ESS Community Helm Chart 25.9.1 (2025-09-17)

Added

• MatrixRTC: Add sfu.useStunToDiscoverPublicIP and sfu.manualIP values to simplify networking configuration.

  Warning: In version 25.10, these values will override any manually set rtc.external_ip and rtc.node_ip
  configured through sfu.additional additional configuration. (#733)

Changed

• Update Element Web to v1.11.112.

  Highlights:

  • Fix CVE-2025-59161 / GHSA-m6c8-98f4-75rr

  Full Changelogs:

  • v1.11.112

  (#739)

Internal

• Update the matrix-stack chart's .helmignore file to ignore Vim swap files. (#724)
• Update tests to grant MAS users with access to the Synapse admin API when requested. (#728)
• CI: Make sure tests fixtures errors are not silenced. (#729)
• CI: Raise an error if the pod is not ready when we want to run it. (#730)
• CI: Do not delete failed curl pods during metrics endpoints tests. (#732)
• Restart curl pods on failure when fetching metrics. (#737)

ESS Community Helm Chart 25.9.0 (2025-09-10)

Added

• Add /_synapse/ess/version to the Synapse ingress exposing the chart version and edition. (#715)

Changed

• Turn on push notifications for encrypted messages (MSC4028) support by default. (#712)

• Update Element Web to v1.11.111.

  Highlights:

  • Remember whether sidebar is shown for calls when switching rooms
  • Fix room joining over federation not specifying via's or using aliases

  Full Changelogs:

  • v1.11.111

  (#716)

• Upgrade Synapse to v1.138.0.

  Highlights:

  • Support for the stable endpoint and scopes of MSC3861 & co.

  Full Changelogs:

  • v1.138.0

  (#717)

• Update Matrix Authentication Service to v1.2.0.

  Highlights:

  • Translation updates

  Full Changelogs:

  • v1.2.0

  (#718)

• Use unique names for component configuration files, to prevent them from clashing against identically-named files in pods that deploy those components. (#723)

Internal

• CI: Check labels values against validation regex. (#705)
• CI: Check PVC presence only for existing workloads. (#705)
• Fix typo in "jitter_delay" config keys used in CI tests. (#722)

ESS Community Helm Chart 25.8.3 (2025-08-27)

Changed

• Improvements to the ESS Community README. (#678)

• Improved the documentation around the values file required for external vs internal PostgreSQL servers. (#688)

• Update Matrix Authentication Service to v1.1.0.

  Highlights:

  • Support for stable Matrix native OIDC scopes

  Full Changelogs:

  • v1.0.0
  • v1.1.0

  (#689)

• Switch to stabilised Matrix Authentication Service <-> Synapse configuration.

  matrixAuthenticationService.synapseOIDCClientSecret has been removed from the values
  schema and must be removed from your values files if set. (#689)

• Upgrade Synapse to v1.137.0.

  Highlights:

  • Stabilise support for delegating authentication to Matrix Authentication Service
  • Add support for MSC4293 - Redact on Kick/Ban

  Full Changelogs:

  • v1.136.0
  • v1.137.0

  (#689)

• Update Element Web to v1.11.110.

  Highlights:

  • Show a blue lock for unencrypted rooms and hide the grey shield for encrypted rooms
  • Fix matrix.to links not being handled in the app

  Full Changelogs:

  • v1.11.110

  (#690)

• Support configuring a different cluster domain for internal Service references. (#692)

• Documentation: Email is not required any more to set up Let's Encrypt. (#704)

Fixed

• Fix incorrectly routing unsupported room admin API requests to workers. (#685)
• Ensure Matrix RTC authoriser can contact itself in the test cluster. (#687)

Internal

• Add dockerhub secrets to curl pods used in pytest. (#669)
• CI: Add Spell Checks in markdown documentation. (#696)

ESS Community Helm Chart 25.8.2 (2025-08-21)

Fixed

• Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id. (#682)

ESS Community Helm Chart 25.8.1 (2025-08-11)

Changed

• Update Element Web to v1.11.109.

  Highlights :

  • Add support for the new room version 12
  • Allow /upgraderoom command without developer mode enabled
  • Support for creator/owner power level
  • Various icons and visual changes

  (#663)

• Update Synapse to v1.135.2.

  Highlights :

  • This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.
  • The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

  (#664)

Internal

• CI: remove flakes in test_routes_to_synapse_workers_correctly by streaming logs from all HAProxy Pods, not just the current ones. (#654, #655)
• Speed-up the tests asserting the possibility not to create service accounts per components. (#659)
• CI: Fix external contributors CI runs not running properly. (#661)
• Add a helper to build synapse internal hostport in helm templates. (#662)

ESS Community Helm Chart 25.8.0 (2025-08-06)

Added

• Document how to configure k3s traefik timeouts. (#617)

Changed

• Default Synapse to requiring TLS 1.2 or later.

  This can be overridden in additional configuration. (#609)

• Set Element X as app to be pointed to when accessing Element Web from a mobile browser. (#610)

• Document in CI values example that deploymentMarkers is default enabled. (#620)

• Upgrade Matrix Authentication Service to v0.20.0.

  Highlights:

  • Support receiving OpenID Connect Back-Channel Logout notifications
  • Support linking of upstream accounts to existing users when the localpart matches
  • Make email address lookups case-insensitive
  • Improve spec compliance of upstream OAuth 2.0 client auth methods

  Full Changelog:

  • v0.19.0
  • v0.20.0

  (#634)

• Upgrade lk-jwt-service to 0.3.0.

  Highlights:

  • Support restricting Matrix room creation to local homeserver only.
    Configure this through matrixRTC.restrictRoomCreationToLocalUsers. Default to false for now until clients support this new feature.

  Full Changelog:

  • 0.3.0

  (#635)

• Upgrade Element Web to v1.11.108.

  Highlights:

  • Allow Element Call to learn the room name
  • Save image on Ctrl/Cmd + S

  Full Changelog:

  • v1.11.106
  • v1.11.107
  • v1.11.108

  (#638)

• Introduce a device-lists worker for Synapse. (#639)

• Update worker capable paths for Synapse v1.135.0. (#639)

• Upgrade Synapse to v1.135.0.

  Highlights:

  • MSC4267 support - automatically forgetting rooms on leave
  • Advertise support for Matrix v1.12
  • Add ability to limit amount of media uploaded by a user in a given time period
  • Support arbitrary profile fields

  Full Changelog:

  • v1.134.0
  • v1.135.0

  (#639)

• Split the receipts-account worker type into account-data and receipts workers.

  If you've configured synapse.workers.receipts-account this is no longer valid and your configuration should be updated to
  setup synapse.workers.account-data and/or synapse-workers.receipts as appropriate. (#640)

• Remove support for /.well-known/element/element.json.

  It isn't used by clients of ESS Community.

  If you've set it, please remove wellKnownDelegation.additional.element from your values files. (#641)

• Source whether Synapse workers are single or scalable from the values rather than maintaining a list of single vs scalable workers. (#644)

• Source whether Synapse workers serve HTTP endpoints or have replication from other configuration to improve consistency of configuration. (#645)

• Update matrix-tools to 0.5.5. (#652)

Fixed

• Synapse: fix requests being routed to initial-synchrotron incorrectly. (#632, #642, #643, #646)
• Fix incorrect routing for Matrix Authentication Service related Synapse Admin API paths during migration. (#639)

Internal

• Refactor matrix-tools handling of subcommand. (#592)
• CI: change the comparision branch for the dyff job after the change to the source branch. (#602)
• Add the ability to regenerate a single file in charts/matrix-stack/ci. (#603)
• Add the ability to generate values files in charts/matrix-stack/user_values from charts/matrix-stack/ci/fragments. (#605)
• CI: just list manifests in that dyff that are added/deleted rather than any metadata about them. (#606)
• CI: improve testing of TLS certificates with intermediates. (#612)
• CI: handle deploymentMarkers not being enabled in various some PyTests. (#621)
• CI: remove deploymentMarkers from {synapse,matrix-authentication-service}(-checkov)-values.yaml as no extra values are required if deployment markers aren't enabled. (#621)
• CI: add checkov values file that covers all default enabled components. (#621)
• CI: sort list of source_fragments in CI values files. (#622, #623)
• CI: check automount service account policy against Job in tests. (#625)
• CI: refactor test users in integration tests. (#626)
• CI: fix flaking tests when checking upgrades. (#627)
• CI: in tests, wait for all replicasets to be ready before checking service endpoints and monitored pods. (#629)
• CI: in tests for pods to services labels match, skip pods part of a previous-generation replicaset. (#630)
• CI: fix warnings about wrong checkout action parameters. (#636)

ESS Community Helm Chart 25.7.0 (2025-07-02)

Changed

• Don't set hostAliases on the Synapse config job as it just operates on the config files. (#574)

• Upgrade Element Web to v1.11.105.

  Highlights:

  • Improvements to the new room list (in labs)
  • Support for custom message components via Module API

  Full Changelog:

  • v1.11.105

  (#575)

• Upgrade Synapse to v1.133.0.

  Highlights:

  • Add support for the MSC4260 user report API

  Full Changelog:

  • v1.133.0

  (#577)

• Upgrade Matrix Authentication Service to v0.18.0.

  Full Changelog:

  • v0.18.0

  (#578)

• Document how to re-run integration tests from scratch. (#579)

• Better document uninstallation of, and the stores of state managed by the chart. (#585)

• Don't push chart OCI images for every PR. (#589, #591)

• Tweak changelog sections ordering. (#600)

Fixed

• Fix Matrix RTC SFU ServiceMonitor not working. (#569)

• Fix Matrix Authentication Service not using the hostAliases set in the values. (#573)

• Fix Matrix RTC Authoriser not having default hostAliases values. (#573)

• Fix Postgres and Synapse Media storageClassName configuration not being respected.

  Warning Previously synapse.media.storage.storageClass and postgres.storage.storageClass
  were in the values file and associated schema. These values were accidentally silently ignored
  and all chart-managed PersistentVolumeClaims were constructed without spec.storageClassName
  set, using the cluster default StorageClass.

  The values file and associated schema have been updated so that the values are now
  synapse.media.storage.storageClassName and postgres.storage.storageClassName. The previous
  values are disallowed by the schema. Setting these values after the initial install could
  cause the PersistentVolumeClaims to be recreated, with associated data-loss. Only set
  synapse.media.storage.storageClassName or postgres.storage.storageClassName on initial
  installation. (#582, #583)

Removed

• Remove Matrix RTC Authoriser ServiceMonitor as the Authoriser has no metrics endpoint. (#569)
• Remove hostAliases support from Matrix RTC SFU as it doesn't make outbound requests. (#574)

Internal

• CI: test that the default values includes stub settings (and thus comments) for various properties. (#573)
• CI: test that hostAliases are correctly set for all workloads that make outbound requests. (#573, #574)
• CI: improve the test cluster setup for Matrix RTC. (#579)
• CI: improve testing of chart managed PersistentVolumeClaims. (#582)
• CI: test nodeSelectors are appropriately configured. (#583)
• CI: simplify which commit we checkout. (#586)
• CI: switch to using pull_request triggers. (#586)
• CI: don't push artifacthub metadata on PRs. (#589)
• CI: be explicit about what permissions are workflow/job requires. (#589)
• CI: allow dyff job to work on forks. (#589, #594)
• Tests: don't check services matching labels against terminating pods. (#595, #598)
• Add yamllint ct dependency to poetry.toml. (#596)
• Prepare for 25.7.0 release. (#597)
• CI: run the preview-changelog job on main and manually as well as PRs. (#599)

ESS Community Helm Chart 25.6.2 (2025-06-19)

Fixed

• matrix-tools: Skip any completed pods when scaling down synapse pods in syn2mas migration. (#546)
• Fix Matrix RTC's SFU constructing an invalid Service if given too wide a nodePort range. (#549)
• Fix comments around the image tag and digest in the values file. (#553)
• Fix certificate name inconsistencies between setup docs and values file fragments. (#555)
• Fix MatrixRTC RTCSession Error if a push-rules Synapse worker is enabled. (#557)
• Fix extraEnv with duplicate keys not being correctly merged. (#559)
• Document the need for removal of generated secrets & deployment marker configmap when uninstalling. (#567)

Changed

• Omit the UDP port range metadata for Matrix RTC's SFU if the range is larger than 100 ports. (#549)

• Remove warning about deprecated prometheus_port config value in Matrix RTC SFU. (#550)

• Upgrade Matrix RTC SFU to v1.9.0.

  Full changelogs:

  • v1.8.0
  • v1.8.1 - no changelog
  • v1.8.2 - no changelog
  • v1.8.3
  • v1.8.4
  • v1.9.0

  (#552)

• Document extraEnv in values.yaml for every workload. (#559)

• Consistently handle user provided extraEnv versus chart configured env.

  Chart configured env should win. (#559)

• Upgrade Matrix Authentication Service to v0.17.1.

  Highlights:

  • Support Registration Tokens

  Full changelog:

  • v0.17.0
  • v0.17.1

  (#564)

• Upgrade Element Web to v1.11.104.

  Highlights:

  • Implement MSC4155 invite filtering
  • Add /share?msg= endpoint using the forward message dialogue

  Full changelog:

  • v1.11.104

  (#565)

• Upgrade Synapse to v1.132.0.

  Highlights:

  • Implement MSC4155 invite filtering
  • Successful requests to /_matrix/app/v1/ping will now force Synapse to reattempt delivering transactions to appservices.

  Full changelog:

  • v1.132.0

  (#566)

Internal

• CI: Test upgrades against the nearest reachable tag and not the most recently created. (#547)
• CI: Enhance dyff jobs output to print yaml manifests in a single block code. (#548)
• Ensure example NodePort values use ports within kind's NodePort range. (#551)
• Run integration tests with kind 0.29.0. (#563)

ESS Community Helm Chart 25.6.1 (2025-06-10)

Security

• Upgrade Element Web to v1.11.103 for GHSA-x958-rvg6-956w.

  Resolves GHSA-x958-rvg6-956w

  • Check the sender of an event matches owner of session, preventing sender spoofing by homeserver owners.

  (#541)

Added

• Add support for Syn2Mas migration. See matrixAuthenticationService.syn2mas documentation in values file for more information. (#454, #527)

Changed

• Name secrets mounted based on a hash of their names instead of an index. (#519)

• matrixRTC.sfu.additional now uses the same additional properties schema as Matrix Authentication Service and Synapse.

  Values can be specified inline:

  matrixRTC:
    sfu:
      additional:
        your-config.yaml: |
          example: value

  Or referencing an existing Secret in-cluster:

  matrixRTC:
    sfu:
      additional:
        another-config.yaml:
          configSecret: "{{ $.Release.Name }}-mrtc-external"
          configSecretKey: config

  Setting matrixRTC.sfu.additional to a string value is no longer supported or allowed. (#529, #535)

• matrix-tools: Update to 0.5.2 to support syn2mas migration command. (#532, #534)

Internal

• CI: Dont pass go-version to golanglint-ci action. (#521)
• CI: Truncate added files in dyff comment. (#523)
• CI: Test chart upgrades. (#524)
• CI: Run mypy against integration tests. (#525)
• CI: Add a test to assert labels key length. (#528)
• CI: Expect 429s to happen on chart version upgrade tests. (#530)
• CI: Fix an internal issue where aiohttp expected errors were not retried. (#531)
• Rename the templates for Matrix RTC Authorisation Service for clarity. (#533)
• CI: Test that podAntiAffinity for Deployments is not strict anti-affinity. (#536, #537)
• CI: Verify podAntiAffinity against kubeconform. (#540)
• Don't send set changelog entries in the artifacthub metadata. (#542)
• Reorder changelog sections. (#544)

ESS Community Helm Chart 25.6.0 (2025-06-05)

Added

• Add a new deploymentMarkers job which prevent users from accidentally breaking their setup by choosing incompatible values. (#487)
• Add a NOTES.txt for some post-setup messages. (#491, #509)
• Add support for Matrix Authentication Service replicas. (#515)
• Add support for Matrix RTC Authorisation Service replicas. (#515)

Changed

• Improve the validation that for every image the tag and/or the digest is set. (#484)

• Improve the validation on set properties for external Postgreses. (#485)

• Add example config for Nginx reverse proxy. (#486)

• Restrict some Synapse worker names such that release_names can be 29 characters long. (#494)

• Improve validation messages for values that are templated. (#497)

• Rename synapse-check-config-hook to synapse-check-config for consistency with init-secrets and deployment-markers. (#501)

• Upgrade Synapse to v1.131.0.

  Highlights:

  • Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263.
  • Add option to allow registrations that begin with _.
  • Add support for calling Policy Servers (MSC4284) to mark events as spam.

  (#511)

• Upgrade Element Web to v1.11.102.

  Highlights:

  • Modernize the recovery key input modal.
  • General enhancements of the new room list (sorting, filtering, etc.).
  • Prompt the user when key storage is unexpectedly off.

  (#512)

• Configure Synapse appropriately for Element Call when matrixRTC is enabled. (#513)

• Set deployments maxUnavailable to 0 if it has only one replicas. (#515)

• Pull Synapse from ghcr.io/element-hq/synapse rather than the legacy repository on Docker Hub. (#517)

• Pull Element Web from ghcr.io/element-hq/element-web rather than the legacy repository on Docker Hub. (#518)

Fixed

• Fix routing to the initial-synchrotron worker in HAProxy. (#494)
• Ensure the names of Secrets in volume/volumeMounts don't have names that are too long. (#495)
• Fix initial-synchrotron paths not falling back to main if the worker is unavailable. (#508)
• Matrix RTC: Set proxy timeout and enforce disabled buffering nginx-ingress controllerType annotations if SFU is enabled. (#514)

Internal

• Add tests to verify that additional.config/configSecret/configSecretKey is properly being used. (#483)
• Make it easier to write manifest tests where sub-components and sidecars read values from their parent component. (#484)
• Refactor to use a common helper for render-config additional mechanism. (#488)
• Improve error messages in pod images manifest test. (#492)
• Simplify manifest tests by making template_to_deployable_details an import not a fixture. (#492)
• Use internal render-config helper for the SFU keys.yaml generation. (#493)
• Validate manifest name lengths in tests. (#494)
• Validate that workload selectors match the labels in the template. (#496)
• Validate that covering manifests are named consistently with what they cover. (#496)
• Validate manifests set the namespace correctly. (#496)
• Consistently use template_id helper for identifying manifests. (#500)
• Unpin from Helm 3.17.3 after helm/helm#30878 / helm/helm#30880 are fixed. (#502)
• CI: Enhance dyff comment formatting. (#510)