mrknow traefik config

mrknow certificate in cert-manager
wekan and keycloak
2026-01-15 14:40:49 +01:00 · 2026-01-15 14:35:15 +01:00 · 2026-01-08 15:49:13 +01:00 · 2026-01-08 15:44:42 +01:00 · 2026-01-08 15:38:53 +01:00 · 2026-01-08 15:24:21 +01:00
74 changed files with 2444 additions and 921 deletions
--- a/.DS_Store
+++ b/.DS_Store
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
--- a/argocd/.DS_Store
+++ b/argocd/.DS_Store
--- a/argocd/apps/.DS_Store
+++ b/argocd/apps/.DS_Store
--- a/argocd/apps/.gitignore
+++ b/argocd/apps/.gitignore
@@ -0,0 +1 @@
+.idea
--- a/argocd/apps/argocd/argocd.yaml
+++ b/argocd/apps/argocd/argocd.yaml
@@ -8,7 +8,7 @@ spec:
  project: default
  source:
    repoURL: 'https://argoproj.github.io/argo-helm'
-    targetRevision: 8.* 
+    targetRevision: 9.* 
    helm:
      parameters:
        - name: 'server.extraArgs[0]'
--- a/argocd/apps/cert-manager/include/brain-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/brain-cerficate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: innovation-hub-niedersachsen.de-brain
+  namespace: kube-system
+spec:
+  secretName: brain-tls
+  commonName: 'brain.innovation-hub-niedersachsen.de'
+  dnsNames:
+    - 'brain.innovation-hub-niedersachsen.de'
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/keycloak-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/keycloak-cerficate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: innovation-hub-niedersachsen.de-keycloak
+  namespace: kube-system
+spec:
+  secretName: keycloak-tls
+  commonName: 'keycloak.innovation-hub-niedersachsen.de'
+  dnsNames:
+    - 'keycloak.innovation-hub-niedersachsen.de'
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/mantisbt-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/mantisbt-cerficate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: innovation-hub-niedersachsen.de-mantisbt
+  namespace: kube-system
+spec:
+  secretName: mantisbt-tls
+  commonName: 'mantisbt.innovation-hub-niedersachsen.de'
+  dnsNames:
+    - 'mantisbt.innovation-hub-niedersachsen.de'
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/mrknow-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/mrknow-cerficate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: innovation-hub-niedersachsen.de-mrknow
+  namespace: kube-system
+spec:
+  secretName: mrknow-tls
+  commonName: 'mrknow.innovation-hub-niedersachsen.de'
+  dnsNames:
+    - 'mrknow.innovation-hub-niedersachsen.de'
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/passbolt-certificate.yaml
+++ b/argocd/apps/cert-manager/include/passbolt-certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: passbolt-cert
+  namespace: kube-system
+spec:
+  secretName: passbolt-tls
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+  commonName: passbolt.innovation-hub-niedersachsen.de
+  dnsNames:
+    - passbolt.innovation-hub-niedersachsen.de
--- a/argocd/apps/cert-manager/include/sws3-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/sws3-cerficate.yaml
@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: innovation-hub-niedersachsen.sws3
-  namespace: kube-system
-spec:
-  secretName: sws3.innovation-hub-niedersachsen.de-tls
-  commonName: 'sws3.innovation-hub-niedersachsen.de'
-  dnsNames:
-    - 'sws3.innovation-hub-niedersachsen.de'
-  issuerRef:
-    name: lets-encrypt
-    kind: ClusterIssuer
-    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/vaultwarden-certificate.yaml
+++ b/argocd/apps/cert-manager/include/vaultwarden-certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vaultwarden-cert
+  namespace: kube-system
+spec:
+  secretName: vaultwarden-tls
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+  commonName: vaultwarden.innovation-hub-niedersachsen.de
+  dnsNames:
+    - vaultwarden.innovation-hub-niedersachsen.de
--- a/argocd/apps/cert-manager/include/wekantest-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/wekantest-cerficate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: innovation-hub-niedersachsen.de-wekantest
+  namespace: kube-system
+spec:
+  secretName: wekantest-tls
+  commonName: 'wekantest.innovation-hub-niedersachsen.de'
+  dnsNames:
+    - 'wekantest.innovation-hub-niedersachsen.de'
+  issuerRef:
+    name: lets-encrypt
+    kind: ClusterIssuer
+    group: cert-manager.io
--- a/argocd/apps/dashboard/kubernetes-dashboard.yaml
+++ b/argocd/apps/dashboard/kubernetes-dashboard.yaml
@@ -1,47 +1,47 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dashboard
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'https://kubernetes.github.io/dashboard/'
-    targetRevision: 7.*.*
-    helm:
-      parameters:
-        - name: 'ingress.enabled'
-          value: 'true'
-        - name: ingress.host
-          value: 'dashboard.innohub.local'
-        - name: 'ingress.tls[0].hosts[0]'
-          value: 'dashboard.innohub.local'
-        - name: 'ingress.tls[0].secretName'
-          value: dashboard-tls
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: websecure
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: serversTransport
-          value: 'no-verify-tls'
-#        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-#          value: lets-encrypt
-        - name: persistence.enabled
-          value: 'true'
-    chart: kubernetes-dashboard
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: kubernetes-dashboard
-  syncPolicy:
-#    managedNamespaceMetadata:
-#      labels: 
-#        pod-security.kubernetes.io/enforce: 'privileged'
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: dashboard
+#  finalizers:
+#  - resources-finalizer.argocd.argoproj.io
+#spec:
+#  project: default
+#  source:
+#    repoURL: 'https://kubernetes.github.io/dashboard/'
+#    targetRevision: 7.*.*
+#    helm:
+#      parameters:
+#        - name: 'ingress.enabled'
+#          value: 'true'
+#        - name: ingress.host
+#          value: 'dashboard.innohub.local'
+#        - name: 'ingress.tls[0].hosts[0]'
+#          value: 'dashboard.innohub.local'
+#        - name: 'ingress.tls[0].secretName'
+#          value: dashboard-tls
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#          value: websecure
+#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+#          value: traefik
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#          value: 'true'
+#          forceString: true
+#        - name: serversTransport
+#          value: 'no-verify-tls'
+##        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+##          value: lets-encrypt
+#        - name: persistence.enabled
+#          value: 'true'
+#    chart: kubernetes-dashboard
+#  destination:
+#    server: 'https://kubernetes.default.svc'
+#    namespace: kubernetes-dashboard
+#  syncPolicy:
+##    managedNamespaceMetadata:
+##      labels: 
+##        pod-security.kubernetes.io/enforce: 'privileged'
+#    automated:
+#      selfHeal: true
+#      prune: true
+#    syncOptions:
+#      - CreateNamespace=true
--- a/argocd/apps/headlamp/values-headlamp.yaml
+++ b/argocd/apps/headlamp/values-headlamp.yaml
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: headlamp
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "https://kubernetes-sigs.github.io/headlamp/"
+    chart: "headlamp"
+    targetRevision: 0.*.*
+    helm:
+      values: |
+        config:
+          inCluster: false  # ❗ deaktiviert die in-Cluster-Verbindung
+          extraArgs: []
+        
+        env:
+          - name: KUBECONFIG
+            value: /config/kubeconfig
+
+        serviceAccount:
+          create: false
+          name: headlamp-admin
+        
+        clusterRoleBinding:
+          create: false
+        
+        automountServiceAccountToken: false
+
+        volumes:
+          - name: sa-token
+            secret:
+              secretName: headlamp-admin-token
+          - name: kubeconfig
+            secret:
+              secretName: headlamp-kubeconfig
+
+        volumeMounts:
+          - name: sa-token
+            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+            readOnly: true
+          - name: kubeconfig
+            mountPath: /config
+            readOnly: true
+        
+        ingress:
+          enabled: true
+          ingressClassName: "traefik"
+          annotations:
+            traefik.ingress.kubernetes.io/router.entrypoints: web
+          hosts:
+            - host: headlamp.innohub.local
+              paths:
+                - path: /
+                  type: ImplementationSpecific
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/keycloak/values-keycloak.yaml
+++ b/argocd/apps/keycloak/values-keycloak.yaml
@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-headers
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-Port: "443"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: keycloak
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`keycloak.innovation-hub-niedersachsen.de`)
+      kind: Rule
+      middlewares:
+        - name: keycloak-headers
+      services:
+        - name: keycloak-external
+          port: 8080
+  tls:
+    secretName: keycloak-tls
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: keycloak.innohub.local
+  ports:
+    - port: 8080
--- a/argocd/apps/longhorn-dev/values-longhorn-dev.yaml
+++ b/argocd/apps/longhorn-dev/values-longhorn-dev.yaml
@@ -0,0 +1,56 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn-dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "https://charts.longhorn.io"
+    chart: "longhorn"
+    targetRevision: 1.*.*
+    helm:
+      values: |
+        preUpgradeChecker:
+          jobEnabled: false
+          upgradeVersionCheck: false
+        persistence:
+          defaultClass: true
+          defaultFsType: ext4
+          defaultMkfsParams: ""
+          defaultClassReplicaCount: 2
+          defaultDataLocality: disabled
+          reclaimPolicy: Delete
+          volumeBindingMode: "Immediate"
+          migratable: false
+          disableRevisionCounter: "true"
+          nfsOptions: ""
+
+        defaultSettings:
+          storageOverProvisioningPercentage: "200"
+          storageMinimalAvailablePercentage: "10"
+          storageReservedPercentageForDefaultDisk: "10"
+          defaultReplicaCount: '{"v1":"2","v2":"2"}'
+          replicaAutoBalance: "best-effort"
+          disableRevisionCounter: '{"v1":"true"}'
+          
+        ingress:
+          enabled: true
+          ingressClassName: "traefik"
+          annotations:
+            traefik.ingress.kubernetes.io/router.entrypoints: web
+          host: longhorn-dev.innohub.local        
+
+  destination:
+    server: 'https://192.168.4.202:6443'
+    namespace: longhorn-system
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/longhorn/values-longhorn.yaml
+++ b/argocd/apps/longhorn/values-longhorn.yaml
@@ -0,0 +1,60 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: "https://charts.longhorn.io"
+    chart: "longhorn"
+    targetRevision: 1.*.*
+    helm:
+      values: |
+        preUpgradeChecker:
+          jobEnabled: false
+          upgradeVersionCheck: false
+        persistence:
+          defaultClass: true
+          defaultFsType: ext4
+          defaultMkfsParams: ""
+          defaultClassReplicaCount: 2
+          defaultDataLocality: disabled
+          reclaimPolicy: Delete
+          volumeBindingMode: "Immediate"
+          migratable: false
+          disableRevisionCounter: "true"
+          nfsOptions: ""
+
+        defaultSettings:
+          storageOverProvisioningPercentage: "200"
+          storageMinimalAvailablePercentage: "10"
+          storageReservedPercentageForDefaultDisk: "10"
+          defaultReplicaCount: '{"v1":"2","v2":"2"}'
+          replicaAutoBalance: "best-effort"
+          disableRevisionCounter: '{"v1":"true"}'
+          # Disk-Erstellung nur auf gelabelten Nodes
+          createDefaultDiskLabeledNodes: true
+          # Default-Pfad für neue Disks
+          defaultDataPath: "/mnt/datastore/longhorn"
+          
+        ingress:
+          enabled: true
+          ingressClassName: "traefik"
+          annotations:
+            traefik.ingress.kubernetes.io/router.entrypoints: web
+          host: longhorn.innohub.local        
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: longhorn-system
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/mantisbt/config_inc.php
+++ b/argocd/apps/mantisbt/config_inc.php
@@ -0,0 +1,35 @@
+<?php
+$g_hostname               = 'mantisbt-mariadb';
+$g_db_type                = 'mysqli';
+$g_database_name          = 'mantisbt';
+$g_db_username            = 'mantisbt';
+$g_db_password            = 'MantisDBPassword_2024!';
+
+$g_default_timezone       = 'Europe/Berlin';
+
+$g_crypto_master_salt     = 'shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw=';
+
+$g_path                   = 'https://mantisbt.innovation-hub-niedersachsen.de/';
+
+# Email settings
+$g_webmaster_email        = 'inno-netz@zpd.polizei.niedersachsen.de';
+$g_from_email             = 'mantisbt@innovation-hub-niedersachsen.de';
+$g_return_path_email      = 'mantisbt@innovation-hub-niedersachsen.de';
+$g_from_name              = 'InnoHub MantisBT';
+
+# SMTP Configuration
+$g_phpMailer_method       = PHPMAILER_METHOD_SMTP;
+$g_smtp_host              = '192.168.4.125';
+$g_smtp_port              = 25;
+$g_enable_email_notification = ON;
+
+# File upload - match PHP limit
+$g_max_file_size          = 2000000;
+$g_allowed_files          = 'png,gif,jpg,jpeg,pdf,doc,docx,xls,xlsx,ppt,pptx,txt,zip,rar,7z';
+
+# Site settings
+$g_window_title           = 'InnoHub Bug Tracker';
+$g_logo_image             = 'images/mantis_logo.png';
+
+# Security - disable after installation!
+# $g_allow_signup           = OFF;
--- a/argocd/apps/mantisbt/values-mantisbt.yaml
+++ b/argocd/apps/mantisbt/values-mantisbt.yaml
@@ -0,0 +1,91 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mantisbt
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/mantisbt'
+    targetRevision: 0.4.*
+    chart: mantisbt
+    helm:
+      values: |
+        image:
+          repository: xlrl/mantisbt
+          tag: "latest"
+        
+        ingress:
+          enabled: true
+          className: traefik
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+            cert-manager.io/cluster-issuer: lets-encrypt
+          hosts:
+            - mantisbt.innovation-hub-niedersachsen.de
+          tls:
+            - secretName: mantisbt-tls
+              hosts:
+                - mantisbt.innovation-hub-niedersachsen.de
+        
+        mantisbt:
+          enableAdmin: "0"
+          timezone: "Europe/Berlin"
+          masterSalt: "shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw="
+        
+        persistence:
+          enabled: true
+          storageClass: longhorn
+          size: 10Gi
+        
+        resources:
+          requests:
+            memory: 256Mi
+            cpu: 100m
+          limits:
+            memory: 512Mi
+            cpu: 500m
+        
+        mariadb:
+          enabled: true
+          image:
+            tag: "latest"
+          auth:
+            database: mantisbt
+            username: mantisbt
+            password: "MantisDBPassword_2024!"
+            rootPassword: "RootDBPassword_2024!"
+          primary:
+            persistence:
+              enabled: true
+              storageClass: longhorn
+              size: 8Gi
+            livenessProbe:
+              enabled: true
+              initialDelaySeconds: 120
+              periodSeconds: 10
+              timeoutSeconds: 5
+              failureThreshold: 3
+            readinessProbe:
+              enabled: true
+              initialDelaySeconds: 30
+              periodSeconds: 10
+              timeoutSeconds: 5
+              failureThreshold: 3
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mantisbt
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/mattermost/mattermnost.bak
+++ b/argocd/apps/mattermost/mattermnost.bak
@@ -1,41 +1,43 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: praktikum
+  name: mattermost
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
-    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/praktikum'
-    targetRevision: 0.*.*
+    repoURL: 'https://helm.mattermost.com'
+    targetRevision: 6.*.*
    helm:
      parameters:
-        - name: ingress.enabled
-          value: "true"
-        - name: ingress.className
-          value: "traefik"
+        - name: 'ingress.enabled'
+          value: 'true'
+        - name: 'endpoint'
+          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: ingress.hosts[0]
-          value: "praktikum.innovation-hub-niedersachsen.de"
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.tls[0].secretName
-          value: "praktikum-tls"
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: websecure
+          value: 'mattermost.innovation-hub-niedersachsen.de'
+        - name: 'ingress.tls[0].hosts[0]'
+          value: 'mattermost.innovation-hub-niedersachsen.de'
+        - name: 'ingress.tls[0].secretName'
+          value: mattermost-tls
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: 'true'
          forceString: true
-        - name: ingress.tls[0].hosts[0]
-          value: "praktikum.innovation-hub-niedersachsen.de"
+        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
+          value: 'default-http-redirect@kubernetescrd'
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
-    chart: praktikum
+        - name: mysql.mysqlUser
+          value: 'mmdbuser'
+        - name: mysql.mysqlPassword
+          value: 'mmdbpwd'
+    chart: mattermost-team-edition
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: praktikum
+    namespace: mattermost
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
--- a/argocd/apps/mattermost/mattermnost.yaml
+++ b/argocd/apps/mattermost/mattermnost.yaml
@@ -1,43 +1,101 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
+metadata:
+  name: mattermost-postgres
+spec:
+  project: default
+  source:
+    repoURL: 'https://charts.bitnami.com/bitnami'
+    targetRevision: 16.*.*
+    chart: postgresql
+    helm:
+      valuesObject:
+        auth:
+          postgresPassword: "mmROOT12345"
+          database: "mattermost"
+          username: "mmdbuser"
+          password: "mmdbpwd"
+        
+        primary:
+          persistence:
+            enabled: true
+            storageClass: "longhorn"
+            size: 10Gi
+
+        fullnameOverride: "mattermost-postgresql"
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mattermost
+
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
 metadata:
  name: mattermost
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://helm.mattermost.com'
    targetRevision: 6.*.*
-    helm:
-      parameters:
-        - name: 'ingress.enabled'
-          value: 'true'
-        - name: 'endpoint'
-          value: 'mattermost.innovation-hub-niedersachsen.de'
-        - name: ingress.hosts[0]
-          value: 'mattermost.innovation-hub-niedersachsen.de'
-        - name: 'ingress.tls[0].hosts[0]'
-          value: 'mattermost.innovation-hub-niedersachsen.de'
-        - name: 'ingress.tls[0].secretName'
-          value: mattermost-tls
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
-          value: 'default-http-redirect@kubernetescrd'
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: lets-encrypt
-        - name: mysql.mysqlUser
-          value: 'mmdbuser'
-        - name: mysql.mysqlPassword
-          value: 'mmdbpwd'
    chart: mattermost-team-edition
+    helm:
+      valuesObject:
+
+        # Persistence für Mattermost Daten
+        persistence:
+          data:
+            enabled: true
+            size: 10Gi
+            storageClass: "longhorn"
+            accessMode: ReadWriteOnce
+          plugins:
+            enabled: true
+            size: 1Gi
+            storageClass: "longhorn"
+            accessMode: ReadWriteOnce
+
+        # MySQL SubChart DEAKTIVIEREN
+        mysql:
+          enabled: false
+
+        # PostgreSQL als externe Datenbank
+        externalDB:
+          enabled: true
+          externalDriverType: "postgres"
+          externalConnectionString: "mmdbuser:mmdbpwd@mattermost-postgresql:5432/mattermost?sslmode=disable&connect_timeout=10"
+
+        # WICHTIG: Security Context für korrekte Volume-Berechtigungen
+        # Mattermost läuft als UID 2000, GID 2000
+        securityContext:
+          fsGroup: 2000
+          runAsUser: 2000
+          runAsGroup: 2000
+
+        # Ingress Konfiguration
+        ingress:
+          enabled: true
+          hosts:
+            - mattermost.innovation-hub-niedersachsen.de
+          tls:
+            - hosts:
+                - mattermost.innovation-hub-niedersachsen.de
+              secretName: mattermost-tls
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            cert-manager.io/cluster-issuer: lets-encrypt
+
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mattermost
+
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
--- a/argocd/apps/mattermost/mmm-initcontainer.yaml
+++ b/argocd/apps/mattermost/mmm-initcontainer.yaml
@@ -0,0 +1,9 @@
+extraInitContainers:
+  - name: fix-permissions
+    image: busybox
+    command: ["sh", "-c", "chown -R 2000:2000 /mattermost/data"]
+    volumeMounts:
+      - name: mattermost-data
+        mountPath: /mattermost/data
+    securityContext:
+      runAsUser: 0
--- a/argocd/apps/mattermost/mysql-secrets.yaml
+++ b/argocd/apps/mattermost/mysql-secrets.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mattermost-db-credentials
+  namespace: mattermost
+type: Opaque
+stringData:
+  mysql-root-password: "InnoHubMYSQL_2025!"
+  mysql-password: "mmdbpwd"
+  mysql-user: "mmdbuser"
--- a/argocd/apps/minio/minio.yaml
+++ b/argocd/apps/minio/minio.yaml
@@ -1,64 +1,64 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: minio
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'registry-1.docker.io/bitnamicharts'
-    path: minio
-    targetRevision: 16.*.*
-    chart: minio
-    helm:
-      parameters:
-        - name: auth.rootPassword
-          value: 'InnoHubMINIO_2024!'
-        - name: ingress.enabled
-          value: 'true'
-        - name: ingress.hostname
-          value: 's3.innovation-hub-niedersachsen.de'
-        - name: ingress.tls
-          value: 'true'
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: 'lets-encrypt'
-        - name: ingress.annotations.ingress\.secrets
-          value: 's3.innovation-hub-niedersachsen.de-tls'
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: websecure
-        - name: apiIngress.enabled
-          value: 'true'
-        - name: apiIngress.hostname
-          value: 'api-s3.innovation-hub-niedersachsen.de'
-        - name: apiIngress.tls
-          value: 'true'
-        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: 'websecure'
-        - name: apiIngress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: apiIngress.annotations.cert-manager\.io\/cluster-issuer
-          value: 'lets-encrypt'
-        - name: apiIngress.annotations.ingress\.secrets
-          value: 'api-s3.innovation-hub-niedersachsen.de-tls'  
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: minio
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels: 
-        pod-security.kubernetes.io/enforce: "privileged"
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - RespectIgnoreDifferences=true
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: minio
+#  finalizers:
+#  - resources-finalizer.argocd.argoproj.io
+#spec:
+#  project: default
+#  source:
+#    repoURL: 'registry-1.docker.io/bitnamicharts'
+#    path: minio
+#    targetRevision: 16.*.*
+#    chart: minio
+#    helm:
+#      parameters:
+#        - name: auth.rootPassword
+#          value: 'InnoHubMINIO_2024!'
+#        - name: ingress.enabled
+#          value: 'true'
+#        - name: ingress.hostname
+#          value: 's3.innovation-hub-niedersachsen.de'
+#        - name: ingress.tls
+#          value: 'true'
+#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+#          value: traefik
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#          value: 'true'
+#          forceString: true
+#        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+#          value: 'lets-encrypt'
+#        - name: ingress.annotations.ingress\.secrets
+#          value: 's3.innovation-hub-niedersachsen.de-tls'
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#          value: websecure
+#        - name: apiIngress.enabled
+#          value: 'true'
+#        - name: apiIngress.hostname
+#          value: 'api-s3.innovation-hub-niedersachsen.de'
+#        - name: apiIngress.tls
+#          value: 'true'
+#        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#          value: 'websecure'
+#        - name: apiIngress.annotations.kubernetes\.io\/ingress\.class
+#          value: traefik
+#        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#          value: 'true'
+#          forceString: true
+#        - name: apiIngress.annotations.cert-manager\.io\/cluster-issuer
+#          value: 'lets-encrypt'
+#        - name: apiIngress.annotations.ingress\.secrets
+#          value: 'api-s3.innovation-hub-niedersachsen.de-tls'  
+#  destination:
+#    server: 'https://kubernetes.default.svc'
+#    namespace: minio
+#  syncPolicy:
+#    managedNamespaceMetadata:
+#      labels: 
+#        pod-security.kubernetes.io/enforce: "privileged"
+#    automated:
+#      selfHeal: true
+#      prune: true
+#    syncOptions:
+#      - CreateNamespace=true
+#      - RespectIgnoreDifferences=true
--- a/argocd/apps/minio/values-minio.yaml
+++ b/argocd/apps/minio/values-minio.yaml
@@ -0,0 +1,67 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minio
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'registry-1.docker.io/cloudpirates'
+    path: minio
+    targetRevision: 0.*.*
+    chart: minio    
+    helm:
+      values: |
+        auth:
+          rootPassword: "InnoHubMINIO_2024!"
+        ingress:
+          enabled: true
+          className: "traefik"
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          hosts:
+            - host: "api-s3.innovation-hub-niedersachsen.de"
+              paths:
+                - path: /
+                  pathType: "Prefix"
+          tls:
+            - secretName: "api-s3.innovation-hub-niedersachsen.de-tls"
+              hosts:
+                - "api-s3.innovation-hub-niedersachsen.de" 
+
+        consoleIngress:
+          enabled: true
+          className: "traefik"
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          hosts:
+            - host: "s3.innovation-hub-niedersachsen.de"
+              paths:
+                - path: /
+                  pathType: "Prefix"
+          tls:
+            - secretName: "s3.innovation-hub-niedersachsen.de-tls"
+              hosts:
+                - "s3.innovation-hub-niedersachsen.de" 
+        persistence:
+          storageClass: "longhorn"
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: minio
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels: 
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/mrknow/traefik-mrknow.yaml
+++ b/argocd/apps/mrknow/traefik-mrknow.yaml
@@ -0,0 +1,165 @@
+# =============================================================================
+# Traefik IngressRoute Konfiguration für MR.KNOW / BPM Inspire
+# =============================================================================
+# Anpassen:
+#   - Host: mrknow.innovation-hub-niedersachsen.de (oder gewünschte Domain)
+#   - externalName: IP/Hostname des Portainer/Docker Hosts
+#   - secretName: TLS-Zertifikat Secret
+# =============================================================================
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: mrknow-headers
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-Port: "443"
+
+---
+# =============================================================================
+# IngressRoute für InForm (Frontend / Root-Pfad)
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-inform
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && !PathPrefix(`/insign`) && !PathPrefix(`/inspire`) && !PathPrefix(`/pgadmin`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-inform-external
+          port: 8080
+  tls:
+    secretName: mrknow-tls
+
+---
+# =============================================================================
+# IngressRoute für InSign
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-insign
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/insign`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-insign-external
+          port: 8081
+  tls:
+    secretName: mrknow-tls
+
+---
+# =============================================================================
+# IngressRoute für InSpire
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-inspire
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/inspire`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-inspire-external
+          port: 8082
+  tls:
+    secretName: mrknow-tls
+
+# ---
+# =============================================================================
+# IngressRoute für PgAdmin (optional)
+# =============================================================================
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: mrknow-pgadmin
+#   namespace: kube-system
+# spec:
+#   entryPoints:
+#     - websecure
+#   routes:
+#     - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/pgadmin`)
+#       kind: Rule
+#       middlewares:
+#         - name: mrknow-headers
+#       services:
+#         - name: mrknow-pgadmin-external
+#           port: 5050
+#   tls:
+#     secretName: mrknow-tls
+
+---
+# =============================================================================
+# External Services - Verbindung zum Portainer/Docker Host
+# =============================================================================
+# WICHTIG: externalName auf den Hostnamen/IP deines Docker-Hosts anpassen!
+# =============================================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-inform-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-insign-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8081
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-inspire-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8082
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-pgadmin-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 5050
--- a/argocd/apps/n8n/8gears.yaml
+++ b/argocd/apps/n8n/8gears.yaml
@@ -1,59 +0,0 @@
-#apiVersion: argoproj.io/v1alpha1
-#kind: Application
-#metadata:
-#  name: n8n-dev 
-#  finalizers:
-#  - resources-finalizer.argocd.argoproj.io
-#spec:
-#  project: default
-#  source:
-#    repoURL: '8gears.container-registry.com/library'
-#    path: n8n
-#    targetRevision: 1.*.*
-#    chart: n8n
-#    helm: 
-#      parameters:
-#        - name: ingress.enabled
-#          value: 'true'
-#        - name: ingress.className
-#          value: traefik
-#        - name: ingress.hosts[0].host
-#          value: n8n-dev.innovation-hub-niedersachsen.de            
-#        - name: ingress.hosts[0].paths[0].path
-#          value: "/"
-#        - name: ingress.hosts[0].paths[0].pathType
-#          value: "Prefix"
-#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-#          value: traefik    
-#        - name: ingress.tls[0].secretName
-#          value: "n8n-dev-tls"
-#        - name: ingress.tls[0].hosts[0]
-#          value: "n8n-dev.innovation-hub-niedersachsen.de"  
-#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-#          value: websecure             
-#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-#          value: traefik
-#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-#          value: 'true'
-#          forceString: true
-#        - name: main.persistence.enabled
-#          value: 'true' 
-#        - name: redis.enabled
-#          value: 'true'   
-#        - name: worker.enabled
-#          value: 'true' 
-#        - name: main.secret.n8n.encryption_key
-#          value: '8gears-n8n-dev-encryption-key'
-#        - name: main.config.n8n.runners_enabled
-#          value: 'true'    
-#        - name: main.config.n8n.enforce_settings_file_permissions
-#          value: 'true'  
-#  destination:
-#    namespace: n8n
-#    server: 'https://192.168.4.202:6443'
-#  syncPolicy:
-#    automated:
-#      prune: true
-#      selfHeal: true
-#    syncOptions:
-#      - CreateNamespace=true
--- a/argocd/apps/n8n/n8n.yaml
+++ b/argocd/apps/n8n/n8n.yaml
@@ -1,69 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: n8n
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'https://community-charts.github.io/helm-charts'
-    targetRevision: 1.*.*
-    chart: n8n    
-    helm:
-      parameters:
-        - name: db.type
-          value: "postgresdb"
-        - name: postgresql.enabled
-          value: "true"
-        - name: postgresql.primary.persistence.enabled
-          value: "true"
-        - name: postgresql.auth.usename
-          value: "n8n"
-        - name: postgresql.auth.password
-          value: "n8n"  
-        - name: minio.enabled
-          value: "true"  
-        - name: minio.persistence.enabled
-          value: "true"  
-        - name: webhook.allNodes
-          value: "true"
-        - name: webhook.url
-          value: "https://n8n.innovation-hub-niedersachsen.de/"  
-        - name: redis.enabled
-          value: "true" 
-        - name: redis.master.persistence.enabled
-          value: "true"   
-        - name: ingress.enabled
-          value: "true"
-        - name: ingress.className
-          value: "traefik"
-        - name: ingress.hosts[0].host
-          value: "n8n.innovation-hub-niedersachsen.de"
-        - name: ingress.hosts[0].paths[0].path
-          value: "/"
-        - name: ingress.hosts[0].paths[0].pathType
-          value: "Prefix"
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik   
-        - name: ingress.tls[0].secretName
-          value: "n8n-tls"
-        - name: ingress.tls[0].hosts[0]
-          value: "n8n.innovation-hub-niedersachsen.de"
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: "true"
-          forceString: true
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: lets-encrypt 
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: n8n
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels: 
-        pod-security.kubernetes.io/enforce: "privileged"
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/apps/n8n/values-n8n.yaml
+++ b/argocd/apps/n8n/values-n8n.yaml
@@ -0,0 +1,112 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: n8n
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://community-charts.github.io/helm-charts'
+    targetRevision: 1.*.*
+    chart: n8n    
+    helm:
+      values: |
+        encryptionKey: "239fbfe8315c786826a9af8f6f984e46"
+        
+        # n8n Hauptknoten mit Persistenz
+        main:
+          persistence:
+            enabled: true
+            storageClass: "longhorn"
+            size: 10Gi
+            accessMode: ReadWriteOnce
+            mountPath: "/home/node/.n8n"
+            annotations:
+              helm.sh/resource-policy: keep
+          forceToUseStatefulset: true
+          count: 1
+          
+          # Umgebungsvariablen für Trust Proxy
+          extraEnvVars:
+            N8N_PROXY_HOPS: "1"
+        
+        # PostgreSQL Datenbank
+        db:
+          type: "postgresdb"
+        postgresql:
+          enabled: true
+          primary:
+            persistence:
+              enabled: true
+              storageClass: "longhorn"
+              size: 10Gi
+              accessMode: ReadWriteOnce
+              annotations:
+                helm.sh/resource-policy: keep
+          auth:
+            username: "n8n"
+            password: "n8n"
+            postgresPassword: "35PuQG99qi"
+            database: "n8n"
+        
+        # MinIO für Binary Data
+        minio:
+          enabled: true
+          rootUser: "vkYCY4YJsFv11E18az7o"
+          rootPassword: "gOVBJMs5qxABhReVQwe3M43mfS8RsejUJSKOWr5N"
+          persistence:
+            enabled: true
+            storageClass: "longhorn"
+            size: 40Gi
+            annotations:
+              helm.sh/resource-policy: keep
+
+        # Redis für Queue Mode
+        redis:
+          enabled: true
+          auth:
+            password: "y8GBnBTleK"
+          master:
+            persistence:
+              enabled: true
+              storageClass: "longhorn"
+              size: 5Gi
+              accessMode: ReadWriteOnce
+              annotations:
+                helm.sh/resource-policy: keep
+
+        webhook:
+          url: "https://n8n.innovation-hub-niedersachsen.de/"
+          allNodes: true
+
+        ingress:
+          enabled: true 
+          className: "traefik"
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure           
+          hosts: 
+            - host: "n8n.innovation-hub-niedersachsen.de"
+              paths:
+                - path: /
+                  pathType: "Prefix"
+          tls:
+            - secretName: "n8n-tls"
+              hosts:
+                - "n8n.innovation-hub-niedersachsen.de"
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: n8n
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels: 
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/nextcloud/nextcloud.bak
+++ b/argocd/apps/nextcloud/nextcloud.bak
@@ -0,0 +1,128 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://nextcloud.github.io/helm/'
+    targetRevision: 8.*.*
+    helm:
+      parameters:
+        - name: image.repository
+          value: 'nextcloud'
+        - name: image.flavor
+          value: 'fpm'
+        - name: ingress.className
+          value: 'traefik'
+        - name: nginx.enabled
+          value: 'true'  
+        - name: 'ingress.enabled'
+          value: 'true'
+        - name: ingress.servicePort
+          value: 'https'
+        - name: phpClientHttpsFix.enabled
+          value: 'true'
+        - name: phpClientHttpsFix.protocol
+          value: 'https'
+        - name: nextcloud.host
+          value: 'innocloud.innovation-hub-niedersachsen.de'
+        - name: nextcloud.password
+          value: 'InnoHubADMIN_2024!'
+        - name: internalDatabase.enabled
+          value: 'false'
+        - name: redis.enabled
+          value: 'true'  
+        - name: redis.auth.password
+          value: 'redisInnoDBUser'          
+        - name: postgresql.enabled
+          value: 'true'
+        - name: postgresql.global.postgresql.auth.password
+          value: 'pgInnoDBUser'
+        - name: postgresql.primary.persistence.enabled
+          value: 'true'
+        - name: 'endpoint'
+          value: 'innocloud.innovation-hub-niedersachsen.de'
+        - name: ingress.hosts[0]
+          value: 'innocloud.innovation-hub-niedersachsen.de'
+        - name: 'ingress.tls[0].hosts[0]'
+          value: 'innocloud.innovation-hub-niedersachsen.de'
+        - name: 'ingress.tls[0].secretName'
+          value: innocloud-tls
+        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+          value: traefik
+        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+          value: 'true'
+          forceString: true
+        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
+          value: 'kube-system-hsts@kubernetescrd'  
+        - name: service\.annotations\.traefik\.ingress\.kubernetes\.io\/service\.sticky\.cookie
+          value: 'true'
+        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+          value: lets-encrypt
+        - name: persistence.enabled
+          value: 'true'
+        - name: persistence.nextcloudData.enabled
+          value: 'true'
+        - name: cronjob.enabled
+          value: 'true'
+        - name: nextcloud.mail.fromAddress
+          value: 'admin'
+        - name: nextcloud.mail.domain
+          value: 'innovation-hub-niedersachsen.de'
+        - name: nextcloud.mail.smtp.host
+          value: '192.168.4.125'
+        - name: nextcloud.mail.smtp.port
+          value: '25'
+
+        # AppAPI DinD Sidecar Configuration
+        - name: nextcloud.extraSidecarContainers[0].name
+          value: 'dind'
+        - name: nextcloud.extraSidecarContainers[0].image
+          value: 'docker:27-dind'
+        - name: nextcloud.extraSidecarContainers[0].securityContext.privileged
+          value: 'true'
+        - name: nextcloud.extraSidecarContainers[0].env[0].name
+          value: 'DOCKER_TLS_CERTDIR'
+        - name: nextcloud.extraSidecarContainers[0].env[0].value
+          value: ''
+        - name: nextcloud.extraSidecarContainers[0].volumeMounts[0].name
+          value: 'docker-sock'
+        - name: nextcloud.extraSidecarContainers[0].volumeMounts[0].mountPath
+          value: '/var/run'
+        - name: nextcloud.extraSidecarContainers[0].volumeMounts[1].name
+          value: 'dind-storage'
+        - name: nextcloud.extraSidecarContainers[0].volumeMounts[1].mountPath
+          value: '/var/lib/docker'
+        
+        # Extra Volumes für DinD
+        - name: nextcloud.extraVolumes[0].name
+          value: 'docker-sock'
+        - name: nextcloud.extraVolumes[0].emptyDir
+          value: '{}'
+        - name: nextcloud.extraVolumes[1].name
+          value: 'dind-storage'
+        - name: nextcloud.extraVolumes[1].emptyDir
+          value: '{}'
+        
+        # Mount Docker Socket in Nextcloud Container
+        - name: nextcloud.extraVolumeMounts[0].name
+          value: 'docker-sock'
+        - name: nextcloud.extraVolumeMounts[0].mountPath
+          value: '/var/run'
+          
+    chart: nextcloud
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nextcloud
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels: 
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/nextcloud/nextcloud.yaml
+++ b/argocd/apps/nextcloud/nextcloud.yaml
@@ -10,78 +10,117 @@ spec:
    repoURL: 'https://nextcloud.github.io/helm/'
    targetRevision: 8.*.*
    helm:
-      parameters:
-        - name: image.repository
-          value: 'nextcloud'
-        - name: image.flavor
-          value: 'fpm'
-        - name: ingress.className
-          value: 'traefik'
-        - name: nginx.enabled
-          value: 'true'  
-        - name: 'ingress.enabled'
-          value: 'true'
-        - name: ingress.servicePort
-          value: 'https'
-        - name: phpClientHttpsFix.enabled
-          value: 'true'
-        - name: phpClientHttpsFix.protocol
-          value: 'https'
-        - name: nextcloud.host
-          value: 'innocloud.innovation-hub-niedersachsen.de'
-        - name: nextcloud.password
-          value: 'InnoHubADMIN_2024!'
-        - name: internalDatabase.enabled
-          value: 'false'
-        - name: redis.enabled
-          value: 'true'  
-        - name: redis.auth.password
-          value: 'redisInnoDBUser'          
-        - name: postgresql.enabled
-          value: 'true'
-        - name: postgresql.global.postgresql.auth.password
-          value: 'pgInnoDBUser'
-        - name: postgresql.primary.persistence.enabled
-          value: 'true'
-#        - name: externalDatabase.type
-#          value: postgresql
-#        - name: externalDatabase.host
-#          value: 'nextcloud-postgresql-0'
-#        - name: externalDatabase.password
-#          value: 'pgInnoDBUser'
-        - name: 'endpoint'
-          value: 'innocloud.innovation-hub-niedersachsen.de'
-        - name: ingress.hosts[0]
-          value: 'innocloud.innovation-hub-niedersachsen.de'
-        - name: 'ingress.tls[0].hosts[0]'
-          value: 'innocloud.innovation-hub-niedersachsen.de'
-        - name: 'ingress.tls[0].secretName'
-          value: innocloud-tls
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
-          value: 'kube-system-hsts@kubernetescrd'  
-        - name: service\.annotations\.traefik\.ingress\.kubernetes\.io\/service\.sticky\.cookie
-          value: 'true'
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: lets-encrypt
-        - name: persistence.enabled
-          value: 'true'
-        - name: persistence.nextcloudData.enabled
-          value: 'true'
-        - name: cronjob.enabled
-          value: 'true'
-        - name: nextcloud.mail.fromAddress
-          value: 'admin'
-        - name: nextcloud.mail.domain
-          value: 'innovation-hub-niedersachsen.de'
-        - name: nextcloud.mail.smtp.host
-          value: '192.168.4.125'
-        - name: nextcloud.mail.smtp.port
-          value: '25'
+      values: |
+        image:
+          repository: nextcloud
+          flavor: fpm
+        
+        ingress:
+          enabled: true
+          className: traefik
+          servicePort: https
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd
+            cert-manager.io/cluster-issuer: lets-encrypt
+          hosts:
+            - innocloud.innovation-hub-niedersachsen.de
+          tls:
+            - secretName: innocloud-tls
+              hosts:
+                - innocloud.innovation-hub-niedersachsen.de
+        
+        service:
+          annotations:
+            traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
+        
+        nginx:
+          enabled: true
+        
+        phpClientHttpsFix:
+          enabled: true
+          protocol: https
+        
+        nextcloud:
+          host: innocloud.innovation-hub-niedersachsen.de
+          password: InnoHubADMIN_2024!
+          mail:
+            enabled: true
+            fromAddress: admin
+            domain: innovation-hub-niedersachsen.de
+            smtp:
+              host: 192.168.4.125
+              port: 25
+          
+          # DinD Sidecar für AppAPI (TCP Mode)
+          extraSidecarContainers:
+            - name: dind
+              image: docker:27-dind
+              securityContext:
+                privileged: true
+              command:
+                - dockerd
+              args:
+                - --host=tcp://0.0.0.0:2375
+                - --tls=false
+              env:
+                - name: DOCKER_TLS_CERTDIR
+                  value: ""
+              volumeMounts:
+                - name: dind-storage
+                  mountPath: /var/lib/docker
+              ports:
+                - containerPort: 2375
+                  name: docker
+          
+          extraVolumes:
+            - name: dind-storage
+              emptyDir: {}
+        
+        internalDatabase:
+          enabled: false
+        
+        redis:
+          enabled: true
+          auth:
+            password: redisInnoDBUser
+          # architecture: standalone
+          master:
+            extraEnvVars:
+              - name: REDIS_MASTER_HOST
+                value: "localhost"
+              - name: REDIS_MASTER_PORT_NUMBER
+                value: "6379"
+            readinessProbe:
+              timeoutSeconds: 20    
+            replica:
+            extraEnvVars:
+              - name: REDIS_MASTER_HOST
+                value: "nextcloud-redis-master"
+              - name: REDIS_MASTER_PORT_NUMBER
+                value: "6379"
+            readinessProbe:
+              timeoutSeconds: 20    
+        
+        postgresql:
+          enabled: true
+          global:
+            postgresql:
+              auth:
+                password: pgInnoDBUser
+          primary:
+            persistence:
+              enabled: true
+        
+        persistence:
+          enabled: true
+          nextcloudData:
+            enabled: true
+        
+        cronjob:
+          enabled: true
+    
    chart: nextcloud
  destination:
    server: 'https://kubernetes.default.svc'
--- a/argocd/apps/open-webui/openwebui.yaml
+++ b/argocd/apps/open-webui/openwebui.yaml
@@ -1,57 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: open-webui
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'https://helm.openwebui.com/'
-    targetRevision: 8.*.*
-    helm:
-      parameters:
-        - name: serviceAccount.enable
-          value: 'false'
-        - name: persistence.size
-          value: 200Gi
-        - name: existingClaim
-          value: "open-webui"
-        - name: ollama.enabled
-          value: 'false'  
-      #  - name: ollama.persistentVolume.enabled
-      #    value: 'true'
-      #  - name: ollama.persistence.existingClaim
-      #    value: "open-webui-llm-storage"
-      #  - name: ollama.persistenceVolume.size
-      #    value: 200Gi
-        - name: ingress.class
-          value: 'traefik'
-        - name: ingress.enabled
-          value: 'true'
-        - name: ingress.host
-          value: "innollm.innovation-hub-niedersachsen.de"
-        - name: ingress.tls
-          value: 'true'
-        - name: ingress.existingSecret
-          value: 'innollm-tls'
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
-          forceString: true
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: lets-encrypt
-    chart: open-webui
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: open-webui
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels: 
-        pod-security.kubernetes.io/enforce: 'privileged'
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/apps/open-webui/values-openwebui.yaml
+++ b/argocd/apps/open-webui/values-openwebui.yaml
@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-webui
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://helm.openwebui.com/'
+    targetRevision: 9.*.*
+    chart: open-webui
+    helm:
+      values: |
+        serviceAccount:
+          enable: false
+
+        persistence:
+          size: 200Gi
+          storageClass: longhorn
+
+        ollama:
+          enabled: false
+        
+        extraEnvVars:
+          - name: OAUTH_LOGOUT_REDIRECT_URL
+            value: "https://innollm.innovation-hub-niedersachsen.de/"
+          - name: ENABLE_OAUTH_LOGOUT
+            value: "true"
+          - name: WEBUI_SECRET_KEY
+            value: "17e027e793724fcbf0400c91374d6960f1beec64b52939c4ee20c1b6faf859ad"
+          - name: CORS_ALLOW_ORIGIN
+            value: "https://innollm.innovation-hub-niedersachsen.de"
+          - name: USER_AGENT
+            value: "Open-WebUI/InnoHub"
+
+        ingress:
+          enabled: true
+          class: traefik
+          host: "innollm.innovation-hub-niedersachsen.de"
+          tls: true
+          existingSecret: "innollm-tls"
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+        
+        sso:
+          enabled: true
+          enableSignup: true
+          mergeAccountsByEmail: false
+          enableRoleManagement: false
+          enableGroupManagement: false
+          oidc:
+            enabled: true
+            clientId: "open-webui"
+            clientSecret: "RFkQ5RDXv6KE4DiQsOq3BJejWFElu90G"
+            providerUrl: "https://keycloak.innovation-hub-niedersachsen.de/realms/innohub/.well-known/openid-configuration"
+            providerName: "Keycloak"
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: open-webui
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: 'privileged'
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/openproject/cvmtmp.sh
+++ b/argocd/apps/openproject/cvmtmp.sh
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-echo "=== Pods Status ==="
-kubectl get pods -n openproject
-
-echo -e "\n=== Deployment Status ==="
-kubectl get deployment -n openproject
-
-echo -e "\n=== Web Pod Details ==="
-kubectl describe pod -n openproject -l app.kubernetes.io/name=openproject,app.kubernetes.io/component=web | tail -50
-
-echo -e "\n=== ReplicaSet Status ==="
-kubectl get replicaset -n openproject
--- a/argocd/apps/openproject/openproject-ns.yaml
+++ b/argocd/apps/openproject/openproject-ns.yaml
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata: 
-  name: openproject
-  labels:
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/warn: privileged
--- a/argocd/apps/openproject/postgresql-auth.yaml
+++ b/argocd/apps/openproject/postgresql-auth.yaml
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: postgresql-auth
-  namespace: openproject
-type: Opaque
-stringData:
-  postgres-password: InnoPG2025
-  password: InnoDB2025
--- a/argocd/apps/openproject/values-openproject.yaml
+++ b/argocd/apps/openproject/values-openproject.yaml
@@ -1,126 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: openproject
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'https://charts.openproject.org'
-    chart: openproject
-    targetRevision: 11.*.*
-    helm:
-      values: |
-        develop: false
-        
-        environment:
-          EMAIL_DELIVERY_METHOD: "smtp"
-          SMTP_ADDRESS: "smtp.innohub.local"
-          SMTP_PORT: "25"
-          SMTP_DOMAIN: "innovation-hub-niedersachsen.de"
-          SMTP_AUTHENTICATION: "none"
-          SMTP_ENABLE_STARTTLS_AUTO: "false"
-
-        cron:
-          enabled: false
-          environment:
-            IMAP_HOST: "smtp.innovation-hub-niedersachsen.de"
-            IMAP_PORT: 993
-            IMAP_SSL: "true"
-            IMAP_USERNAME: "openproject"
-            IMAP_PASSWORD: "openproject-imap-password"
-          schedule: "*/5 * * * *"  
-        ingress:
-          enabled: true
-          ingressClassName: traefik
-          annotations:
-            kubernetes.io/ingress.class: traefik
-            traefik.ingress.kubernetes.io/router.entrypoints: websecure
-            traefik.ingress.kubernetes.io/router.tls: "true"
-            cert-manager.io/cluster-issuer: lets-encrypt
-          host: "openproject.innovation-hub-niedersachsen.de"
-          path: /
-          pathType: "Prefix"
-          tls:
-            enabled: true
-            secretName: openproject-tls
-        
-        openproject:
-          https: true
-          hsts: true
-          seed_locale: "de"
-          useTmpVolumes: "false"
-          admin_user:
-            password: "admin"
-            password_reset: true
-            name: "OpenProject Admin"
-            mail: "inno-netz@zpd.polizei.niedersachsen.de"
-
-        resources:
-          requests:
-            memory: "1Gi"
-          limits:
-            memory: "2Gi"
-
-        appInit:
-          resources:
-            requests:
-              memory: "512Mi"
-            limits:
-              memory: "1Gi"       
-
-        memcached:
-          global:
-            readOnlyRootFilesystem: false
-        
-        containerSecurityContext:
-          readOnlyRootFilesystem: false
-
-        persistence:
-          enabled: false
-          accessModes:
-            - "ReadWriteOnce"
-
-        s3:
-          enabled: true
-          auth:
-            accessKeyId: "K7mNpQ2vRxL9wYtH3Zc8"
-            secretAccessKey: "jX9fK2mP5nQ8rT1vW4yZ7bN0cM3hL6gF9dS2aE5k"
-          host: "sws3.innovation-hub-niedersachsen.de"
-          port: 443
-          bucketName: "openproject"
-          region: "eu-central-1"
-        
-        postgresql:
-          bundled: true
-          auth:
-            existingSecret: "postgresql-auth"
-            username: "openproject"
-            # password: "openproject123"
-            # postgresPassword: "postgres123"
-            database: "openproject"
-          global:
-            readOnlyRootFilesystem: false
-          primary:
-            persistence:
-              enabled: true
-              size: 8Gi
-            service:
-              type: ClusterIP
-              ports:
-                postgresql: 5432
-  
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: openproject
-  
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        pod-security.kubernetes.io/enforce: "privileged"
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/apps/plane/bakup/plane-ingress_fix.txt
+++ b/argocd/apps/plane/bakup/plane-ingress_fix.txt
@@ -0,0 +1,10 @@
+kubectl patch ingress plane-ingress -n plane \
+  --type merge \
+  -p '{
+    "spec": {
+      "tls": [{
+        "hosts": ["plane.innovation-hub-niedersachsen.de"],
+        "secretName": "plane-tls"
+      }]
+    }
+  }'
--- a/argocd/apps/plane/plane-secret-patcher.yaml
+++ b/argocd/apps/plane/plane-secret-patcher.yaml
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: plane-secret-patcher
+  namespace: plane
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  template:
+    spec:
+      serviceAccountName: plane-secret-patcher
+      restartPolicy: Never
+      containers:
+      - name: patcher
+        image: bitnami/kubectl:latest
+        command:
+        - /bin/sh
+        - -c
+        - |
+          # Patch plane-app-secrets
+          kubectl patch secret plane-app-secrets -n plane --type='json' -p='[
+            {"op": "replace", "path": "/data/DATABASE_URL", "value": "'$(echo -n "postgresql://plane:plane@plane-pgdb:5432/plane" | base64)'"},
+            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"},
+            {"op": "replace", "path": "/data/AMQP_URL", "value": "'$(echo -n "amqp://plane:plane@plane-rabbitmq/" | base64)'"}
+          ]'
+          
+          # Patch plane-live-secrets
+          kubectl patch secret plane-live-secrets -n plane --type='json' -p='[
+            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"}
+          ]'
+          
+          echo "Secrets patched successfully"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: plane-secret-patcher
+  namespace: plane
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: plane-secret-patcher
+  namespace: plane
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: plane-secret-patcher
+  namespace: plane
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: plane-secret-patcher
+subjects:
+- kind: ServiceAccount
+  name: plane-secret-patcher
+  namespace: plane
--- a/argocd/apps/plane/values-plane.yaml
+++ b/argocd/apps/plane/values-plane.yaml
@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: plane
+  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
@@ -10,31 +11,112 @@ spec:
      kind: PersistentVolumeClaim
      jsonPointers:
        - /metadata/creationTimestamp
+    - group: batch
+      kind: Job
+      jsonPointers:
+        - /spec
+        - /metadata/annotations
+        - /metadata/labels
+    - group: apps
+      kind: StatefulSet
+      jsonPointers:
+        - /spec/volumeClaimTemplates/0/metadata/creationTimestamp
+        - /spec/volumeClaimTemplates/1/metadata/creationTimestamp
+        - /spec/volumeClaimTemplates/2/metadata/creationTimestamp
+    - group: ""
+      kind: Secret
+      jsonPointers:
+        - /data
+        
  project: default
  source:
    repoURL: 'https://helm.plane.so/'
    chart: 'plane-ce'
-    targetRevision: 1.2.*
+    targetRevision: 1.*.*
    helm:
      values: |
-        planeVersion: stable
        
        ingress:
          enabled: true
-          ingressClass: traefik
-          annotations:
-            kubernetes.io/ingress.class: traefik
-            traefik.ingress.kubernetes.io/router.entrypoints: websecure
-            traefik.ingress.kubernetes.io/router.tls: "true"
+          appHost: "plane.innovation-hub-niedersachsen.de"
+          ingressClass: "traefik"
+          ingress_annotations:
            cert-manager.io/cluster-issuer: lets-encrypt
-          hosts: 
-            - "plane.innovation-hub-niedersachsen.de"
-          tls:
-            - secretName: plane-tls
-              hosts:
-                - "plane.innovation-hub-niedersachsen.de"  
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        
        ssl:
-            tls_secret_name: plane-tls
+          tls_secret_name: "plane-tls"
+          createIssuer: false
+          generateCerts: false
+
+        redis:
+          local_setup: true
+          assign_cluster_ip: true
+          storageClass: "longhorn"
+          volumeSize: 500Mi
+
+        postgres:
+          local_setup: true
+          assign_cluster_ip: true
+          storageClass: "longhorn"
+          volumeSize: 5Gi
+
+        rabbitmq:
+          local_setup: true
+          assign_cluster_ip: true
+          storageClass: "longhorn"
+          volumeSize: 500Mi
+
+        minio:
+          local_setup: true
+          storageClass: "longhorn"
+          volumeSize: 10Gi
+          root_user: "plane-minio-admin"
+          root_password: "InnoHubPLANE2025!"
+
+        api:
+          replicas: 1
+          memoryLimit: 2Gi
+          cpuLimit: 1000m
+          dnsConfig:
+            options:
+              - name: ndots
+                value: "1"
+
+        worker:
+          replicas: 1
+          memoryLimit: 8Gi
+          cpuLimit: 1500m
+          cpuRequest: 500m
+          memoryRequest: 6Gi
+          dnsConfig:
+            options:
+              - name: ndots
+                value: "1"
+
+        beatworker:
+          replicas: 1
+          dnsConfig:
+            options:
+              - name: ndots
+                value: "1"
+
+        live:
+          replicas: 1
+          dnsConfig:
+            options:
+              - name: ndots
+                value: "1"
+
+        env:
+          pgdb_username: plane
+          pgdb_password: plane
+          pgdb_name: plane
+          pgdb_remote_url: ""
+          remote_redis_url: ""
+          docstore_bucket: "uploads"
+          doc_upload_size_limit: "5242880"
+          cors_allowed_origins: "https://plane.innovation-hub-niedersachsen.de"
          
  destination:
    server: 'https://kubernetes.default.svc'
@@ -49,3 +131,5 @@ spec:
      prune: true
    syncOptions:
      - CreateNamespace=true
+      - RespectIgnoreDifferences=true
+      - PruneLast=true
--- a/argocd/apps/plane/values.txt
+++ b/argocd/apps/plane/values.txt
@@ -1,183 +0,0 @@
-planeVersion: stable
-
-dockerRegistry:
-  enabled: false
-  host: "index.docker.io/v1/"
-  loginid: ""
-  password: ""
-
-ingress:
-  enabled: true
-  appHost: "plane.example.com"
-  minioHost: ""
-  rabbitmqHost: ""
-  ingressClass: "nginx"
-  ingress_annotations: {"nginx.ingress.kubernetes.io/proxy-body-size": "5m"}
-
-# SSL Configuration - Valid only if ingress.enabled is true
-ssl:
-  tls_secret_name: "" # If you have a custom TLS secret name
-  # If you want to use Let's Encrypt, set createIssuer and generateCerts to true
-  createIssuer: false
-  issuer: "http" # Allowed : cloudflare, digitalocean, http
-  token: "" # not required for http
-  server: https://acme-v02.api.letsencrypt.org/directory
-  email: plane@example.com
-  generateCerts: false
-
-redis:
-  local_setup: true
-  image: valkey/valkey:7.2.5-alpine
-  servicePort: 6379
-  storageClass: ""
-  volumeSize: 100Mi
-  pullPolicy: IfNotPresent
-  assign_cluster_ip: false
-
-postgres:
-  local_setup: true
-  image: postgres:15.7-alpine
-  servicePort: 5432
-  storageClass: ""
-  volumeSize: 1Gi
-  pullPolicy: IfNotPresent
-  assign_cluster_ip: false
-
-rabbitmq:
-  local_setup: true
-  image: rabbitmq:3.13.6-management-alpine
-  pullPolicy: IfNotPresent
-  servicePort: 5672
-  managementPort: 15672
-  storageClass: ""
-  volumeSize: 100Mi
-  default_user: plane
-  default_password: plane
-  external_rabbitmq_url: ''
-  assign_cluster_ip: false
-
-minio:
-  image: minio/minio:latest
-  image_mc: minio/mc:latest
-  local_setup: true
-  pullPolicy: IfNotPresent
-  root_password: password
-  root_user: admin
-  storageClass: ""
-  volumeSize: 1Gi
-  assign_cluster_ip: false
-  env:
-   minio_endpoint_ssl: false
-
-web:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-frontend
-  pullPolicy: Always
-  assign_cluster_ip: false
-
-space:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-space
-  pullPolicy: Always
-  assign_cluster_ip: false
-
-admin:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-admin
-  pullPolicy: Always
-  assign_cluster_ip: false
-
-live:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-live
-  pullPolicy: Always
-  assign_cluster_ip: false
-
-api:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-backend
-  pullPolicy: Always
-  assign_cluster_ip: false
-
-worker:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-backend
-  pullPolicy: Always
-
-beatworker:
-  replicas: 1
-  memoryLimit: 1000Mi
-  cpuLimit: 500m
-  cpuRequest: 50m
-  memoryRequest: 50Mi
-  image: artifacts.plane.so/makeplane/plane-backend
-  pullPolicy: Always
-
-external_secrets:
-  # Name of the existing Kubernetes Secret resource; see README for more details
-  rabbitmq_existingSecret: '' 
-  pgdb_existingSecret: ''
-  doc_store_existingSecret: ''
-  app_env_existingSecret: ''
-  live_env_existingSecret: ''
-
-env:
-
-  # NEXT_PUBLIC_DEPLOY_URL:  ""
-  # REDIS
-  remote_redis_url: "" #INCASE OF REMOTE REDIS ONLY
-  
-  # POSTGRES DB VALUES
-  pgdb_username: plane
-  pgdb_password: plane
-  pgdb_name: plane
-  pgdb_remote_url: "" #INCASE OF REMOTE PG DB URL ONLY
-
-  # DATA STORE
-  docstore_bucket: "uploads"
-  doc_upload_size_limit: "5242880" # 5MB
-
-  # REQUIRED IF MINIO LOCAL SETUP IS FALSE
-  aws_access_key: ""
-  aws_secret_access_key: ""
-  aws_region: ""
-  aws_s3_endpoint_url: ""
-
-  secret_key: "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5"
-
-  sentry_dsn: ""
-  sentry_environment: ""
-
-  cors_allowed_origins: ""
-  default_cluster_domain: cluster.local
-
-  live_sentry_dsn: ""
-  live_sentry_environment: ""
-  live_sentry_traces_sample_rate: ""
-
-  api_key_rate_limit: "60/minute"
-
--- a/argocd/apps/praktikum/values-praktikum.yaml
+++ b/argocd/apps/praktikum/values-praktikum.yaml
@@ -0,0 +1,46 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: praktikum
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/praktikum'
+    targetRevision: 0.*.*
+    chart: praktikum
+    helm:
+      values: |
+        ingress:
+          enabled: true
+          className: traefik
+          annotations:
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+          hosts:
+            - praktikum.innovation-hub-niedersachsen.de
+          tls:
+            - secretName: praktikum-tls
+              hosts:
+                - praktikum.innovation-hub-niedersachsen.de
+        
+        persistence:
+          enabled: true
+          storageClass: longhorn
+          size: 5Gi
+          accessMode: ReadWriteOnce
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: praktikum
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/seaweedfs/admin-s3-secrets.yaml
+++ b/argocd/apps/seaweedfs/admin-s3-secrets.yaml
@@ -1,44 +1,46 @@
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: admin-s3-secret
-  namespace: seaweedfs
-  labels:
-    app.kubernetes.io/name: seaweedfs
-    app.kubernetes.io/component: seaweedfs-s3
-
-stringData:
-  seaweedfs_s3_config: |
-    {
-      "identities": [
-        {
-          "name": "admin",
-          "credentials": [
-            {
-              "accessKey": "wjpKrmaqXra99rX3D61H",
-              "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
-            }
-          ],
-          "actions": [
-            "Admin",
-            "Read",
-            "Write"
-          ]
-        },
-        {
-          "name": "openproject",
-          "credentials": [
-            {
-              "accessKey": "K7mNpQ2vRxL9wYtH3Zc8",
-              "secretKey": "jX9fK2mP5nQ8rT1vW4yZ7bN0cM3hL6gF9dS2aE5k"
-            }
-          ],
-          "actions": [
-            "Admin",
-            "Read",
-            "Write"
-          ]
-        }
-      ]
-    }
+#apiVersion: v1
+#kind: Secret
+#type: Opaque
+#metadata:
+#  name: admin-s3-secret
+#  namespace: seaweedfs
+#  labels:
+#    app.kubernetes.io/name: seaweedfs
+#    app.kubernetes.io/component: seaweedfs-s3
+#
+#stringData:
+#  seaweedfs_s3_config: |
+#    {
+#      "identities": [
+#        {
+#          "name": "tatort",
+#          "credentials": [
+#            {
+#              "accessKey": "wjpKrmaqXra99rX3D61H",
+#              "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+#            }
+#          ],
+#          "actions": ["Read", "Write", "Admin"]
+#        },
+#        {
+#          "name": "plane",
+#          "credentials": [
+#            {
+#              "accessKey": "a0ccb47cc0994bf51ecd",
+#              "secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
+#            }
+#          ],
+#          "actions": ["Read", "Write", "Admin"]
+#        },
+#        {
+#          "name": "n8n",
+#          "credentials": [
+#            {
+#              "accessKey": "WPpTwIoSMgrPChsS3rdS",
+#              "secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
+#            }
+#          ],
+#          "actions": ["Read", "Write", "Admin"]
+#        }
+#      ]
+#    }
--- a/argocd/apps/seaweedfs/seaweedfs-jwt-secret.yaml
+++ b/argocd/apps/seaweedfs/seaweedfs-jwt-secret.yaml
@@ -1,10 +1,10 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: seaweedfs-jwt
-  namespace: seaweedfs
-stringData:
-  jwt.json: |
-    {
-      "secret": "inno-super-secret-key"
-    }
+#apiVersion: v1
+#kind: Secret
+#metadata:
+#  name: seaweedfs-jwt
+#  namespace: seaweedfs
+#stringData:
+#  jwt.json: |
+#    {
+#      "secret": "inno-super-secret-key"
+#    }
--- a/argocd/apps/seaweedfs/seaweedfs.yaml
+++ b/argocd/apps/seaweedfs/seaweedfs.yaml
@@ -1,73 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: seaweedfs
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  source:
-    repoURL: 'https://seaweedfs.github.io/seaweedfs/helm'
-    chart: seaweedfs
-    targetRevision: 4.*.*
-    helm:
-      values: |
-        master:
-          enabled: true
-          replicas: 1
-
-        volume:
-          enabled: true
-          replicas: 1
-
-        filer:
-          enabled: true
-          replicas: 1
-
-        s3:
-          enabled: true
-          replicas: 1
-          port: 8333
-          httpsPort: 8433
-          enableAuth: true
-          existingConfigSecret: "admin-s3-secret"
-          ingress:
-            enabled: true
-            className: "traefik"
-            host: "sws3.innovation-hub-niedersachsen.de"
-            # additional ingress annotations for the s3 endpoint
-            annotations:
-              kubernetes.io/ingress.class: "traefik"
-              traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
-              traefik.ingress.kubernetes.io/router.tls: "true"
-              cert-manager.io/cluster-issuer: "lets-encrypt"
-              # traefik.ingress.kubernetes.io/headers.customRequestHeaders: |
-              #  X-Forwarded-Proto = https
-              #traefik.ingress.kubernetes.io/headers.customResponseHeaders: |
-              #  Access-Control-Allow-Origin: "*"
-              #  Access-Control-Allow-Methods: "GET, OPTIONS, PUT, POST, DELETE"
-              #  Access-Control-Allow-Headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
-              #  Access-Control-Expose-Headers: "Content-Length,Content-Range"
-              #  Referrer-Policy: no-referrer-when-downgrade
-            hosts:
-              - host: "sws3.innovation-hub-niedersachsen.de"
-                paths:
-                  - path: /
-                    pathType: Prefix
-            tls:
-              - secretName: "sws3.innovation-hub-niedersachsen.de-tls"
-                hosts:
-                  - "sws3.innovation-hub-niedersachsen.de"
-                  
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: seaweedfs
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        pod-security.kubernetes.io/enforce: "privileged"
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/apps/seaweedfs/values-seaweedfs.yaml
+++ b/argocd/apps/seaweedfs/values-seaweedfs.yaml
@@ -0,0 +1,108 @@
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: seaweedfs
+#  finalizers:
+#    - resources-finalizer.argocd.argoproj.io
+#spec:
+#  project: default
+#  source:
+#    repoURL: "https://seaweedfs.github.io/seaweedfs/helm"
+#    chart: seaweedfs
+#    targetRevision: "4.*.*"
+#    helm:
+#      values: |
+#        global:
+#          extraEnvironmentVars:
+#            WEED_CLUSTER_DEFAULT: "sw"
+#            WEED_CLUSTER_SW_MASTER: "seaweedfs-master.seaweedfs:9333"
+#            WEED_CLUSTER_SW_FILER: "seaweedfs-filer.seaweedfs:8888"
+#
+#        master:
+#          enabled: true
+#          replicas: 1
+#          data:
+#            type: existingClaim
+#            claimName: seaweedfs-master-data-longhorn
+#
+#        volume:
+#          enabled: true
+#          replicas: 1
+#          dataDirs:
+#            - name: data1
+#              type: existingClaim
+#              claimName: seaweedfs-volume-data-longhorn
+#              maxVolumes: 0
+#          idx:
+#            type: existingClaim
+#            claimName: seaweedfs-volume-idx-longhorn
+#
+#        filer:
+#          enabled: true
+#          replicas: 1
+#          data:
+#            type: existingClaim
+#            claimName: seaweedfs-filer-data-longhorn
+#          # s3:
+#          #  enabled: false
+#          #  port: 8333
+#          #  domainName: "sws3.innovation-hub-niedersachsen.de"
+#          #  allowEmptyFolder: true
+#          #  enableAuth: true
+#          #  allowDeleteBucketNotEmpty: true
+#
+#        s3:
+#          enabled: true
+#          replicas: 1
+#          port: 8333
+#          enableAuth: true
+#          existingConfigSecret: admin-s3-secret
+#          existingConfigSecretKey: seaweedfs_s3_config
+#
+#          extraEnvironmentVars:
+#            WEED_S3_ALLOWED_ORIGINS: "*"
+#            WEED_FILER: "seaweedfs-filer.seaweedfs.svc.cluster.local:8888"
+#          extraArgs:
+#            - "-allowedOrigins=*"
+#            - "-filer=seaweedfs-filer.seaweedfs:8888"
+#
+#          service:
+#            type: ClusterIP
+#            ports:
+#              - name: http
+#                port: 8333
+#                targetPort: 8333
+#                protocol: TCP
+#
+#          ingress:
+#            enabled: true
+#            className: traefik
+#            annotations:
+#              traefik.ingress.kubernetes.io/router.entrypoints: websecure
+#              traefik.ingress.kubernetes.io/router.tls: "true"
+#              cert-manager.io/cluster-issuer: "lets-encrypt"
+#              traefik.ingress.kubernetes.io/router.middlewares: seaweedfs-s3-cors@kubernetescrd
+#            host: "sws3.innovation-hub-niedersachsen.de"  
+#            hosts:
+#              - host: sws3.innovation-hub-niedersachsen.de
+#                paths:
+#                  - path: /
+#                    pathType: Prefix
+#            tls:
+#              - secretName: sws3.innovation-hub-niedersachsen.de-tls
+#                hosts:
+#                  - sws3.innovation-hub-niedersachsen.de
+#
+#  destination:
+#    server: "https://kubernetes.default.svc"
+#    namespace: seaweedfs
+#
+#  syncPolicy:
+#    managedNamespaceMetadata:
+#      labels:
+#        pod-security.kubernetes.io/enforce: "privileged"
+#    automated:
+#      selfHeal: true
+#      prune: true
+#    syncOptions:
+#      - CreateNamespace=true
--- a/argocd/apps/wekan/values-wekan.yaml
+++ b/argocd/apps/wekan/values-wekan.yaml
@@ -9,22 +9,67 @@ spec:
  source:
    repoURL: 'https://wekan.github.io/charts/'
    chart: wekan
-    targetRevision: 8.0.0
+    targetRevision: 7.97.0
    helm:
      values: |
        replicaCount: 1
        dbname: wekan
        env:
-          - name: "MONGO_URL"
-            value: "mongodb://wekan-mongodb:27017"
+          - name: MONGO_URL
+            value: mongodb://wekan-mongodb:27017/wekan
          - name: MAIL_URL
            value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
          - name: MAIL_FROM
            value: Noreplay admin@innovation-hub-niedersachsen.de
+          - name: OAUTH2_ENABLED
+            value: "true"
+          - name: OAUTH2_LOGIN_STYLE
+            value: "redirect"
+          - name: OAUTH2_CLIENT_ID
+            value: "wekan"
+          - name: OAUTH2_SERVER_URL
+            value: "https://keycloak.innovation-hub-niedersachsen.de"
+          - name: OAUTH2_AUTH_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/auth"
+          - name: OAUTH2_USERINFO_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/userinfo"
+          - name: OAUTH2_TOKEN_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/token"
+          - name: OAUTH2_SECRET
+            value: "vp1kG3WgUdPCUAWvECZbAmBdST6Vgm0I"
+          - name: OAUTH2_ID_MAP
+            value: "sub"
+          - name: OAUTH2_USERNAME_MAP
+            value: "preferred_username"
+          - name: OAUTH2_EMAIL_MAP
+            value: "email"
+          - name: OAUTH2_FULLNAME_MAP
+            value: "name"
+          - name: OAUTH2_ADFS_ENABLED
+            value: "false"
+          - name: OAUTH2_B2C_ENABLED
+            value: "false"
+          - name: OAUTH2_REQUEST_PERMISSIONS
+            value: "openid profile email"        

        end_point: wekan.innovation-hub-niedersachsen.de
        root_url: https://wekan.innovation-hub-niedersachsen.de
        
+        # Probe-Einstellungen anpassen
+        livenessProbe:
+          enabled: true
+          initialDelaySeconds: 60
+          periodSeconds: 15
+          timeoutSeconds: 10
+          failureThreshold: 5
+        
+        readinessProbe:
+          enabled: true
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          timeoutSeconds: 10
+          failureThreshold: 3
+        
        ingress:
          enabled: true
          annotations: 
@@ -41,8 +86,19 @@ spec:
        route:
          enabled: false

+        sharedDataFolder:
+          enabled: true
+          storageClass: longhorn
+      
        mongodb:
          enabled: true
+          image:
+            tag: 7.0.28
+          storage:
+            className: longhorn
+          nodeSelector:
+            kubernetes.io/hostname: k3s-prod
+
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: wekan
@@ -51,7 +107,6 @@ spec:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
-      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/wekantest/values-wekantest.yaml
+++ b/argocd/apps/wekantest/values-wekantest.yaml
@@ -0,0 +1,110 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wekantest
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://wekan.github.io/charts/'
+    chart: wekan
+    targetRevision: 8.*.*
+    helm:
+      values: |
+        replicaCount: 1
+        dbname: wekan
+        env:
+          - name: MONGO_URL
+            value: mongodb://wekantest-mongodb:27017/wekan
+          - name: MAIL_URL
+            value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
+          - name: MAIL_FROM
+            value: Noreplay admin@innovation-hub-niedersachsen.de
+          - name: OAUTH2_ENABLED
+            value: "true"
+          - name: OAUTH2_LOGIN_STYLE
+            value: "redirect"
+          - name: OAUTH2_CLIENT_ID
+            value: "wekantest"
+          - name: OAUTH2_SERVER_URL
+            value: "https://keycloak.innovation-hub-niedersachsen.de"
+          - name: OAUTH2_AUTH_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/auth"
+          - name: OAUTH2_USERINFO_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/userinfo"
+          - name: OAUTH2_TOKEN_ENDPOINT
+            value: "/realms/innohub/protocol/openid-connect/token"
+          - name: OAUTH2_SECRET
+            value: "cOJpL4jiiA6OL8fFqA3lb4KCbxjjl7AQ"
+          - name: OAUTH2_ID_MAP
+            value: "sub"
+          - name: OAUTH2_USERNAME_MAP
+            value: "preferred_username"
+          - name: OAUTH2_EMAIL_MAP
+            value: "email"
+          - name: OAUTH2_FULLNAME_MAP
+            value: "name"
+          - name: OAUTH2_ADFS_ENABLED
+            value: "false"
+          - name: OAUTH2_B2C_ENABLED
+            value: "false"
+          - name: OAUTH2_REQUEST_PERMISSIONS
+            value: "openid profile email"
+
+        end_point: wekantest.innovation-hub-niedersachsen.de
+        root_url: https://wekantest.innovation-hub-niedersachsen.de
+        
+        # Probe-Einstellungen anpassen
+        livenessProbe:
+          enabled: true
+          initialDelaySeconds: 60
+          periodSeconds: 15
+          timeoutSeconds: 10
+          failureThreshold: 5
+        
+        readinessProbe:
+          enabled: true
+          initialDelaySeconds: 20
+          periodSeconds: 15
+          timeoutSeconds: 10
+          failureThreshold: 3
+        
+        ingress:
+          enabled: true
+          annotations: 
+            kubernetes.io/ingress.class: traefik
+            traefik.ingress.kubernetes.io/router.entrypoints: websecure
+            traefik.ingress.kubernetes.io/router.tls: "true"
+            cert-manager.io/cluster-issuer: lets-encrypt
+          hosts:
+            - wekantest.innovation-hub-niedersachsen.de
+          tls:
+            - secretName: wekantest-tls
+              hosts:
+                - wekantest.innovation-hub-niedersachsen.de
+        route:
+          enabled: false
+
+        sharedDataFolder:
+          enabled: true
+          storageClass: longhorn
+      
+        mongodb:
+          enabled: true
+          storage:
+            className: longhorn
+          nodeSelector:
+            kubernetes.io/hostname: k3s-prod
+
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: wekantest
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels: 
+        pod-security.kubernetes.io/enforce: "privileged"
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/apps/wordpress/wordpress.yaml
+++ b/argocd/apps/wordpress/wordpress.yaml
@@ -9,7 +9,7 @@ spec:
  source:
    repoURL: 'registry-1.docker.io/bitnamicharts'
    path: wordpress
-    targetRevision: 27.*.*
+    targetRevision: 28.*.*
    chart: wordpress
    helm:
      parameters:
--- a/config/.idea/.gitignore
+++ b/config/.idea/.gitignore
@@ -0,0 +1,10 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Ignored default folder with query files
+/queries/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
+# Editor-based HTTP Client requests
+/httpRequests/
--- a/config/.idea/IntelliLang.xml
+++ b/config/.idea/IntelliLang.xml
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="LanguageInjectionConfiguration">
+    <injection language="SQL" injector-id="java">
+      <display-name>AsyncQueryRunner (org.apache.commons.dbutils)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameterCount(2).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("insertBatch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("batch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("insertBatch").withParameterCount(4).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>Jodd (jodd.db)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query").withParameterCount(1).definedInClass("jodd.db.DbQuery"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("DbQuery").withParameterCount(2).definedInClass("jodd.db.DbQuery"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query").withParameterCount(2).definedInClass("jodd.db.DbQuery"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(2, psiMethod().withName("DbQuery").withParameterCount(3).definedInClass("jodd.db.DbQuery"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>MyBatis @Select/@Delete/@Insert/@Update</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Delete")]]></place>
+      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Insert")]]></place>
+      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Select")]]></place>
+      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Update")]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>QueryRunner (org.apache.commons.dbutils)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameterCount(2).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("insertBatch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert", "execute").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update", "execute").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("batch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("insertBatch").withParameterCount(4).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert", "execute").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update", "execute").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>R2DBC (io.r2dbc)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("add").definedInClass("io.r2dbc.spi.Batch"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("createStatement").definedInClass("io.r2dbc.spi.Connection"))]]></place>
+    </injection>
+    <injection language="PostgreSQL" injector-id="java">
+      <display-name>Reactiverse Postgres Client (io.reactiverse)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgTransaction"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgPool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgTransaction"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.axle.pgclient.PgClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgPool"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>SmallRye Axle SqlClient (io.vertx.axle.sqlclient)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.axle.sqlclient.Pool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.axle.sqlclient.SqlClient"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>SmallRye Mutiny SqlClient (io.vertx.mutiny.sqlclient)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mutiny.sqlclient.Pool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mutiny.sqlclient.SqlClient"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>SmallRye Mutiny SqlConnection (io.vertx.mutiny.sqlclient)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.db2client.DB2Connection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.mssqlclient.MSSQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.mysqlclient.MySQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.pgclient.PgConnection"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>Vert.x SQL Extensions (io.vertx.ext.sql)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.ext.sql.SQLClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.ext.sql.SQLOperations"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams").definedInClass("io.vertx.ext.sql.SQLConnection"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>Vert.x SQL Reactive Extensions (io.vertx.reactivex.ext.sql)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLOperations"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams", "rxQuerySingle", "rxQuerySingleWithParams", "rxQuery", "rxQueryWithParams", "rxQueryStream", "rxQueryStreamWithParams", "rxUpdate", "rxUpdateWithParams", "rxCall", "rxCallWithParams", "rxExecute", "rxBatchWithParams", "rxBatchCallableWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams", "rxQuerySingle", "rxQuerySingleWithParams", "rxQuery", "rxQueryWithParams", "rxQueryStream", "rxQueryStreamWithParams", "rxUpdate", "rxUpdateWithParams", "rxCall", "rxCallWithParams", "rxExecute", "rxBatchWithParams", "rxBatchCallableWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.AsyncSQLClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.MySQLClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.PostgreSQLClient"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>Vert.x SqlClient (io.vertx.sqlclient)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mssqlclient.MSSQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mysqlclient.MySQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.pgclient.PgConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.Pool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.SqlClient"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.SqlConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.Transaction"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>Vert.x SqlClient RxJava2 (io.vertx.reactivex.sqlclient)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.mysqlclient.MySQLConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.pgclient.PgConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.SqlConnection"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.Transaction"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.mysqlclient.MySQLPool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.pgclient.PgPool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.Pool"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.SqlClient"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>jOOQ (org.jooq.DSLContext)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameters("java.lang.String", "java.lang.Object[]...").definedInClass("org.jooq.DSLContext"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "fetch", "fetchLazy", "fetchAsync", "fetchStream", "fetchMany", "fetchOne", "fetchSingle", "fetchOptional", "fetchValue", "fetchOptionalValue", "fetchValues", "execute", "resultQuery").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.jooq.DSLContext"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "fetch", "fetchLazy", "fetchAsync", "fetchStream", "fetchMany", "fetchOne", "fetchSingle", "fetchOptional", "fetchValue", "fetchOptionalValue", "fetchValues", "execute", "resultQuery", "batch").withParameters("java.lang.String").definedInClass("org.jooq.DSLContext"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(psiMethod().withName("batch").withParameters("java.lang.String...").definedInClass("org.jooq.DSLContext"))]]></place>
+    </injection>
+    <injection language="SQL" injector-id="java">
+      <display-name>rxjava2-jdbc (org.davidmoten.rx.jdbc)</display-name>
+      <single-file value="true" />
+      <place><![CDATA[psiMethod().withName("value").definedInClass("org.davidmoten.rx.jdbc.annotations.Query")]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("call", "select", "update").definedInClass("org.davidmoten.rx.jdbc.Database"))]]></place>
+      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("call", "select", "update").definedInClass("org.davidmoten.rx.jdbc.TransactedBuilder"))]]></place>
+    </injection>
+  </component>
+</project>
--- a/config/.idea/config.iml
+++ b/config/.idea/config.iml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
--- a/config/.idea/misc.xml
+++ b/config/.idea/misc.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2">
+    <output url="file://$PROJECT_DIR$/out" />
+  </component>
+</project>
--- a/config/.idea/modules.xml
+++ b/config/.idea/modules.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/config.iml" filepath="$PROJECT_DIR$/.idea/config.iml" />
+    </modules>
+  </component>
+</project>
--- a/config/.idea/vcs.xml
+++ b/config/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>
--- a/config/brain/brain-ingressroute.yaml
+++ b/config/brain/brain-ingressroute.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: brain-stripprefix
+  namespace: kube-system
+spec:
+  stripPrefix:
+    prefixes:
+      - /
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: brain-transport
+  namespace: kube-system
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: brain-external
+  namespace: kube-system
+  annotations:
+    cert-manager.io/cluster-issuer: "lets-encrypt"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`brain.innovation-hub-niedersachsen.de`)
+      kind: Rule
+      services:
+        - name: brain-external-service
+          port: 8083
+          scheme: http
+          serversTransport: brain-transport
+      middlewares:
+        - name: brain-stripprefix
+  tls:
+    secretName: brain-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: brain-external-service
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: 192-168-4-106.nip.io
+  ports:
+    - port: 8083
+      targetPort: 8083
--- a/config/minio/minio-policies-configmap.yaml
+++ b/config/minio/minio-policies-configmap.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: minio-policies
+  namespace: minio
+data:
+  # Policy: Vollzugriff auf tatort
+  policy-tatort.json: |
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetBucketLocation",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads"
+          ],
+          "Resource": ["arn:aws:s3:::tatort"]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListMultipartUploadParts",
+            "s3:AbortMultipartUpload"
+          ],
+          "Resource": ["arn:aws:s3:::tatort/*"]
+        }
+      ]
+    }
+
+  # Policy: Vollzugriff auf tatort-dev
+  policy-tatort-dev.json: |
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetBucketLocation",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads"
+          ],
+          "Resource": ["arn:aws:s3:::tatort-dev"]
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "s3:GetObject",
+            "s3:PutObject",
+            "s3:DeleteObject",
+            "s3:ListMultipartUploadParts",
+            "s3:AbortMultipartUpload"
+          ],
+          "Resource": ["arn:aws:s3:::tatort-dev/*"]
+        }
+      ]
+    }
--- a/config/minio/minio-setup-job.yaml
+++ b/config/minio/minio-setup-job.yaml
@@ -0,0 +1,77 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: minio-setup-users
+  namespace: minio
+spec:
+  ttlSecondsAfterFinished: 600
+  backoffLimit: 5
+  template:
+    spec:
+      restartPolicy: OnFailure
+      volumes:
+        - name: policies
+          configMap:
+            name: minio-policies
+      containers:
+        - name: mc
+          image: minio/mc:latest
+          volumeMounts:
+            - name: policies
+              mountPath: /policies
+          env:
+            - name: MINIO_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: minio
+                  key: root-password
+            - name: TATORT_ACCESS
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-access-key
+            - name: TATORT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-secret-key
+            - name: TATORT_DEV_ACCESS
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-dev-access-key
+            - name: TATORT_DEV_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: minio-users
+                  key: tatort-dev-secret-key
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -e
+
+              echo "Warte auf MinIO..."
+              sleep 10
+
+              echo "Verbinde mit MinIO..."
+              mc alias set myminio http://minio:9000 admin $MINIO_ROOT_PASSWORD
+
+              echo "Erstelle Buckets (falls nicht vorhanden)..."
+              mc mb --ignore-existing myminio/tatort
+              mc mb --ignore-existing myminio/tatort-dev
+
+              echo "Erstelle Policies..."
+              mc admin policy create myminio policy-tatort /policies/policy-tatort.json || true
+              mc admin policy create myminio policy-tatort-dev /policies/policy-tatort-dev.json || true
+
+              echo "Erstelle Benutzer..."
+              mc admin user add myminio $TATORT_ACCESS $TATORT_SECRET || true
+              mc admin user add myminio $TATORT_DEV_ACCESS $TATORT_DEV_SECRET || true
+
+              echo "Weise Policies zu..."
+              mc admin policy attach myminio policy-tatort --user $TATORT_ACCESS
+              mc admin policy attach myminio policy-tatort-dev --user $TATORT_DEV_ACCESS
+
+              echo "Setup abgeschlossen!"
+              mc admin user list myminio
--- a/config/minio/minio-users-secret.yaml
+++ b/config/minio/minio-users-secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-users
+  namespace: minio
+type: Opaque
+stringData:
+  # tatort: Zugriff nur auf tatort
+  tatort-access-key: "GxKhfnfkNvlDU7qzsz0D"
+  tatort-secret-key: "cqSM5rIRr4MPtqzu2sNKgmB9k2OghPbyxwAWogeM"
+  # tatort-dev: Zugriff nur auf tatort-dev
+  tatort-dev-access-key: "AbCdEfGhIjKlMnOpQrSt"
+  tatort-dev-secret-key: "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
--- a/config/passbolt/passbolt-ingressroute.yaml
+++ b/config/passbolt/passbolt-ingressroute.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: passbolt-stripprefix
+  namespace: kube-system
+spec:
+  stripPrefix:
+    prefixes:
+      - /
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: passbolt-transport
+  namespace: kube-system
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: passbolt-external
+  namespace: kube-system
+  annotations:
+    cert-manager.io/cluster-issuer: "lets-encrypt"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`passbolt.innovation-hub-niedersachsen.de`)
+      kind: Rule
+      services:
+        - name: passbolt-external-service
+          port: 3001
+          scheme: http
+          serversTransport: passbolt-transport
+      middlewares:
+        - name: passbolt-stripprefix
+  tls:
+    secretName: passbolt-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: passbolt-external-service
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: 192-168-4-106.nip.io
+  ports:
+    - port: 3001
+      targetPort: 3001
--- a/config/seaweedfs/admin-s3-secrets.yaml
+++ b/config/seaweedfs/admin-s3-secrets.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: admin-s3-secret
+  namespace: seaweedfs
+  labels:
+    app.kubernetes.io/name: seaweedfs
+    app.kubernetes.io/component: seaweedfs-s3
+
+stringData:
+  seaweedfs_s3_config: |
+    {
+      "identities": [
+        {
+          "name": "tatort",
+          "credentials": [
+            {
+              "accessKey": "wjpKrmaqXra99rX3D61H",
+              "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
+            }
+          ],
+          "actions": ["Read", "Write", "Admin"]
+        },
+        {
+          "name": "plane",
+          "credentials": [
+            {
+              "accessKey": "a0ccb47cc0994bf51ecd",
+              "secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
+            }
+          ],
+          "actions": ["Read", "Write", "Admin"]
+        },
+        {
+          "name": "n8n",
+          "credentials": [
+            {
+              "accessKey": "WPpTwIoSMgrPChsS3rdS",
+              "secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
+            }
+          ],
+          "actions": ["Read", "Write", "Admin"]
+        }
+      ]
+    }
--- a/config/seaweedfs/backup/astronaut.glb
+++ b/config/seaweedfs/backup/astronaut.glb
--- a/config/seaweedfs/backup/recovery/tatort_60.dat
+++ b/config/seaweedfs/backup/recovery/tatort_60.dat
--- a/config/seaweedfs/backup/recovery/tatort_62.dat
+++ b/config/seaweedfs/backup/recovery/tatort_62.dat
--- a/config/seaweedfs/backup/recovery/uploads_110.dat
+++ b/config/seaweedfs/backup/recovery/uploads_110.dat
--- a/config/seaweedfs/backup/recovery/uploads_111.dat
+++ b/config/seaweedfs/backup/recovery/uploads_111.dat
--- a/config/seaweedfs/backup/recovery/uploads_112.dat
+++ b/config/seaweedfs/backup/recovery/uploads_112.dat
--- a/config/seaweedfs/backup/recovery/uploads_113.dat
+++ b/config/seaweedfs/backup/recovery/uploads_113.dat
--- a/config/seaweedfs/backup/recovery/uploads_114.dat
+++ b/config/seaweedfs/backup/recovery/uploads_114.dat
--- a/config/seaweedfs/backup/tatort_62.dat
+++ b/config/seaweedfs/backup/tatort_62.dat
--- a/config/seaweedfs/backup/tatort_large.bin
+++ b/config/seaweedfs/backup/tatort_large.bin
--- a/config/vaultwarden/vaultwarden-ingressroute.yaml
+++ b/config/vaultwarden/vaultwarden-ingressroute.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: vaultwarden-stripprefix
+  namespace: kube-system
+spec:
+  stripPrefix:
+    prefixes:
+      - /
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: vaultwarden-transport
+  namespace: kube-system
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vaultwarden-external
+  namespace: kube-system
+  annotations:
+    cert-manager.io/cluster-issuer: "lets-encrypt"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`vaultwarden.innovation-hub-niedersachsen.de`)
+      kind: Rule
+      services:
+        - name: vaultwarden-external-service
+          port: 3003
+          scheme: http
+          serversTransport: vaultwarden-transport
+      middlewares:
+        - name: vaultwarden-stripprefix
+  tls:
+    secretName: vaultwarden-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden-external-service
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: 192-168-4-106.nip.io
+  ports:
+    - port: 3003
+      targetPort: 3003