docs(phone-dial-in): added note about nginx proxy-buffer-size

## [1.2.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.2.0...v1.2.1) (2025-03-28)

### Bug Fixes

* **dovecot:** Support external secrets ([f758685](f758685a2e))
* **element:** Update Synapse to 1.127.1; Fixes https://www.cve.org/CVERecord?id=CVE-2025-30355 which applies to Synapse installations with unrestricted (no allow list) federation enabled ([5cd12b9](5cd12b91c7))
* **openproject:** Update to 15.4.2 ([aa8e30b](aa8e30b34f))

CHANGELOG.md

@@ -1,3 +1,12 @@
+## [1.2.1](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.2.0...v1.2.1) (2025-03-28)
+
+
+### Bug Fixes
+
+* **dovecot:** Support external secrets ([f758685](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/f758685a2eb4c04bad6bce103cc5ba273c80606d))
+* **element:** Update Synapse to 1.127.1; Fixes https://www.cve.org/CVERecord?id=CVE-2025-30355 which applies to Synapse installations with unrestricted (no allow list) federation enabled ([5cd12b9](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/5cd12b91c78269b84749280e71aee0fcb195da17))
+* **openproject:** Update to 15.4.2 ([aa8e30b](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/commit/aa8e30b34f24302c756b2297b05e138d15ed0d2d))
+
 # [1.2.0](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk/compare/v1.1.2...v1.2.0) (2025-03-25)
 
 

README.md

@@ -32,18 +32,18 @@ For production use the [openDesk Enterprise Edition](./README-EE.md) is required
 
 openDesk currently features the following functional main components:
 
-| Function             | Functional Component        | Component<br/>Version                                                                                | Upstream Documentation                                                                                                                |
+| Function             | Functional Component        | Component<br/>Version                                                                                                         | Upstream Documentation                                                                                                                |
-| -------------------- | --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+|----------------------|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
-| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89)                       | [For the most recent release](https://element.io/user-guide)                                                                          |
+| Chat & collaboration | Element ft. Nordeck widgets | [1.11.89](https://github.com/element-hq/element-desktop/releases/tag/v1.11.89)                                                | [For the most recent release](https://element.io/user-guide)                                                                          |
-| Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                  | Online documentation/welcome document available in installed application                                                              |
+| Collaborative notes  | Notes (aka Docs)            | [2.4.0](https://github.com/suitenumerique/docs/releases/tag/v2.4.0)                                                           | Online documentation/welcome document available in installed application                                                              |
-| Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                               | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
+| Diagram editor       | CryptPad ft. diagrams.net   | [2024.9.0](https://github.com/cryptpad/cryptpad/releases/tag/2024.9.0)                                                        | [For the most recent release](https://docs.cryptpad.org/en/)                                                                          |
-| File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                 | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
+| File management      | Nextcloud                   | [30.0.6](https://nextcloud.com/de/changelog/#30-0-6)                                                                          | [Nextcloud 30](https://docs.nextcloud.com/)                                                                                           |
-| Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                               | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
+| Groupware            | OX App Suite                | [8.35](https://documentation.open-xchange.com/appsuite/releases/8.35/)                                                        | Online documentation available from within the installed application; [Additional resources](https://documentation.open-xchange.com/) |
-| Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                     | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
+| Knowledge management | XWiki                       | [16.10.5](https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.5/)                                              | [For the most recent release](https://www.xwiki.org/xwiki/bin/view/Documentation)                                                     |
-| Portal & IAM         | Nubus                       | [1.5.1](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
+| Portal & IAM         | Nubus                       | [1.7.0](https://docs.software-univention.de/nubus-kubernetes-release-notes/latest/en/changelog.html#version-1-7-0-2025-02-23) | [Univention's documentation website](https://docs.software-univention.de/n/en/nubus.html)                                             |
-| Project management   | OpenProject                 | [15.4.1](https://www.openproject.org/docs/release-notes/15-4-1/)                                     | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
+| Project management   | OpenProject                 | [15.4.2](https://www.openproject.org/docs/release-notes/15-4-2/)                                                              | [For the most recent release](https://www.openproject.org/docs/user-guide/)                                                           |
-| Videoconferencing    | Jitsi                       | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
+| Videoconferencing    | Jitsi                       | [2.0.9955](https://github.com/jitsi/jitsi-meet/releases/tag/stable%2Fjitsi-meet_9955)                                         | [For the most recent  release](https://jitsi.github.io/handbook/docs/category/user-guide/)                                            |
-| Weboffice            | Collabora                   | [24.04.12.4](https://www.collaboraoffice.com/code-24-04-release-notes/)                              | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
+| Weboffice            | Collabora                   | [24.04.12.4](https://www.collaboraoffice.com/code-24-04-release-notes/)                                                       | Online documentation available from within the installed application; [Additional resources](https://sdk.collaboraonline.com/)        |
 
 While not all components are perfectly shaped for the execution inside containers, one of the project's objectives is to
 align the applications with best practices regarding container design and operations.

docs/architecture.md

@@ -433,6 +433,10 @@ In openDesk, OX App Suite is used for email, calendar, address book and personal
 
 [XWiki](https://www.xwiki.org) is an open-source wiki platform for knowledge management and collaboration.
 
+## Jitsi Phone Dial-in
+
+[Dial-in architecture notes](phone-dial-in/notes.md) describes the infrastructure to integrate an ability to participate in Jitsi calls. 
+
 # Application specific user accounts
 
 While the IAM managed users centrally, some applications come with local accounts for administrative purposes.

docs/architecture/apis.md

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 
 This chapter presents APIs available in openDesk grouped by applications.
 
+<!-- TOC -->
 * [IAM - Nubus](#iam---nubus)
   * [UMC Python API](#umc-python-api)
   * [UMC store API](#umc-store-api)
@@ -43,7 +44,7 @@ This chapter presents APIs available in openDesk grouped by applications.
   * [BCF API](#bcf-api)
 * [Video Conferencing - Jitsi](#video-conferencing---jitsi)
   * [IFrame API](#iframe-api)
-  * [Lib-jitsi-meet API](#lib-jitsi-meet-api)
+  * [lib-jitsi-meet API](#lib-jitsi-meet-api)
   * [Jitsi Meet React SDK](#jitsi-meet-react-sdk)
 * [Chat - Element](#chat---element)
   * [Matrix Application Service API](#matrix-application-service-api)
@@ -60,6 +61,7 @@ This chapter presents APIs available in openDesk grouped by applications.
   * [Scripting API](#scripting-api)
   * [Java API](#java-api)
   * [JavaScript API](#javascript-api)
+<!-- TOC -->
 
 # IAM - Nubus
 

docs/debugging.md

@@ -18,6 +18,8 @@ SPDX-License-Identifier: Apache-2.0
   * [OpenProject](#openproject)
   * [PostgreSQL](#postgresql)
   * [Keycloak](#keycloak)
+    * [Setting the log level](#setting-the-log-level)
+    * [Accessing the Keycloak admin console](#accessing-the-keycloak-admin-console)
 <!-- TOC -->
 
 # Disclaimer
@@ -198,6 +200,8 @@ While you will find all details in the [psql subsection](https://www.postgresql.
 
 ## Keycloak
 
+### Setting the log level
+
 Keycloak is the gateway to integrate other authentication management systems or applications. It can be desired to
 avoid enabling debug mode for the whole platform when you just need to look into Keycloak.
 
@@ -214,3 +218,9 @@ kubectl patch -n ${NAMESPACE} configmap ${CONFIGMAP_NAME} --type merge -p '{"dat
 
 > **Note**<br>
 > As the `ums-keycloak-extensions-handler` is performing frequent (one per second) requests to Keycloak for retrieval of the Keycloak event history, you might want to stop/remove the deployment while debugging/analysing Keycloak to not get your debug output spammed by these requests.
+
+### Accessing the Keycloak admin console
+
+Deployments set to `debug.enable: true` expose the Keycloak admin console at `http://id.<your_opendesk_domain>/admin/`. This can also be achieved by updating the Ingress `ums-keycloak-extensions-proxy` with an additional path that allows access to `/admin/`.
+
+The admin console login is using the default Keycloak admin account `kcadmin` and the password from the secret `ums-opendesk-keycloak-credentials`.

docs/enhanced-configuration/idp-federation.md

@@ -28,10 +28,10 @@ This document shows how to configure your organization's IdP and the openDesk Id
 
 We would like to list successful IdP federation scenarios, so we are also happy about input from the community:
 
-| External IdP                                                        | last openDesk version tested |
+| External IdP                                                        | openDesk versions tested |
-| ------------------------------------------------------------------- | ---------------------------- |
+|---------------------------------------------------------------------|--------------------------|
-| [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0                       |
+| [EU Login](https://webgate.ec.europa.eu/cas/userdata/myAccount.cgi) | v0.9.0, v1.2.0           |
-| [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                       |
+| [ProConnect](https://www.proconnect.gouv.fr/)                       | v0.9.0                   |
 
 # Prerequisites
 

docs/enhanced-configuration/matrix-federation.md

@@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Matrix federation</h1>
 
 <!-- TOC -->
-* [Context](#context)
 * [Example configuration](#example-configuration)
   * [Disable federation](#disable-federation)
   * [Separate Matrix domain](#separate-matrix-domain)

docs/enhanced-configuration/separate-mail-matrix-domain.md

@@ -6,7 +6,6 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Separate domains for mail and or Matrix </h1>
 
 <!-- TOC -->
-* [Context](#context)
 * [Example configuration](#example-configuration)
   * [Mail domain](#mail-domain)
   * [Matrix domain](#matrix-domain)

docs/functional.md

@@ -7,6 +7,11 @@ SPDX-License-Identifier: Apache-2.0
 
 This document addresses the available functional configuration options of an openDesk deployment.
 
+<!-- TOC -->
+* [Supported functional configuration](#supported-functional-configuration)
+* [Customization of functional options](#customization-of-functional-options)
+<!-- TOC -->
+
 ## Supported functional configuration
 
 While the openDesk applications allow a wide range of configuration options, only a small subset of them are supported by openDesk. This subset can be found in [`helmfile/environments/default/functional.yaml.gotmpl`](../helmfile/environments/default/functional.yaml.gotmpl)
@@ -27,4 +32,4 @@ The following categories are available. Each category contains a set of options
 In case the options from [`functional.yaml.gotmpl`](../helmfile/environments/default/functional.yaml.gotmpl) are not sufficient, you might want to look into [`customization.yaml.gotmpl`](../helmfile/environments/default/customization.yaml.gotmpl). The customizations give you control over all templating that is being done in openDesk, but be aware it is an unsupported approach, so in case you have a strong need for customizations, please let us know by opening a ticket. We will check if it is a use case that can be supported by implementing it as part of the aforementioned [`functional.yaml.gotmpl`](../helmfile/environments/default/functional.yaml.gotmpl).
 
 > **Note<br>**
-> You can not directly template your own values in the structure found in [`customization.yaml.gotmpl`](../helmfile/environments/default/customization.yaml.gotmpl), rather, you need to reference your custom value files to overwrite the openDesk defaults. In the app specific `helmfile-child.yaml.gotmpl` files, the openDesk value files are referenced first, then afterwards, the files you define in the customizations are read. 
+> You can not directly template your own values in the structure found in [`customization.yaml.gotmpl`](../helmfile/environments/default/customization.yaml.gotmpl), rather, you need to reference your custom value files to overwrite the openDesk defaults. In the app specific `helmfile-child.yaml.gotmpl` files, the openDesk value files are referenced first, then afterwards, the files you define in the customizations are read.

docs/getting-started.md

@@ -21,8 +21,6 @@ This documentation lets you create an openDesk evaluation instance on your Kuber
     * [Container runtime](#container-runtime)
     * [Volumes](#volumes)
   * [Customize deployment](#customize-deployment)
-    * [Functional features](#functional-features)
-    * [Features through Customization](#features-through-customization)
   * [Connectivity](#connectivity)
     * [Ports](#ports)
       * [Web-based user interface](#web-based-user-interface)

docs/migrations.md

@@ -9,6 +9,9 @@ SPDX-License-Identifier: Apache-2.0
 * [Disclaimer](#disclaimer)
 * [Automated migrations - Overview and mandatory upgrade path](#automated-migrations---overview-and-mandatory-upgrade-path)
 * [Manual checks/actions](#manual-checksactions)
+  * [From v1.1.2](#from-v112)
+      * [Helmfile cleanup: Do not configure OX provisioning when no OX installed](#helmfile-cleanup-do-not-configure-ox-provisioning-when-no-ox-installed)
+      * [Helmfile new default: PostgreSQL for XWiki and Nextcloud](#helmfile-new-default-postgresql-for-xwiki-and-nextcloud)
   * [From v1.1.1](#from-v111)
     * [Pre-upgrade from v1.1.1](#pre-upgrade-from-v111)
       * [Helmfile feature update: App settings wrapped in `apps.` element](#helmfile-feature-update-app-settings-wrapped-in-apps-element)
@@ -47,6 +50,9 @@ SPDX-License-Identifier: Apache-2.0
       * [Updated customizable template attributes](#updated-customizable-template-attributes)
       * [`migrations` S3 bucket](#migrations-s3-bucket)
 * [Automated migrations - Details](#automated-migrations---details)
+  * [From v1.1.2 (automated)](#from-v112-automated)
+    * [migrations-pre](#migrations-pre)
+    * [migrations-post](#migrations-post)
   * [From v1.0.0 (automated)](#from-v100-automated)
   * [From v0.9.0 (automated)](#from-v090-automated)
   * [Related components and artifacts](#related-components-and-artifacts)

docs/monitoring.md

@@ -14,7 +14,7 @@ well as the overall status of monitoring integration.
 * [Metrics](#metrics)
 * [Alerts](#alerts)
 * [Dashboards for Grafana](#dashboards-for-grafana)
-* [Components](#components)
+* [Component overview](#component-overview)
 <!-- TOC -->
 
 # Technology

docs/phone-dial-in/notes.md

@@ -0,0 +1,200 @@
+# Phone dial in
+
+
+![alt text](architcture.drawio.png)
+
+#### Dial-in related jitsi configs
+
+https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-jitsi/-/blob/main/charts/opendesk-jitsi/values.yaml?ref_type=heads#L226-230
+
+`values.yaml`
+```yaml
+extraConfig:
+    doNotStoreRoom: false
+    dialinCountryCode: "DE"
+    # e.g. "+49 1111 22233344"
+    dialinPhoneNumbers: ""
+extraEnvs:
+    COLIBRI_WEBSOCKET_REGEX: "[a-z0-9._-]+"
+    # This value will be replace with internal conference mapper later when
+    # it is ready.
+    CONFCODE_URL: "https://jitsi-api.jitsi.net/conferenceMapper"
+    DIALIN_NUMBERS_URL: "/static/dialin-phone-numbers.json"
+```
+
+The template to generate the `dial-phone-numbers.json`
+https://gitlab.opencode.de/bmi/opendesk/components/platform-development/charts/opendesk-jitsi/-/blob/main/charts/opendesk-jitsi/files/web/dialin-phone-numbers.json?ref_type=heads
+
+
+### Frontend and the k8s NGINX ingress
+
+The frontend uses large cookies, the default "4k" for the nginx proxy is not enough.
+
+Modify the value in the ingress annotations
+```
+annotations:
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
+```
+
+Reference https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#proxy-buffer-size
+
+
+## 1. ovc-frontent -> opendesk
+
+ovc-frontend env
+```properties
+NEXT_PUBLIC_ICS_DOMAIN=https://ics.nightly.opendesk.qa
+NEXT_PUBLIC_PORTAL_DOMAIN=https://portal.nightly.opendesk.qa
+```
+
+## 2. ovc-frontend -> jitsi
+
+ovc-frontend env
+```properties
+NEXT_PUBLIC_JITSI_LINK=https://jitsi.opendesk.qa
+```
+
+## 3. ovc-frontend -> keycloak
+
+[NEXTAUTH_SECRET](https://next-auth.js.org/configuration/options#nextauth_secret)
+
+client_id and client_secret provided by keycloak.
+end_session and refresh urls can be found in keycloak `keycloak.com/realms/{realm}/.well-known` page.
+
+
+ovc-frontend env
+```properties
+KEYCLOAK_CLIENT_ID=ovc-client
+KEYCLOAK_CLIENT_SECRET=clientSecret
+NEXTAUTH_SECRET=clientSecret
+KEYCLOAK_ISSUER=https://KEYCLOAK.io/realms/opendesk
+END_SESSION_URL=https://KEYCLOAK.io/realms/opendesk/protocol/openid-connect/logout
+REFRESH_TOKEN_URL=https://KEYCLOAK.io/realms/opendesk/protocol/openid-connect/token
+
+```
+
+## 4. ovc-frontend -> ovc-backend
+
+ovc-frontend env
+```properties
+NEXT_PUBLIC_BACKEND_BASE_URL=https://api.opendesk.qa
+```
+
+## 5. ovc-frontend <-> ovc-videotest
+
+OPTIONAL, can be disabled and th videotest button will be hidden.
+
+ovc-frontend env
+```properties
+NEXT_PUBLIC_VIDEO_TEST_ENABLED=true
+NEXT_PUBLIC_VIDEO_TEST_LINK=https://videotest.opendesk.qa
+```
+
+
+## 6. ovc-backend -> postgres
+
+backend env vars
+```
+spring.datasource.password=secret
+spring.datasource.url=jdbc:postgresql://{{ $dbService }}:5432/{{ db.name }}
+spring.datasource.username=user
+```
+
+## 7. ovc-backend -> keycloak
+
+```
+spring.security.oauth2.resourceserver.jwt.issuer-uri={{ .Values.settings.keycloak.url }}/realms/{{ .Values.settings.keycloak.realm }}
+```
+
+## 8. JITSI -> ovc-backend
+
+#### Conference mapper for dial-in
+
+
+Phone line users that use a regular phone to attend a jitsi meeting can only enter numbers after they have dialed in a phone number. For Jitsi and the SIP server to know which conference they are calling into a mapping is created `conference name <-> pin number (conference code)`. A conference mapper api allows an external system to find a conference name by pin number or a pin number from a conference name.
+
+
+
+Jitsi uses `CONFCODE_URL` env param that "conference mapper" conference search api, it will use the `search pin by conference` functionality to present a dialog with a PIN number if a dial-in user wishes to know it.
+
+In the dial-in backend the endpoint has this template 
+`/api/v1.0/conference-mapper/jigasi/by-meeting-id?conference=`
+
+jitsi-meet configuration environment can be set like this
+```
+CONFCODE_URL=https://backend.domain/api/v1.0/conference-mapper/jigasi/by-meeting-id
+```
+
+SIP server may use a `search conference id by pin`  functionality api from the dial-in backend conference mapper.
+`/api/v1.0/conference-mapper/jigasi/by-pin?id={pin}`
+
+
+> The way a SIP server communicates with the dial-in backend conference mapper and JIGASI (Jitsi component) depends on the SIP server vendor, this is outside the scope of this document. 
+
+
+Jitsi implementation of the conference mapper API is  described in 
+https://github.com/jitsi/jitsi-meet/blob/master/resources/cloud-api.swagger
+They support a `/conferenceMapper` api endpoint that can search by `id` (pin) or `conference`. So both Jitsi and the SIP server can connect to a sigle endpoint. In the ovc-backend it's separated into 2 endpoints.
+
+
+## ovc-backend SIP config
+
+Used in "Copy Info" button functionality.
+```properties
+sip.phone.number=+49 40 3003 5005
+```
+
+## ovc-backend JWT token api 
+
+OPTIONAL, may be needed if jitsi requires a JWT token. 
+
+```yaml
+## this is part of Spring Boot  application.yaml, can also be provided as env vars
+jitsi:
+  domain: https://jitsi.opendesk.domain
+  jwt:
+    secret: oeRaYY7
+    expiration-in-minutes: 60              # how much longer after meeting end time the token is valid
+    expiration-for-rooms-in-minutes: 180   # same as above, but for rooms and instant meetings
+    not-before-in-minutes: 30              # how many minutes earlier the meeting can be opened
+```
+
+## ovc-videotest
+
+Optional component, phone dial-in can function without it. 
+
+It's a frontend only and doesn't require a backend to function. Configured by mounting a file in `/app/build/config/config.js`
+
+`config.js` example
+```js
+window.customConfig = {
+    // jitsi host
+    "REACT_APP_JITSI_FQDN": "meet.jit.si",
+    
+    // If jitsi requires a JWT, point it to a running ovc-videotest-backend api that 
+    // will return a token for a specific room. {roomName} is a special hardcoded  placeholder that will be replaced by the real room name when the api is being called (to make the api call flexible).
+    // "REACT_APP_JWT_ENDPOINT_URL": "http://localhost:8081/{roomName}",
+    
+    // prefix for videotest rooms. If a backend is used it may reject generating a JWT token if a room name doesn't have this prefix
+    "REACT_APP_ROOM_PREFIX":"videotest",
+
+    // if no callback parameter is provided, should be the ovc-frontend url
+    "REACT_APP_DEFAULT_CALLBACK_URL":"http://localhost:8080",
+
+    // to improve security only URLS in the list are allowed as callbacks
+    // if the list is empty any callback url is allowed
+    "REACT_APP_ALLOWED_CALLBACK_URLS":"http://localhost:3000,https://localhost:3000",
+    
+    // If you don't have a backend and jitsi requires a JWT token, for debugging purposes put the entire JWT here.
+    "REACT_APP_DEBUG_JITSI_JWT": ""
+}
+```
+
+
+
+
+
+
+
+
+ 

helmfile/apps/collabora/values-coco-enterprise.yaml.gotmpl

@@ -25,6 +25,7 @@ controller:
 image:
   repository: "{{ coalesce .Values.repositories.image.registryOpencodeDeEnterprise .Values.global.imageRegistry .Values.images.collaboraController.registry }}/{{ .Values.images.collaboraController.repository }}"
   tag: {{ .Values.images.collaboraController.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
   - name: {{ . | quote }}
@@ -38,6 +39,10 @@ ingress:
       paths:
         - path: "/controller"
           pathType: "Prefix"
+  tls:
+    - secretName: {{ .Values.ingress.tls.secretName | quote }}
+      hosts:
+        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
 
 podAnnotations: {}
 

helmfile/apps/open-xchange/values-dovecot-enterprise.yaml.gotmpl

@@ -24,14 +24,16 @@ dovecot:
     host: {{ .Values.databases.dovecotDictmap.host | quote }}
     port: {{ .Values.databases.dovecotDictmap.port }}
     username: {{ .Values.databases.dovecotDictmap.username | quote }}
-    password: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
+    password:
+      value: {{ .Values.secrets.cassandra.dovecotDictmapUser | quote }}
     keyspace: {{ .Values.databases.dovecotDictmap.name | quote }}
   sharedMailboxes:
     enabled: false
     host: {{ .Values.databases.dovecotACL.host | quote }}
     port: {{ .Values.databases.dovecotACL.port }}
     username: {{ .Values.databases.dovecotACL.username | quote }}
-    password: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
+    password:
+      value: {{ .Values.secrets.cassandra.dovecotACLUser | quote }}
     keyspace: {{ .Values.databases.dovecotACL.name | quote }}
   objectStorage:
     encryption:
@@ -41,5 +43,6 @@ dovecot:
         value: {{ env "DOVECOT_CRYPT_PUBLIC_KEY" | quote }}
     fqdn: {{ .Values.objectstores.dovecot.endpoint | default (printf "%s.%s" .Values.global.hosts.minioApi .Values.global.domain) | quote }}
     username: {{ .Values.objectstores.dovecot.username | quote }}
-    password: {{ .Values.secrets.minio.dovecotUser | quote }}
+    password:
+      value: {{ .Values.secrets.minio.dovecotUser | quote }}
 ...

helmfile/apps/open-xchange/values-dovecot.yaml.gotmpl

@@ -10,26 +10,37 @@ image:
   tag: {{ .Values.images.dovecot.tag | quote }}
   pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
 
+imageInitDovecot:
+  registry: {{ coalesce .Values.repositories.image.dockerHub .Values.global.imageRegistry .Values.images.dovecotBootstrap.registry | quote }}
+  repository: {{ .Values.images.dovecotBootstrap.repository | quote }}
+  tag: {{ .Values.images.dovecotBootstrap.tag | quote }}
+  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
 imagePullSecrets:
   {{ .Values.global.imagePullSecrets | toYaml | nindent 2 }}
 
 dovecot:
   mailDomain: {{ .Values.global.mailDomain | default .Values.global.domain | quote }}
-  password: {{ .Values.secrets.dovecot.doveadm | quote }}
+  password:
+    value: {{ .Values.secrets.dovecot.doveadm | quote }}
   migration:
     enabled: {{ .Values.functional.migration.oxAppSuite.enabled }}
-    masterPassword: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
+    masterPassword:
+      value: {{ .Values.secrets.oxAppSuite.migrationsMasterPassword | quote }}
   ldap:
     enabled: true
     host: {{ .Values.ldap.host | quote }}
     port: 389
     base: "{{ .Values.ldap.baseDn }}"
     dn: "uid=ldapsearch_dovecot,cn=users,{{ .Values.ldap.baseDn }}"
-    password: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
+    password:
+      value: {{ .Values.secrets.nubus.ldapSearch.dovecot | quote }}
   oidc:
     enabled: true
-    clientID: "opendesk-dovecot"
+    clientID:
-    clientSecret: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
+      value: "opendesk-dovecot"
+    clientSecret:
+      value: {{ .Values.secrets.keycloak.clientSecret.dovecot | quote }}
     introspectionHost: {{ printf "%s.%s" .Values.global.hosts.keycloak .Values.global.domain | quote }}
     introspectionPath: "/realms/{{ .Values.platform.realm }}/protocol/openid-connect/token/introspect"
     usernameAttribute: "opendesk_username"

helmfile/apps/services-external/values-postfix.yaml.gotmpl

@@ -71,8 +71,10 @@ postfix:
 
   staticAuthDB:
     enabled: true
-    username: "opendesk-system"
+    username:
-    password: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
+      value: "opendesk-system"
+    password:
+      value: {{ .Values.secrets.postfix.opendeskSystemPassword | quote }}
 
   {{- if .Values.antivirus.milter.host }}
   smtpdMilters: "inet:{{ .Values.antivirus.milter.host }}:{{ .Values.antivirus.milter.port }}"

helmfile/environments/default-enterprise-overrides/charts.yaml.gotmpl

@@ -6,7 +6,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "zendis/opendesk-enterprise/components/product-development/charts/opendesk-dovecot-pro"
     name: "dovecot"
-    version: "1.0.3-r1"
+    version: "2.0.2"
     verify: true
   oxAppSuite:
     registry: "registry.opencode.de"

helmfile/environments/default/charts.yaml.gotmpl

@@ -99,7 +99,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-dovecot"
     name: "dovecot"
-    version: "1.4.2"
+    version: "2.0.0"
     verify: true
   element:
     # providerCategory: "Platform"
@@ -109,7 +109,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-element"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   elementWellKnown:
     # providerCategory: "Platform"
@@ -119,7 +119,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-well-known"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   home:
     # providerCategory: "Platform"
@@ -211,7 +211,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-matrix-user-verification-service"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   memcached:
     # providerCategory: "Community"
@@ -355,7 +355,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/charts-mirror"
     name: "openproject"
-    version: "9.8.1"
+    version: "9.8.3"
     verify: true
   openprojectBootstrap:
     # providerCategory: "Platform"
@@ -419,7 +419,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-postfix"
     name: "postfix"
-    version: "2.3.3"
+    version: "3.0.0"
     verify: true
   postgresql:
     # providerCategory: "Platform"
@@ -449,7 +449,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   synapseAdmin:
     # Enterprise Component
@@ -477,7 +477,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-create-account"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   synapseGroupsync:
     # Enterprise Component
@@ -505,7 +505,7 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/charts/opendesk-element"
     name: "opendesk-synapse-web"
-    version: "6.1.2"
+    version: "6.1.3"
     verify: true
   xwiki:
     # providerCategory: "Supplier"
@@ -517,6 +517,6 @@ charts:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/xwiki/charts-mirror"
     name: "xwiki"
-    version: "1.4.3"
+    version: "1.4.4"
     verify: false
 ...

helmfile/environments/default/global.generated.yaml.gotmpl

@@ -3,5 +3,5 @@
 ---
 global:
   systemInformation:
-    releaseVersion: "v1.2.0"
+    releaseVersion: "v1.2.1"
 ...

helmfile/environments/default/images.yaml.gotmpl

@@ -77,6 +77,14 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/open-xchange/images/dovecot-public-sector"
     tag: "2.3.21@sha256:c76965a84d1ca527f523404eb027119f6736b199c094e4671037cb345ecad3dc"
+  dovecotBootstrap:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "alpine/k8s"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.32.3@sha256:eec3541331932d8613ce7b3283508063cba7f704302e9b4eda45e49b38a2a0f9"
   element:
     # providerCategory: "Supplier"
     # providerResponsible: "Element"
@@ -729,7 +737,7 @@ images:
     # upstreamMirrorStartFrom: ["13", "1", "1"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/openproject/images-mirror/open_desk"
-    tag: "15.4.1@sha256:4614f6c27f114d4dcaed28449e287784f8b8834e1982535eb89ea00d5fad2230"
+    tag: "15.4.2@sha256:d88df284e03b5c255ad3963ebe335f38a4e069754569dd47c5e92930e0b26a1b"
   openprojectBootstrap:
     # providerCategory: "Platform"
     # providerResponsible: "openDesk"
@@ -882,6 +890,14 @@ images:
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/platform-development/images/postfix"
     tag: "3.0.1@sha256:d2c6543b35b616ac3e6c8c27222d3154c0d35680813a8942ce0cc3fa9ea72a6d"
+  postfixBootstrap:
+    # providerCategory: "Community"
+    # providerResponsible: "openDesk"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "alpine/k8s"
+    registry: "registry-1.docker.io"
+    repository: "alpine/k8s"
+    tag: "1.32.3@sha256:eec3541331932d8613ce7b3283508063cba7f704302e9b4eda45e49b38a2a0f9"
   postgresql:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -917,7 +933,7 @@ images:
     # upstreamMirrorStartFrom: ["1", "91", "2"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/element/images-mirror/synapse"
-    tag: "v1.121.1@sha256:5d8081b6004eb115635334dbc1ec2f87318f19d5ad0e7c62f7476d4cc16de277"
+    tag: "v1.127.1@sha256:0b0b933314ac9e1ba917a72c29d5b49c47828ab6e8df3aae3ac244ee947a89fc"
   synapseCreateUser:
     # providerCategory: "Community"
     # providerResponsible: "Nordeck"

helmfile/environments/default/repositories.yaml.gotmpl

@@ -7,7 +7,7 @@ repositories:
   image:
     dockerHub: ""
     registryOpencodeDe: ""
-    registryOpencodeDeEnterprise: "registry.opencode.de"
+    registryOpencodeDeEnterprise: ""
   # Fine-granular registry settings, useful when you can't use virtual (Artifactory) or group (Nexus) repositories.
   # Higher precedence than `global.imageRegistry`
   helm:

helmfile/environments/default/secrets.yaml.gotmpl

@@ -36,9 +36,6 @@ secrets:
       ox: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_ox" | sha1sum | quote }}
       openproject: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_openproject" | sha1sum | quote }}
       xwiki: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "ldapsearch_xwiki" | sha1sum | quote }}
-    defaultAccounts:
-      userPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "default_accounts_user_password" | sha1sum | quote }}
-      adminPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "default_accounts_user_admin" | sha1sum | quote }}
     systemAccounts:
       administratorPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "Administrator" | sha1sum | quote }}
       sysIdpUserPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "nubus" "sysIdpUser" | sha1sum | quote }}

helmfile/files/theme/portal/stylesheet.css

@@ -136,7 +136,9 @@
 #kc-login,
 #kc-logout,
 #saveTOTPBtn,
-.pf-c-button.btn-lg {
+.pf-c-button.btn-lg,
+.kc-social-provider-name
+{
   color: var(--color-opendesk-white);
   border: 2px solid;
 }