mrknow traefik config

mrknow certificate in cert-manager
wekan and keycloak
2026-01-15 14:40:49 +01:00 · 2026-01-15 14:35:15 +01:00 · 2026-01-08 15:49:13 +01:00 · 2026-01-08 15:44:42 +01:00 · 2026-01-08 15:38:53 +01:00 · 2026-01-08 15:24:21 +01:00
74 changed files with 2579 additions and 553 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 .DS_Store
--- a/argocd/apps/.gitignore
+++ b/argocd/apps/.gitignore
@@ -0,0 +1 @@
 .idea
--- a/argocd/apps/argocd/argocd.yaml
+++ b/argocd/apps/argocd/argocd.yaml
@@ -8,7 +8,7 @@ spec:
  project: default
  source:
    repoURL: 'https://argoproj.github.io/argo-helm'
-    targetRevision: 8.* 
+    targetRevision: 9.* 
    helm:
      parameters:
        - name: 'server.extraArgs[0]'
--- a/argocd/apps/cert-manager-dev/cert-manager-dev.yaml
+++ b/argocd/apps/cert-manager-dev/cert-manager-dev.yaml
@@ -10,7 +10,7 @@ spec:
  project: default
  sources:
    - repoURL: https://charts.jetstack.io
-      targetRevision: v1.18.*
+      targetRevision: v1.19.*
      chart: cert-manager
      helm:
        version: v3
--- a/argocd/apps/cert-manager/cert-manager.yaml
+++ b/argocd/apps/cert-manager/cert-manager.yaml
@@ -10,7 +10,7 @@ spec:
  project: default
  sources:
    - repoURL: https://charts.jetstack.io
-      targetRevision: v1.18.*
+      targetRevision: v1.19.*
      chart: cert-manager
      helm:
        version: v3
--- a/argocd/apps/cert-manager/include/brain-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/brain-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-brain
  namespace: kube-system
 spec:
  secretName: brain-tls
  commonName: 'brain.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'brain.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/keycloak-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/keycloak-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-keycloak
  namespace: kube-system
 spec:
  secretName: keycloak-tls
  commonName: 'keycloak.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'keycloak.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/mantisbt-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/mantisbt-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-mantisbt
  namespace: kube-system
 spec:
  secretName: mantisbt-tls
  commonName: 'mantisbt.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'mantisbt.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/mrknow-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/mrknow-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-mrknow
  namespace: kube-system
 spec:
  secretName: mrknow-tls
  commonName: 'mrknow.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'mrknow.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/openproject-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/openproject-cerficate.yaml
@@ -1,14 +1,14 @@
-#apiVersion: cert-manager.io/v1
+apiVersion: cert-manager.io/v1
-#kind: Certificate
+kind: Certificate
-#metadata:
+metadata:
-#  name: innovation-hub-niedersachsen.de-openproject
+  name: innovation-hub-niedersachsen.de-openproject
-#  namespace: kube-system
+  namespace: kube-system
-#spec:
+spec:
-#  secretName: openproject-tls
+  secretName: openproject-tls
-#  commonName: 'openproject.innovation-hub-niedersachsen.de'
+  commonName: 'openproject.innovation-hub-niedersachsen.de'
-#  dnsNames:
+  dnsNames:
-#    - 'openproject.innovation-hub-niedersachsen.de'
+    - 'openproject.innovation-hub-niedersachsen.de'
-#  issuerRef:
+  issuerRef:
-#    name: lets-encrypt-staging
+    name: lets-encrypt
-#    kind: ClusterIssuer
+    kind: ClusterIssuer
-#    group: cert-manager.io
+    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/passbolt-certificate.yaml
+++ b/argocd/apps/cert-manager/include/passbolt-certificate.yaml
@@ -0,0 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: passbolt-cert
  namespace: kube-system
 spec:
  secretName: passbolt-tls
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
  commonName: passbolt.innovation-hub-niedersachsen.de
  dnsNames:
    - passbolt.innovation-hub-niedersachsen.de
--- a/argocd/apps/cert-manager/include/plane-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/plane-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-plane
  namespace: kube-system
 spec:
  secretName: plane-tls
  commonName: 'plane.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'plane.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/qrdoc-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/qrdoc-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.qrdoc
  namespace: kube-system
 spec:
  secretName: qrdoc.innovation-hub-niedersachsen.de-tls
  commonName: 'qrdoc.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'qrdoc.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/sws3-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/sws3-cerficate.yaml
@@ -1,14 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.sws3
  namespace: kube-system
 spec:
  secretName: sws3.innovation-hub-niedersachsen.de-tls
  commonName: 'sws3.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'sws3.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/cert-manager/include/vaultwarden-certificate.yaml
+++ b/argocd/apps/cert-manager/include/vaultwarden-certificate.yaml
@@ -0,0 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: vaultwarden-cert
  namespace: kube-system
 spec:
  secretName: vaultwarden-tls
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
  commonName: vaultwarden.innovation-hub-niedersachsen.de
  dnsNames:
    - vaultwarden.innovation-hub-niedersachsen.de
--- a/argocd/apps/cert-manager/include/wekantest-cerficate.yaml
+++ b/argocd/apps/cert-manager/include/wekantest-cerficate.yaml
@@ -0,0 +1,14 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: innovation-hub-niedersachsen.de-wekantest
  namespace: kube-system
 spec:
  secretName: wekantest-tls
  commonName: 'wekantest.innovation-hub-niedersachsen.de'
  dnsNames:
    - 'wekantest.innovation-hub-niedersachsen.de'
  issuerRef:
    name: lets-encrypt
    kind: ClusterIssuer
    group: cert-manager.io
--- a/argocd/apps/dashboard/kubernetes-dashboard.yaml
+++ b/argocd/apps/dashboard/kubernetes-dashboard.yaml
@@ -1,47 +1,47 @@
-apiVersion: argoproj.io/v1alpha1
+#apiVersion: argoproj.io/v1alpha1
-kind: Application
+#kind: Application
-metadata:
+#metadata:
-  name: dashboard
+#  name: dashboard
-  finalizers:
+#  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+#  - resources-finalizer.argocd.argoproj.io
-spec:
+#spec:
-  project: default
+#  project: default
-  source:
+#  source:
-    repoURL: 'https://kubernetes.github.io/dashboard/'
+#    repoURL: 'https://kubernetes.github.io/dashboard/'
-    targetRevision: 7.*.*
+#    targetRevision: 7.*.*
-    helm:
+#    helm:
-      parameters:
+#      parameters:
-        - name: 'ingress.enabled'
+#        - name: 'ingress.enabled'
-          value: 'true'
+#          value: 'true'
-        - name: ingress.host
+#        - name: ingress.host
-          value: 'dashboard.innohub.local'
+#          value: 'dashboard.innohub.local'
-        - name: 'ingress.tls[0].hosts[0]'
+#        - name: 'ingress.tls[0].hosts[0]'
-          value: 'dashboard.innohub.local'
+#          value: 'dashboard.innohub.local'
-        - name: 'ingress.tls[0].secretName'
+#        - name: 'ingress.tls[0].secretName'
-          value: dashboard-tls
+#          value: dashboard-tls
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: websecure
+#          value: websecure
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
+#          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
+#          value: 'true'
-          forceString: true
+#          forceString: true
-        - name: serversTransport
+#        - name: serversTransport
-          value: 'no-verify-tls'
+#          value: 'no-verify-tls'
-#        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+##        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-#          value: lets-encrypt
+##          value: lets-encrypt
-        - name: persistence.enabled
+#        - name: persistence.enabled
-          value: 'true'
+#          value: 'true'
-    chart: kubernetes-dashboard
+#    chart: kubernetes-dashboard
-  destination:
+#  destination:
-    server: 'https://kubernetes.default.svc'
+#    server: 'https://kubernetes.default.svc'
-    namespace: kubernetes-dashboard
+#    namespace: kubernetes-dashboard
-  syncPolicy:
+#  syncPolicy:
-#    managedNamespaceMetadata:
+##    managedNamespaceMetadata:
-#      labels: 
+##      labels: 
-#        pod-security.kubernetes.io/enforce: 'privileged'
+##        pod-security.kubernetes.io/enforce: 'privileged'
-    automated:
+#    automated:
-      selfHeal: true
+#      selfHeal: true
-      prune: true
+#      prune: true
-    syncOptions:
+#    syncOptions:
-      - CreateNamespace=true
+#      - CreateNamespace=true
--- a/argocd/apps/grafana/grafana.yaml
+++ b/argocd/apps/grafana/grafana.yaml
@@ -9,7 +9,7 @@ spec:
  source:
    repoURL: 'https://grafana.github.io/helm-charts'
    path: 'grafana'
-    targetRevision: 9.*.*
+    targetRevision: 10.*.*
    chart: grafana
    helm:
      parameters:
--- a/argocd/apps/headlamp/values-headlamp.yaml
+++ b/argocd/apps/headlamp/values-headlamp.yaml
@@ -0,0 +1,66 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: headlamp
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: "https://kubernetes-sigs.github.io/headlamp/"
    chart: "headlamp"
    targetRevision: 0.*.*
    helm:
      values: |
        config:
          inCluster: false  # ❗ deaktiviert die in-Cluster-Verbindung
          extraArgs: []
        env:
          - name: KUBECONFIG
            value: /config/kubeconfig
        serviceAccount:
          create: false
          name: headlamp-admin
        clusterRoleBinding:
          create: false
        automountServiceAccountToken: false
        volumes:
          - name: sa-token
            secret:
              secretName: headlamp-admin-token
          - name: kubeconfig
            secret:
              secretName: headlamp-kubeconfig
        volumeMounts:
          - name: sa-token
            mountPath: /var/run/secrets/kubernetes.io/serviceaccount
            readOnly: true
          - name: kubeconfig
            mountPath: /config
            readOnly: true
        ingress:
          enabled: true
          ingressClassName: "traefik"
          annotations:
            traefik.ingress.kubernetes.io/router.entrypoints: web
          hosts:
            - host: headlamp.innohub.local
              paths:
                - path: /
                  type: ImplementationSpecific
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: kube-system
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/keycloak/values-keycloak.yaml
+++ b/argocd/apps/keycloak/values-keycloak.yaml
@@ -0,0 +1,42 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: keycloak-headers
  namespace: kube-system
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Port: "443"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: keycloak
  namespace: kube-system
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`keycloak.innovation-hub-niedersachsen.de`)
      kind: Rule
      middlewares:
        - name: keycloak-headers
      services:
        - name: keycloak-external
          port: 8080
  tls:
    secretName: keycloak-tls
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: keycloak-external
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: keycloak.innohub.local
  ports:
    - port: 8080
--- a/argocd/apps/longhorn-dev/values-longhorn-dev.yaml
+++ b/argocd/apps/longhorn-dev/values-longhorn-dev.yaml
@@ -0,0 +1,56 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: longhorn-dev
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: "https://charts.longhorn.io"
    chart: "longhorn"
    targetRevision: 1.*.*
    helm:
      values: |
        preUpgradeChecker:
          jobEnabled: false
          upgradeVersionCheck: false
        persistence:
          defaultClass: true
          defaultFsType: ext4
          defaultMkfsParams: ""
          defaultClassReplicaCount: 2
          defaultDataLocality: disabled
          reclaimPolicy: Delete
          volumeBindingMode: "Immediate"
          migratable: false
          disableRevisionCounter: "true"
          nfsOptions: ""
        defaultSettings:
          storageOverProvisioningPercentage: "200"
          storageMinimalAvailablePercentage: "10"
          storageReservedPercentageForDefaultDisk: "10"
          defaultReplicaCount: '{"v1":"2","v2":"2"}'
          replicaAutoBalance: "best-effort"
          disableRevisionCounter: '{"v1":"true"}'
        ingress:
          enabled: true
          ingressClassName: "traefik"
          annotations:
            traefik.ingress.kubernetes.io/router.entrypoints: web
          host: longhorn-dev.innohub.local        
  destination:
    server: 'https://192.168.4.202:6443'
    namespace: longhorn-system
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/longhorn/values-longhorn.yaml
+++ b/argocd/apps/longhorn/values-longhorn.yaml
@@ -0,0 +1,60 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: longhorn
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: "https://charts.longhorn.io"
    chart: "longhorn"
    targetRevision: 1.*.*
    helm:
      values: |
        preUpgradeChecker:
          jobEnabled: false
          upgradeVersionCheck: false
        persistence:
          defaultClass: true
          defaultFsType: ext4
          defaultMkfsParams: ""
          defaultClassReplicaCount: 2
          defaultDataLocality: disabled
          reclaimPolicy: Delete
          volumeBindingMode: "Immediate"
          migratable: false
          disableRevisionCounter: "true"
          nfsOptions: ""
        defaultSettings:
          storageOverProvisioningPercentage: "200"
          storageMinimalAvailablePercentage: "10"
          storageReservedPercentageForDefaultDisk: "10"
          defaultReplicaCount: '{"v1":"2","v2":"2"}'
          replicaAutoBalance: "best-effort"
          disableRevisionCounter: '{"v1":"true"}'
          # Disk-Erstellung nur auf gelabelten Nodes
          createDefaultDiskLabeledNodes: true
          # Default-Pfad für neue Disks
          defaultDataPath: "/mnt/datastore/longhorn"
        ingress:
          enabled: true
          ingressClassName: "traefik"
          annotations:
            traefik.ingress.kubernetes.io/router.entrypoints: web
          host: longhorn.innohub.local        
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: longhorn-system
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/mantisbt/config_inc.php
+++ b/argocd/apps/mantisbt/config_inc.php
@@ -0,0 +1,35 @@
 <?php
 $g_hostname               = 'mantisbt-mariadb';
 $g_db_type                = 'mysqli';
 $g_database_name          = 'mantisbt';
 $g_db_username            = 'mantisbt';
 $g_db_password            = 'MantisDBPassword_2024!';
 $g_default_timezone       = 'Europe/Berlin';
 $g_crypto_master_salt     = 'shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw=';
 $g_path                   = 'https://mantisbt.innovation-hub-niedersachsen.de/';
 # Email settings
 $g_webmaster_email        = 'inno-netz@zpd.polizei.niedersachsen.de';
 $g_from_email             = 'mantisbt@innovation-hub-niedersachsen.de';
 $g_return_path_email      = 'mantisbt@innovation-hub-niedersachsen.de';
 $g_from_name              = 'InnoHub MantisBT';
 # SMTP Configuration
 $g_phpMailer_method       = PHPMAILER_METHOD_SMTP;
 $g_smtp_host              = '192.168.4.125';
 $g_smtp_port              = 25;
 $g_enable_email_notification = ON;
 # File upload - match PHP limit
 $g_max_file_size          = 2000000;
 $g_allowed_files          = 'png,gif,jpg,jpeg,pdf,doc,docx,xls,xlsx,ppt,pptx,txt,zip,rar,7z';
 # Site settings
 $g_window_title           = 'InnoHub Bug Tracker';
 $g_logo_image             = 'images/mantis_logo.png';
 # Security - disable after installation!
 # $g_allow_signup           = OFF;
--- a/argocd/apps/mantisbt/values-mantisbt.yaml
+++ b/argocd/apps/mantisbt/values-mantisbt.yaml
@@ -0,0 +1,91 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mantisbt
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/mantisbt'
    targetRevision: 0.4.*
    chart: mantisbt
    helm:
      values: |
        image:
          repository: xlrl/mantisbt
          tag: "latest"
        ingress:
          enabled: true
          className: traefik
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            cert-manager.io/cluster-issuer: lets-encrypt
          hosts:
            - mantisbt.innovation-hub-niedersachsen.de
          tls:
            - secretName: mantisbt-tls
              hosts:
                - mantisbt.innovation-hub-niedersachsen.de
        mantisbt:
          enableAdmin: "0"
          timezone: "Europe/Berlin"
          masterSalt: "shJaiK32W2tABdTZjwRUrZN+90AWLHXaLKiOt1Fwpaw="
        persistence:
          enabled: true
          storageClass: longhorn
          size: 10Gi
        resources:
          requests:
            memory: 256Mi
            cpu: 100m
          limits:
            memory: 512Mi
            cpu: 500m
        mariadb:
          enabled: true
          image:
            tag: "latest"
          auth:
            database: mantisbt
            username: mantisbt
            password: "MantisDBPassword_2024!"
            rootPassword: "RootDBPassword_2024!"
          primary:
            persistence:
              enabled: true
              storageClass: longhorn
              size: 8Gi
            livenessProbe:
              enabled: true
              initialDelaySeconds: 120
              periodSeconds: 10
              timeoutSeconds: 5
              failureThreshold: 3
            readinessProbe:
              enabled: true
              initialDelaySeconds: 30
              periodSeconds: 10
              timeoutSeconds: 5
              failureThreshold: 3
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mantisbt
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/mattermost/mattermnost.bak
+++ b/argocd/apps/mattermost/mattermnost.bak
@@ -1,47 +1,43 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: wekan
+  name: mattermost
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
-    repoURL: 'https://wekan.github.io/charts/'
+    repoURL: 'https://helm.mattermost.com'
-    targetRevision: 7.*.*
+    targetRevision: 6.*.*
    helm:
      parameters:
        - name: 'ingress.enabled'
          value: 'true'
        - name: 'endpoint'
-          value: 'wekan.innovation-hub-niedersachsen.de'
+          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: ingress.hosts[0]
-          value: 'wekan.innovation-hub-niedersachsen.de'
+          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].hosts[0]'
-          value: 'wekan.innovation-hub-niedersachsen.de'
+          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].secretName'
-          value: wekan-tls
+          value: mattermost-tls
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
          value: websecure
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: 'true'
          forceString: true
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
          value: 'default-http-redirect@kubernetescrd'
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
-        - name: autoscaling.enabled
+        - name: mysql.mysqlUser
-          value: 'false'
+          value: 'mmdbuser'
-        - name: sharedDataFolder.storageClass
+        - name: mysql.mysqlPassword
-          value: local-path
+          value: 'mmdbpwd'
-        - name: mongodb.replicaCount
+    chart: mattermost-team-edition
          value: '1'
        - name: root_url
          value: https://wekan.innovation-hub-niedersachsen.de
    chart: wekan
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: wekan
+    namespace: mattermost
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
@@ -50,4 +46,4 @@ spec:
      selfHeal: true
      prune: true
    syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true
--- a/argocd/apps/mattermost/mattermnost.yaml
+++ b/argocd/apps/mattermost/mattermnost.yaml
@@ -1,43 +1,101 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mattermost-postgres
 spec:
  project: default
  source:
    repoURL: 'https://charts.bitnami.com/bitnami'
    targetRevision: 16.*.*
    chart: postgresql
    helm:
      valuesObject:
        auth:
          postgresPassword: "mmROOT12345"
          database: "mattermost"
          username: "mmdbuser"
          password: "mmdbpwd"
        primary:
          persistence:
            enabled: true
            storageClass: "longhorn"
            size: 10Gi
        fullnameOverride: "mattermost-postgresql"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mattermost
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mattermost
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://helm.mattermost.com'
    targetRevision: 6.*.*
    helm:
      parameters:
        - name: 'ingress.enabled'
          value: 'true'
        - name: 'endpoint'
          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: ingress.hosts[0]
          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].hosts[0]'
          value: 'mattermost.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].secretName'
          value: mattermost-tls
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: 'true'
          forceString: true
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
          value: 'default-http-redirect@kubernetescrd'
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
        - name: mysql.mysqlUser
          value: 'mmdbuser'
        - name: mysql.mysqlPassword
          value: 'mmdbpwd'
    chart: mattermost-team-edition
    helm:
      valuesObject:
        # Persistence für Mattermost Daten
        persistence:
          data:
            enabled: true
            size: 10Gi
            storageClass: "longhorn"
            accessMode: ReadWriteOnce
          plugins:
            enabled: true
            size: 1Gi
            storageClass: "longhorn"
            accessMode: ReadWriteOnce
        # MySQL SubChart DEAKTIVIEREN
        mysql:
          enabled: false
        # PostgreSQL als externe Datenbank
        externalDB:
          enabled: true
          externalDriverType: "postgres"
          externalConnectionString: "mmdbuser:mmdbpwd@mattermost-postgresql:5432/mattermost?sslmode=disable&connect_timeout=10"
        # WICHTIG: Security Context für korrekte Volume-Berechtigungen
        # Mattermost läuft als UID 2000, GID 2000
        securityContext:
          fsGroup: 2000
          runAsUser: 2000
          runAsGroup: 2000
        # Ingress Konfiguration
        ingress:
          enabled: true
          hosts:
            - mattermost.innovation-hub-niedersachsen.de
          tls:
            - hosts:
                - mattermost.innovation-hub-niedersachsen.de
              secretName: mattermost-tls
          annotations:
            kubernetes.io/ingress.class: traefik
            cert-manager.io/cluster-issuer: lets-encrypt
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mattermost
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
--- a/argocd/apps/mattermost/mmm-initcontainer.yaml
+++ b/argocd/apps/mattermost/mmm-initcontainer.yaml
@@ -0,0 +1,9 @@
 extraInitContainers:
  - name: fix-permissions
    image: busybox
    command: ["sh", "-c", "chown -R 2000:2000 /mattermost/data"]
    volumeMounts:
      - name: mattermost-data
        mountPath: /mattermost/data
    securityContext:
      runAsUser: 0
--- a/argocd/apps/mattermost/mysql-secrets.yaml
+++ b/argocd/apps/mattermost/mysql-secrets.yaml
@@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: mattermost-db-credentials
  namespace: mattermost
 type: Opaque
 stringData:
  mysql-root-password: "InnoHubMYSQL_2025!"
  mysql-password: "mmdbpwd"
  mysql-user: "mmdbuser"
--- a/argocd/apps/minio/minio.yaml
+++ b/argocd/apps/minio/minio.yaml
@@ -1,64 +1,64 @@
-apiVersion: argoproj.io/v1alpha1
+#apiVersion: argoproj.io/v1alpha1
-kind: Application
+#kind: Application
-metadata:
+#metadata:
-  name: minio
+#  name: minio
-  finalizers:
+#  finalizers:
-  - resources-finalizer.argocd.argoproj.io
+#  - resources-finalizer.argocd.argoproj.io
-spec:
+#spec:
-  project: default
+#  project: default
-  source:
+#  source:
-    repoURL: 'registry-1.docker.io/bitnamicharts'
+#    repoURL: 'registry-1.docker.io/bitnamicharts'
-    path: minio
+#    path: minio
-    targetRevision: 16.*.*
+#    targetRevision: 16.*.*
-    chart: minio
+#    chart: minio
-    helm:
+#    helm:
-      parameters:
+#      parameters:
-        - name: auth.rootPassword
+#        - name: auth.rootPassword
-          value: 'InnoHubMINIO_2024!'
+#          value: 'InnoHubMINIO_2024!'
-        - name: ingress.enabled
+#        - name: ingress.enabled
-          value: 'true'
+#          value: 'true'
-        - name: ingress.hostname
+#        - name: ingress.hostname
-          value: 's3.innovation-hub-niedersachsen.de'
+#          value: 's3.innovation-hub-niedersachsen.de'
-        - name: ingress.tls
+#        - name: ingress.tls
-          value: 'true'
+#          value: 'true'
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+#        - name: ingress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
+#          value: traefik
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
+#          value: 'true'
-          forceString: true
+#          forceString: true
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+#        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
-          value: 'lets-encrypt'
+#          value: 'lets-encrypt'
-        - name: ingress.annotations.ingress\.secrets
+#        - name: ingress.annotations.ingress\.secrets
-          value: 's3.innovation-hub-niedersachsen.de-tls'
+#          value: 's3.innovation-hub-niedersachsen.de-tls'
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: websecure
+#          value: websecure
-        - name: apiIngress.enabled
+#        - name: apiIngress.enabled
-          value: 'true'
+#          value: 'true'
-        - name: apiIngress.hostname
+#        - name: apiIngress.hostname
-          value: 'api-s3.innovation-hub-niedersachsen.de'
+#          value: 'api-s3.innovation-hub-niedersachsen.de'
-        - name: apiIngress.tls
+#        - name: apiIngress.tls
-          value: 'true'
+#          value: 'true'
-        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
+#        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
-          value: 'websecure'
+#          value: 'websecure'
-        - name: apiIngress.annotations.kubernetes\.io\/ingress\.class
+#        - name: apiIngress.annotations.kubernetes\.io\/ingress\.class
-          value: traefik
+#          value: traefik
-        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+#        - name: apiIngress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
-          value: 'true'
+#          value: 'true'
-          forceString: true
+#          forceString: true
-        - name: apiIngress.annotations.cert-manager\.io\/cluster-issuer
+#        - name: apiIngress.annotations.cert-manager\.io\/cluster-issuer
-          value: 'lets-encrypt'
+#          value: 'lets-encrypt'
-        - name: apiIngress.annotations.ingress\.secrets
+#        - name: apiIngress.annotations.ingress\.secrets
-          value: 'api-s3.innovation-hub-niedersachsen.de-tls'  
+#          value: 'api-s3.innovation-hub-niedersachsen.de-tls'  
-  destination:
+#  destination:
-    server: 'https://kubernetes.default.svc'
+#    server: 'https://kubernetes.default.svc'
-    namespace: minio
+#    namespace: minio
-  syncPolicy:
+#  syncPolicy:
-    managedNamespaceMetadata:
+#    managedNamespaceMetadata:
-      labels: 
+#      labels: 
-        pod-security.kubernetes.io/enforce: "privileged"
+#        pod-security.kubernetes.io/enforce: "privileged"
-    automated:
+#    automated:
-      selfHeal: true
+#      selfHeal: true
-      prune: true
+#      prune: true
-    syncOptions:
+#    syncOptions:
-      - CreateNamespace=true
+#      - CreateNamespace=true
-      - RespectIgnoreDifferences=true
+#      - RespectIgnoreDifferences=true
--- a/argocd/apps/minio/values-minio.yaml
+++ b/argocd/apps/minio/values-minio.yaml
@@ -0,0 +1,67 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: minio
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'registry-1.docker.io/cloudpirates'
    path: minio
    targetRevision: 0.*.*
    chart: minio    
    helm:
      values: |
        auth:
          rootPassword: "InnoHubMINIO_2024!"
        ingress:
          enabled: true
          className: "traefik"
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
          hosts:
            - host: "api-s3.innovation-hub-niedersachsen.de"
              paths:
                - path: /
                  pathType: "Prefix"
          tls:
            - secretName: "api-s3.innovation-hub-niedersachsen.de-tls"
              hosts:
                - "api-s3.innovation-hub-niedersachsen.de" 
        consoleIngress:
          enabled: true
          className: "traefik"
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
          hosts:
            - host: "s3.innovation-hub-niedersachsen.de"
              paths:
                - path: /
                  pathType: "Prefix"
          tls:
            - secretName: "s3.innovation-hub-niedersachsen.de-tls"
              hosts:
                - "s3.innovation-hub-niedersachsen.de" 
        persistence:
          storageClass: "longhorn"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: minio
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/mrknow/traefik-mrknow.yaml
+++ b/argocd/apps/mrknow/traefik-mrknow.yaml
@@ -0,0 +1,165 @@
 # =============================================================================
 # Traefik IngressRoute Konfiguration für MR.KNOW / BPM Inspire
 # =============================================================================
 # Anpassen:
 #   - Host: mrknow.innovation-hub-niedersachsen.de (oder gewünschte Domain)
 #   - externalName: IP/Hostname des Portainer/Docker Hosts
 #   - secretName: TLS-Zertifikat Secret
 # =============================================================================
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: mrknow-headers
  namespace: kube-system
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Port: "443"
 ---
 # =============================================================================
 # IngressRoute für InForm (Frontend / Root-Pfad)
 # =============================================================================
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: mrknow-inform
  namespace: kube-system
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && !PathPrefix(`/insign`) && !PathPrefix(`/inspire`) && !PathPrefix(`/pgadmin`)
      kind: Rule
      middlewares:
        - name: mrknow-headers
      services:
        - name: mrknow-inform-external
          port: 8080
  tls:
    secretName: mrknow-tls
 ---
 # =============================================================================
 # IngressRoute für InSign
 # =============================================================================
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: mrknow-insign
  namespace: kube-system
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/insign`)
      kind: Rule
      middlewares:
        - name: mrknow-headers
      services:
        - name: mrknow-insign-external
          port: 8081
  tls:
    secretName: mrknow-tls
 ---
 # =============================================================================
 # IngressRoute für InSpire
 # =============================================================================
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: mrknow-inspire
  namespace: kube-system
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/inspire`)
      kind: Rule
      middlewares:
        - name: mrknow-headers
      services:
        - name: mrknow-inspire-external
          port: 8082
  tls:
    secretName: mrknow-tls
 # ---
 # =============================================================================
 # IngressRoute für PgAdmin (optional)
 # =============================================================================
 # apiVersion: traefik.io/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: mrknow-pgadmin
 #   namespace: kube-system
 # spec:
 #   entryPoints:
 #     - websecure
 #   routes:
 #     - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/pgadmin`)
 #       kind: Rule
 #       middlewares:
 #         - name: mrknow-headers
 #       services:
 #         - name: mrknow-pgadmin-external
 #           port: 5050
 #   tls:
 #     secretName: mrknow-tls
 ---
 # =============================================================================
 # External Services - Verbindung zum Portainer/Docker Host
 # =============================================================================
 # WICHTIG: externalName auf den Hostnamen/IP deines Docker-Hosts anpassen!
 # =============================================================================
 apiVersion: v1
 kind: Service
 metadata:
  name: mrknow-inform-external
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: mrknow.innohub.local
  ports:
    - port: 8080
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mrknow-insign-external
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: mrknow.innohub.local
  ports:
    - port: 8081
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mrknow-inspire-external
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: mrknow.innohub.local
  ports:
    - port: 8082
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: mrknow-pgadmin-external
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: mrknow.innohub.local
  ports:
    - port: 5050
--- a/argocd/apps/n8n/8gears.yaml
+++ b/argocd/apps/n8n/8gears.yaml
@@ -1,59 +0,0 @@
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
 #metadata:
 #  name: n8n-dev 
 #  finalizers:
 #  - resources-finalizer.argocd.argoproj.io
 #spec:
 #  project: default
 #  source:
 #    repoURL: '8gears.container-registry.com/library'
 #    path: n8n
 #    targetRevision: 1.*.*
 #    chart: n8n
 #    helm: 
 #      parameters:
 #        - name: ingress.enabled
 #          value: 'true'
 #        - name: ingress.className
 #          value: traefik
 #        - name: ingress.hosts[0].host
 #          value: n8n-dev.innovation-hub-niedersachsen.de            
 #        - name: ingress.hosts[0].paths[0].path
 #          value: "/"
 #        - name: ingress.hosts[0].paths[0].pathType
 #          value: "Prefix"
 #        - name: ingress.annotations.kubernetes\.io\/ingress\.class
 #          value: traefik    
 #        - name: ingress.tls[0].secretName
 #          value: "n8n-dev-tls"
 #        - name: ingress.tls[0].hosts[0]
 #          value: "n8n-dev.innovation-hub-niedersachsen.de"  
 #        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
 #          value: websecure             
 #        - name: ingress.annotations.kubernetes\.io\/ingress\.class
 #          value: traefik
 #        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
 #          value: 'true'
 #          forceString: true
 #        - name: main.persistence.enabled
 #          value: 'true' 
 #        - name: redis.enabled
 #          value: 'true'   
 #        - name: worker.enabled
 #          value: 'true' 
 #        - name: main.secret.n8n.encryption_key
 #          value: '8gears-n8n-dev-encryption-key'
 #        - name: main.config.n8n.runners_enabled
 #          value: 'true'    
 #        - name: main.config.n8n.enforce_settings_file_permissions
 #          value: 'true'  
 #  destination:
 #    namespace: n8n
 #    server: 'https://192.168.4.202:6443'
 #  syncPolicy:
 #    automated:
 #      prune: true
 #      selfHeal: true
 #    syncOptions:
 #      - CreateNamespace=true
--- a/argocd/apps/n8n/n8n.yaml
+++ b/argocd/apps/n8n/n8n.yaml
@@ -1,69 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: n8n
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://community-charts.github.io/helm-charts'
    targetRevision: 1.*.*
    chart: n8n    
    helm:
      parameters:
        - name: db.type
          value: "postgresdb"
        - name: postgresql.enabled
          value: "true"
        - name: postgresql.primary.persistence.enabled
          value: "true"
        - name: postgresql.auth.usename
          value: "n8n"
        - name: postgresql.auth.password
          value: "n8n"  
        - name: minio.enabled
          value: "true"  
        - name: minio.persistence.enabled
          value: "true"  
        - name: webhook.allNodes
          value: "true"
        - name: webhook.url
          value: "https://n8n.innovation-hub-niedersachsen.de/"  
        - name: redis.enabled
          value: "true" 
        - name: redis.master.persistence.enabled
          value: "true"   
        - name: ingress.enabled
          value: "true"
        - name: ingress.className
          value: "traefik"
        - name: ingress.hosts[0].host
          value: "n8n.innovation-hub-niedersachsen.de"
        - name: ingress.hosts[0].paths[0].path
          value: "/"
        - name: ingress.hosts[0].paths[0].pathType
          value: "Prefix"
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik   
        - name: ingress.tls[0].secretName
          value: "n8n-tls"
        - name: ingress.tls[0].hosts[0]
          value: "n8n.innovation-hub-niedersachsen.de"
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: "true"
          forceString: true
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt 
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: n8n
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/n8n/values-n8n.yaml
+++ b/argocd/apps/n8n/values-n8n.yaml
@@ -0,0 +1,112 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: n8n
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://community-charts.github.io/helm-charts'
    targetRevision: 1.*.*
    chart: n8n    
    helm:
      values: |
        encryptionKey: "239fbfe8315c786826a9af8f6f984e46"
        # n8n Hauptknoten mit Persistenz
        main:
          persistence:
            enabled: true
            storageClass: "longhorn"
            size: 10Gi
            accessMode: ReadWriteOnce
            mountPath: "/home/node/.n8n"
            annotations:
              helm.sh/resource-policy: keep
          forceToUseStatefulset: true
          count: 1
          # Umgebungsvariablen für Trust Proxy
          extraEnvVars:
            N8N_PROXY_HOPS: "1"
        # PostgreSQL Datenbank
        db:
          type: "postgresdb"
        postgresql:
          enabled: true
          primary:
            persistence:
              enabled: true
              storageClass: "longhorn"
              size: 10Gi
              accessMode: ReadWriteOnce
              annotations:
                helm.sh/resource-policy: keep
          auth:
            username: "n8n"
            password: "n8n"
            postgresPassword: "35PuQG99qi"
            database: "n8n"
        # MinIO für Binary Data
        minio:
          enabled: true
          rootUser: "vkYCY4YJsFv11E18az7o"
          rootPassword: "gOVBJMs5qxABhReVQwe3M43mfS8RsejUJSKOWr5N"
          persistence:
            enabled: true
            storageClass: "longhorn"
            size: 40Gi
            annotations:
              helm.sh/resource-policy: keep
        # Redis für Queue Mode
        redis:
          enabled: true
          auth:
            password: "y8GBnBTleK"
          master:
            persistence:
              enabled: true
              storageClass: "longhorn"
              size: 5Gi
              accessMode: ReadWriteOnce
              annotations:
                helm.sh/resource-policy: keep
        webhook:
          url: "https://n8n.innovation-hub-niedersachsen.de/"
          allNodes: true
        ingress:
          enabled: true 
          className: "traefik"
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
            traefik.ingress.kubernetes.io/router.entrypoints: websecure           
          hosts: 
            - host: "n8n.innovation-hub-niedersachsen.de"
              paths:
                - path: /
                  pathType: "Prefix"
          tls:
            - secretName: "n8n-tls"
              hosts:
                - "n8n.innovation-hub-niedersachsen.de"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: n8n
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/nextcloud/nextcloud.bak
+++ b/argocd/apps/nextcloud/nextcloud.bak
@@ -0,0 +1,128 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: nextcloud
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://nextcloud.github.io/helm/'
    targetRevision: 8.*.*
    helm:
      parameters:
        - name: image.repository
          value: 'nextcloud'
        - name: image.flavor
          value: 'fpm'
        - name: ingress.className
          value: 'traefik'
        - name: nginx.enabled
          value: 'true'  
        - name: 'ingress.enabled'
          value: 'true'
        - name: ingress.servicePort
          value: 'https'
        - name: phpClientHttpsFix.enabled
          value: 'true'
        - name: phpClientHttpsFix.protocol
          value: 'https'
        - name: nextcloud.host
          value: 'innocloud.innovation-hub-niedersachsen.de'
        - name: nextcloud.password
          value: 'InnoHubADMIN_2024!'
        - name: internalDatabase.enabled
          value: 'false'
        - name: redis.enabled
          value: 'true'  
        - name: redis.auth.password
          value: 'redisInnoDBUser'          
        - name: postgresql.enabled
          value: 'true'
        - name: postgresql.global.postgresql.auth.password
          value: 'pgInnoDBUser'
        - name: postgresql.primary.persistence.enabled
          value: 'true'
        - name: 'endpoint'
          value: 'innocloud.innovation-hub-niedersachsen.de'
        - name: ingress.hosts[0]
          value: 'innocloud.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].hosts[0]'
          value: 'innocloud.innovation-hub-niedersachsen.de'
        - name: 'ingress.tls[0].secretName'
          value: innocloud-tls
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: 'true'
          forceString: true
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
          value: 'kube-system-hsts@kubernetescrd'  
        - name: service\.annotations\.traefik\.ingress\.kubernetes\.io\/service\.sticky\.cookie
          value: 'true'
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
        - name: persistence.enabled
          value: 'true'
        - name: persistence.nextcloudData.enabled
          value: 'true'
        - name: cronjob.enabled
          value: 'true'
        - name: nextcloud.mail.fromAddress
          value: 'admin'
        - name: nextcloud.mail.domain
          value: 'innovation-hub-niedersachsen.de'
        - name: nextcloud.mail.smtp.host
          value: '192.168.4.125'
        - name: nextcloud.mail.smtp.port
          value: '25'
        # AppAPI DinD Sidecar Configuration
        - name: nextcloud.extraSidecarContainers[0].name
          value: 'dind'
        - name: nextcloud.extraSidecarContainers[0].image
          value: 'docker:27-dind'
        - name: nextcloud.extraSidecarContainers[0].securityContext.privileged
          value: 'true'
        - name: nextcloud.extraSidecarContainers[0].env[0].name
          value: 'DOCKER_TLS_CERTDIR'
        - name: nextcloud.extraSidecarContainers[0].env[0].value
          value: ''
        - name: nextcloud.extraSidecarContainers[0].volumeMounts[0].name
          value: 'docker-sock'
        - name: nextcloud.extraSidecarContainers[0].volumeMounts[0].mountPath
          value: '/var/run'
        - name: nextcloud.extraSidecarContainers[0].volumeMounts[1].name
          value: 'dind-storage'
        - name: nextcloud.extraSidecarContainers[0].volumeMounts[1].mountPath
          value: '/var/lib/docker'
        # Extra Volumes für DinD
        - name: nextcloud.extraVolumes[0].name
          value: 'docker-sock'
        - name: nextcloud.extraVolumes[0].emptyDir
          value: '{}'
        - name: nextcloud.extraVolumes[1].name
          value: 'dind-storage'
        - name: nextcloud.extraVolumes[1].emptyDir
          value: '{}'
        # Mount Docker Socket in Nextcloud Container
        - name: nextcloud.extraVolumeMounts[0].name
          value: 'docker-sock'
        - name: nextcloud.extraVolumeMounts[0].mountPath
          value: '/var/run'
    chart: nextcloud
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: nextcloud
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/nextcloud/nextcloud.yaml
+++ b/argocd/apps/nextcloud/nextcloud.yaml
@@ -8,90 +8,129 @@ spec:
  project: default
  source:
    repoURL: 'https://nextcloud.github.io/helm/'
-    targetRevision: 7.*.*
+    targetRevision: 8.*.*
    helm:
-      parameters:
+      values: |
-        - name: image.repository
+        image:
-          value: 'nextcloud'
+          repository: nextcloud
-        - name: image.flavor
+          flavor: fpm
-          value: 'fpm'
+        
-        - name: ingress.className
+        ingress:
-          value: 'traefik'
+          enabled: true
-        - name: nginx.enabled
+          className: traefik
-          value: 'true'  
+          servicePort: https
-        - name: 'ingress.enabled'
+          annotations:
-          value: 'true'
+            kubernetes.io/ingress.class: traefik
-        - name: ingress.servicePort
+            traefik.ingress.kubernetes.io/router.tls: "true"
-          value: 'https'
+            traefik.ingress.kubernetes.io/router.middlewares: kube-system-hsts@kubernetescrd
-        - name: phpClientHttpsFix.enabled
+            cert-manager.io/cluster-issuer: lets-encrypt
-          value: 'true'
+          hosts:
-        - name: phpClientHttpsFix.protocol
+            - innocloud.innovation-hub-niedersachsen.de
-          value: 'https'
+          tls:
-        - name: nextcloud.host
+            - secretName: innocloud-tls
-          value: 'innocloud.innovation-hub-niedersachsen.de'
+              hosts:
-        - name: nextcloud.password
+                - innocloud.innovation-hub-niedersachsen.de
-          value: 'InnoHubADMIN_2024!'
+        
-        - name: internalDatabase.enabled
+        service:
-          value: 'false'
+          annotations:
-        - name: redis.enabled
+            traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
-          value: 'true'  
+        
-        - name: redis.auth.password
+        nginx:
-          value: 'redisInnoDBUser'          
+          enabled: true
-        - name: postgresql.enabled
+        
-          value: 'true'
+        phpClientHttpsFix:
-        - name: postgresql.global.postgresql.auth.password
+          enabled: true
-          value: 'pgInnoDBUser'
+          protocol: https
-        - name: postgresql.primary.persistence.enabled
+        
-          value: 'true'
+        nextcloud:
-#        - name: externalDatabase.type
+          host: innocloud.innovation-hub-niedersachsen.de
-#          value: postgresql
+          password: InnoHubADMIN_2024!
-#        - name: externalDatabase.host
+          mail:
-#          value: 'nextcloud-postgresql-0'
+            enabled: true
-#        - name: externalDatabase.password
+            fromAddress: admin
-#          value: 'pgInnoDBUser'
+            domain: innovation-hub-niedersachsen.de
-        - name: 'endpoint'
+            smtp:
-          value: 'innocloud.innovation-hub-niedersachsen.de'
+              host: 192.168.4.125
-        - name: ingress.hosts[0]
+              port: 25
-          value: 'innocloud.innovation-hub-niedersachsen.de'
+          
-        - name: 'ingress.tls[0].hosts[0]'
+          # DinD Sidecar für AppAPI (TCP Mode)
-          value: 'innocloud.innovation-hub-niedersachsen.de'
+          extraSidecarContainers:
-        - name: 'ingress.tls[0].secretName'
+            - name: dind
-          value: innocloud-tls
+              image: docker:27-dind
-        - name: ingress.annotations.kubernetes\.io\/ingress\.class
+              securityContext:
-          value: traefik
+                privileged: true
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
+              command:
-          value: 'true'
+                - dockerd
-          forceString: true
+              args:
-        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.middlewares
+                - --host=tcp://0.0.0.0:2375
-          value: 'kube-system-hsts@kubernetescrd'  
+                - --tls=false
-        - name: service\.annotations\.traefik\.ingress\.kubernetes\.io\/service\.sticky\.cookie
+              env:
-          value: 'true'
+                - name: DOCKER_TLS_CERTDIR
-        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
+                  value: ""
-          value: lets-encrypt
+              volumeMounts:
-        - name: persistence.enabled
+                - name: dind-storage
-          value: 'true'
+                  mountPath: /var/lib/docker
-        - name: persistence.nextcloudData.enabled
+              ports:
-          value: 'true'
+                - containerPort: 2375
-        - name: cronjob.enabled
+                  name: docker
-          value: 'true'
+          
-        - name: nextcloud.mail.fromAddress
+          extraVolumes:
-          value: 'admin'
+            - name: dind-storage
-        - name: nextcloud.mail.domain
+              emptyDir: {}
-          value: 'innovation-hub-niedersachsen.de'
+        
-        - name: nextcloud.mail.smtp.host
+        internalDatabase:
-          value: '192.168.4.125'
+          enabled: false
-        - name: nextcloud.mail.smtp.port
+        
-          value: '25'
+        redis:
          enabled: true
          auth:
            password: redisInnoDBUser
          # architecture: standalone
          master:
            extraEnvVars:
              - name: REDIS_MASTER_HOST
                value: "localhost"
              - name: REDIS_MASTER_PORT_NUMBER
                value: "6379"
            readinessProbe:
              timeoutSeconds: 20    
            replica:
            extraEnvVars:
              - name: REDIS_MASTER_HOST
                value: "nextcloud-redis-master"
              - name: REDIS_MASTER_PORT_NUMBER
                value: "6379"
            readinessProbe:
              timeoutSeconds: 20    
        postgresql:
          enabled: true
          global:
            postgresql:
              auth:
                password: pgInnoDBUser
          primary:
            persistence:
              enabled: true
        persistence:
          enabled: true
          nextcloudData:
            enabled: true
        cronjob:
          enabled: true
    chart: nextcloud
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: nextcloud
  syncPolicy:
    managedNamespaceMetadata:
-      labels: 
+      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
-      - CreateNamespace=true
+      - CreateNamespace=true
--- a/argocd/apps/open-webui/openwebui.yaml
+++ b/argocd/apps/open-webui/openwebui.yaml
@@ -1,57 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: open-webui
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://helm.openwebui.com/'
    targetRevision: 8.*.*
    helm:
      parameters:
        - name: serviceAccount.enable
          value: 'false'
        - name: persistence.size
          value: 200Gi
        - name: existingClaim
          value: "open-webui"
        - name: ollama.enabled
          value: 'false'  
      #  - name: ollama.persistentVolume.enabled
      #    value: 'true'
      #  - name: ollama.persistence.existingClaim
      #    value: "open-webui-llm-storage"
      #  - name: ollama.persistenceVolume.size
      #    value: 200Gi
        - name: ingress.class
          value: 'traefik'
        - name: ingress.enabled
          value: 'true'
        - name: ingress.host
          value: "innollm.innovation-hub-niedersachsen.de"
        - name: ingress.tls
          value: 'true'
        - name: ingress.existingSecret
          value: 'innollm-tls'
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.tls
          value: 'true'
          forceString: true
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
    chart: open-webui
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: open-webui
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: 'privileged'
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/open-webui/values-openwebui.yaml
+++ b/argocd/apps/open-webui/values-openwebui.yaml
@@ -0,0 +1,72 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: open-webui
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://helm.openwebui.com/'
    targetRevision: 9.*.*
    chart: open-webui
    helm:
      values: |
        serviceAccount:
          enable: false
        persistence:
          size: 200Gi
          storageClass: longhorn
        ollama:
          enabled: false
        extraEnvVars:
          - name: OAUTH_LOGOUT_REDIRECT_URL
            value: "https://innollm.innovation-hub-niedersachsen.de/"
          - name: ENABLE_OAUTH_LOGOUT
            value: "true"
          - name: WEBUI_SECRET_KEY
            value: "17e027e793724fcbf0400c91374d6960f1beec64b52939c4ee20c1b6faf859ad"
          - name: CORS_ALLOW_ORIGIN
            value: "https://innollm.innovation-hub-niedersachsen.de"
          - name: USER_AGENT
            value: "Open-WebUI/InnoHub"
        ingress:
          enabled: true
          class: traefik
          host: "innollm.innovation-hub-niedersachsen.de"
          tls: true
          existingSecret: "innollm-tls"
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
        sso:
          enabled: true
          enableSignup: true
          mergeAccountsByEmail: false
          enableRoleManagement: false
          enableGroupManagement: false
          oidc:
            enabled: true
            clientId: "open-webui"
            clientSecret: "RFkQ5RDXv6KE4DiQsOq3BJejWFElu90G"
            providerUrl: "https://keycloak.innovation-hub-niedersachsen.de/realms/innohub/.well-known/openid-configuration"
            providerName: "Keycloak"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: open-webui
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: 'privileged'
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/plane/bakup/plane-ingress_fix.txt
+++ b/argocd/apps/plane/bakup/plane-ingress_fix.txt
@@ -0,0 +1,10 @@
 kubectl patch ingress plane-ingress -n plane \
  --type merge \
  -p '{
    "spec": {
      "tls": [{
        "hosts": ["plane.innovation-hub-niedersachsen.de"],
        "secretName": "plane-tls"
      }]
    }
  }'
--- a/argocd/apps/plane/plane-secret-patcher.yaml
+++ b/argocd/apps/plane/plane-secret-patcher.yaml
@@ -0,0 +1,63 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: plane-secret-patcher
  namespace: plane
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
  template:
    spec:
      serviceAccountName: plane-secret-patcher
      restartPolicy: Never
      containers:
      - name: patcher
        image: bitnami/kubectl:latest
        command:
        - /bin/sh
        - -c
        - |
          # Patch plane-app-secrets
          kubectl patch secret plane-app-secrets -n plane --type='json' -p='[
            {"op": "replace", "path": "/data/DATABASE_URL", "value": "'$(echo -n "postgresql://plane:plane@plane-pgdb:5432/plane" | base64)'"},
            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"},
            {"op": "replace", "path": "/data/AMQP_URL", "value": "'$(echo -n "amqp://plane:plane@plane-rabbitmq/" | base64)'"}
          ]'
          # Patch plane-live-secrets
          kubectl patch secret plane-live-secrets -n plane --type='json' -p='[
            {"op": "replace", "path": "/data/REDIS_URL", "value": "'$(echo -n "redis://plane-redis:6379/" | base64)'"}
          ]'
          echo "Secrets patched successfully"
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: plane-secret-patcher
  namespace: plane
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: plane-secret-patcher
  namespace: plane
 rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: plane-secret-patcher
  namespace: plane
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: plane-secret-patcher
 subjects:
 - kind: ServiceAccount
  name: plane-secret-patcher
  namespace: plane
--- a/argocd/apps/plane/values-plane.yaml
+++ b/argocd/apps/plane/values-plane.yaml
@@ -0,0 +1,135 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: plane
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  ignoreDifferences:
    - group: ""
      kind: PersistentVolumeClaim
      jsonPointers:
        - /metadata/creationTimestamp
    - group: batch
      kind: Job
      jsonPointers:
        - /spec
        - /metadata/annotations
        - /metadata/labels
    - group: apps
      kind: StatefulSet
      jsonPointers:
        - /spec/volumeClaimTemplates/0/metadata/creationTimestamp
        - /spec/volumeClaimTemplates/1/metadata/creationTimestamp
        - /spec/volumeClaimTemplates/2/metadata/creationTimestamp
    - group: ""
      kind: Secret
      jsonPointers:
        - /data
  project: default
  source:
    repoURL: 'https://helm.plane.so/'
    chart: 'plane-ce'
    targetRevision: 1.*.*
    helm:
      values: |
        ingress:
          enabled: true
          appHost: "plane.innovation-hub-niedersachsen.de"
          ingressClass: "traefik"
          ingress_annotations:
            cert-manager.io/cluster-issuer: lets-encrypt
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
        ssl:
          tls_secret_name: "plane-tls"
          createIssuer: false
          generateCerts: false
        redis:
          local_setup: true
          assign_cluster_ip: true
          storageClass: "longhorn"
          volumeSize: 500Mi
        postgres:
          local_setup: true
          assign_cluster_ip: true
          storageClass: "longhorn"
          volumeSize: 5Gi
        rabbitmq:
          local_setup: true
          assign_cluster_ip: true
          storageClass: "longhorn"
          volumeSize: 500Mi
        minio:
          local_setup: true
          storageClass: "longhorn"
          volumeSize: 10Gi
          root_user: "plane-minio-admin"
          root_password: "InnoHubPLANE2025!"
        api:
          replicas: 1
          memoryLimit: 2Gi
          cpuLimit: 1000m
          dnsConfig:
            options:
              - name: ndots
                value: "1"
        worker:
          replicas: 1
          memoryLimit: 8Gi
          cpuLimit: 1500m
          cpuRequest: 500m
          memoryRequest: 6Gi
          dnsConfig:
            options:
              - name: ndots
                value: "1"
        beatworker:
          replicas: 1
          dnsConfig:
            options:
              - name: ndots
                value: "1"
        live:
          replicas: 1
          dnsConfig:
            options:
              - name: ndots
                value: "1"
        env:
          pgdb_username: plane
          pgdb_password: plane
          pgdb_name: plane
          pgdb_remote_url: ""
          remote_redis_url: ""
          docstore_bucket: "uploads"
          doc_upload_size_limit: "5242880"
          cors_allowed_origins: "https://plane.innovation-hub-niedersachsen.de"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: plane
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - RespectIgnoreDifferences=true
      - PruneLast=true
--- a/argocd/apps/praktikum/values-praktikum.yaml
+++ b/argocd/apps/praktikum/values-praktikum.yaml
@@ -0,0 +1,46 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: praktikum
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/praktikum'
    targetRevision: 0.*.*
    chart: praktikum
    helm:
      values: |
        ingress:
          enabled: true
          className: traefik
          annotations:
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
          hosts:
            - praktikum.innovation-hub-niedersachsen.de
          tls:
            - secretName: praktikum-tls
              hosts:
                - praktikum.innovation-hub-niedersachsen.de
        persistence:
          enabled: true
          storageClass: longhorn
          size: 5Gi
          accessMode: ReadWriteOnce
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: praktikum
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/qr-formlink/qr-formlink.yaml
+++ b/argocd/apps/qr-formlink/qr-formlink.yaml
@@ -1,13 +1,13 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: praktikum
+  name: qr-formlink
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
-    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/praktikum'
+    repoURL: 'https://gitea.innovation-hub-niedersachsen.de/innohub/charts/raw/main/qr-formlink'
    targetRevision: 0.*.*
    helm:
      parameters:
@@ -16,11 +16,11 @@ spec:
        - name: ingress.className
          value: "traefik"
        - name: ingress.hosts[0]
-          value: "praktikum.innovation-hub-niedersachsen.de"
+          value: "qrdoc.innovation-hub-niedersachsen.de"
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
          value: traefik
        - name: ingress.tls[0].secretName
-          value: "praktikum-tls"
+          value: "qrdoc.innovation-hub-niedersachsen.de-tls"
        - name: ingress.annotations.traefik\.ingress\.kubernetes\.io\/router\.entrypoints
          value: websecure
        - name: ingress.annotations.kubernetes\.io\/ingress\.class
@@ -29,13 +29,13 @@ spec:
          value: 'true'
          forceString: true
        - name: ingress.tls[0].hosts[0]
-          value: "praktikum.innovation-hub-niedersachsen.de"
+          value: "qrdoc.innovation-hub-niedersachsen.de"
        - name: ingress.annotations.cert-manager\.io\/cluster-issuer
          value: lets-encrypt
-    chart: praktikum
+    chart: qr-formlink
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: praktikum
+    namespace: qr-formlink
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
--- a/argocd/apps/seaweedfs/admin-s3-secrets.yaml
+++ b/argocd/apps/seaweedfs/admin-s3-secrets.yaml
@@ -1,12 +1,46 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Secret
+#kind: Secret
-type: Opaque
+#type: Opaque
-metadata:
+#metadata:
-  name: admin-s3-secret
+#  name: admin-s3-secret
-  namespace: seaweedfs
+#  namespace: seaweedfs
-  labels:
+#  labels:
-    app.kubernetes.io/name: seaweedfs
+#    app.kubernetes.io/name: seaweedfs
-    app.kubernetes.io/component: seaweedfs-s3
+#    app.kubernetes.io/component: seaweedfs-s3
-stringData:
+#
-  # this key must be an inline json config file
+#stringData:
-  seaweedfs_s3_config: '{"identities":[{"name":"admin","credentials":[{"accessKey":"wjpKrmaqXra99rX3D61H","secretKey":"fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"}],"actions":["Admin","Read","Write"]}]}'
+#  seaweedfs_s3_config: |
 #    {
 #      "identities": [
 #        {
 #          "name": "tatort",
 #          "credentials": [
 #            {
 #              "accessKey": "wjpKrmaqXra99rX3D61H",
 #              "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
 #            }
 #          ],
 #          "actions": ["Read", "Write", "Admin"]
 #        },
 #        {
 #          "name": "plane",
 #          "credentials": [
 #            {
 #              "accessKey": "a0ccb47cc0994bf51ecd",
 #              "secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
 #            }
 #          ],
 #          "actions": ["Read", "Write", "Admin"]
 #        },
 #        {
 #          "name": "n8n",
 #          "credentials": [
 #            {
 #              "accessKey": "WPpTwIoSMgrPChsS3rdS",
 #              "secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
 #            }
 #          ],
 #          "actions": ["Read", "Write", "Admin"]
 #        }
 #      ]
 #    }
--- a/argocd/apps/seaweedfs/seaweedfs-jwt-secret.yaml
+++ b/argocd/apps/seaweedfs/seaweedfs-jwt-secret.yaml
@@ -1,10 +1,10 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Secret
+#kind: Secret
-metadata:
+#metadata:
-  name: seaweedfs-jwt
+#  name: seaweedfs-jwt
-  namespace: seaweedfs
+#  namespace: seaweedfs
-stringData:
+#stringData:
-  jwt.json: |
+#  jwt.json: |
-    {
+#    {
-      "secret": "inno-super-secret-key"
+#      "secret": "inno-super-secret-key"
-    }
+#    }
--- a/argocd/apps/seaweedfs/seaweedfs.yaml
+++ b/argocd/apps/seaweedfs/seaweedfs.yaml
@@ -1,73 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: seaweedfs
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://seaweedfs.github.io/seaweedfs/helm'
    chart: seaweedfs
    targetRevision: 4.*.*
    helm:
      values: |
        master:
          enabled: true
          replicas: 1
        volume:
          enabled: true
          replicas: 1
        filer:
          enabled: true
          replicas: 1
        s3:
          enabled: true
          replicas: 1
          port: 8333
          httpsPort: 8433
          enableAuth: true
          existingConfigSecret: "admin-s3-secret"
          ingress:
            enabled: true
            className: "traefik"
            host: "sws3.innovation-hub-niedersachsen.de"
            # additional ingress annotations for the s3 endpoint
            annotations:
              kubernetes.io/ingress.class: "traefik"
              traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
              traefik.ingress.kubernetes.io/router.tls: "true"
              cert-manager.io/cluster-issuer: "lets-encrypt"
              # traefik.ingress.kubernetes.io/headers.customRequestHeaders: |
              #  X-Forwarded-Proto = https
              #traefik.ingress.kubernetes.io/headers.customResponseHeaders: |
              #  Access-Control-Allow-Origin: "*"
              #  Access-Control-Allow-Methods: "GET, OPTIONS, PUT, POST, DELETE"
              #  Access-Control-Allow-Headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"
              #  Access-Control-Expose-Headers: "Content-Length,Content-Range"
              #  Referrer-Policy: no-referrer-when-downgrade
            hosts:
              - host: "sws3.innovation-hub-niedersachsen.de"
                paths:
                  - path: /
                    pathType: Prefix
            tls:
              - secretName: "sws3.innovation-hub-niedersachsen.de-tls"
                hosts:
                  - "sws3.innovation-hub-niedersachsen.de"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: seaweedfs
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/seaweedfs/values-seaweedfs.yaml
+++ b/argocd/apps/seaweedfs/values-seaweedfs.yaml
@@ -0,0 +1,108 @@
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
 #metadata:
 #  name: seaweedfs
 #  finalizers:
 #    - resources-finalizer.argocd.argoproj.io
 #spec:
 #  project: default
 #  source:
 #    repoURL: "https://seaweedfs.github.io/seaweedfs/helm"
 #    chart: seaweedfs
 #    targetRevision: "4.*.*"
 #    helm:
 #      values: |
 #        global:
 #          extraEnvironmentVars:
 #            WEED_CLUSTER_DEFAULT: "sw"
 #            WEED_CLUSTER_SW_MASTER: "seaweedfs-master.seaweedfs:9333"
 #            WEED_CLUSTER_SW_FILER: "seaweedfs-filer.seaweedfs:8888"
 #
 #        master:
 #          enabled: true
 #          replicas: 1
 #          data:
 #            type: existingClaim
 #            claimName: seaweedfs-master-data-longhorn
 #
 #        volume:
 #          enabled: true
 #          replicas: 1
 #          dataDirs:
 #            - name: data1
 #              type: existingClaim
 #              claimName: seaweedfs-volume-data-longhorn
 #              maxVolumes: 0
 #          idx:
 #            type: existingClaim
 #            claimName: seaweedfs-volume-idx-longhorn
 #
 #        filer:
 #          enabled: true
 #          replicas: 1
 #          data:
 #            type: existingClaim
 #            claimName: seaweedfs-filer-data-longhorn
 #          # s3:
 #          #  enabled: false
 #          #  port: 8333
 #          #  domainName: "sws3.innovation-hub-niedersachsen.de"
 #          #  allowEmptyFolder: true
 #          #  enableAuth: true
 #          #  allowDeleteBucketNotEmpty: true
 #
 #        s3:
 #          enabled: true
 #          replicas: 1
 #          port: 8333
 #          enableAuth: true
 #          existingConfigSecret: admin-s3-secret
 #          existingConfigSecretKey: seaweedfs_s3_config
 #
 #          extraEnvironmentVars:
 #            WEED_S3_ALLOWED_ORIGINS: "*"
 #            WEED_FILER: "seaweedfs-filer.seaweedfs.svc.cluster.local:8888"
 #          extraArgs:
 #            - "-allowedOrigins=*"
 #            - "-filer=seaweedfs-filer.seaweedfs:8888"
 #
 #          service:
 #            type: ClusterIP
 #            ports:
 #              - name: http
 #                port: 8333
 #                targetPort: 8333
 #                protocol: TCP
 #
 #          ingress:
 #            enabled: true
 #            className: traefik
 #            annotations:
 #              traefik.ingress.kubernetes.io/router.entrypoints: websecure
 #              traefik.ingress.kubernetes.io/router.tls: "true"
 #              cert-manager.io/cluster-issuer: "lets-encrypt"
 #              traefik.ingress.kubernetes.io/router.middlewares: seaweedfs-s3-cors@kubernetescrd
 #            host: "sws3.innovation-hub-niedersachsen.de"  
 #            hosts:
 #              - host: sws3.innovation-hub-niedersachsen.de
 #                paths:
 #                  - path: /
 #                    pathType: Prefix
 #            tls:
 #              - secretName: sws3.innovation-hub-niedersachsen.de-tls
 #                hosts:
 #                  - sws3.innovation-hub-niedersachsen.de
 #
 #  destination:
 #    server: "https://kubernetes.default.svc"
 #    namespace: seaweedfs
 #
 #  syncPolicy:
 #    managedNamespaceMetadata:
 #      labels:
 #        pod-security.kubernetes.io/enforce: "privileged"
 #    automated:
 #      selfHeal: true
 #      prune: true
 #    syncOptions:
 #      - CreateNamespace=true
--- a/argocd/apps/wekan/values-wekan.yaml
+++ b/argocd/apps/wekan/values-wekan.yaml
@@ -0,0 +1,112 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: wekan
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://wekan.github.io/charts/'
    chart: wekan
    targetRevision: 7.97.0
    helm:
      values: |
        replicaCount: 1
        dbname: wekan
        env:
          - name: MONGO_URL
            value: mongodb://wekan-mongodb:27017/wekan
          - name: MAIL_URL
            value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
          - name: MAIL_FROM
            value: Noreplay admin@innovation-hub-niedersachsen.de
          - name: OAUTH2_ENABLED
            value: "true"
          - name: OAUTH2_LOGIN_STYLE
            value: "redirect"
          - name: OAUTH2_CLIENT_ID
            value: "wekan"
          - name: OAUTH2_SERVER_URL
            value: "https://keycloak.innovation-hub-niedersachsen.de"
          - name: OAUTH2_AUTH_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/auth"
          - name: OAUTH2_USERINFO_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/userinfo"
          - name: OAUTH2_TOKEN_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/token"
          - name: OAUTH2_SECRET
            value: "vp1kG3WgUdPCUAWvECZbAmBdST6Vgm0I"
          - name: OAUTH2_ID_MAP
            value: "sub"
          - name: OAUTH2_USERNAME_MAP
            value: "preferred_username"
          - name: OAUTH2_EMAIL_MAP
            value: "email"
          - name: OAUTH2_FULLNAME_MAP
            value: "name"
          - name: OAUTH2_ADFS_ENABLED
            value: "false"
          - name: OAUTH2_B2C_ENABLED
            value: "false"
          - name: OAUTH2_REQUEST_PERMISSIONS
            value: "openid profile email"        
        end_point: wekan.innovation-hub-niedersachsen.de
        root_url: https://wekan.innovation-hub-niedersachsen.de
        # Probe-Einstellungen anpassen
        livenessProbe:
          enabled: true
          initialDelaySeconds: 60
          periodSeconds: 15
          timeoutSeconds: 10
          failureThreshold: 5
        readinessProbe:
          enabled: true
          initialDelaySeconds: 20
          periodSeconds: 15
          timeoutSeconds: 10
          failureThreshold: 3
        ingress:
          enabled: true
          annotations: 
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
          hosts:
            - wekan.innovation-hub-niedersachsen.de
          tls:
            - secretName: wekan-tls
              hosts:
                - wekan.innovation-hub-niedersachsen.de
        route:
          enabled: false
        sharedDataFolder:
          enabled: true
          storageClass: longhorn
        mongodb:
          enabled: true
          image:
            tag: 7.0.28
          storage:
            className: longhorn
          nodeSelector:
            kubernetes.io/hostname: k3s-prod
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: wekan
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/wekantest/values-wekantest.yaml
+++ b/argocd/apps/wekantest/values-wekantest.yaml
@@ -0,0 +1,110 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: wekantest
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: 'https://wekan.github.io/charts/'
    chart: wekan
    targetRevision: 8.*.*
    helm:
      values: |
        replicaCount: 1
        dbname: wekan
        env:
          - name: MONGO_URL
            value: mongodb://wekantest-mongodb:27017/wekan
          - name: MAIL_URL
            value: smtp://192.168.4.125:25?ignoreTLS=true&tls={rejectUnauthorized:false}&secure=false
          - name: MAIL_FROM
            value: Noreplay admin@innovation-hub-niedersachsen.de
          - name: OAUTH2_ENABLED
            value: "true"
          - name: OAUTH2_LOGIN_STYLE
            value: "redirect"
          - name: OAUTH2_CLIENT_ID
            value: "wekantest"
          - name: OAUTH2_SERVER_URL
            value: "https://keycloak.innovation-hub-niedersachsen.de"
          - name: OAUTH2_AUTH_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/auth"
          - name: OAUTH2_USERINFO_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/userinfo"
          - name: OAUTH2_TOKEN_ENDPOINT
            value: "/realms/innohub/protocol/openid-connect/token"
          - name: OAUTH2_SECRET
            value: "cOJpL4jiiA6OL8fFqA3lb4KCbxjjl7AQ"
          - name: OAUTH2_ID_MAP
            value: "sub"
          - name: OAUTH2_USERNAME_MAP
            value: "preferred_username"
          - name: OAUTH2_EMAIL_MAP
            value: "email"
          - name: OAUTH2_FULLNAME_MAP
            value: "name"
          - name: OAUTH2_ADFS_ENABLED
            value: "false"
          - name: OAUTH2_B2C_ENABLED
            value: "false"
          - name: OAUTH2_REQUEST_PERMISSIONS
            value: "openid profile email"
        end_point: wekantest.innovation-hub-niedersachsen.de
        root_url: https://wekantest.innovation-hub-niedersachsen.de
        # Probe-Einstellungen anpassen
        livenessProbe:
          enabled: true
          initialDelaySeconds: 60
          periodSeconds: 15
          timeoutSeconds: 10
          failureThreshold: 5
        readinessProbe:
          enabled: true
          initialDelaySeconds: 20
          periodSeconds: 15
          timeoutSeconds: 10
          failureThreshold: 3
        ingress:
          enabled: true
          annotations: 
            kubernetes.io/ingress.class: traefik
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            traefik.ingress.kubernetes.io/router.tls: "true"
            cert-manager.io/cluster-issuer: lets-encrypt
          hosts:
            - wekantest.innovation-hub-niedersachsen.de
          tls:
            - secretName: wekantest-tls
              hosts:
                - wekantest.innovation-hub-niedersachsen.de
        route:
          enabled: false
        sharedDataFolder:
          enabled: true
          storageClass: longhorn
        mongodb:
          enabled: true
          storage:
            className: longhorn
          nodeSelector:
            kubernetes.io/hostname: k3s-prod
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: wekantest
  syncPolicy:
    managedNamespaceMetadata:
      labels: 
        pod-security.kubernetes.io/enforce: "privileged"
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/apps/wordpress/wordpress.yaml
+++ b/argocd/apps/wordpress/wordpress.yaml
@@ -9,7 +9,7 @@ spec:
  source:
    repoURL: 'registry-1.docker.io/bitnamicharts'
    path: wordpress
-    targetRevision: 25.*.*
+    targetRevision: 28.*.*
    chart: wordpress
    helm:
      parameters:
--- a/config/.idea/.gitignore
+++ b/config/.idea/.gitignore
@@ -0,0 +1,10 @@
 # Default ignored files
 /shelf/
 /workspace.xml
 # Ignored default folder with query files
 /queries/
 # Datasource local storage ignored files
 /dataSources/
 /dataSources.local.xml
 # Editor-based HTTP Client requests
 /httpRequests/
--- a/config/.idea/IntelliLang.xml
+++ b/config/.idea/IntelliLang.xml
@@ -0,0 +1,151 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
  <component name="LanguageInjectionConfiguration">
    <injection language="SQL" injector-id="java">
      <display-name>AsyncQueryRunner (org.apache.commons.dbutils)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameterCount(2).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("insertBatch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("batch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("insertBatch").withParameterCount(4).definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.AsyncQueryRunner"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>Jodd (jodd.db)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query").withParameterCount(1).definedInClass("jodd.db.DbQuery"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("DbQuery").withParameterCount(2).definedInClass("jodd.db.DbQuery"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query").withParameterCount(2).definedInClass("jodd.db.DbQuery"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(2, psiMethod().withName("DbQuery").withParameterCount(3).definedInClass("jodd.db.DbQuery"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>MyBatis @Select/@Delete/@Insert/@Update</display-name>
      <single-file value="true" />
      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Delete")]]></place>
      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Insert")]]></place>
      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Select")]]></place>
      <place><![CDATA[psiMethod().withName("value").withParameters().definedInClass("org.apache.ibatis.annotations.Update")]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>QueryRunner (org.apache.commons.dbutils)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameterCount(2).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("insertBatch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "insert", "execute").withParameters("java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update").withParameters("java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("update", "execute").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("batch").withParameterCount(3).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("insertBatch").withParameterCount(4).definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("query", "insert", "execute").withParameters("java.sql.Connection", "java.lang.String", "org.apache.commons.dbutils.ResultSetHandler").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(1, psiMethod().withName("update", "execute").withParameters("java.sql.Connection", "java.lang.String", "java.lang.Object...").definedInClass("org.apache.commons.dbutils.QueryRunner"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>R2DBC (io.r2dbc)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("add").definedInClass("io.r2dbc.spi.Batch"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("createStatement").definedInClass("io.r2dbc.spi.Connection"))]]></place>
    </injection>
    <injection language="PostgreSQL" injector-id="java">
      <display-name>Reactiverse Postgres Client (io.reactiverse)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgTransaction"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgPool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.reactiverse.reactivex.pgclient.PgTransaction"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.axle.pgclient.PgClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.reactiverse.pgclient.PgPool"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>SmallRye Axle SqlClient (io.vertx.axle.sqlclient)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.axle.sqlclient.Pool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.axle.sqlclient.SqlClient"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>SmallRye Mutiny SqlClient (io.vertx.mutiny.sqlclient)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mutiny.sqlclient.Pool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mutiny.sqlclient.SqlClient"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>SmallRye Mutiny SqlConnection (io.vertx.mutiny.sqlclient)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.db2client.DB2Connection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.mssqlclient.MSSQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.mysqlclient.MySQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("prepare", "prepareAndAwait").definedInClass("io.vertx.mutiny.pgclient.PgConnection"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>Vert.x SQL Extensions (io.vertx.ext.sql)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.ext.sql.SQLClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.ext.sql.SQLOperations"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams").definedInClass("io.vertx.ext.sql.SQLConnection"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>Vert.x SQL Reactive Extensions (io.vertx.reactivex.ext.sql)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLOperations"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams", "rxQuerySingle", "rxQuerySingleWithParams", "rxQuery", "rxQueryWithParams", "rxQueryStream", "rxQueryStreamWithParams", "rxUpdate", "rxUpdateWithParams", "rxCall", "rxCallWithParams", "rxExecute", "rxBatchWithParams", "rxBatchCallableWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "queryWithParams", "queryStream", "queryStreamWithParams", "querySingle", "querySingleWithParams", "update", "updateWithParams", "call", "callWithParams", "execute", "batchWithParams", "batchCallableWithParams", "rxQuerySingle", "rxQuerySingleWithParams", "rxQuery", "rxQueryWithParams", "rxQueryStream", "rxQueryStreamWithParams", "rxUpdate", "rxUpdateWithParams", "rxCall", "rxCallWithParams", "rxExecute", "rxBatchWithParams", "rxBatchCallableWithParams").definedInClass("io.vertx.reactivex.ext.sql.SQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.AsyncSQLClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.MySQLClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("querySingle", "rxQuerySingle", "querySingleWithParams", "rxQuerySingleWithParams").definedInClass("io.vertx.reactivex.ext.asyncsql.PostgreSQLClient"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>Vert.x SqlClient (io.vertx.sqlclient)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mssqlclient.MSSQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.mysqlclient.MySQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.pgclient.PgConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.Pool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.SqlClient"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.SqlConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch").definedInClass("io.vertx.sqlclient.Transaction"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>Vert.x SqlClient RxJava2 (io.vertx.reactivex.sqlclient)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.mysqlclient.MySQLConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.pgclient.PgConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.SqlConnection"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPrepare", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.Transaction"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.mysqlclient.MySQLPool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.pgclient.PgPool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.Pool"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "prepare", "preparedQuery", "preparedBatch", "rxQuery", "rxPreparedQuery", "rxPreparedBatch").definedInClass("io.vertx.reactivex.sqlclient.SqlClient"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>jOOQ (org.jooq.DSLContext)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("batch").withParameters("java.lang.String", "java.lang.Object[]...").definedInClass("org.jooq.DSLContext"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "fetch", "fetchLazy", "fetchAsync", "fetchStream", "fetchMany", "fetchOne", "fetchSingle", "fetchOptional", "fetchValue", "fetchOptionalValue", "fetchValues", "execute", "resultQuery").withParameters("java.lang.String", "java.lang.Object...").definedInClass("org.jooq.DSLContext"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("query", "fetch", "fetchLazy", "fetchAsync", "fetchStream", "fetchMany", "fetchOne", "fetchSingle", "fetchOptional", "fetchValue", "fetchOptionalValue", "fetchValues", "execute", "resultQuery", "batch").withParameters("java.lang.String").definedInClass("org.jooq.DSLContext"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(psiMethod().withName("batch").withParameters("java.lang.String...").definedInClass("org.jooq.DSLContext"))]]></place>
    </injection>
    <injection language="SQL" injector-id="java">
      <display-name>rxjava2-jdbc (org.davidmoten.rx.jdbc)</display-name>
      <single-file value="true" />
      <place><![CDATA[psiMethod().withName("value").definedInClass("org.davidmoten.rx.jdbc.annotations.Query")]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("call", "select", "update").definedInClass("org.davidmoten.rx.jdbc.Database"))]]></place>
      <place><![CDATA[psiParameter().ofMethod(0, psiMethod().withName("call", "select", "update").definedInClass("org.davidmoten.rx.jdbc.TransactedBuilder"))]]></place>
    </injection>
  </component>
 </project>
--- a/config/.idea/config.iml
+++ b/config/.idea/config.iml
@@ -0,0 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <module type="JAVA_MODULE" version="4">
  <component name="NewModuleRootManager" inherit-compiler-output="true">
    <exclude-output />
    <content url="file://$MODULE_DIR$" />
    <orderEntry type="inheritedJdk" />
    <orderEntry type="sourceFolder" forTests="false" />
  </component>
 </module>
--- a/config/.idea/misc.xml
+++ b/config/.idea/misc.xml
@@ -0,0 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
  <component name="ProjectRootManager" version="2">
    <output url="file://$PROJECT_DIR$/out" />
  </component>
 </project>
--- a/config/.idea/modules.xml
+++ b/config/.idea/modules.xml
@@ -0,0 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
  <component name="ProjectModuleManager">
    <modules>
      <module fileurl="file://$PROJECT_DIR$/.idea/config.iml" filepath="$PROJECT_DIR$/.idea/config.iml" />
    </modules>
  </component>
 </project>
--- a/config/.idea/vcs.xml
+++ b/config/.idea/vcs.xml
@@ -0,0 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
  <component name="VcsDirectoryMappings">
    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
  </component>
 </project>
--- a/config/brain/brain-ingressroute.yaml
+++ b/config/brain/brain-ingressroute.yaml
@@ -0,0 +1,53 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: brain-stripprefix
  namespace: kube-system
 spec:
  stripPrefix:
    prefixes:
      - /
 ---
 apiVersion: traefik.io/v1alpha1
 kind: ServersTransport
 metadata:
  name: brain-transport
  namespace: kube-system
 spec:
  insecureSkipVerify: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: brain-external
  namespace: kube-system
  annotations:
    cert-manager.io/cluster-issuer: "lets-encrypt"
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`brain.innovation-hub-niedersachsen.de`)
      kind: Rule
      services:
        - name: brain-external-service
          port: 8083
          scheme: http
          serversTransport: brain-transport
      middlewares:
        - name: brain-stripprefix
  tls:
    secretName: brain-tls
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: brain-external-service
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: 192-168-4-106.nip.io
  ports:
    - port: 8083
      targetPort: 8083
--- a/config/hemmelig/hemmelig-ingressroute.yaml
+++ b/config/hemmelig/hemmelig-ingressroute.yaml
@@ -22,6 +22,8 @@ kind: IngressRoute
 metadata:
  name: hemmelig-external
  namespace: kube-system
  annotations:
    cert-manager.io/cluster-issuer: "lets-encrypt"
 spec:
  entryPoints:
    - websecure
--- a/config/minio/minio-policies-configmap.yaml
+++ b/config/minio/minio-policies-configmap.yaml
@@ -0,0 +1,61 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: minio-policies
  namespace: minio
 data:
  # Policy: Vollzugriff auf tatort
  policy-tatort.json: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": ["arn:aws:s3:::tatort"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload"
          ],
          "Resource": ["arn:aws:s3:::tatort/*"]
        }
      ]
    }
  # Policy: Vollzugriff auf tatort-dev
  policy-tatort-dev.json: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": ["arn:aws:s3:::tatort-dev"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload"
          ],
          "Resource": ["arn:aws:s3:::tatort-dev/*"]
        }
      ]
    }
--- a/config/minio/minio-setup-job.yaml
+++ b/config/minio/minio-setup-job.yaml
@@ -0,0 +1,77 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: minio-setup-users
  namespace: minio
 spec:
  ttlSecondsAfterFinished: 600
  backoffLimit: 5
  template:
    spec:
      restartPolicy: OnFailure
      volumes:
        - name: policies
          configMap:
            name: minio-policies
      containers:
        - name: mc
          image: minio/mc:latest
          volumeMounts:
            - name: policies
              mountPath: /policies
          env:
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: minio
                  key: root-password
            - name: TATORT_ACCESS
              valueFrom:
                secretKeyRef:
                  name: minio-users
                  key: tatort-access-key
            - name: TATORT_SECRET
              valueFrom:
                secretKeyRef:
                  name: minio-users
                  key: tatort-secret-key
            - name: TATORT_DEV_ACCESS
              valueFrom:
                secretKeyRef:
                  name: minio-users
                  key: tatort-dev-access-key
            - name: TATORT_DEV_SECRET
              valueFrom:
                secretKeyRef:
                  name: minio-users
                  key: tatort-dev-secret-key
          command:
            - /bin/sh
            - -c
            - |
              set -e
              echo "Warte auf MinIO..."
              sleep 10
              echo "Verbinde mit MinIO..."
              mc alias set myminio http://minio:9000 admin $MINIO_ROOT_PASSWORD
              echo "Erstelle Buckets (falls nicht vorhanden)..."
              mc mb --ignore-existing myminio/tatort
              mc mb --ignore-existing myminio/tatort-dev
              echo "Erstelle Policies..."
              mc admin policy create myminio policy-tatort /policies/policy-tatort.json || true
              mc admin policy create myminio policy-tatort-dev /policies/policy-tatort-dev.json || true
              echo "Erstelle Benutzer..."
              mc admin user add myminio $TATORT_ACCESS $TATORT_SECRET || true
              mc admin user add myminio $TATORT_DEV_ACCESS $TATORT_DEV_SECRET || true
              echo "Weise Policies zu..."
              mc admin policy attach myminio policy-tatort --user $TATORT_ACCESS
              mc admin policy attach myminio policy-tatort-dev --user $TATORT_DEV_ACCESS
              echo "Setup abgeschlossen!"
              mc admin user list myminio
--- a/config/minio/minio-users-secret.yaml
+++ b/config/minio/minio-users-secret.yaml
@@ -0,0 +1,13 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: minio-users
  namespace: minio
 type: Opaque
 stringData:
  # tatort: Zugriff nur auf tatort
  tatort-access-key: "GxKhfnfkNvlDU7qzsz0D"
  tatort-secret-key: "cqSM5rIRr4MPtqzu2sNKgmB9k2OghPbyxwAWogeM"
  # tatort-dev: Zugriff nur auf tatort-dev
  tatort-dev-access-key: "AbCdEfGhIjKlMnOpQrSt"
  tatort-dev-secret-key: "UvWxYz1234567890AbCdEfGhIjKlMnOpQrStUvWx"
--- a/config/passbolt/passbolt-ingressroute.yaml
+++ b/config/passbolt/passbolt-ingressroute.yaml
@@ -0,0 +1,53 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: passbolt-stripprefix
  namespace: kube-system
 spec:
  stripPrefix:
    prefixes:
      - /
 ---
 apiVersion: traefik.io/v1alpha1
 kind: ServersTransport
 metadata:
  name: passbolt-transport
  namespace: kube-system
 spec:
  insecureSkipVerify: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: passbolt-external
  namespace: kube-system
  annotations:
    cert-manager.io/cluster-issuer: "lets-encrypt"
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`passbolt.innovation-hub-niedersachsen.de`)
      kind: Rule
      services:
        - name: passbolt-external-service
          port: 3001
          scheme: http
          serversTransport: passbolt-transport
      middlewares:
        - name: passbolt-stripprefix
  tls:
    secretName: passbolt-tls
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: passbolt-external-service
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: 192-168-4-106.nip.io
  ports:
    - port: 3001
      targetPort: 3001
--- a/config/seaweedfs/admin-s3-secrets.yaml
+++ b/config/seaweedfs/admin-s3-secrets.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
  name: admin-s3-secret
  namespace: seaweedfs
  labels:
    app.kubernetes.io/name: seaweedfs
    app.kubernetes.io/component: seaweedfs-s3
 stringData:
  seaweedfs_s3_config: |
    {
      "identities": [
        {
          "name": "tatort",
          "credentials": [
            {
              "accessKey": "wjpKrmaqXra99rX3D61H",
              "secretKey": "fTPi0u0FR6Lv9Y9IKydWv6WM0EA5XrsK008HCt9u"
            }
          ],
          "actions": ["Read", "Write", "Admin"]
        },
        {
          "name": "plane",
          "credentials": [
            {
              "accessKey": "a0ccb47cc0994bf51ecd",
              "secretKey": "0d54ee2f943f2a56b8cafc3afe9cb1e2f9fecac2"
            }
          ],
          "actions": ["Read", "Write", "Admin"]
        },
        {
          "name": "n8n",
          "credentials": [
            {
              "accessKey": "WPpTwIoSMgrPChsS3rdS",
              "secretKey": "C59o3EAhsUKBWj1oiPtiYRq3GhLMFeYDeiMxJ4SW"
            }
          ],
          "actions": ["Read", "Write", "Admin"]
        }
      ]
    }
--- a/config/seaweedfs/backup/astronaut.glb
+++ b/config/seaweedfs/backup/astronaut.glb
--- a/config/seaweedfs/backup/recovery/tatort_60.dat
+++ b/config/seaweedfs/backup/recovery/tatort_60.dat
--- a/config/seaweedfs/backup/recovery/tatort_62.dat
+++ b/config/seaweedfs/backup/recovery/tatort_62.dat
--- a/config/seaweedfs/backup/recovery/uploads_110.dat
+++ b/config/seaweedfs/backup/recovery/uploads_110.dat
--- a/config/seaweedfs/backup/recovery/uploads_111.dat
+++ b/config/seaweedfs/backup/recovery/uploads_111.dat
--- a/config/seaweedfs/backup/recovery/uploads_112.dat
+++ b/config/seaweedfs/backup/recovery/uploads_112.dat
--- a/config/seaweedfs/backup/recovery/uploads_113.dat
+++ b/config/seaweedfs/backup/recovery/uploads_113.dat
--- a/config/seaweedfs/backup/recovery/uploads_114.dat
+++ b/config/seaweedfs/backup/recovery/uploads_114.dat
--- a/config/seaweedfs/backup/tatort_62.dat
+++ b/config/seaweedfs/backup/tatort_62.dat
--- a/config/seaweedfs/backup/tatort_large.bin
+++ b/config/seaweedfs/backup/tatort_large.bin
--- a/config/vaultwarden/vaultwarden-ingressroute.yaml
+++ b/config/vaultwarden/vaultwarden-ingressroute.yaml
@@ -0,0 +1,53 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: vaultwarden-stripprefix
  namespace: kube-system
 spec:
  stripPrefix:
    prefixes:
      - /
 ---
 apiVersion: traefik.io/v1alpha1
 kind: ServersTransport
 metadata:
  name: vaultwarden-transport
  namespace: kube-system
 spec:
  insecureSkipVerify: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: vaultwarden-external
  namespace: kube-system
  annotations:
    cert-manager.io/cluster-issuer: "lets-encrypt"
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vaultwarden.innovation-hub-niedersachsen.de`)
      kind: Rule
      services:
        - name: vaultwarden-external-service
          port: 3003
          scheme: http
          serversTransport: vaultwarden-transport
      middlewares:
        - name: vaultwarden-stripprefix
  tls:
    secretName: vaultwarden-tls
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: vaultwarden-external-service
  namespace: kube-system
 spec:
  type: ExternalName
  externalName: 192-168-4-106.nip.io
  ports:
    - port: 3003
      targetPort: 3003