionLimit: ~
   umsSelfservice:
     name: "selfservice"
     host: "postgresql"
     port: 5432
     username: "selfservice_user"
     password: ""
+    connectionLimit: 10
   xwiki:
     name: "xwiki"
     host: "mariadb"
+    port: 3306
     username: "root"
     password: ""
+    connectionLimit: ~
 ...

helmfile/environments/default/debug.yaml

@@ -1,7 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-cleanup:
+debug:
+  cleanup:
     # Keep Pods/Job logs after successful run.
     deletePodsOnSuccess: true
     # When deletePodsOnSuccess is enabled, the pod will be deleted after configured seconds.
@@ -10,7 +11,6 @@ cleanup:
     keepPVCOnDelete: false
     # Keep additional resources, like certificates on deletion of this release.
     keepRessourceOnDelete: true
-debug:
   # should activate debug output in all components and even allow e.g. successfully executed jobs
   # to stay available. This is going to be implemented on a case by case basis when we actually
   # need debugging in a component.

helmfile/environments/default/enterprise.yaml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+# The variables set in this file are required to upgrade components to their "Enterprise" product variant.
+---
+enterprise:
+  openproject:
+    # Enterprise token must match the deployment's OpenProject host name.
+    token: ""
+...

helmfile/environments/default/functional.yaml

@@ -1,23 +1,62 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
-authentication:
+functional:
+  admin:
+    portal:
+      deploymentInformation:
+        # Disable to not provide and update openDesk release version and deployment timestamp for admins in the portal.
+        enabled: true
+
+  authentication:
     twoFactor:
       # Define a list of groups to enable 2FA for.
       # Note: Removing a group from the list will not disable 2FA for the removed group.
       groups:
         - "Domain Admins"
+    oidc:
+      # Define additional/custom OIDC clients to be created in the 'opendesk' realm of Keycloak.
+      clients: ~
+      # Define additional/custom OIDC client scopes to be created in the 'opendesk' realm of Keycloak.
+      clientScopes: ~
 
-externalServices:
+  externalServices:
     nubus:
       udmRestApi:
-      # Set to 'true' if you don't want to make the UDM REST API from the Nubus stack externally available
+        # Enable to make the UDM REST API from the Nubus stack externally available.
         enabled: false
     matrix:
       federation:
+        # Disable to not support Matrix federation with your installation.
         enabled: true
 
-portal:
-  # Display deployment release and date in portal for admins.
-  enableDeploymentInformation: true
+  filestore:
+    quota:
+      # Set the default quota for all users in GB
+      default: 1
+    # Options related to file sharing, changing these options might require a restart of the `opendesk-nextcloud-php` Pod(s).
+    sharing:
+      # Enables sharing of files with external participants (create external links, send links by mail and allow external upload in shared folders).
+      # If you disable this option existing external shares stop working, when re-enabling it the old shares are available again.
+      enableExternalSharing: false
+      # Enforces passwords to be used on external shares.
+      enforceSharingPasswords: true
+    # Nextcloud specific configuration
+    nextcloud:
+      retentionObligation:
+        # yamllint disable rule:line-length
+        # Set Nextcloud's `trashbin_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#trashbin-retention-obligation
+        trashbin: "auto"
+        # Set Nextcloud's `versions_retention_obligation`
+        # Ref.: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#versions-retention-obligation
+        versions: "auto"
+        # yamllint enable rule:line-length
+
+  dataProtection:
+    matrixPresence:
+      # Enable to allow information about the user presence status to be shared.
+      # Ref.: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#presence
+      enabled: false
+
 ...

helmfile/environments/default/global.generated.yaml

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v0.8.0"
+    releaseVersion: "v0.9.1"
 ...

helmfile/environments/default/global.gotmpl

@@ -23,4 +23,39 @@ global:
   #
   helmRegistry: {{ env "PRIVATE_HELM_REGISTRY_URL" | quote }}
   imageRegistry: {{ env "PRIVATE_IMAGE_REGISTRY_URL" | quote }}
+
+  ## Define ingress/virtualservice host.
+  #
+  hosts:
+    collabora: "collabora"
+    cryptpad: "cryptpad"
+    element: "chat"
+    intercomService: "ics"
+    jitsi: "meet"
+    keycloak: "id"
+    matrixNeoBoardWidget: "matrix-neoboard-widget"
+    matrixNeoChoiceWidget: "matrix-neochoice-widget"
+    matrixNeoDateFixBot: "matrix-neodatefix-bot"
+    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
+    minioApi: "minio"
+    minioConsole: "minio-console"
+    nextcloud: "fs"
+    nubus: "portal"
+    openproject: "project"
+    openxchange: "webmail"
+    synapse: "matrix"
+    synapseFederation: "matrix-federation"
+    whiteboard: "whiteboard"
+    xwiki: "wiki"
+
+  ## Credentials to fetch images from private registry
+  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+  #
+  imagePullSecrets:
+    - "external-registry"
+
+  ## Define the policy to pull container images.
+  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+  #
+  imagePullPolicy: "IfNotPresent"
 ...

helmfile/environments/default/global.yaml

@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
-# SPDX-License-Identifier: Apache-2.0
----
-## The global properties are used to configure multiple charts at once.
-#
-global:
-  ## Define ingress/virtualservice host.
-  #
-  hosts:
-    collabora: "collabora"
-    cryptpad: "cryptpad"
-    element: "chat"
-    intercomService: "ics"
-    jitsi: "meet"
-    keycloak: "id"
-    matrixNeoBoardWidget: "matrix-neoboard-widget"
-    matrixNeoChoiceWidget: "matrix-neochoice-widget"
-    matrixNeoDateFixBot: "matrix-neodatefix-bot"
-    matrixNeoDateFixWidget: "matrix-neodatefix-widget"
-    minioApi: "minio"
-    minioConsole: "minio-console"
-    nextcloud: "fs"
-    openproject: "project"
-    openxchange: "webmail"
-    synapse: "matrix"
-    synapseFederation: "matrix-federation"
-    univentionManagementStack: "portal"
-    whiteboard: "whiteboard"
-    xwiki: "wiki"
-
-  ## Credentials to fetch images from private registry
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  #
-  imagePullSecrets:
-    - "external-registry"
-
-  ## Define the policy to pull container images.
-  ## Ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
-  #
-  imagePullPolicy: "IfNotPresent"
-...

helmfile/environments/default/images.yaml

@@ -20,7 +20,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk"
-    tag: "24.04.3.1.1@sha256:c1aa824227ea2b09ddef2ca3561a80282cda61c649b1bbdbbfa343e5a513a5a9"
+    tag: "24.04.6.2.1@sha256:7de9ac6ce5a256b0f74a56a4654acd851502dc9e3ed4d29949ba5642bacae308"
   cryptpad:
     # providerCategory: "Supplier"
     # providerResponsible: "XWiki"
@@ -30,6 +30,14 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad"
     tag: "opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2"
+  dkimpy:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/dkimpy-milter"
+    tag: "1.1.0@sha256:f140c7fc3fd9636addc612edd6e10f6aefa69e34ff637c95ce9036a32e44555f"
   dovecot:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -83,7 +91,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9457-2@sha256:eb079f650649c6336dc93eb30cdc086c0b784f5c3fe80ea3441a1f00ebf073f3"
+    tag: "stable-9646@sha256:30173d35449d78f8958eaf4de77e76c534806db0e49bdbb930f8c81e003e5a3b"
   jicofo:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -93,7 +101,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9457-2@sha256:7d3213eea740721755da81ecfd9b500c71c610d04939b26de4434619a66e15e1"
+    tag: "stable-9646@sha256:c2c72b6e4b6655d8758145f5c4d4201265626b7c3c1a03f41c7dda060ca7165d"
   jitsi:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -103,7 +111,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9457-2@sha256:263e2e52934900547f1496eed965e2d3e01e9b8a251844bacbac49deba97f6b2"
+    tag: "stable-9646@sha256:04157797558743fa9c478b76d7332a45c6fbfbe4e34d6550f8716dd8526a1c6c"
   jitsiKeycloakAdapter:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -113,7 +121,7 @@ images:
     # upstreamMirrorStartFrom: ["2023", "12", "14"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20240314@sha256:8abe8209a59c2d646fa3e7136f6a6ea15f3f692106bba92c0e777f8d383edc12"
+    tag: "v20240808@sha256:73db5ae9bb617d076b6a877500dbeece38fd15f8ae933ffadbd72d9aa82ad8da"
   jitsiPatchJVB:
     # providerCategory: "Community"
     # providerResponsible: "Nordeck"
@@ -121,7 +129,7 @@ images:
     # upstreamRepository: "bitnami/kubectl"
     registry: "registry-1.docker.io"
     repository: "bitnami/kubectl"
-    tag: "1.30.1@sha256:8087ef69a8bf8c88ca3a0f36f75f91c281810f6181698f0c35c3318922bd2ab7"
+    tag: "1.30.2@sha256:3ec696e5ce1b79f78eb0eac1fed4ef20fa6584662cdf3c7ad933b0b03b9ce3f6"
   jvb:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -131,7 +139,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9457-2@sha256:2f10f28463e65a13a260d379c4cce62531d66a94bb8dcf2dbe88cdb4cd01b16c"
+    tag: "stable-9646@sha256:22dfb237cdda8142dcf2b141c28d40ec8a675dd379dda5e851dac49e43e677b7"
   mariadb:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -198,6 +206,14 @@ images:
     registry: "registry-1.docker.io"
     repository: "bitnami/memcached"
     tag: "1.6.21-debian-11-r107@sha256:247ec29efd6030960047a623aef025021154662edf6b6d6e88c97936f164d99d"
+  migrations:
+    # providerCategory: "Platform"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry.opencode.de"
+    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
+    tag: "1.2.1@sha256:241561c51dee3ccd4d54cf732020634291f124025946e6be983f850bbf4eb1d3"
   milter:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -221,7 +237,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-apache2"
-    tag: "1.1.21@sha256:ec63d564eb11d7ed213a5ef8719f2b3380e552f1ffb1251470b84c0c8937b7b8"
+    tag: "1.2.0@sha256:f1c64bc7b9d1993a7c79ca73c1594fdea49ef4adf4ebe4286e01ccc1ad9290c7"
   nextcloudExporter:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -237,7 +253,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-management"
-    tag: "1.3.12@sha256:54bb5a90ebe49b33b053e8a7df2fa8d8cb992b17f68a04d08357961c3aded0b0"
+    tag: "1.5.3@sha256:19f5354a951b043327906d8670c0466e2a00317ad0dd4b99d0edf882e213d22f"
   nextcloudPHP:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -245,7 +261,362 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-nextcloud-php"
-    tag: "1.8.11@sha256:85b3bbf027c9e6a2ccf411b8e2b3752f6a58a3a14f00fb92ecefd9e7ca0c6954"
+    tag: "1.11.3@sha256:c88af69971e2b2b1ead90db69d6af3355be5309d6c91b2b6a18fac2c6781b760"
+  nubusDataLoader:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/data-loader"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "41", "5"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
+    tag: 0.61.0@sha256:598e9fa176c71a6da90ab200ca52abd88176c8cb22a1bf56fec9cd0daf58f58f
+  nubusGuardianAuthorizationApi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRepository: "guardian-authorization-api-authorization-api"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
+    tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
+  nubusGuardianManagementApi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRepository: "guardian-management-api-management-api"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
+    tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
+  nubusGuardianManagementUi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRepository: "guardian-management-ui-management-ui"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
+    tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
+  nubusGuardianProvisioning:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/guardian-init"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
+    tag: 0.11.0@sha256:c691aecaf2074a9f1cc6ec5277a70792642bd677f0ff58a6278041b2d99c9d51
+  nubusKeycloak:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRepository: "keycloak-keycloak"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$'
+    # upstreamMirrorStartFrom: ["22", "0", "3"]
+    # TODO: Why is there a newer Keycloak than in Nubus 0.39.1 ?
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
+    # tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
+    registry: docker.software-univention.de
+    repository: keycloak-keycloak
+    tag: 22.0.3-ucs2@sha256:cf11399add8a9e73622fb52aa225a207ebc5b07514b8d634f591e5b540ba9731
+  nubusKeycloakBootstrap:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/keycloak-bootstrap"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "1", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
+    # TODO: Nubus 0.39.1 is using this image twice in different versions
+    # tag: "0.1.0@sha256:351097e9e7b469f2fc149fe612ec6ad515d5e6b081d7e2785bd926a1d77209d2"
+    tag: 0.1.2@sha256:ea462e3e40843215814bddae0668dc56102864d99127ad3c8d9816d741886ac0
+  nubusKeycloakExtensionHandler:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/keycloak-handler"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "0", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
+    tag: 0.10.0@sha256:7aa5bac4821c9226fd74c6a2883f7c24d214b4610d516574866cf933ee1be080
+  nubusKeycloakExtensionProxy:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/keycloak-proxy"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "0", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
+    tag: 0.10.0@sha256:a5f6ae65732f7fb9d7ceae11f1c412b109d230e197075d8a8e1d989c87a0309d
+  nubusLdapNotifier:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/ldap-notifier"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "8", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
+    tag: 0.20.0@sha256:d891fe11075740ff0fe1694b2c5fb72c43ac6d823904af8593e0ab359b9175e0
+  nubusLdapServer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/ldap-server"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "8", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
+    # TODO: Unclear what this is
+    # repository: "bmi/opendesk/components/platform-development/images/temp-nubus-ldap-2.5-upgrade"
+    # tag: "1.1.20@sha256:90f46b8817fa05e6e3ac3b2f053911198675805fb82db8240bfa41239d7e7c61"
+    tag: 0.20.0@sha256:ad73addd9201378fd5c978ab6bfc64bbd23bb279fc065cade9cb2f8e48a9c85f
+  # TODO: Is this at all in use? Did not find this in the 0.39.1 output of Nubus.
+  nubusLdapServerDhInitContainer:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-box'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
+  nubusNats:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'library/nats'
+    registry: "registry-1.docker.io"
+    repository: "library/nats"
+    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
+  nubusNatsBox:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-box'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-box"
+    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
+  nubusNatsReloader:
+    # providerCategory: 'Community'
+    # providerResponsible: 'Univention'
+    # upstreamRegistry: 'registry-1.docker.io'
+    # upstreamRepository: 'natsio/nats-server-config-reloader'
+    registry: "registry-1.docker.io"
+    repository: "natsio/nats-server-config-reloader"
+    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
+  nubusNotificationsApi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/notifications-api"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
+    tag: 0.33.0@sha256:0ddb81d4789b2f43b55ded46ff88db4b99a68e7b1006e35877f582aac875c9ad
+  nubusOpenPolicyAgent:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://docker.software-univention.de"
+    # upstreamRepository: "guardian-authorization-api-opa"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["1", "0", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
+    tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
+  nubusOxExtension:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/ox-extension"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "10", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ox-extension"
+    tag: 0.11.0@sha256:2cb5a9683b6ff81b995a5c71da52c2ff8177b662bb0be8f11e9cd0c6b48d8a11
+  # TODO: Not yet in use in Nubus 0.39.1
+  nubusPortalConsumer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-consumer"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "27", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-consumer"
+    tag: "0.27.0@sha256:e86bf827d1e93b61473a0730492f48f8dbf0d056b79dd9ecde7af1612696b144"
+  nubusPortalExtension:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-extension"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "28", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-extension"
+    tag: "0.28.0@sha256:1ec467bebc402265e1c24b3d441c211faad1a025ded41afe8dd4687b7ad5a9a4"
+  nubusPortalFrontend:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-frontend"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
+    tag: 0.33.0@sha256:9cce16009cc478ece11704521347fc4938a3ac5ee4570ac439dd50b08452a3ff
+  nubusPortalListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
+    tag: "0.24.2@sha256:98306b30c99e190ece6633921d9d54297634b0e4ca58ceaf0794c7050f0b8470"
+  nubusPortalServer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/portal-server"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
+    tag: 0.33.1@sha256:82e9002786a9d1ec524c0f386838ac4ee1fa9a581b66d2e353ea57cc01e26a95
+  nubusProvisioningDispatcher:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-dispatcher"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
+    tag: 0.36.0@sha256:34f03f48b4c9b470f9809b5fa6bfd6e96346e3f99ac0a2d7eaeac3cf9a4a633d
+  nubusProvisioningEventsAndConsumerApi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-events-and-consumer-api"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
+    tag: 0.36.0@sha256:69dd2946e7b05384304eeeca50dea645d20f7658d225e7c532381c3bdf2027ce
+  nubusProvisioningPrefill:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-prefill"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
+    tag: 0.36.0@sha256:147406648848c068aacc2cb467633d51c65cddbcaa622c352e5fe5349bf92ce6
+  nubusProvisioningUdmListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-udm-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
+    tag: 0.36.0@sha256:8a960db9ff94b3c8a63be1588e47ccc1f62f3071abdce7ee2ef89afbe2674eed
+  nubusProvisioningUdmTransformer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/provisioning-udm-transformer"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "14", "0"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-transformer"
+    tag: 0.36.0@sha256:8080b55e705391aa2ac9b11db11dc1f984b5626271b2f175bfe26967b857b06d
+  nubusSelfserviceInvitation:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/selfservice-invitation"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "2"]
+    # TODO: Why not mirrored?
+    # registry: "registry.opencode.de"
+    # repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
+    repository: nubus/images/selfservice-invitation
+    registry: artifacts.software-univention.de
+    tag: 0.6.5@sha256:5630c9df3da4134789d2ebafad7de9062375d21547a2074827b680debd7a909e
+  nubusSelfserviceListener:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/selfservice-listener"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "3", "2"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
+    tag: 0.6.5@sha256:a9724fd41cb89a9bdf231ea8699126d2d3503dc894fe9510a1e080ab8408838d
+  # TODO: Removed in Nubus
+  # nubusStackGateway:
+  #   # providerCategory: "Community"
+  #   # providerResponsible: "Univention"
+  #   # upstreamRegistry: "https://registry-1.docker.io"
+  #   # upstreamRepository: "bitnami/nginx"
+  #   registry: "registry-1.docker.io"
+  #   repository: "bitnami/nginx"
+  #   tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
+  nubusUdmRestApi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/udm-rest-api"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
+    tag: 0.21.0@sha256:f3d189dd0ca619778c907569ddedbdf8772fba26f26cf9e6b8cde2a62618da63
+  nubusUmcGateway:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/umc-gateway"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "7", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
+    tag: 0.27.0@sha256:f0d5831061d9e8c9a47e724d00eeb8902b08f2380d4ca298812e9c1870ff4697
+  nubusUmcServer:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/umc-server"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "7", "3"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
+    tag: 0.27.0@sha256:fa552aa595f75d54b216af4390bd5ea3d5385e6a9a5f558804da3aae9f700acf
+  nubusWaitForDependency:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Univention"
+    # upstreamRegistry: "https://artifacts.software-univention.de"
+    # upstreamRepository: "nubus/images/wait-for-dependency"
+    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
+    # upstreamMirrorStartFrom: ["0", "9", "4"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
+    tag: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"
   opendeskKeycloakBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -253,7 +624,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-keycloak-bootstrap"
-    tag: "1.0.5@sha256:76ccd9a74ae2c2dabb6beaa0192c15b9c06763abbd632cd0f8db68e5d8d5883c"
+    tag: "1.2.1@sha256:f5ce0be27580c6347c5e700c4fa271a811d45d8a0e4b40ffe8a4d0e3d47e670f"
   openproject:
     # providerCategory: "Supplier"
     # providerResponsible: "OpenProject"
@@ -263,7 +634,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "14.1.1@sha256:ce1fabf4d02534990ebb5c934df8fbd227192a529a2e6e81c7feb412bb3eac8b"
+    tag: "14.4.0@sha256:0c1ee5467b5c7888f38eae88a712c2eec6c96995b85f09e0c27705c09f450a70"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -271,7 +642,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/opendesk-openproject-bootstrap"
-    tag: "1.1.3@sha256:401afe66c418fd130088edbed5cc3b4464dc667eb609f194ea68fd30dcbd1e90"
+    tag: "1.1.4@sha256:2fd97a316114428849aaeef87fb8755274e675830088a93afcafac91bb048d1d"
   openprojectInitDb:
     # providerCategory: "Community"
     # providerResponsible: "OpenProject"
@@ -279,7 +650,7 @@ images:
     # upstreamRepository: "library/postgres"
     registry: "registry-1.docker.io"
     repository: "library/postgres"
-    tag: "16@sha256:1bf73ccae25238fa555100080042f0b2f9be08eb757e200fe6afc1fc413a1b3c"
+    tag: "16.3-alpine3.20@sha256:de3d7b6e4b5b3fe899e997579d6dfe95a99539d154abe03f0b6839133ed05065"
   openxchangeBootstrap:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -297,7 +668,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "6", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-guidedtours"
-    tag: "8.6.3@sha256:6fb8169cba4beb4bd9039f4ce7ab9b29fc02c4991b283824db949fe2b7be34e2"
+    tag: "8.6.5@sha256:cbdea676267011d5c9ef7764fcd23ef432219b61c4f3949ef11ddfc4920873dd"
   openxchangeCoreMW:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -307,7 +678,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "51"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/middleware-public-sector"
-    tag: "8.23.47@sha256:b721bf41d7f06b328e9235a0561436cb678bc2a1a67202f0fa6e1f55956cc0cc"
+    tag: "8.26.38@sha256:ff2dcf50a9d9a801357255f7244173fe9835715fd1852a28e3a8ebb7c0634293"
   openxchangeCoreUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -317,7 +688,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui"
-    tag: "8.23.2@sha256:0cc07053cbb9d7062a17ef807c6a6942a912748243a6f0c63a892d5cb2953351"
+    tag: "8.27.4@sha256:d5b99bfc12baaeb5cbfc332c260ecca5308b6b662fe8acc8cd07479c99a1d148"
   openxchangeCoreUIMiddleware:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -327,7 +698,7 @@ images:
     # upstreamMirrorStartFrom: ["2", "0", "0"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-ui-middleware"
-    tag: "2.0.3@sha256:56fe8afe841105f0725674e36afc6f10f22751e3c21a301a6322834383f2d786"
+    tag: "2.0.4@sha256:e1d647cca13e7c433a9d643aa1a350197511274b239ead100aa1682ffe2fa116"
   openxchangeCoreUserGuide:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -337,7 +708,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "799279"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/core-user-guide"
-    tag: "8.23.941932@sha256:231b13cb795241513d2f54ee4bc628843ae737b5ecceab758aba3658f03de1bd"
+    tag: "8.27.1071402@sha256:764108a8dcb28467dadad1cfd98074a8e174209652de2f009d74fea51bb50d65"
   openxchangeDocumentConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -347,7 +718,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/documentconverter"
-    tag: "8.23.43@sha256:aa9bbce833ae018573997fb07dcaf32bb7c5c4c6a7d6331f3d3156fd5b8d53b3"
+    tag: "8.27.54@sha256:79080b4b766901977532a18ef38af70234a99cf0bf53900c4df3902f24702eb7"
   openxchangeGotenberg:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -367,7 +738,7 @@ images:
     # upstreamMirrorStartFrom: ["4", "2", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/guard-ui"
-    tag: "8.23.0@sha256:0510458017fa028582515ce18c0b12f91ac9e23f0e94e99ac34fd49b07146c01"
+    tag: "8.27.0@sha256:89b81de90a6e7078371d8ea02ab4e1056c512ba515db113daf55b160533f7a73"
   openxchangeImageConverter:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -377,7 +748,7 @@ images:
     # upstreamMirrorStartFrom: ["8", "20", "50"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images-mirror/imageconverter"
-    tag: "8.23.43@sha256:ecc77a569f60e1b14f0d77ec93d891200b89d11eb9d7c26f59fa7696343e20e3"
+    tag: "8.27.55@sha256:f999c8205d83730a064aec13eb98762e1c7354f31f42e0add0136cf15be32dd0"
   openxchangeNextcloudIntegrationUI:
     # providerCategory: "Supplier"
     # providerResponsible: "Open-Xchange"
@@ -415,7 +786,7 @@ images:
     # upstreamRepository: "bmi/opendesk/components/platform-development/images/postfix"
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
-    tag: "1.0.0@sha256:61e4661a7323101dfb51c85c5a48c345c75436f3f533176f049d2660d711a8a5"
+    tag: "2.0.0@sha256:5b2432dc09318db172a593bca860887ee9d713b9987db64f8b265f3e08a1d374"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -479,298 +850,6 @@ images:
     registry: "registry-1.docker.io"
     repository: "rapidfort/haproxy-official"
     tag: "2.6.15-bullseye@sha256:47b6ca4074347788cb414fbf3db35d0c51e9e47af33be46457f95c750540887c"
-  umsDataLoader:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/data-loader"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "41", "5"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/data-loader"
-    tag: "0.45.2@sha256:6e2e054903f361eea5cd54ae6dd3da94380d4a6a11f2628983e2acdbc66d605e"
-  umsGuardianAuthorizationApi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
-    # upstreamRepository: "guardian-authorization-api-authorization-api"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-authorization-api"
-    tag: "2.0.0@sha256:5f194f9385aea5a279e25a57352f7b88a6cc4fa90b3bf04c2c97b9ff2bad70a5"
-  umsGuardianManagementApi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
-    # upstreamRepository: "guardian-management-api-management-api"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-api-management-api"
-    tag: "2.0.0@sha256:61a1ab84efebe2a87d358e8624f8b39073a6071683e7cd77b740a97d464753a2"
-  umsGuardianManagementUi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
-    # upstreamRepository: "guardian-management-ui-management-ui"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-management-ui-management-ui"
-    tag: "2.0.0@sha256:57e2503a4772f0ff656e792a98fadef4d41c248218e6c368f76ce82a892478cf"
-  umsGuardianProvisioning:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/guardian-init"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "3", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-init"
-    tag: "0.4.0@sha256:390e20ad73a91ae2ecc33d91d1f21872a46e6af4d4d09095d1ce18a6d4a3635e"
-  umsKeycloak:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
-    # upstreamRepository: "keycloak-keycloak"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+).+$'
-    # upstreamMirrorStartFrom: ["22", "0", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-keycloak"
-    tag: "24.0.3-ucs1@sha256:cc66a1730abdd5abe88ac5cf045b6558f289bf1ae8d077ee884a42d785742f8b"
-  umsKeycloakBootstrap:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/keycloak-bootstrap"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "1", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-bootstrap"
-    tag: "0.1.0@sha256:351097e9e7b469f2fc149fe612ec6ad515d5e6b081d7e2785bd926a1d77209d2"
-  umsKeycloakExtensionHandler:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/keycloak-handler"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "0", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-handler"
-    tag: "0.4.0@sha256:7c2728d6fce0fa6e6cc2a3c196294fcb4fcce0dd246b95ad96bd96325776a004"
-  umsKeycloakExtensionProxy:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/keycloak-proxy"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "0", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/keycloak-proxy"
-    tag: "0.4.0@sha256:d7369d8b9cb177fc19b08452266bf7440b683fd0a15c01baeb5c131db20081bf"
-  umsLdapNotifier:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/ldap-notifier"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "8", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-notifier"
-    tag: "0.10.3@sha256:beb4577e7fdf1e18d3769e62296f210c0651460346dc2325e6cc29f4c671fa71"
-  umsLdapServer:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/ldap-server"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "8", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/ldap-server"
-    tag: "0.10.3@sha256:7742eca27bf1134cf92e6e3571bc2784e2f21a76664fdcab6ae213051db26c05"
-  umsNats:
-    # providerCategory: 'Community'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry-1.docker.io'
-    # upstreamRepository: 'library/nats'
-    registry: "registry-1.docker.io"
-    repository: "library/nats"
-    tag: "2.10.10@sha256:fa26beda8a3187ccefa47afcfe9ea6d0e2f40a57c8f64d70bd63c792d7973938"
-  umsNatsBox:
-    # providerCategory: 'Community'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry-1.docker.io'
-    # upstreamRepository: 'natsio/nats-box'
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-box"
-    tag: "0.14.2@sha256:c9b8ebaabb2ca4c227feb4f6b856dc72d4775ac3d71f80d2c65aa82303079011"
-  umsNatsReloader:
-    # providerCategory: 'Community'
-    # providerResponsible: 'Univention'
-    # upstreamRegistry: 'registry-1.docker.io'
-    # upstreamRepository: 'natsio/nats-server-config-reloader'
-    registry: "registry-1.docker.io"
-    repository: "natsio/nats-server-config-reloader"
-    tag: "0.14.1@sha256:77dd4c60001ffbf442c6b25592e73b4fca06ea9406c677607192788d80453783"
-  umsNotificationsApi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/notifications-api"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/notifications-api"
-    tag: "0.20.3@sha256:1e32854d6d4413725870fde26a904da83282b3debea82b386c5753223ecc6a59"
-  umsOpenPolicyAgent:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://docker.software-univention.de"
-    # upstreamRepository: "guardian-authorization-api-opa"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["1", "0", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/guardian-authorization-api-opa"
-    tag: "2.0.0@sha256:56a92a08da5addb951a2b2df09974889295ddde8526e93ad40dd973de1052ad4"
-  umsPortalFrontend:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/portal-frontend"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-frontend"
-    tag: "0.20.3@sha256:4fe6646711efcc07eb4b6e59a57f1d5080cca5f4ec2c960d073e92ecae8be42f"
-  umsPortalListener:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/portal-listener"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-listener"
-    tag: "0.20.7@sha256:8f158b88e0ceb7a5c79d2ad390f6ce851ce0c5ccb675d08d6b6c37f0b21f6177"
-  umsPortalServer:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/portal-server"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/portal-server"
-    tag: "0.20.3@sha256:0ec3db74ce9b7c8706d1534b6dcb464eb016a5de94c3b5bfc49215ccb606715c"
-  umsProvisioningDispatcher:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/provisioning-dispatcher"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "14", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-dispatcher"
-    tag: "0.21.3@sha256:29c5f216ab0f8d12c1e77969de6e82046c0d47e1111838fb0a2dcd9950c0175d"
-  umsProvisioningEventsAndConsumerApi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/provisioning-events-and-consumer-api"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "14", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-events-and-consumer-api"
-    tag: "0.21.3@sha256:4cb498a64dd40c0963ca1ca382213ad5b8a4de5eb57650946d78ac44b359f43f"
-  umsProvisioningPrefill:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/provisioning-prefill"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "14", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-prefill"
-    tag: "0.21.3@sha256:944ff8558d12c59f3490cba68680281c3fa5468fd6fd011fd002befcb9956973"
-  umsProvisioningUdmListener:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/provisioning-udm-listener"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "14", "0"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/provisioning-udm-listener"
-    tag: "0.21.3@sha256:e1cd42558e44bb72ed5c7798cef711db94df7d10d6895c993ca6412df1d25f02"
-  umsSelfserviceInvitation:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/selfservice-invitation"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "3", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-invitation"
-    tag: "0.4.0@sha256:bd252758576e1733076c78756f04225ebed73d9c48de22440975ef11dd087caf"
-  umsSelfserviceListener:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/selfservice-listener"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "3", "2"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/selfservice-listener"
-    tag: "0.4.0@sha256:0bc0235fd64a19a183f112da73109b54712c2d70fe7fa77c6405beefb7167588"
-  umsStackGateway:
-    # providerCategory: "Community"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://registry-1.docker.io"
-    # upstreamRepository: "bitnami/nginx"
-    registry: "registry-1.docker.io"
-    repository: "bitnami/nginx"
-    tag: "1.25.4@sha256:dd352b597f4c38ae24abec411710f4249fb5c793293c7ed04737db6b41d32d24"
-  umsUdmRestApi:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/udm-rest-api"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/udm-rest-api"
-    tag: "0.9.3@sha256:7cf2fec05a4ff8b7085a35a215edbce1eb9456c1ae140af46257e66d5a6cd6f7"
-  umsUmcGateway:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/umc-gateway"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "7", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-gateway"
-    tag: "0.11.6@sha256:5d7c1a9b74409d2d7c42e08ca87b41cda506e43cad49efbc85a4ed6b8e9c6bc8"
-  umsUmcServer:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/umc-server"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "7", "3"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/umc-server"
-    tag: "0.11.8@sha256:38a87524703a1e11fbb3cd3cc9d90d5b719e92329a0e3ea05c50451105d64ac6"
-  umsWaitForDependency:
-    # providerCategory: "Supplier"
-    # providerResponsible: "Univention"
-    # upstreamRegistry: "https://artifacts.software-univention.de"
-    # upstreamRepository: "nubus/images/wait-for-dependency"
-    # upstreamMirrorTagFilterRegEx: '^(\d+)\.(\d+)\.(\d+)$'
-    # upstreamMirrorStartFrom: ["0", "9", "4"]
-    registry: "registry.opencode.de"
-    repository: "bmi/opendesk/components/supplier/univention/images-mirror/wait-for-dependency"
-    tag: "0.20.3@sha256:d1ccba5fe7448c2bda71c8a93f265a42a000e8dc79fd884e7e6ecdf29ad80efc"
   wellKnown:
     # providerCategory: "Community"
     # providerResponsible: "Element"
@@ -788,5 +867,5 @@ images:
     # upstreamMirrorStartFrom: ["0", "12"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.17-mariadb-jetty-alpine@sha256:9eb67520774c3022aa4485ce348be477f358263b716e647cacd057da3aca9739"
+    tag: "0.19-mariadb-jetty-alpine@sha256:8590ee815bceb7764df681b9239b4606adc5b3750e4eff2d928b62dcd046a623"
 ...

helmfile/environments/default/monitoring.yaml

@@ -1,7 +1,8 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-prometheus:
+monitoring:
+  prometheus:
     serviceMonitors:
       enabled: false
       labels:
@@ -15,8 +16,7 @@ prometheus:
       labels:
         release: "kube-prometheus-stack"
 
-
-grafana:
+  grafana:
     dashboards:
       enabled: false
       labels:

helmfile/environments/default/objectstores.yaml

@@ -1,9 +1,18 @@
-{{/*
-SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
-SPDX-License-Identifier: Apache-2.0
-*/}}
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
 ---
 objectstores:
+  migrations:
+    bucket: "migrations"
+    endpoint: ""
+    region: "eu-west-1"
+    secretKey: ""
+    username: "migration_user"
+    storageClass: "STANDARD"
+    useSSL: true
+    pathStyle: true
+    port: 443
   nextcloud:
     bucket: "nextcloud"
     endpoint: ""
@@ -24,7 +33,7 @@ objectstores:
     username: "openproject_user"
     pathStyle: true
     useIamProfile: false
-  univentionManagementStack:
+  nubus:
     bucket: "ums"
     endpoint: ""
     region: "eu-west-1"

helmfile/environments/default/opendesk_main.gotmpl

@@ -1,49 +1,79 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
+#
+# Note: Currently only single namespace deployments are supported.
 ---
 certificates:
   enabled: true
+  namespace: ~
 clamavDistributed:
   enabled: false
+  namespace: ~
 clamavSimple:
   enabled: true
+  namespace: ~
 collabora:
   enabled: true
+  namespace: ~
 cryptpad:
   enabled: true
+  namespace: ~
+dkimpy:
+  enabled: false
+  namespace: ~
 dovecot:
   enabled: true
+  namespace: ~
 element:
   enabled: true
+  namespace: ~
 home:
   enabled: true
+  namespace: ~
 intercom:
   enabled: true
+  namespace: ~
 jitsi:
   enabled: true
+  namespace: ~
 mariadb:
   enabled: true
+  namespace: ~
 memcached:
   enabled: true
+  namespace: ~
+migrations:
+  enabled: true
+  namespace: ~
 minio:
   enabled: true
+  namespace: ~
 nextcloud:
   enabled: true
+  namespace: ~
+nubus:
+  enabled: true
+  namespace: ~
 openproject:
   enabled: true
+  namespace: ~
 oxAppsuite:
   enabled: true
+  namespace: ~
 oxConnector:
   enabled: true
+  namespace: ~
 postfix:
   enabled: true
+  namespace: ~
 postgresql:
   enabled: true
+  namespace: ~
 redis:
   enabled: true
-univentionManagementStack:
-  enabled: true
+  namespace: ~
 xwiki:
   enabled: true
+  namespace: ~
 ...

helmfile/environments/default/persistence.yaml

@@ -16,7 +16,7 @@ persistence:
     prosody: "1Gi"
     redis: "1Gi"
     synapse: "1Gi"
-    univentionManagementStack:
+    nubus:
       ldapServerData: "1Gi"
       ldapServerShared: "1Gi"
       portalListener: "1Gi"

helmfile/environments/default/replicas.yaml

@@ -1,62 +1,140 @@
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
-# Before increasing the replicas of components, please consult the scaling documentation at "docs/scaling.md" to ensure
-# that scaling of the respective component is possible and has the desired effect.
+# This file contains annotations to (later) generate parts of "docs/scaling.md".
+# When adding new components in here, do not forget to add them as well to
+# `../test/values.yaml.gotmpl` to ensure their linting coverage.
 replicas:
-  # clamav-simple
+  # -- component: Antivirus (ClamAV)
+  # -- scalable: true
+  # -- comment: clamav-simple - supports `ReadWriteOnce` PVCs.
   clamav: 1
-  # clamav-distributed
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
   clamd: 1
-  collabora: 1
-  cryptpad: 1
-  dovecot: 1
-  element: 1
-  # clamav-distributed
+  # -- scalable: true
+  # -- comment: clamav-distributed - You do not want to scale this service, as it just updates the signature files centrally an should be a singleton.
   freshclam: 1
-  # clamav-distributed
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
   icap: 1
-  intercomService: 1
-  jibri: 1
-  jicofo: 1
-  jitsi: 1
-  jitsiKeycloakAdapter: 1
-  jvb: 1
-  keycloak: 1
-  mariadb: 1
-  matrixNeoBoardWidget: 1
-  matrixNeoChoiceWidget: 1
-  matrixNeoDateFixBot: 1
-  matrixNeoDateFixWidget: 1
-  matrixUserVerificationService: 1
-  memcached: 1
-  # clamav-distributed
+  # -- scalable: true
+  # -- comment: clamav-distributed - requires `ReadWriteMany` PVCs.
   milter: 1
-  minio: 1
-  nextcloudApache2: 1
-  nextcloudExporter: 1
-  nextcloudPHP: 1
-  openprojectWeb: 1
-  openprojectWorker: 1
-  oxConnector: 1
+
+  # -- component: Weboffice (Collabora)
+  # -- scalable: true
+  collabora: 1
+
+  # -- component: Pad (CryptPad)
+  # -- scalable: false
+  cryptpad: 1
+
+  # -- component: Groupware (OX AppSuite, OX Dovecot etc.)
+  # -- scalable: false
+  # -- comment: Scalable in openDesk Enterprise only
+  dovecot: 1
+  # -- scalable: false
   postfix: 1
-  postgres: 1
-  redis: 1
+  # -- scalable: true
+  dkimpy: 1
+
+  # -- component: Chat (Element, Synapse)
+  # -- scalable: true
+  element: 1
+  # -- scalable: tbd
+  matrixNeoBoardWidget: 1
+  # -- scalable: tbd
+  matrixNeoChoiceWidget: 1
+  # -- scalable: tbd
+  matrixNeoDateFixBot: 1
+  # -- scalable: tbd
+  matrixNeoDateFixWidget: 1
+  # -- scalable: tbd
+  matrixUserVerificationService: 1
+  # -- scalable: tbd
   synapse: 1
+  # -- scalable: true
   synapseWeb: 1
-  umsKeycloakExtensionsHandler: 1
-  umsKeycloakExtensionsProxy: 1
-  umsLdapNotifier: 1
-  umsLdapServer: 1
-  umsNotificationsApi: 1
-  umsPortalFrontend: 1
-  umsPortalListener: 1
-  umsPortalServer: 1
-  umsSelfserviceListener: 1
-  umsStackGateway: 1
-  umsUdmRestApi: 1
-  umsUmcGateway: 1
-  umsUmcServer: 1
+  # -- scalable: true
   wellKnown: 1
+
+  # -- component: IAM (Nubus)
+  # -- scalable: true
+  intercomService: 1
+  # -- scalable: true
+  keycloak: 1
+  # -- scalable: false
+  # -- comment: Will be removed soon.
+  oxConnector: 1
+  # -- scalable: false
+  # -- comment: Should not be scaled, is an async process.
+  umsKeycloakExtensionsHandler: 1
+  # -- scalable: true
+  umsKeycloakExtensionsProxy: 1
+  # -- scalable: tbd
+  umsLdapNotifier: 1
+  # -- scalable: tbd
+  umsLdapServer: 1
+  # -- scalable: tbd
+  umsNotificationsApi: 1
+  # -- scalable: true
+  umsPortalFrontend: 1
+  # -- scalable: tbd
+  umsPortalListener: 1
+  # -- scalable: true
+  umsPortalServer: 1
+  # -- scalable: tbd
+  umsSelfserviceListener: 1
+  # -- scalable: tbd
+  umsStackGateway: 1
+  # -- scalable: true
+  umsUdmRestApi: 1
+  # -- scalable: tbd
+  umsUmcGateway: 1
+  # -- scalable: tbd
+  umsUmcServer: 1
+
+  # -- component: Video conference (Jitsi)
+  # -- scalable: tbd
+  jibri: 1
+  # -- scalable: tbd
+  jicofo: 1
+  # -- scalable: tbd
+  jitsi: 1
+  # -- scalable: tbd
+  jitsiKeycloakAdapter: 1
+  # -- scalable: tbd
+  jvb: 1
+
+  # -- component: Persistence Layer
+  # -- scalable: false
+  mariadb: 1
+  # -- scalable: false
+  memcached: 1
+  # -- scalable: true
+  minio: 1
+  # -- scalable: false
+  postgres: 1
+  # -- scalable: tbd
+  redis: 1
+
+  # -- component: Filestore (Nextcloud)
+  # -- scalable: true
+  nextcloudApache2: 1
+  # -- scalable: true
+  nextcloudExporter: 1
+  # -- scalable: true
+  nextcloudPHP: 1
+
+  # -- component: Project management (OpenProject)
+  # -- scalable: true
+  openprojectWeb: 1
+  # -- scalable: true
+  # -- comment: Async service working on processing queue content. Can work on queues in parallel (when needed). See [upstream Helm chart documentation](https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/) for details, as e.g. dedicated workers to specific queues are in general possible with OpenProject as well.Share 
+  openprojectWorker: 1
+
+  # -- component: Knowledge management (XWiki)
+  # -- scalable: false
   xwiki: 1
 ...

helmfile/environments/default/resources.yaml

@@ -25,6 +25,13 @@ resources:
     requests:
       cpu: 0.1
       memory: "512Mi"
+  dkimpy:
+    limits:
+      cpu: 99
+      memory: "256Mi"
+    requests:
+      cpu: 0.1
+      memory: "128Mi"
   dovecot:
     limits:
       cpu: 99
@@ -69,10 +76,11 @@ resources:
     requests:
       cpu: 0.1
       memory: "384Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jicofo:
     limits:
       cpu: 99
-      memory: "512Mi"
+      memory: "3584Mi"
     requests:
       cpu: 0.1
       memory: "256Mi"
@@ -90,10 +98,11 @@ resources:
     requests:
       cpu: "10m"
       memory: "48Mi"
+  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jvb:
     limits:
       cpu: 99
-      memory: "768Mi"
+      memory: "3584Mi"
     requests:
       cpu: 0.1
       memory: "384Mi"
@@ -216,6 +225,49 @@ resources:
     requests:
       cpu: 0.1
       memory: "512Mi"
+  nubusProvisioning:
+    nats:
+      limits:
+        cpu: 288
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "128Mi"
+    dispatcher:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    registerConsumers:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    udmTransformer:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    prefill:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "64Mi"
+    api:
+      limits:
+        cpu: 1
+        memory: "1Gi"
+      requests:
+        cpu: 0.1
+        memory: "100Mi"
   openproject:
     limits:
       cpu: 99
@@ -534,7 +586,7 @@ resources:
   umsUmcServer:
     limits:
       cpu: 99
-      memory: "1Gi"
+      memory: "2Gi"
     requests:
       cpu: 0.1
       memory: "256Mi"

helmfile/environments/default/secrets.gotmpl

@@ -18,7 +18,8 @@ secrets:
     cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
     shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
     sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
-  univentionManagementStack:
+    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
+  nubus:
     ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
     ldapSearch:
       keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
@@ -68,10 +69,10 @@ secrets:
     nextcloudUser: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "mariadb" "nextcloud_user" | sha1sum | quote }}
   minio:
     rootPassword: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "root_password" | sha1sum | quote) }}
-    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
-    openxchangeUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openxchange_user" | sha1sum | quote) }}
-    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
+    migrationsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "migrations_user" | sha1sum | quote) }}
     nextcloudUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "nextcloud_user" | sha1sum | quote) }}
+    openprojectUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "openproject_user" | sha1sum | quote) }}
+    umsUser: {{ (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "minio" "ums_user" | sha1sum | quote) }}
   keycloak:
     adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "adminPassword" | sha1sum | quote }}
     clientSecret:

helmfile/environments/default/selinux.yaml

@@ -11,6 +11,7 @@ seLinuxOptions:
   clamd: ~
   collabora: ~
   cryptpad: ~
+  dkimpy: ~
   dovecot: ~
   element: ~
   freshclam: ~
@@ -30,6 +31,7 @@ seLinuxOptions:
   matrixNeoDateFixWidget: ~
   matrixUserVerificationService: ~
   memcached: ~
+  migrations: ~
   milter: ~
   minio: ~
   nextcloudApache2: ~

helmfile/environments/default/smtp.gotmpl

@@ -8,4 +8,18 @@ smtp:
   port: 587
   username: ""
   password: {{ env "SMTP_PASSWORD" | quote }}
+  localpartNoReply: "no-reply"
+
+  # For the following settings to have effect `dkimpy.enabled` must be `true`.
+  dkim:
+    key:
+      # DKIM private key as plaintext value.
+      value: ""
+
+      # DKIM private key from existing secret. As a higher precedence than the plain `value`.
+      secret:
+        name: ""
+        key: ""
+    selector: "rsa"
+    useED25519: false
 ...

helmfile/environments/default/theme.gotmpl

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+## The theme properties will be used to set the installations color an images.
+## This is currently not supported by most of the components, but we still
+## want to collect and provide the related information based on the attributes
+## defined in this file.
+#
+theme:
+  ## Define texts
+  #
+  texts:
+    productName: "openDesk"
+
+  ## Define colors
+  #
+  colors:
+    # Element, OX AppSuite, Xwiki
+    primary: "#5e27dd"
+    # OX AppSuite
+    primary15: "#e7dffa"
+    # OX AppSuite
+    black: "#000000"
+    # OX AppSuite, Xwiki
+    white: "#ffffff"
+    # OX AppSuite, Xwiki
+    secondaryGreyLight: "#f5f5f5"
+
+    # Not in use yet
+    primary65: "#9673e9"
+    primary35: "#c7b3f3"
+    secondaryBlue: "#52c1ff"
+    secondaryBlueHighcontrast: "#0c3ff3"
+    secondaryRed: "#ff529e"
+    secondaryYellow: "#ffc700"
+    secondaryGreen: "#00ffcd"
+    secondaryGrey: "#adb3bc"
+
+  ## Define imagery
+  #
+  imagery:
+    # Xwiki
+    faviconSvgB64: {{ readFile "./../../files/theme/favicon.svg" | b64enc | quote }}
+    faviconIcoB64: {{ readFile "./../../files/theme/favicon.ico" | b64enc | quote }}
+    favicon16PngB64: {{ readFile "./../../files/theme/favicon16.png" | b64enc | quote }}
+    favicon144PngB64: {{ readFile "./../../files/theme/favicon144.png" | b64enc | quote }}
+    logoHeaderSvgB64: {{ readFile "./../../files/theme/logoHeader.svg" | b64enc | quote }}
+
+    # Portal
+    logoPortalBackgroundSvgB64: {{ readFile "./../../files/theme/logoPortalBackground.svg" | b64enc | quote }}
+    portalCss: {{ readFile "./../../files/theme/portal.css" | b64enc }}
+
+...

helmfile/environments/test/values.yaml.gotmpl

@@ -18,16 +18,16 @@ persistence:
     mariadb: "42Gi"
     matrixNeoDateFixBot: "42Gi"
     minio: "42Gi"
+    nubus:
+      ldapServerData: "42Gi"
+      ldapServerShared: "42Gi"
+      portalListener: "42Gi"
+      selfserviceListener: "42Gi"
     postfix: "42Gi"
     postgresql: "42Gi"
     prosody: "42Gi"
     redis: "42Gi"
     synapse: "42Gi"
-    univentionManagementStack:
-      ldapServerData: "42Gi"
-      ldapServerShared: "42Gi"
-      portalListener: "42Gi"
-      selfserviceListener: "42Gi"
     xwiki: "42Gi"
 ingress:
   ingressClassName: "kyverno"
@@ -35,17 +35,13 @@ ingress:
     enabled: true
     secretName: "kyverno-tls"
 replicas:
-  # clamav-simple
   clamav: 42
-  # clamav-distributed
   clamd: 42
   collabora: 42
   cryptpad: 42
   dovecot: 42
   element: 42
-  # clamav-distributed
   freshclam: 42
-  # clamav-distributed
   icap: 42
   intercomService: 42
   jibri: 42
@@ -61,7 +57,6 @@ replicas:
   matrixNeoDateFixWidget: 42
   matrixUserVerificationService: 42
   memcached: 42
-  # clamav-distributed
   milter: 42
   minio: 42
   nextcloudApache2: 42

helmfile/files/theme/favicon.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg id="b" width="40" height="40" viewBox="0 0 40 40" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg"><defs id="defs59" /><circle id="c" cx="20" cy="20" r="20" fill="#5e27dd" /><path d="m 34.23,19.98 c 0,2.12 -0.41,3.76 -1.2,4.92 -0.81,1.15 -1.84,1.92 -3.07,2.33 -1.25,0.41 -2.68,0.6 -4.29,0.6 H 19.9 v -9.45 h 3.58 v 6.31 h 2.19 c 1.15,0 2.06,-0.09 2.72,-0.25 0.65,-0.18 1.2,-0.6 1.62,-1.29 0.42,-0.67 0.64,-1.73 0.64,-3.18 0,-1.45 -0.21,-2.49 -0.65,-3.16 -0.42,-0.69 -0.97,-1.11 -1.62,-1.29 -0.67,-0.18 -1.57,-0.26 -2.7,-0.26 h -2.15 v -3.11 h 2.15 c 1.61,0 3.04,0.19 4.29,0.6 1.24,0.39 2.26,1.16 3.07,2.33 0.79,1.15 1.2,2.79 1.2,4.89 z" fill="#ffffff" id="path52" /><path d="m 16.38,19.31 c -0.44,-0.88 -1.09,-1.59 -1.96,-2.1 -0.86,-0.53 -1.85,-0.79 -3,-0.79 -1.15,0 -2.14,0.26 -3,0.79 -0.87,0.51 -1.52,1.22 -1.98,2.1 -0.44,0.86 -0.67,1.8 -0.67,2.82 0,1.02 0.23,1.94 0.67,2.82 0.46,0.86 1.11,1.57 1.98,2.1 0.86,0.51 1.85,0.78 3,0.78 1.15,0 2.14,-0.26 3,-0.78 0.86,-0.53 1.52,-1.24 1.96,-2.1 0.46,-0.88 0.69,-1.82 0.69,-2.82 0,-1 -0.23,-1.96 -0.69,-2.82 z m -1.02,5.14 c -0.34,0.71 -0.85,1.29 -1.52,1.73 -0.69,0.44 -1.48,0.67 -2.42,0.67 C 10.48,26.85 9.67,26.62 9,26.18 8.33,25.74 7.82,25.16 7.48,24.45 7.14,23.73 6.97,22.97 6.97,22.14 6.97,21.31 7.15,20.53 7.48,19.83 7.82,19.11 8.33,18.54 9,18.1 c 0.67,-0.44 1.48,-0.65 2.42,-0.65 0.94,0 1.73,0.21 2.42,0.65 0.67,0.44 1.18,1.01 1.52,1.73 0.34,0.71 0.51,1.48 0.51,2.31 0,0.83 -0.18,1.59 -0.51,2.31 z" fill="#ffffff" id="path54" /></svg>

helmfile/shared/migrations.yaml.gotmpl

@@ -0,0 +1,56 @@
+{{/*
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+global:
+  domain: {{ .Values.global.domain | quote }}
+  hosts:
+    {{ .Values.global.hosts | toYaml | nindent 4 }}
+  imagePullSecrets:
+    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
+
+cleanup:
+  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
+  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}
+
+migrations:
+  runId: 2
+  namespace: {{ .Values.migrations.namespace | default .Release.Namespace | quote }}
+  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
+  failOnUnexpectedState: true
+  environmentDetails:
+    {{ .Values | toYaml | nindent 4 }}
+  cleanup: false
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - "ALL"
+  enabled: true
+  privileged: false
+  runAsUser: 1000
+  runAsGroup: 1000
+  seccompProfile:
+    type: "RuntimeDefault"
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  seLinuxOptions:
+    {{ .Values.seLinuxOptions.migrations | toYaml | nindent 4 }}
+
+image:
+  registry: {{ .Values.global.imageRegistry | default .Values.images.migrations.registry | quote }}
+  repository: {{ .Values.images.migrations.repository | quote }}
+  tag: {{ .Values.images.migrations.tag | quote }}
+  imagePullPolicy: {{ .Values.global.imagePullPolicy |quote }}
+
+job:
+  enabled: true
+
+podSecurityContext:
+  enabled: true
+  fsGroup: 1000
+  fsGroupChangePolicy: "OnRootMismatch"
+
+...

helmfile_generic.yaml

@@ -6,12 +6,14 @@
 #
 helmfiles:
   # Path to the helmfile state file being processed BEFORE releases in this state file
-  - path: "helmfile/apps/services/helmfile-child.yaml"
+  - path: "helmfile/apps/migrations-pre/helmfile-child.yaml"
     values: &values
       - "helmfile/environments/default/*.yaml"
       - "helmfile/environments/default/*.gotmpl"
       - {{ toYaml .Values | nindent 8 }}
-  - path: "helmfile/apps/univention-management-stack/helmfile-child.yaml"
+  - path: "helmfile/apps/services/helmfile-child.yaml"
+    values: *values
+  - path: "helmfile/apps/nubus/helmfile-child.yaml"
     values: *values
   - path: "helmfile/apps/intercom-service/helmfile-child.yaml"
     values: *values
@@ -35,5 +37,7 @@ helmfiles:
     values: *values
   - path: "helmfile/apps/openproject-bootstrap/helmfile-child.yaml"
     values: *values
+  - path: "helmfile/apps/migrations-post/helmfile-child.yaml"
+    values: *values
 missingFileHandler: "Error"
 ...