fix(docs): Update Nubus version to 1.5.1

fix(docs): Fix debug option
fix(static-files): Update Helm chart to v4.0.1 to support longer domain names
2025-12-08 08:21:40 +01:00 · 2025-01-13 13:57:25 +01:00 · 2025-01-09 10:41:25 +01:00 · 2025-01-09 07:05:49 +01:00 · 2025-01-08 14:52:58 +01:00 · 2025-01-08 07:52:43 +01:00
31 changed files with 1250 additions and 1283 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,12 +1,11 @@
 # SPDX-FileCopyrightText: 2024-2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
    ref: "v2.4.8"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
      - "ci/release-automation/semantic-release.yml"
  - local: "/.gitlab/generate/generate-docs.yml"
@@ -32,7 +31,6 @@ stages:
  - ".pre"
  - "renovate"
  - "scan"
  - "automr"
  - "env-cleanup"
  - "env"
  - "pre-services-deploy"
--- a/.gitlab/common/common.yml
+++ b/.gitlab/common/common.yml
@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: Apache-2.0
 ---
 variables:
-  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.5.6\
+  OPENDESK_CI_CLI_IMAGE: "registry.opencode.de/bmi/opendesk/tooling/opendesk-ci-cli:2.7.1\
-    @sha256:2e5ed5e4f7870c8f72314805de0e295660578af8f1bb6da7546fe413b0efd3a0"
+    @sha256:f09e36a4ad4b3a3a9ed260d6f36293002e39866a877c0a6b1efa16a88b8fd107"
-  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.11\
+  OPENDESK_LINT_IMAGE: "registry.opencode.de/bmi/opendesk/components/platform-development/images/ci-lint:1.0.14\
-    @sha256:5673584a8f1bb3e3941a7a27647fdeb768d2250b69fe3df2f36a0ec6ac21d981"
+    @sha256:34d2a96e5fc25155abd48fef4d335b131c71d8cbc00ad531df0cae9918b9f2ab"
 .common:
  cache: {}
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -31,7 +31,11 @@ lint-kyverno:
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
      -d ${CI_PROJECT_DIR}/helmfile/environments
      -x ${CI_PROJECT_DIR}/.kyverno/_overwrite.yaml
    - "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
    - >
      node /app/opendesk-ci-cli/src/index.js remove-empty-keys
      -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml
    - "cd ${CI_PROJECT_DIR}/.kyverno"
    # Test optional
    - >
--- a/.kyverno/_overwrite.yaml
+++ b/.kyverno/_overwrite.yaml
@@ -0,0 +1,6 @@
 # SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
 # SPDX-License-Identifier: Apache-2.0
 ---
 replicas:
  umsLdapServerPrimary: 2
 ...
--- a/README.md
+++ b/README.md
@@ -30,12 +30,12 @@ openDesk currently features the following functional main components:
 | Function             | Functional Component        | Component<br/>Version                                                                                | Upstream Documentation                                                                                                                |
 | -------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.87](https://github.com/element-hq/element-desktop/releases/tag/v1.11.87)                       | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89)                       | [For the most recent release](https://element.io/user-guide)                                                                          |
 | Diagram editor       | CryptPad ft. diagrams.net   | [5.6.0](https://github.com/cryptpad/cryptpad/releases/tag/5.6.0)                                     | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
 | File management      | Nextcloud                   | [29.0.8](https://nextcloud.com/de/changelog/#29-0-8)                                                 | [Nextcloud 29](https://docs.nextcloud.com/)                                                                                           |
 | Groupware            | OX App Suite                | [8.30](https://documentation.open-xchange.com/appsuite/releases/8.30/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
 | Knowledge management | XWiki                       | [16.4.4](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.4.4/)                       | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.4.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
 | Project management   | OpenProject                 | [15.1.0](https://www.openproject.org/docs/release-notes/15-1-0/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
 | Videoconferencing    | Jitsi                       | [2.0.9823](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9823)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
 | Weboffice            | Collabora                   | [24.04.9.2](https://www.collaboraoffice.com/code-24-04-release-notes/)                               | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -5,6 +5,7 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Architecture</h1>
 <!-- TOC -->
 * [Overview](#overview)
 * [Nubus (IAM)](#nubus-iam)
 * [Authentication](#authentication)
@@ -37,6 +38,7 @@ SPDX-License-Identifier: Apache-2.0
  * [XWiki (Knowledge management)](#xwiki-knowledge-management)
 * [Application specific user accounts](#application-specific-user-accounts)
 * [Footnotes](#footnotes)
 <!-- TOC -->
 openDesk is designed as a [Kubernetes](https://kubernetes.io) deployment.
--- a/docs/architecture/apis.md
+++ b/docs/architecture/apis.md
@@ -51,6 +51,10 @@ This chapter presents APIs available in openDesk grouped by applications.
  * [Matrix Server-Server API](#matrix-server-server-api)
  * [Matrix Push Gateway API](#matrix-push-gateway-api)
  * [Matrix Identity Service API](#matrix-identity-service-api)
  * [Matrix React SDK Module API](#matrix-react-sdk-module-api)
  * [Matrix Widget API](#matrix-widget-api)
  * [NeoBoard Data Model API](#neoboard-data-model-api)
  * [NeoDateFix REST API](#neodatefix-rest-api)
 * [Knowledge management - XWiki](#knowledge-management---xwiki)
  * [REST API](#rest-api-1)
  * [Scripting API](#scripting-api)
@@ -647,7 +651,56 @@ Following are APIs used by the Project management application:
 While Jitsi is available as standalone videoconferencing in openDesk, it is also used in [Element as videoconferencing backend](https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md).
-![APIs of Element and Jitsi providing Communication Service](./apis_images/ChatVC-overview.png)
+```mermaid
 ---
  config:
    class:
      hideEmptyMembersBox: true
 ---
 classDiagram
    class CommunicationService["Communication Service"] {
        <<interface>>
    }
    class MxChat["Element Matrix Chat"] {
        <<interface>>
    }
    class JitsiVideoConference["Jitsi Video Conference"] {
        <<interface>>
    }
    CommunicationService <|.. MxChat
    CommunicationService <|.. JitsiVideoConference
    MxChat <-- JitsiVideoConference
    class MxAppServiceApi["Matrix Application Service API"]
    class MxClientServerApi["Matrix Client Server API"]
    class MxServerServerApi["Matrix Server Server API"]
    class MxPushGatewayApi["Matrix Push Gateway API"]
    class MxIdentityServiceApi["Matrix Identity Service API"]
    class MxRtc["Matrix RTC"]
    class MxElementWebModuleApi["Matrix React SDK Module API"]
    class MxWidgetApi["Matrix Widget API"]
    class NeoBoardDataModelApi["NeoBoard Data Model API"]
    class NeoDateFixRestApi["NeoDateFix REST API"]
    MxChat *-- MxAppServiceApi
    MxChat *-- MxClientServerApi
    MxChat *-- MxServerServerApi
    MxChat *-- MxPushGatewayApi
    MxChat *-- MxIdentityServiceApi
    MxChat *-- MxRtc
    MxChat *-- MxElementWebModuleApi
    MxChat *-- MxWidgetApi
    class JitsiIframeApi["Jitsi iFrame API"]
    class JitsiMeetApi["Jitsi Meet API"]
    class JitsiMeetReactSdk["Jitsi Meet React SDK"]
    JitsiVideoConference *-- JitsiIframeApi
    JitsiVideoConference *-- JitsiMeetApi
    JitsiVideoConference *-- JitsiMeetReactSdk
 ```
 Following are APIs used by the Chat application:
@@ -741,6 +794,74 @@ Following are APIs used by the Chat application:
 | Supported standards            | [Matrix](https://spec.matrix.org/latest/identity-service-api/)                                                                               |
 | Documentation                  | [Synapse](https://element-hq.github.io/synapse/latest/) is the reference implementation of the Matrix protocol, see standard for API details |
 ## Matrix React SDK Module API
 | Name                           | Matrix React SDK Module API                                                                                                                                                                                                        |
 | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Purpose                        | The module system in Element Web is a way to add or modify functionality of Element Web itself, bundled at compile time for the app.                                                                                               |
 | Versioning                     | [Releases in the Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api/releases); [Dependency in `package.json` in Element (Chat Web-UI)](https://github.com/element-hq/element-web/blob/develop/package.json) |
 | Authentication                 | n/a - used as a library                                                                                                                                                                                                            |
 | In openDesk provided by        | Element (Chat Web-UI)                                                                                                                                                                                                              |
 | Transport protocol             | n/a - used as a library                                                                                                                                                                                                            |
 | Usage within component         | [Element (Chat-Web-UI) Modules](https://github.com/nordeck/element-web-modules/)                                                                                                                                                   |
 | Usage within openDesk          | none                                                                                                                                                                                                                               |
 | Usage for external integration | n/a - uses as a library                                                                                                                                                                                                            |
 | Parallel access                | Allowed                                                                                                                                                                                                                            |
 | Message protocol               | n/a - used as a library                                                                                                                                                                                                            |
 | Supported standards            | n/a - Element (Chat Web-UI) specific                                                                                                                                                                                               |
 | Documentation                  | [Element (Chat Web-UI) Documentation](https://github.com/element-hq/element-web/blob/develop/docs/modules.md); [matrix-react-sdk-module-api Git repository](https://github.com/matrix-org/matrix-react-sdk-module-api)             |
 ## Matrix Widget API
 | Name                           | Matrix Widget API                                                                                                                                                                                                    |
 | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Purpose                        | Matrix Widgets are HTML and Javascript content / applications that can be embedded within, and communicate with Matrix clients.                                                                                      |
 | Versioning                     | n/a                                                                                                                                                                                                                  |
 | Authentication                 | Widgets request capabilities. They must be confirmed by a user or by the [Widget Lifecycle Module](https://github.com/nordeck/element-web-modules/blob/main/packages/element-web-widget-lifecycle-module/README.md). |
 | In openDesk provided by        | Element (Chat Web-UI)                                                                                                                                                                                                |
 | Transport protocol             | [HTML window.postMessage API](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)                                                                                                                   |
 | Usage within component         | [NeoDateFix](https://github.com/nordeck/matrix-meetings/), [NeoBoard](https://github.com/nordeck/matrix-neoboard), [NeoChoice](https://github.com/nordeck/matrix-poll)                                                                                                    |
 | Usage within openDesk          | none                                                                                                                                                                                                                 |
 | Usage for external integration | none                                                                                                                                                                                                                 |
 | Parallel access                | Allowed                                                                                                                                                                                                              |
 | Message protocol               | JSON                                                                                                                                                                                                                 |
 | Supported standards            | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764)                                                                                                                                    |
 | Documentation                  | [Matrix - MSC2764](https://github.com/matrix-org/matrix-spec-proposals/pull/2764)                                                                                                                                    |
 ## NeoBoard Data Model API
 | Name                           | NeoBoard Data Model API                                                                                                               |
 | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
 | Purpose                        | The NeoBoard data model can be used to generate whiteboard documents.                                                                 |
 | Versioning                     | `version` field in the [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/blob/main/docs/model/export-format.md#fields) |
 | Authentication                 | n/a                                                                                                                                   |
 | In openDesk provided by        | [NeoBoard](https://github.com/nordeck/matrix-neoboard)                                                                                |
 | Transport protocol             | n/a                                                                                                                                   |
 | Usage within component         | [NeoBoard](https://github.com/nordeck/matrix-neoboard)                                                                                |
 | Usage within openDesk          | none                                                                                                                                  |
 | Usage for external integration | none                                                                                                                                  |
 | Parallel access                | n/a                                                                                                                                   |
 | Message protocol               | JSON                                                                                                                                  |
 | Supported standards            | n/a                                                                                                                                   |
 | Documentation                  | [NeoBoard data model](https://github.com/nordeck/matrix-neoboard/tree/main/docs/model)                                                |
 ## NeoDateFix REST API
 | Name                           | NeoDateFix REST API                                                                                                                                |
 | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Purpose                        | Can be used to query and set up NeoDateFix Matrix meetings.                                                                                        |
 | Versioning                     | Path segment in the [Meetings Bot API](https://github.com/nordeck/matrix-meetings/blob/main/docs/data-model.md#http-api)                           |
 | Authentication                 | n/a                                                                                                                                                |
 | In openDesk provided by        | [NeoDateFix](https://github.com/nordeck/matrix-meetings)                                                                                           |
 | Transport protocol             | HTTP(S)                                                                                                                                            |
 | Usage within component         | [NeoDateFix](https://github.com/nordeck/matrix-meetings)                                                                                           |
 | Usage within openDesk          | Used by OX to sync calendar entries to NeoDateFix                                                                                                  |
 | Usage for external integration | none                                                                                                                                               |
 | Parallel access                | n/a                                                                                                                                                |
 | Message protocol               | JSON                                                                                                                                               |
 | Supported standards            | n/a                                                                                                                                                |
 | Documentation                  | [NeoDateFix ADR001](https://github.com/nordeck/matrix-meetings/blob/main/docs/adrs/adr001-use-the-widget-api-to-interact-with-the-meetings-bot.md) |
 # Knowledge management - XWiki
 Following are APIs used by the Knowledge management application:
@@ -804,7 +925,7 @@ Following are APIs used by the Knowledge management application:
 ## JavaScript API
-| Name                           | Javascript API                                                                               |
+| Name                           | JavaScript API                                                                               |
 | ------------------------------ | -------------------------------------------------------------------------------------------- |
 | Purpose                        | Include dynamic components in XWiki/web pages                                                |
 | Versioning                     |                                                                                              |
--- a/docs/architecture/apis_images/ChatVC-overview.png
+++ b/docs/architecture/apis_images/ChatVC-overview.png
--- a/docs/data-storage.md
+++ b/docs/data-storage.md
@@ -95,8 +95,8 @@ XWiki,PersistentVolume,1
 | **OpenProject**      | PostgreSQL   | Yes      | Application's main database                                                                | `openproject`                                  |                                                       |
 |                      | S3           | Yes      | Attachments, custom styles                                                                 | `openproject`                                  |                                                       |
 |                      | Memcached    | No       | Cache                                                                                      |                                                |                                                       |
-|                      | PVC          | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web|worker>-*-tmp`               | `/tmp`                                                |
+|                      | PVC          | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web/worker>-*-tmp`               | `/tmp`                                                |
-|                      |              | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web|worker>-app-*-tmp`           | `/app/tmp`                                            |
+|                      |              | No       | PVC backed `emptyDir` as K8s cannot set the sticky bit on standard emptyDirs               | `openproject-<web/worker>-app-*-tmp`           | `/app/tmp`                                            |
 | **Open-Xchange**     | MariaDB      | Yes      | Application's control database to coordiate dynamically created ones                       | `configdb`                                     |                                                       |
 |                      |              | Yes      | Dynamically creates databases of schema `PRIMARYDB_n`containing multiple contexts          | `PRIMARYDB_*`                                  |                                                       |
 |                      |              | Yes      | OX Guard related settings                                                                  | `oxguard*`                                     |                                                       |
@@ -113,5 +113,5 @@ Additionally, the following persistent volumes are mounted by pods that serve as
 | ---------- | ---------------- | ------------ | --------------------------- | --------------------- |
 | MariaDB    | `mariadb-*`      | `data`       | `data-mariadb-0`            | `/var/lib/mysql`      |
 | MinIO      | `minio-*-*`      | `data`       | `minio`                     | `/bitnami/minio/data` |
-| PostgreSQK | `postgresql-*`   | `data`       | `data-postgresql-0`         | `/mnt/postgresql`     |
+| PostgreSQL | `postgresql-*`   | `data`       | `data-postgresql-0`         | `/mnt/postgresql`     |
 | Redis      | `redis-master-*` | `redis-data` | `redis-data-redis-master-0` | `/data`               |
--- a/docs/debugging.md
+++ b/docs/debugging.md
@@ -12,6 +12,7 @@ SPDX-License-Identifier: Apache-2.0
  * [Adding a container to a pod/deployment - Dev/Test only](#adding-a-container-to-a-poddeployment---devtest-only)
  * [Temporary/ephemeral containers](#temporaryephemeral-containers)
 * [Components](#components)
  * [Helmfile](#helmfile)
  * [MariaDB](#mariadb)
  * [Nextcloud](#nextcloud)
  * [OpenProject](#openproject)
@@ -29,7 +30,7 @@ We for sure do not want to reinvent the wheel, so we might link to external sour
 information where available.
 > **Warning**<br>
-> You should never enable the debug option in production environments! By looking up `debug.enable` in the deployment, you
+> You should never enable the debug option in production environments! By looking up `debug.enabled` in the deployment, you
 will find the various places changes are applied when enabling debugging. So, outside of development and test
 environments, you should use them thoughtfully and carefully if needed.
@@ -38,7 +39,7 @@ environments, you should use them thoughtfully and carefully if needed.
 Check the openDesk [`debug.yaml.gotmpl`](../helmfile/environments/default/debug.yaml.gotmpl) and set for your deployment
 ```
 debug:
-  enable: true
+  enabled: true
 ```
 This will result in:
@@ -142,6 +143,15 @@ kubectl -n ${NAMESPACE} attach -it -c ${EPH_CONTAINER_NAME} ${POD_NAME}
 # Components
 ## Helmfile
 When refactoring the Helmfile structure you want to ensure that there are not unintended mistakes by e.g. `diff`
 comparing the output of Helmfile from before and after the change by calling:
 ```shell
 helmfile template -e dev >output_to_compare.yaml
 ```
 ## MariaDB
 When using the openDesk bundled MariaDB, you can explore the database(s) using the MariaDB interactive terminal from the Pod's command line: `mariadb -u root -p`. On the password prompt, provide the value for `MARIADB_ROOT_PASSWORD` found in the Pod's environment.
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -41,7 +41,7 @@ deploy openDesk onto your Kubernetes infrastructure.
 # Requirements
-Detailed system requirements are covered on the [requirements](requirements.md) page.
+Detailed system requirements are covered on the [requirements](./docs/requirements.md) page.
 # Customize environment
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -7,10 +7,13 @@ SPDX-License-Identifier: Apache-2.0
 <!-- TOC -->
 * [Disclaimer](#disclaimer)
-* [openDesk supported upgrade path](#opendesk-supported-upgrade-path)
+* [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
-* [Releases upgrade details](#releases-upgrade-details)
+* [Manual update steps](#manual-update-steps)
-  * [From v1.0.0](#from-v100)
+  * [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps)
-    * [Pre-upgrade: Manual checks/steps from v1.0.0](#pre-upgrade-manual-checkssteps-from-v100)
+    * [Pre-upgrade](#pre-upgrade)
      * [Helmfile new secret: `secrets.nubus.masterpassword`](#helmfile-new-secret-secretsnubusmasterpassword)
  * [From v1.0.0: Manual checks/steps](#from-v100-manual-checkssteps)
    * [Pre-upgrade](#pre-upgrade-1)
      * [Helmfile Cleanup: Restructured `/helmfile/files/theme` folder](#helmfile-cleanup-restructured-helmfilefilestheme-folder)
      * [Helmfile Cleanup: Consistent use of `*.yaml.gotmpl`](#helmfile-cleanup-consistent-use-of-yamlgotmpl)
      * [Helmfile Cleanup: Prefixing certain app directories with `opendesk-`](#helmfile-cleanup-prefixing-certain-app-directories-with-opendesk-)
@@ -20,8 +23,7 @@ SPDX-License-Identifier: Apache-2.0
      * [openDesk defaults (new): Enforce login](#opendesk-defaults-new-enforce-login)
      * [openDesk defaults (changed): Jitsi room history enabled](#opendesk-defaults-changed-jitsi-room-history-enabled)
      * [External requirements: Redis 7.4](#external-requirements-redis-74)
-    * [Automated migrations from v1.0.0](#automated-migrations-from-v100)
+  * [From v0.9.0: Manual checks/steps](#from-v090-manual-checkssteps)
  * [From v0.9.0](#from-v090)
    * [Pre-upgrade: Manual steps](#pre-upgrade-manual-steps)
      * [Configuration Cleanup: Removal of unnecessary OX-Profiles in Nubus](#configuration-cleanup-removal-of-unnecessary-ox-profiles-in-nubus)
      * [Configuration Cleanup: Updated `global.imagePullSecrets`](#configuration-cleanup-updated-globalimagepullsecrets)
@@ -30,52 +32,68 @@ SPDX-License-Identifier: Apache-2.0
      * [Changed openDesk defaults: File-share configurability](#changed-opendesk-defaults-file-share-configurability)
      * [Changed openDesk defaults: Updated default subdomains in `global.hosts`](#changed-opendesk-defaults-updated-default-subdomains-in-globalhosts)
      * [Changed openDesk defaults: Dedicated group for access to the UDM REST API](#changed-opendesk-defaults-dedicated-group-for-access-to-the-udm-rest-api)
-    * [Automated migrations from v0.9.0](#automated-migrations-from-v090)
+    * [Post-upgrade](#post-upgrade)
    * [Post-upgrade: Manual steps](#post-upgrade-manual-steps)
      * [Configuration Improvement: Separate user permission for using Video Conference component](#configuration-improvement-separate-user-permission-for-using-video-conference-component)
      * [Optional Cleanup](#optional-cleanup)
-  * [From v0.8.1](#from-v081)
+  * [From v1.1.0: Manual checks/steps](#from-v110-manual-checkssteps-1)
-    * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
+    * [Pre-upgrade](#pre-upgrade-2)
-    * [Updated customizable template attributes](#updated-customizable-template-attributes)
+      * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
-    * [`migrations` S3 bucket](#migrations-s3-bucket)
+      * [Updated customizable template attributes](#updated-customizable-template-attributes)
-* [Related components and artifacts](#related-components-and-artifacts)
+      * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Automated migrations - Details](#automated-migrations---details)
  * [From v1.1.0: Automated migrations](#from-v110-automated-migrations)
  * [From v0.9.0: Automated migrations](#from-v090-automated-migrations)
  * [Related components and artifacts](#related-components-and-artifacts)
  * [Development](#development)
 <!-- TOC -->
 # Disclaimer
-With openDesk 1.0, we aim to offer hassle-free updates/upgrades.
+Starting with openDesk 1.0, we aim to offer hassle-free updates/upgrades.
-But openDesk requires a defined upgrade path that is described in the section [openDesk supported upgrade path](#opendesk-supported-upgrade-path).
+Therefore openDesk contains automated migrations between versions to lower the requirements for manual interaction. These automated migrations can have limitations in the way that they need a certain openDesk version to be installed causing a mandatory upgrade path that is described in the section [Automated migrations](#automated-migrations).
-Some upgrades even require manual interaction, which are referenced in the aforementioned section and described further down this document.
+Manual checks and possible activities are also required by openDesk updates, they are described in the section [Manual update steps](#manual-update-steps).
-> **Known limitations:**<br>
+> **Note**<br>
 > Please be sure you read / follow the requirements before you update / upgrade thoroughly.
 > **Known limitations**<br>
 > We assume that the PV reclaim policy is set to `delete`, resulting in PVs getting deleted as soon as the related PVC was deleted; we will not address explicit deletion for PVs.
-# openDesk supported upgrade path
+# Automated migrations - Overview and mandatory upgrade path
-When updating your openDesk installation you have to install the releases listed below in the sequential order from
+The following table gives an overview of the mandatory upgrade path of openDesk for the automated migrations to work as expected.
 the lowest version number you are already on to the more current version you are looking to install.
-Explanation of the table's columns:
+To upgrade existing deployments, you cannot skip any version mentioned in the column *Mandatory version*. When a version number is not fully defined (e.g. `v1.1.x`), you can install any version matching the given schema.
 - *Coming from*: Check the column for the release you are currently on.
 - *Mandatory release*: Defines which release(s) support the upgrade from your currently installed version.
 - *Automatic migration*: Summary of, or link to openDesk's automatic migration details.
 - *Manual activities*: Reference to required manual steps to upgrade your openDesk installation to the *Mandatory release*.
-| Coming from   | Mandatory (minimum) release | Manual steps required                                                             | Details                       |
+| Mandatory version |
-| ------------- | --------------------------- | --------------------------------------------------------------------------------- | ----------------------------- |
+| ----------------- |
-| v1.0.0        | v1.1.0                      | [Before upgrade](#pre-upgrade-manual-checkssteps-from-v100)                       | See [From v1.0.0](#from-v100) |
+| v1.1.x            |
-| v0.9.0        | v1.0.0                      | [Before](#pre-upgrade-manual-steps) & [After upgrade](#post-upgrade-manual-steps) | See [From v0.9.0](#from-v090) |
+| v1.0.0            |
-| v0.8.1        | v0.9.0                      | Initializes migration system                                                      | See [From v0.8.1](#from-v081) |
+| v0.9.0            |
-| not supported | v0.8.1                      | First release that supporting updates                                             |                               |
+| v0.8.1            |
-# Releases upgrade details
+> **Note**<br>
 > Be sure you check out the table in the release version you are going to install, an not the one that is currently installed.
-## From v1.0.0
+When interested in more details about the automated migrations, please read section [Automated migrations - Details](#automated-migrations---details).
-### Pre-upgrade: Manual checks/steps from v1.0.0
+# Manual update steps
 Be sure you check all the sections for the releases your are going to update your current deployment from.
 ## From v1.1.0: Manual checks/steps
 ### Pre-upgrade
 #### Helmfile new secret: `secrets.nubus.masterpassword`
 A not yet templated secret was discovered in the Nubus deployment that is now defined in [`secrets.yaml.gotmpl`](../helmfile/environments/default/theme.yaml.gotmpl) with the key `secrets.nubus.masterpassword`. If you define your own secrets, please be sure this new secret is set to the value of the `MASTER_PASSWORD` environment variable used in your deployment.
 ## From v1.0.0: Manual checks/steps
 ### Pre-upgrade
 #### Helmfile Cleanup: Restructured `/helmfile/files/theme` folder
@@ -236,18 +254,7 @@ The update from openDesk 1.0.0 contains Redis 7.4.1, like the other openDesk bun
 Please ensure for the Redis you are using that it is updated to at least 7.4 to support the requirement of OX App Suite.
-### Automated migrations from v1.0.0
+## From v0.9.0: Manual checks/steps
 With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
 openDesk's automated migrations takes care of this upgrade requirement described here for
 [Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
 creating the config map with the mentioned label.
 > **Note**<br>
 > Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 ## From v0.9.0
 ### Pre-upgrade: Manual steps
@@ -433,16 +440,7 @@ The IAMs admin account `Administrator` is a member of this group by default, but
 If you need other accounts to use the API, please assign them to the aforementioned group.
-### Automated migrations from v0.9.0
+### Post-upgrade
 The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
 The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
 > **Note**<br>
 > Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 ### Post-upgrade: Manual steps
 #### Configuration Improvement: Separate user permission for using Video Conference component
@@ -472,14 +470,16 @@ kubectl -n ${NAMESPACE} delete pvc shared-run-ums-ldap-server-0
 kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
 ```
-## From v0.8.1
+## From v1.1.0: Manual checks/steps
-### Updated `cluster.networking.cidr`
+### Pre-upgrade
 #### Updated `cluster.networking.cidr`
 - Action: `cluster.networking.cidr` is now an array (was a string until 0.8.1); please update your setup accordingly if you explicitly set this value.
 - Reference:[cluster.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/cluster.yaml)
-### Updated customizable template attributes
+#### Updated customizable template attributes
 - Action: Please update your custom deployment values according to the updated default value structure.
 - References:
@@ -488,12 +488,34 @@ kubectl -n ${NAMESPACE} delete pvc ox-connector-ox-contexts-ox-connector-0
  - `monitoring.` prefix for `prometheus.*` and `graphana.*`, see [monitoring.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/monitoring.yaml).
  - `smtp.` prefix for `localpartNoReply`, see [smtp.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/smtp.yaml).
-### `migrations` S3 bucket
+#### `migrations` S3 bucket
 - Action: For self-managed/external S3/object storages, please ensure you add a bucket `migrations` to your S3.
 - Reference: `objectstores.migrations` in [objectstores.yaml](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/-/blob/main/helmfile/environments/default/objectstores.yaml)
-# Related components and artifacts
+# Automated migrations - Details
 ## From v1.1.0: Automated migrations
 With openDesk v1.1.0 the IAM stack supports HA LDAP primary as well as scalable LDAP secondary pods.
 openDesk's automated migrations takes care of this upgrade requirement described here for
 [Nubus 1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/1.5.1/en/changelog.html#migrate-existing-ldap-server-to-mirror-mode-readiness),
 creating the config map with the mentioned label.
 > **Note**<br>
 > Details can be found in [run_3.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 ## From v0.9.0: Automated migrations
 The `migrations-pre` and `migrations-post` jobs in the openDesk deployment address the automated migration tasks.
 The permissions required to execute the migrations can be found in the migration's Helm chart [`role.yaml'](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-migrations/-/blob/v1.3.5/charts/opendesk-migrations/templates/role.yaml?ref_type=tags#L29)
 > **Note**<br>
 > Details can be found in [run_2.py](https://gitlab.opencode.de/bmi/opendesk/components/platform-development/images/opendesk-migrations/-/blob/main/odmigs-python/odmigs_runs/run_3.py).
 ## Related components and artifacts
 openDesk comes with two upgrade steps as part of the deployment; they can be found in the folder [/helmfile/apps](../helmfile/apps/) as all other components:
--- a/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/nubus/helmfile-child.yaml.gotmpl
@@ -44,8 +44,6 @@ releases:
    version: "{{ .Values.charts.nubus.version }}"
    values:
      - "values-nubus.yaml.gotmpl"
      - "values-opendesk-customization.yaml.gotmpl"
      - "values-opendesk-images.yaml.gotmpl"
      {{ range .Values.customization.release.ums }}
      - {{ . }}
      {{ end }}
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -53,7 +53,7 @@ ics:
  secret: {{ .Values.secrets.intercom.secret | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  originRegex: "{{ .Values.global.domain }}"
-  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"opendesk_username"{{ end }}
+  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"opendesk_useruuid"{{ else }}"opendesk_username"{{ end }}
  usernameClaim: "opendesk_username"
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
--- a/helmfile/apps/nubus/values-nubus.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-nubus.yaml.gotmpl
--- a/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-customization.yaml.gotmpl
@@ -1,728 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 keycloak:
  enabled: true
  ingress:
    enabled: false
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloak | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak"
  replicaCount: {{ .Values.replicas.keycloak }}
  resources:
    {{ .Values.resources.umsKeycloak | toYaml | nindent 4 }}
 nubusGuardian:
  authorizationApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-authorization-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianAuthorizationApi }}
    resources:
      {{ .Values.resources.umsGuardianAuthorizationApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianAuthorizationApi | toYaml | nindent 8 }}
  managementApi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-api"
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    replicaCount: {{ .Values.replicas.umsGuardianManagementApi }}
    resources:
      {{ .Values.resources.umsGuardianManagementApi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementApi | toYaml | nindent 8 }}
  managementUi:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-guardian-management-ui"
    replicaCount: {{ .Values.replicas.umsGuardianManagementUi }}
    resources:
      {{ .Values.resources.umsGuardianManagementUi | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsGuardianManagementUi | toYaml | nindent 8 }}
  openPolicyAgent:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    podSecurityContext:
      fsGroup: 1000
      fsGroupChangePolicy: "Always"
    podAnnotations:
      intents.otterize.com/service-name: "ums-ums-open-policy-agent"
    replicaCount: {{ .Values.replicas.umsGuardianOpenPolicyAgent }}
    resources:
      {{ .Values.resources.umsOpenPolicyAgent | toYaml | nindent 6 }}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: RuntimeDefault
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsGuardianOpenPolicyAgent | toYaml | nindent 8 }}
  provisioning:
    # Using openDesk keycloak provisioning
    enabled: false
 nubusNotificationsApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-notifications-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsNotificationsApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsNotificationsApi }}
  resources:
    {{ .Values.resources.umsNotificationsApi | toYaml | nindent 4 }}
 nubusUmcServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-umc-server"
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextInit:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  containerSecurityContextSssd:
    enabled: true
    allowPrivilegeEscalation: true
    capabilities:
      drop:
        - "ALL"
      add:
        - "DAC_OVERRIDE"
        - "SETGID"
        - "AUDIT_WRITE"
        - "SETUID"
        - "CHOWN"
        - "SETPCAP"
        - "FOWNER"
        - "FSETID"
        - "KILL"
        - "MKNOD"
        - "NET_BIND_SERVICE"
        - "SYS_CHROOT"
    runAsUser: 0
    runAsGroup: 0
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: false
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  proxy:
    replicaCount: {{ .Values.replicas.umsUmcServerProxy }}
  replicaCount: {{ .Values.replicas.umsUmcServer }}
  resources:
    {{ .Values.resources.umsUmcServer | toYaml | nindent 4 }}
  selfService:
    passwordresetEmailBody: |
        Sehr geehrte Benutzerin, sehr geehrter Benutzer,
        Ihr Benutzername für {domainname} lautet: {username}
        Sie erhalten diese Nachricht, da Sie Ihr Passwort zurücksetzen möchten oder weil Ihr Benutzer neu im System angelegt wurde.
        Klicken Sie bitte auf den folgenden Link, um Ihr Passwort zu setzen:
        https://{fqdn}/univention/portal/#/selfservice/newpassword/?token={token}&username={username}
        Der genannte Link ist nur 48 Stunden gültig, danach fordern Sie ihn bitte erneut an unter:
        https://{fqdn}/univention/portal/#/selfservice/passwordforgotten
        Mit freundlichen Grüßen
        Ihr {domainname} Passwort-Service
 nubusKeycloakExtensions:
  enabled: true
  handler:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsHandler }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-handler"
    resources:
      {{ .Values.resources.umsKeycloakExtensionHandler | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
  proxy:
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    replicaCount: {{ .Values.replicas.umsKeycloakExtensionsProxy }}
    podAnnotations:
      intents.otterize.com/service-name: "ums-keycloak-extensions-proxy"
    resources:
      {{ .Values.resources.umsKeycloakExtensionProxy | toYaml | nindent 6 }}
    securityContext:
      seccompProfile:
        type: "RuntimeDefault"
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsKeycloakExtensionHandler | toYaml | nindent 8 }}
 nubusPortalConsumer:
  portalConsumer:
    image:
      pullSecrets:
        {{- range .Values.global.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-portal-consumer"
  replicaCount: {{ .Values.replicas.umsPortalConsumer }}
  resources:
    {{ .Values.resources.umsPortalConsumer | toYaml | nindent 4 }}
  resourcesWaitForDependency:
    {{ .Values.resources.umsPortalConsumerDependencies | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.portalConsumer | quote }}
  securityContext:
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalConsumer | toYaml | nindent 6 }}
  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
    - name: "trusted-cert-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
          - key: "ca.crt"
            path: "cacert.pem"
  extraVolumeMounts:
    - name: "trusted-cert-secret-volume"
      mountPath: "/etc/ssl/certs/ca-certificates.crt"
      subPath: "ca-certificates.crt"
  waitForDependency:
    extraVolumeMounts:
      - name: "trusted-cert-secret-volume"
        readOnly: true
        mountPath: "/etc/ssl/certs/ca-certificates.crt"
        subPath: "ca-certificates.crt"
      - name: "trusted-cert-secret-volume"
        readOnly: true
        mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
        subPath: "cacert.pem"
    extraEnvVars:
      - name: "REQUESTS_CA_BUNDLE"
        value: "/etc/ssl/certs/ca-certificates.crt"
      - name: "DEFAULT_CA_BUNDLE_PATH"
        value: "/etc/ssl/certs/ca-certificates.crt"
      - name: "SSL_CERT_FILE"
        value: "/etc/ssl/certs/ca-certificates.crt"
  {{- end }}
 nubusUdmListener:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 102
    runAsGroup: 65534
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmListener | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmListener }}
  resources:
    {{ .Values.resources.umsUdmListener | toYaml | nindent 4 }}
 nubusPortalServer:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-server"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalServer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsPortalServer }}
  resources:
    {{ .Values.resources.umsPortalServer | toYaml | nindent 4 }}
  {{- if .Values.certificate.selfSigned }}
  extraVolumes:
    - name: "trusted-cert-crt-secret-volume"
      secret:
        secretName: "opendesk-certificates-ca-tls"
        items:
          - key: "ca.crt"
            path: "ca-certificates.crt"
          - key: "ca.crt"
            path: "cacert.pem"
  extraVolumeMounts:
    - name: "trusted-cert-crt-secret-volume"
      readOnly: true
      mountPath: "/etc/ssl/certs/ca-certificates.crt"
      subPath: "ca-certificates.crt"
    - name: "trusted-cert-crt-secret-volume"
      readOnly: true
      mountPath: "/usr/local/lib/python3.11/dist-packages/certifi/cacert.pem"
      subPath: "cacert.pem"
    - name: "trusted-cert-crt-secret-volume"
      readOnly: true
      mountPath: "/usr/lib/python3/dist-packages/botocore/cacert.pem"
      subPath: "cacert.pem"
    - name: "trusted-cert-crt-secret-volume"
      readOnly: true
      mountPath: "/usr/lib/python3/dist-packages/certifi/cacert.pem"
      subPath: "cacert.pem"
  {{- end }}
 nubusLdapNotifier:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 101
    runAsGroup: 102
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsLdapNotifier | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-ldap-notifier"
  replicaCount: {{ .Values.replicas.umsLdapNotifier }}
  resources:
    {{ .Values.resources.umsLdapNotifier | toYaml | nindent 4 }}
 nubusLdapServer:
  global:
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
  replicaCountPrimary: {{ .Values.replicas.umsLdapServerPrimary }}
  replicaCountSecondary: {{ .Values.replicas.umsLdapServerSecondary }}
  replicaCountProxy: {{ .Values.replicas.umsLdapServerProxy }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-ldap-server"
  serviceAccount:
    create: true
  initResources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  resources: {{ .Values.resources.umsLdapServer | toYaml | nindent 4 }}
  persistence:
    storageClass: {{ .Values.persistence.storageClassNames.RWO | quote }}
    size: {{ .Values.persistence.size.nubus.ldapServerData | quote }}
  extraVolumes:
    - name: "migration-scripts"
      secret:
        secretName: "ums-ldap-server-migration"
        defaultMode: 0555
  extraVolumeMounts:
    - name: "migration-scripts"
      mountPath: "/entrypoint.d/30-purge.sh"
      subPath: "30-purge.sh"
    - name: "migration-scripts"
      mountPath: "/entrypoint.d/95-slapadd-24-ldiff.sh"
      subPath: "95-slapadd-24-ldif.sh"
  extraSecrets:
    - name: "ums-ldap-server-migration"
      stringData:
        30-purge.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- Cleaning up /var/lib/univention-ldap."
            cd /var/lib/univention-ldap
            rm -rf internal
            rm -rf ldap
            ls -l
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
        95-slapadd-24-ldif.sh: |
          #!/usr/bin/env bash
          me=$(basename "$0")
          echo "- Running ${me}"
          ls -l /var/lib/univention-ldap
          if [ -f /var/lib/univention-ldap/ldap-24-export.ldif ]; then
            echo "- slapadd-ing /var/lib/univention-ldap/ldap-24-export.ldif"
            ls -l /var/lib/univention-ldap/
            rm -rf /var/lib/univention-ldap/ldap
            rm -rf /var/lib/univention-ldap/internal
            echo "- deleted /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            mkdir /var/lib/univention-ldap/ldap
            mkdir /var/lib/univention-ldap/internal
            echo "- created /var/lib/univention-ldap/ldap and /var/lib/univention-ldap/internal"
            ls -l /var/lib/univention-ldap/
            /usr/sbin/slapadd -v -l /var/lib/univention-ldap/ldap-24-export.ldif
            echo "- slapadd executed"
            ls -l /var/lib/univention-ldap/
            mv /var/lib/univention-ldap/ldap-24-export.ldif /var/lib/univention-ldap/ldap-24-export.ldif-imported
            echo "- import file renamed"
            ls -l /var/lib/univention-ldap/
          else
            echo "- File /var/lib/univention-ldap/ldap-24-export.ldif not found."
          fi
 nubusPortalFrontend:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-portal-frontend"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsPortalFrontend | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    create: true
  replicaCount: {{ .Values.replicas.umsPortalFrontend }}
  resources:
    {{ .Values.resources.umsPortalFrontend | toYaml | nindent 4 }}
  portalFrontend:
    branding:
      css: {{ .Values.theme.styles.portal.main | toJson }}
      # Requires .ico, .svg does not work.
      favicon: {{ .Values.theme.imagery.portal.faviconIco | toJson }}
      # The actual `logo` is set in customizing image, the logo down here is for for waiting spinner.
      logo: {{ .Values.theme.imagery.portal.waitingSpinnerSvg | toJson }}
      backgroundImage: {{ .Values.theme.imagery.portal.logoBackgroundSvg | toJson }}
 nubusStackDataUms:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsStackDataUms | toYaml | nindent 6 }}
  pullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-stack-data-ums"
  resources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
  initResources:
    {{ .Values.resources.umsStackDataUms | toYaml | nindent 4 }}
 nubusSelfServiceConsumer:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsSelfserviceConsumer | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-selfservice-listener"
  resources:
    {{ .Values.resources.umsSelfserviceConsumer | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsSelfserviceConsumer }}
 nubusUdmRestApi:
  additionalAnnotations:
    intents.otterize.com/service-name: "ums-udm-rest-api"
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUdmRestApi | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  serviceAccount:
    annotations:
      intended.usage: "compliance"
  resources:
    {{ .Values.resources.umsUdmRestApi | toYaml | nindent 4 }}
  initResources:
    {{ .Values.resources.umsUdmRestApiInit | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUdmRestApi }}
 nubusUmcGateway:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsUmcGateway | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount: {{ .Values.replicas.umsUmcGateway }}
  resources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
  initResources:
    {{ .Values.resources.umsUmcGateway | toYaml | nindent 4 }}
 nubusKeycloakBootstrap:
  additionalAnnotations:
    argocd.argoproj.io/hook: "Sync"
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    readOnlyRootFilesystem: false
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: "RuntimeDefault"
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsKeycloakBootstrap | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  podAnnotations:
    intents.otterize.com/service-name: "ums-keycloak-bootstrap"
  resources:
    {{ .Values.resources.umsKeycloakBootstrap | toYaml | nindent 4 }}
 nubusProvisioning:
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seLinuxOptions:
      {{ .Values.seLinuxOptions.umsProvisioning | toYaml | nindent 6 }}
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
  replicaCount:
    dispatcher: {{ .Values.replicas.umsProvisioningDispatcher }}
    udmTransformer: {{ .Values.replicas.umsProvisioningUdmTransformer }}
    prefill: {{ .Values.replicas.umsProvisioningPrefill }}
    api: {{ .Values.replicas.umsProvisioningApi }}
  serviceAccount:
    create: true
  nats:
    config:
      cluster:
        replicas: {{ .Values.replicas.umsProvisioningNats }}
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - "ALL"
      enabled: true
      runAsUser: 1000
      runAsGroup: 1000
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      seLinuxOptions:
        {{ .Values.seLinuxOptions.umsProvisioningNats | toYaml | nindent 8 }}
    imagePullSecrets:
      {{ .Values.global.imagePullSecrets | toYaml | nindent 6 }}
    persistence:
      size: {{ .Values.persistence.size.nubus.provisioningNats }}
    resources:
      {{ .Values.resources.umsProvisioningNats | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-nats"
    serviceAccount:
      create: true
  api:
    resources:
      {{ .Values.resources.umsProvisioningApi | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-api"
  dispatcher:
    resources:
      {{ .Values.resources.umsProvisioningDispatcher | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-dispatcher"
  prefill:
    resources:
      {{ .Values.resources.umsProvisioningPrefill | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-prefill"
  registerConsumers:
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
    podAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-register-consumers"
  udmTransformer:
    resources:
      {{ .Values.resources.umsProvisioningUdmTransformer | toYaml | nindent 6 }}
    additionalAnnotations:
      intents.otterize.com/service-name: "ums-provisioning-udm-transformer"
  resources:
    registerConsumers:
      {{ .Values.resources.umsProvisioningRegisterConsumers | toYaml | nindent 6 }}
--- a/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-images.yaml.gotmpl
@@ -1,266 +0,0 @@
 {{/*
 SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 SPDX-License-Identifier: Apache-2.0
 */}}
 ---
 global:
  imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 keycloak:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloak.registry | quote }}
    repository: {{ .Values.images.nubusKeycloak.repository }}
    tag: {{ .Values.images.nubusKeycloak.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakBootstrap:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakBootstrap.registry | quote }}
    repository: {{ .Values.images.nubusKeycloakBootstrap.repository }}
    tag: {{ .Values.images.nubusKeycloakBootstrap.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusKeycloakExtensions:
    handler:
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionHandler.registry | quote }}
        repository: {{ .Values.images.nubusKeycloakExtensionHandler.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionHandler.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    proxy:
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusKeycloakExtensionProxy.registry | quote }}
        repository: {{ .Values.images.nubusKeycloakExtensionProxy.repository }}
        tag: {{ .Values.images.nubusKeycloakExtensionProxy.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapNotifier:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapNotifier.registry | quote }}
    repository: {{ .Values.images.nubusLdapNotifier.repository }}
    tag: {{ .Values.images.nubusLdapNotifier.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusLdapServer:
  ldapServer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServer.registry | quote }}
      repository: {{ .Values.images.nubusLdapServer.repository }}
      tag: {{ .Values.images.nubusLdapServer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    leaderElector:
      image:
        registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerLeaderElector.registry | quote }}
        repository: {{ .Values.images.nubusLdapServerLeaderElector.repository }}
        tag: {{ .Values.images.nubusLdapServerLeaderElector.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dhInitcontainer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusLdapServerDhInitContainer.registry | quote }}
      repository: {{ .Values.images.nubusLdapServerDhInitContainer.repository }}
      tag: {{ .Values.images.nubusLdapServerDhInitContainer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusNotificationsApi:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusNotificationsApi.registry | quote }}
    repository: {{ .Values.images.nubusNotificationsApi.repository }}
    tag: {{ .Values.images.nubusNotificationsApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalFrontend:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalFrontend.registry | quote }}
    repository: {{ .Values.images.nubusPortalFrontend.repository }}
    tag: {{ .Values.images.nubusPortalFrontend.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalConsumer:
  portalConsumer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalConsumer.registry | quote }}
      repository: {{ .Values.images.nubusPortalConsumer.repository }}
      tag: {{ .Values.images.nubusPortalConsumer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusPortalServer:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusPortalServer.registry | quote }}
    repository: {{ .Values.images.nubusPortalServer.repository }}
    tag: {{ .Values.images.nubusPortalServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioning:
  api:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
      tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  dispatcher:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningDispatcher.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningDispatcher.repository }}
      tag: {{ .Values.images.nubusProvisioningDispatcher.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  udmTransformer:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmTransformer.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningUdmTransformer.repository }}
      tag: {{ .Values.images.nubusProvisioningUdmTransformer.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  prefill:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
      repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
      tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  registerConsumers:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  nats:
    nats:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNats.registry | quote }}
        repository: {{ .Values.images.nubusNats.repository }}
        tag: {{ .Values.images.nubusNats.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    reloader:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsReloader.registry | quote }}
        repository: {{ .Values.images.nubusNatsReloader.repository }}
        tag: {{ .Values.images.nubusNatsReloader.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    natsBox:
      image:
        registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusNatsBox.registry | quote }}
        repository: {{ .Values.images.nubusNatsBox.repository }}
        tag: {{ .Values.images.nubusNatsBox.tag }}
        imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningEventsAndConsumerApi:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningEventsAndConsumerApi.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.repository }}
    tag: {{ .Values.images.nubusProvisioningEventsAndConsumerApi.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusProvisioningPrefill:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningPrefill.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningPrefill.repository }}
    tag: {{ .Values.images.nubusProvisioningPrefill.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmListener:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusProvisioningUdmListener.registry | quote }}
    repository: {{ .Values.images.nubusProvisioningUdmListener.repository }}
    tag: {{ .Values.images.nubusProvisioningUdmListener.tag }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusSelfServiceConsumer:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusSelfServiceConsumer.registry | quote }}
    repository: {{ .Values.images.nubusSelfServiceConsumer.repository }}
    tag: {{ .Values.images.nubusSelfServiceConsumer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  waitForDependency:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
      repository: {{ .Values.images.nubusWaitForDependency.repository }}
      tag: {{ .Values.images.nubusWaitForDependency.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUdmRestApi:
  udmRestApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUdmRestApi.registry | quote }}
      repository: {{ .Values.images.nubusUdmRestApi.repository }}
      tag: {{ .Values.images.nubusUdmRestApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcGateway:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcGateway.registry | quote }}
    repository: {{ .Values.images.nubusUmcGateway.repository }}
    tag: {{ .Values.images.nubusUmcGateway.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusUmcServer:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusUmcServer.registry | quote }}
    repository: {{ .Values.images.nubusUmcServer.repository }}
    tag: {{ .Values.images.nubusUmcServer.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
    pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  proxy:
    image:
      registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.nubusUmcServerProxy.registry | quote }}
      repository: {{ .Values.images.nubusUmcServerProxy.repository }}
      tag: {{ .Values.images.nubusUmcServerProxy.tag }}
      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusWaitForDependency:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    tag: {{ .Values.images.nubusWaitForDependency.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusGuardian:
  provisioning:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianProvisioning.registry | quote }}
      repository: {{ .Values.images.nubusGuardianProvisioning.repository }}
      tag: {{ .Values.images.nubusGuardianProvisioning.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  authorizationApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianAuthorizationApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianAuthorizationApi.repository }}
      tag: {{ .Values.images.nubusGuardianAuthorizationApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementApi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementApi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementApi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementApi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  managementUi:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusGuardianManagementUi.registry | quote }}
      repository: {{ .Values.images.nubusGuardianManagementUi.repository }}
      tag: {{ .Values.images.nubusGuardianManagementUi.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  openPolicyAgent:
    image:
      registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusOpenPolicyAgent.registry | quote }}
      repository: {{ .Values.images.nubusOpenPolicyAgent.repository }}
      tag: {{ .Values.images.nubusOpenPolicyAgent.tag }}
      imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 nubusStackDataUms:
  image:
    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusDataLoader.registry | quote }}
    repository: {{ .Values.images.nubusDataLoader.repository }}
    tag: {{ .Values.images.nubusDataLoader.tag }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy | quote }}
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -30,7 +30,7 @@ config:
      {{ .Values.functional.authentication.oidc.clients | toYaml | nindent 6 }}
  managed:
    clientScopes: [ 'acr', 'web-origins', 'email', 'profile', 'microprofile-jwt', 'role_list', 'offline_access', 'roles', 'address', 'phone' ]
-    clients: [ 'opendesk-intercom', 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
+    clients: [ 'guardian-management-api', 'guardian-scripts', 'guardian-ui', 'UMC', '${client_account}', '${client_account-console}', '${client_admin-cli}', '${client_broker}', '${client_realm-management}', '${client_security-admin-console}' ]
  keycloak:
    adminUser: "kcadmin"
    adminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
@@ -442,34 +442,6 @@ config:
              included.client.audience: "opendesk-intercom"
              id.token.claim: false
              access.token.claim: true
          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
          # it to `opendesk_useruuid` standard claim. For reference:
          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
          - name: "entryuuid_temp"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "entryuuid"
              jsonType.label: "String"
          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
          # set it to `opendesk_username` standard claim. For reference:
          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
          - name: "phoenixusername_temp"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "uid"
              id.token.claim: true
              access.token.claim: true
              claim.name: "phoenixusername"
              jsonType.label: "String"
          - name: "opendesk_username"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
@@ -481,6 +453,17 @@ config:
              access.token.claim: true
              claim.name: "opendesk_username"
              jsonType.label: "String"
          - name: "opendesk_useruuid"
            protocol: "openid-connect"
            protocolMapper: "oidc-usermodel-attribute-mapper"
            consentRequired: false
            config:
              userinfo.token.claim: true
              user.attribute: "entryUUID"
              id.token.claim: true
              access.token.claim: true
              claim.name: "opendesk_useruuid"
              jsonType.label: "String"
        defaultClientScopes:
          - "offline_access"
 {{ if .Values.notes.enabled }}
--- a/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-oxconnector.yaml.gotmpl
@@ -23,9 +23,8 @@ image:
  repository: {{ .Values.images.oxConnector.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.oxConnector.tag | quote }}
  waitForDependency:
-    registry: {{ .Values.global.imageRegistry | default .Values.images.nubusWaitForDependency.registry | quote }}
+    registry: {{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.nubusWaitForDependency.registry | quote }}
    repository: {{ .Values.images.nubusWaitForDependency.repository }}
    imagePullPolicy: {{ .Values.global.imagePullPolicy }}
    pullSecrets:
--- a/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-opendesk-static-files.yaml.gotmpl
@@ -10,6 +10,68 @@ global:
  imagePullSecrets:
    {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 assets:
  element:
    subdomain: {{ .Values.global.hosts.element }}
    paths:
      - path: "/vector-icons/favicon.........ico"
        data: {{ .Values.theme.imagery.chat.faviconIco }}
  jitsi:
    subdomain: {{ .Values.global.hosts.jitsi }}
    paths:
      - path: "/images/favicon.svg"
        data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
  keycloak:
    subdomain: {{ .Values.global.hosts.keycloak }}
    paths:
      - path: "/resources/...../login/UCS/img/favicon.ico"
        data: {{ .Values.theme.imagery.login.faviconIco }}
      - path: "/static-files/login/logo.svg"
        data: {{ .Values.theme.imagery.login.logoSvg }}
  nextcloud:
    subdomain: {{ .Values.global.hosts.nextcloud }}
    paths:
      - path: "/core/img/favicon-touch.png"
        data: {{ .Values.theme.imagery.files.faviconPng }}
      - path: "/core/img/favicon.ico"
        data: {{ .Values.theme.imagery.files.faviconIco }}
  notes:
    subdomain: {{ .Values.global.hosts.notes }}
    paths:
      - path: "/favicon.ico"
        data: {{ .Values.theme.imagery.notes.faviconIco }}
  openproject:
    subdomain: {{ .Values.global.hosts.openproject }}
    paths:
      - path: "/custom_style/........../favicon/favicon.svg"
        data: {{ .Values.theme.imagery.projects.faviconSvg }}
  openxchange:
    subdomain: {{ .Values.global.hosts.openxchange }}
    paths:
      - path: "/appsuite/favicon.ico"
        data: {{ .Values.theme.imagery.groupware.faviconIco }}
      - path: "/appsuite/favicon.svg"
        data: {{ .Values.theme.imagery.groupware.faviconSvg }}
  portal:
    subdomain: {{ .Values.global.hosts.nubus }}
    paths:
      - path: "/favicon.ico"
        data: {{ .Values.theme.imagery.portal.faviconIco }}
      - path: "/static-files/portal/background.svg"
        data: {{ .Values.theme.imagery.portal.backgroundSvg }}
      - path: "/static-files/portal/waiting-spinner.svg"
        data: {{ .Values.theme.imagery.portal.waitingSpinnerSvg }}
      - path: "/static-files/login/background.jpg"
        data: {{ .Values.theme.imagery.login.backgroundJpg }}
  xwiki:
    subdomain: {{ .Values.global.hosts.xwiki }}
    paths:
      - path: "/resources/icons/xwiki/favicon.svg"
        data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
      - path: "/resources/icons/xwiki/favicon16.png"
        data: {{ .Values.theme.imagery.knowledge.faviconPng }}
 cleanup:
  deletePodsOnSuccess: {{ .Values.debug.cleanup.deletePodsOnSuccess }}
  deletePodsOnSuccessTimeout: {{ .Values.debug.cleanup.deletePodsOnSuccessTimeout }}
@@ -54,59 +116,4 @@ resources:
 service:
  type: "ClusterIP"
 theme:
  imagery:
    assets:
      element:
        subdomain: {{ .Values.global.hosts.element }}
        paths:
          - path: "/vector-icons/favicon.........ico"
            data: {{ .Values.theme.imagery.chat.faviconIco }}
      jitsi:
        subdomain: {{ .Values.global.hosts.jitsi }}
        paths:
          - path: "/images/favicon.svg"
            data: {{ .Values.theme.imagery.videoconference.faviconSvg }}
      keycloak:
        subdomain: {{ .Values.global.hosts.keycloak }}
        paths:
          - path: "/resources/...../login/UCS/img/favicon.ico"
            data: {{ .Values.theme.imagery.portal.faviconIco }}
      nextcloud:
        subdomain: {{ .Values.global.hosts.nextcloud }}
        paths:
          - path: "/core/img/favicon-touch.png"
            data: {{ .Values.theme.imagery.files.faviconPng }}
          - path: "/core/img/favicon.ico"
            data: {{ .Values.theme.imagery.files.faviconIco }}
      notes:
        subdomain: {{ .Values.global.hosts.notes }}
        paths:
          - path: "/favicon.ico"
            data: {{ .Values.theme.imagery.notes.faviconIco }}
      openproject:
        subdomain: {{ .Values.global.hosts.openproject }}
        paths:
          - path: "/custom_style/........../favicon/favicon.svg"
            data: {{ .Values.theme.imagery.projects.faviconSvg }}
      openxchange:
        subdomain: {{ .Values.global.hosts.openxchange }}
        paths:
          - path: "/appsuite/favicon.ico"
            data: {{ .Values.theme.imagery.groupware.faviconIco }}
          - path: "/appsuite/favicon.svg"
            data: {{ .Values.theme.imagery.groupware.faviconSvg }}
      portal:
        subdomain: {{ .Values.global.hosts.nubus }}
        paths:
          - path: "/favicon.ico"
            data: {{ .Values.theme.imagery.portal.faviconIco }}
      xwiki:
        subdomain: {{ .Values.global.hosts.xwiki }}
        paths:
          - path: "/resources/icons/xwiki/favicon.svg"
            data: {{ .Values.theme.imagery.knowledge.faviconSvg }}
          - path: "/resources/icons/xwiki/favicon16.png"
            data: {{ .Values.theme.imagery.knowledge.faviconPng }}
 ...
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -318,7 +318,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-alerts"
    name: "opendesk-alerts"
-    version: "1.1.0"
+    version: "1.1.1"
    verify: true
  opendeskDashboards:
    # providerCategory: "Platform"
@@ -328,7 +328,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-dashboards"
    name: "opendesk-dashboards"
-    version: "1.1.0"
+    version: "1.1.1"
    verify: true
  opendeskKeycloakBootstrap:
    # providerCategory: "Platform"
@@ -348,7 +348,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-static-files"
    name: "opendesk-static-files"
-    version: "3.0.1"
+    version: "4.0.1"
    verify: true
  openproject:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/global.generated.yaml.gotmpl
+++ b/helmfile/environments/default/global.generated.yaml.gotmpl
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v1.1.0"
+    releaseVersion: "v1.1.1"
 ...
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -61,7 +61,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/nordeck/images/opendesk-element-web"
-    tag: "1.11.4@sha256:bfb0ce4afe737e7b6a0404c9e3f2d8dbe341ce72a930d0d5173a0145729cf646"
+    tag: "1.11.6@sha256:1ac5eeea24c5fbfdfeda44cb00651fa22864e26d8cb32add150c4bf1aea0fb36"
  freshclam:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
@@ -130,12 +130,12 @@ images:
    tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
  jitsiPatchJVB:
    # providerCategory: "Community"
-    # providerResponsible: "Nordeck"
+    # providerResponsible: "openDesk"
    # upstreamRegistry: "https://registry-1.docker.io"
    # upstreamRepository: "bitnami/kubectl"
    registry: "registry-1.docker.io"
    repository: "bitnami/kubectl"
-    tag: "1.31.3@sha256:e90b9642d3daeabcfe73cf9aadcbbc624d1de7f88185095307c785f1c266bdb9"
+    tag: "1.32.0@sha256:48c81b7aaf4fabf2733a0b888960f6982181fbcd2c3f8dfcebc4a1a065631162"
  jvb:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -453,7 +453,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus"
-    tag: "1.9.0@sha256:1a84ae2f21849934d3ff24c066fce21c4bc811521b615cc0071432d3fb1848c1"
+    tag: "1.9.1@sha256:4cc4d4bc39167d7dc305ab1787763fd1091fa1284ddf373e081c595d4dce39a9"
  nubusOpenPolicyAgent:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -833,7 +833,7 @@ images:
    # upstreamMirrorStartFrom: ["1", "91", "2"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.120.2@sha256:daee887fa4ca6370e297439bb33a61896ff3413c9454540446a94e461f097d33"
+    tag: "v1.121.1@sha256:5d8081b6004eb115635334dbc1ec2f87318f19d5ad0e7c62f7476d4cc16de277"
  synapseCreateUser:
    # providerCategory: "Community"
    # providerResponsible: "Nordeck"
@@ -841,7 +841,7 @@ images:
    # upstreamRepository: "alpine/k8s"
    registry: "registry-1.docker.io"
    repository: "alpine/k8s"
-    tag: "1.31.3@sha256:77812543abe5649b286d5f0dc17a7dbaa4056433225f6f695150f329cb4b6803"
+    tag: "1.32.0@sha256:6d49f7f37ae5f4c07bfe46edb44e3d3b6896974d1b87da76d8aa8d6e23b4d619"
  synapseGuestModule:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
--- a/helmfile/environments/default/secrets.yaml.gotmpl
+++ b/helmfile/environments/default/secrets.yaml.gotmpl
@@ -7,22 +7,20 @@ SPDX-License-Identifier: Apache-2.0
 secrets:
  oxAppSuite:
    adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "admin_password" | sha1sum | quote }}
-    migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
+    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
    cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
-    sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryptionkey" | sha1sum | quote }}
+    hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
-    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_cryptkey" | sha1sum | quote }}
+    jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
    migrationsMasterPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "opendesk") "ox_appsuite" "migrations_master_password" | sha1sum | quote }}
    oxguardMC: {{ printf "MC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardMC" | sha1sum | trunc 20 | b64enc) | quote }}
    oxguardRC: {{ printf "RC%s" (derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "oxguardRC" | sha1sum | trunc 20 | b64enc) | quote }}
    hzGroupPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "hz_group_password" | sha1sum | quote }}
    basicAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "basic_auth_password" | sha1sum | quote }}
    jolokiaPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "jolokia_password" | sha1sum | quote }}
    cookieHashSalt: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "cookie_hash_salt" | sha1sum | quote }}
    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
    sessiondEncryptionKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "sessiond_encryption_key" | sha1sum | quote }}
    shareCryptKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "share_crypt_key" | sha1sum | quote }}
    synapseAsToken: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "ox_appsuite" "as_token" | sha1sum | quote }}
  oxConnector:
    provisioningApiPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ox-connector" | sha1sum | quote }}
  nubus:
    masterpassword: {{ env "MASTER_PASSWORD" | default "sovereign-workplace" | quote }}
    ldapSecret: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "cn=admin" "ldap" | sha1sum | quote }}
    ldapSearch:
      keycloak: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_keycloak" | sha1sum | quote }}
@@ -82,7 +80,6 @@ secrets:
      dovecot: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "dovecot_client_secret" | sha1sum | quote }}
      intercom: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "intercom_client_secret" | sha1sum | quote }}
      matrix: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "matrix_client_secret" | sha1sum | quote }}
      notes: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "notes_client_secret" | sha1sum | quote }}
      jitsi: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "jitsi_plain_client_secret" | sha1sum | quote }}
      ncoidc: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "ncoidc_client_secret" | sha1sum | quote }}
      openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "keycloak" "openproject_client_secret" | sha1sum | quote }}
--- a/helmfile/environments/default/theme.yaml.gotmpl
+++ b/helmfile/environments/default/theme.yaml.gotmpl
@@ -49,6 +49,11 @@ theme:
      faviconIco: {{ readFile "./../../files/theme/files/favicon.ico" | b64enc | quote }}
      faviconPng: {{ readFile "./../../files/theme/files/favicon.png" | b64enc | quote }}
    login:
      faviconIco: {{ readFile "./../../files/theme/login/favicon.ico" | b64enc | quote }}
      backgroundJpg: {{ readFile "./../../files/theme/login/background.jpg" | b64enc | quote }}
      logoSvg: {{ readFile "./../../files/theme/login/logo.svg" | b64enc | quote }}
    groupware:
      faviconIco: {{ readFile "./../../files/theme/groupware/favicon.ico" | b64enc | quote }}
      faviconSvg: {{ readFile "./../../files/theme/groupware/favicon.svg" | b64enc | quote }}
@@ -62,8 +67,8 @@ theme:
    portal:
      faviconIco: {{ readFile "./../../files/theme/portal/favicon.ico" | b64enc | quote }}
-      waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waitingSpinner.svg" | b64enc  }}
+      waitingSpinnerSvg: {{ readFile "./../../files/theme/portal/waiting-spinner.svg" | b64enc  }}
-      logoBackgroundSvg: {{ readFile "./../../files/theme/empty.svg" | b64enc | quote }}
+      backgroundSvg: {{ readFile "./../../files/theme/portal/background.svg" | b64enc | quote }}
    portalTiles:
      adminAnnouncement: {{ readFile "./../../files/theme/portal-tiles/admin_announcement.svg" | b64enc | quote }}
      adminContext: {{ readFile "./../../files/theme/portal-tiles/admin_context.svg" | b64enc | quote }}
--- a/helmfile/files/theme/login/background.jpg
+++ b/helmfile/files/theme/login/background.jpg
--- a/helmfile/files/theme/login/favicon.ico
+++ b/helmfile/files/theme/login/favicon.ico
--- a/helmfile/files/theme/portal/logoBackground.svg
+++ b/helmfile/files/theme/portal/logoBackground.svg
--- a/helmfile/files/theme/portal/background.svg
+++ b/helmfile/files/theme/portal/background.svg
--- a/helmfile/files/theme/portal/stylesheet.css
+++ b/helmfile/files/theme/portal/stylesheet.css
--- a/helmfile/files/theme/portal/waiting-spinner.svg
+++ b/helmfile/files/theme/portal/waiting-spinner.svg
Author	SHA1	Message	Date
Norbert Tretkowski	c8edd970bb	fix(docs): Update Nubus version to 1.5.1	2025-01-13 13:57:25 +01:00
Norbert Tretkowski	6d300304ee	fix(docs): Fix debug option	2025-01-09 10:41:25 +01:00
Thorsten Roßner	da79f3b286	fix(static-files): Update Helm chart to v4.0.1 to support longer domain names	2025-01-09 07:05:49 +01:00
Philip Gaber	ed5bf231cc	docs: Fixed typos and incompatible characters in table	2025-01-08 14:52:58 +01:00
Thorsten Roßner	f4faebaf68	fix(nubus): Template `secrets.nubus.masterpassword`	2025-01-08 07:52:43 +01:00
Michael Weimann	574acb5976	docs(element): Add Matrix Modules and Widget API Co-Authored-By: Kim Brose <kim.brose@nordeck.net>	2025-01-07 10:36:57 +01:00
René Fischer	44d5e5a2b5	fix(docs): Fix doc link and missing TOC annotation	2025-01-06 15:21:37 +01:00
Thorsten Roßner	984b23c73b	fix(open-xchange): Add missing `registryOpencodeDe` to OX-Connector's `waitForDependency` image	2025-01-06 11:30:42 +01:00
Thorsten Roßner	abca53d02f	fix(nubus): Update customizations for group cleanup	2025-01-03 19:24:39 +00:00
Thorsten Roßner	a159724abd	fix(nubus): Fix `pullPolicy` setting for `ldapServer.leaderElector` to satisfy Kyverno linter	2025-01-03 19:24:39 +00:00
Thorsten Roßner	8c1b0802a0	fix(nubus): Remove `extra` settings from ldapServer needed for 1.0 LDAP migration	2025-01-03 19:24:39 +00:00
openDesk Bot	000af5a604	fix(helmfile): Update upstream images for k8s/kubectl to v1.32.0	2025-01-03 09:19:34 +01:00
Thorsten Roßner	ba9560d14b	fix(element): Update Element to v1.11.89 and Synapse to v1.121.1	2025-01-02 06:26:12 +00:00
Thorsten Roßner	0c91117575	fix(helmfile): Update `opendesk-alerts` and `opendesk-dashboards` to get predictable sort order, improving GitOps deployments	2024-12-30 14:28:59 +00:00
Thorsten Roßner	6c67eca7aa	fix(nubus): Merge yaml files for better maintainability	2024-12-30 14:28:59 +00:00
Dominik Kaminski	0e21d2cea5	ci(gitlab): Update openDesk CLI to v2.7.1	2024-12-29 18:33:11 +01:00
Thorsten Roßner	a13cf63024	fix(helmfile): Remove duplicate entries from `secrets.yaml.gotmpl`	2024-12-28 20:50:07 +01:00
Dominik Kaminski	28a6528528	ci(gitlab): Update openDesk CLI to v2.6.0	2024-12-27 15:33:29 +01:00
Thorsten Roßner	2926e2c93a	fix(nubus): Remove b64 encoded files from CSS, instead use `opendesk-static-files`	2024-12-27 13:37:00 +01:00
Thorsten Roßner	6796f320f7	fix(intercom): Remove legacy OIDC claims	2024-12-27 11:16:09 +00:00
Thorsten Roßner	63562c1aae	fix(static-files): Update Helm chart to use more generic `assets` over `theme.imagery.assets`	2024-12-24 08:34:31 +01:00