Release Notes

ESS Pro 25.12.0 (2025-12-04)

Removed / Breaking Changes

Remove support for elementWeb.inject configuration as it is unused.
Remove the ability to set rtc.{use_external_ip,node_ip} via matrixRTC.sfu.additional in favour of matrixRTC.sfu.{useStunToDiscoverPublicIP,manualIP}.

As of 25.9.1 matrixRTC.sfu.{useStunToDiscoverPublicIP,manualIP} were introduced to provide direct values for these settings. Attempting to set these via matrixRTC.sfu.additional will result in your values being ignored.
Remove imagePullSecrets in favour of image.pullSecrets.

As of 25.10.1 imagePullSecrets was deprecated in favour of image.pullSecrets. It has now been removed and attempting to use imagePullSecrets will trigger a schema validation error.

Added

The Telemetry service can now be enabled via telemetry. For more information, please read the Telemetry docs.
Add support for Adminbot deployment.
matrix-tools: Add support for multiple devices creation.
matrix-tools: Add support for create a stub Secret that is initialized but expected to be filled in by another process later on.
When deploying Synapse as a tenant in a multi-Synapse shard, it is not necessary to set the kube-identifier labels on external secrets anymore. Requires synapse-shards chart 0.6.0.

Changed

Display command to get the local admin user credentials after setting up with helm.
Set a soft, default topologySpreadConstraints for all workloads.

The can be removed by setting topologySpreadConstraints to [] at the top-level or overridden on a per-component basis by setting that component's topologySpreadConstraints.
Remove hard-coded podAntiAffinity for Deployments that had set replicas > 2.
Support topologySpreadConstraints on all workloads, not just select ones.
Unify construction of all HorizontalPodAutoscalers.
Unify management of StatefulSet.spec along with Deployment.spec.
Update the default HorizontalPodAutoscaler settings to always be enabled if possible and set minReplicas: 2.
Synapse as a tenant in a multi-Synapse shard does not need to specify a log config any more, it is handled in the synapse shard.
Change Element Web and MatrixRTC SFU Ingresses to target Service port names rather than numbers.
Harmonise the hook weights and reduce the number of distinct hook weight values.

This should speed up installs and upgrades as now there are only 2 distinct pre-install/pre-upgrade hook weights.
Update the Admin User provisioning Job to use the correct image pull Secret.
Allow explicit configuration of HAProxy maxconn at the global and backend level in helm chart values.

This improves the compatibility with microk8s clusters that don't raise ulimits by default.
Better handle the only worker-capable delayed-events endpoint.
Upgrade Element Admin to v0.1.9.

Highlights:
- Integration with the ESS Pro Adminbot
Full Changelogs:
- v0.1.9
Upgrade Synapse to v1.143.0.

Highlights:
- Update MSC4140 delayed event support, for separate endpoints.
Full Changelogs:
- v1.143.0
Upgrade Matrix Authentication Service to v1.7.0.

Highlights:
- Interactively help users choosing a username.
Full Changelogs:
- v1.7.0
Change ipFamilyPolicy to PreferDualStack for all Services to expose them over IPv4 & IPv6 where possible.
Upgrade Element Web to v1.12.6.

Highlights:
- Remove mentions from forwarded messages.
- Improve aria attributes on the emoji picker.
- Support using Element Call for voice calls in DMs.
Full Changelogs:
- v1.12.4
- v1.12.5
- v1.12.6
Change Matrix Authentication Service deployment maxSurge to 0 and replicas to 1.

We have seen migrations race conditions happening during Matrix Authentication Service pods rollout. This sets maxSurge to 0 and replicas to 1 to try to make sure only 1 pod at a time runs the migration process.
Listen for HAProxy traffic over IPv6.

Fixed

Ensure spec.replicas is correctly absent when HorizontalPodAutoscalers are in use.
Ensure spec.replicas is present when HorizontalPodAutoscaler are requested but not possible in the cluster.
Fix an issue where the OIDC Client would be missing from Matrix Authentication Service configuration when adminUser was disabled, despite being required for other matrix-user setups.
Stop HAProxy Pods restarting whenever the chart is upgraded.

The version of ESS is now fetched from a Synapse module that handles the version changing without having to restart the Pod.

The version API now requires an access token for an admin of the homeserver.
matrix-tools: Fix a behaviour where it would silently continue while failing to generate a registration file during init-secret phase.
Fix Synapse experimental_features not being enabled for Auditbot if MAS and MatrixRTC aren't enabled.
Fix secrets missing the Synapse tenant label when using synapse.asTenantHook.enabled.
Fix MatrixRTC Authoriser having an incorrect set of volumes in some situations.
Change Auditbot emptyDirs to be memory backed.
Change Postgres emptyDirs to be memory backed.
Fix init-secrets Job should not be run when Advanced Identity Management and Auditbot specify their secrets in the values files.
Ensure Postgres is fully setup before marking as available or live.
Fix Matrix Authentication Service secrets config generation so private keys coming from an external secret are correctly referenced.

ESS Pro 25.11.1 (2025-11-14)

Changed

Upgrade Matrix Authentication Service to v1.6.0.

Highlights:
- Be strict about undefined variables in templates
Full Changelogs:
- v1.6.0
Upgrade Synapse to v1.142.0.

Highlights:
- Add an Admin API to allow an admin to fetch the space/room hierarchy for a given space.
Full Changelogs:
- v1.142.0
Run Matrix Authentication Service with multiple replicas by default.
Upgrade Element Web to v1.12.3a.

Highlights:
- Fix Element Call widget not working inside Element Web Pro
Enabled, scalable Synapse workers should run with multiple replicas by default.

ESS Pro 25.11.0 (2025-11-06)

Changed

Re-add the chart's icon.
Upgrade Sygnal to v0.17.0.

Highlights:
- Support configuring whether to send badge counts in APNS and FCM/GCM pushkins.
Full Changelogs:
- v0.17.0
Upgrade the Synapse Pro Federation Reader to not log all event ids in some situations.
Update README.
Upgrade Element Web to v1.12.3.

Highlights:
- Fix sort order in space hierarchy.
- New Room list: don't display message preview of thread.
Full Changelogs:
- v1.12.3
Configure experimental MSC4143 advertisement in Synapse when MatrixRTC is enabled.

This is in addition to the MSC4143 advertisement on the client well-known endpoint for now, but it is expected to replace it in time.
Update Element Web's default bug report URL to use the dedicated subdomain for bug reporting.

Fixed

Fix an issue where the chart could not be deployed against clusters returning an experimental build.
Ensure any externally provided password for chart created users has leading & trailing whitespace removed.

Documentation

Document setting alternative STUN servers for MatrixRTC.

ESS Pro LTS 25.10.0 (2025-10-31)

Removed / Breaking Changes

Rename authentication.ldap[].ldapUsernameAttribute to authentication.ldap[].attributesMapping.usernameOverride.ldapAttribute.

This property is useful when the username a user should login to LDAP with doesn't match the property that should end up in their Matrix ID or when authentication.ldap[].attributesMapping.localpart.template can't be used to reformat authentication.ldap[].attributesMapping.localpart.ldapAttribute into the desired format.

Unlike authentication.ldap[].ldapUsernameAttribute, it is now optional and defaults to authentication.ldap[].attributesMapping.localpart.ldapAttribute
Removed authentication.ldap[].attributesMapping.id and it should no longer be set.

authentication.ldap[].attributesMapping.id provided a mapping between Matrix Authentication Service and the Matrix Authentication Connector for LDAP. This could always be set to the same value as authentication.ldap[].attributesMapping.localpart as that needs to uniquely identify users and be consistent.

Deprecated

Setting imagePullSecrets is deprecated and will be removed in 25.11. If you set imagePullSecrets in your values files, please migrate to image.pullSecrets or you will see schema errors on upgrading to 25.11 when it is released.
Inform chart users, in helm install/helm upgrade notes, of the deprecations around rtc.{use_external_ip,node_ip} that happened in 25.9.1.

Added

List deprecations in NOTES.txt when running helm install/helm upgrade.
Support overriding the default imagePullPolicy for every component by setting image.pullPolicy.

Per-image overrides can be set by setting <path.to>.image.pullPolicy as before.

If image.pullPolicy or per-image overrides aren't set IfNotPresent is used by default for images referenced by digest and Always is used by default images referenced by tag as previously.
Add image.registry (defaulting to registry.element.io) to allow changing the registry across all used images.

<component>.image.registry overrides image.registry.
Added example values file fragment for setting a brand colour in Element Pro.
Support migrating to Matrix Authentication Service with LDAP upstreams.

For each LDAP upstream must have attributesMapping.localpart.onConflict set to add in authentication.ldap. This must remain until each and every user that existed prior to migrating to Matrix Authentication Service has logged in at least once.
Matrix RTC: Add support for extra volumes in the SFU.

Changed

Allow configuration of the updateMode for VerticalPodAutoscalers.

The default value used in the chart changes from Auto to Replace as Auto is deprecated as of https://github.com/kubernetes/autoscaler/issues/8424 and the in-place behaviour was not implemented when using Auto.

InPlaceOrRecreate is feature-gated on most clusters and isn't an appropriate default yet. A future release may change the default to InPlaceOrRecreate.
Upgrade Synapse to v1.141.0-lts.1.

Highlights:
- Add experimental support for MSC4308: Thread Subscriptions extension to Sliding Sync when MSC4306: Thread Subscriptions and MSC4186: Simplified Sliding Sync are enabled.
- Update MSC4190 support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication.
- Fix bug where we did not send invite revocations over federation.
- Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via the origin/media_id identifier found in a Matrix Content URI.
- Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC.
- Update docker image to use Debian trixie as the base and thus Python 3.13
- Allow using MSC4190 behaviour without the opt-in registration flag
- Stabilize support for MSC4326: Device masquerading for appservices
Full Changelogs:
- v1.139.0
- v1.139.1
- v1.139.2
- v1.140.0
- v1.141.0
Allow configuration of how HAProxy interprets additional files on the wellKnownDelegation Ingress.
Ensure consistent captured headers in HAProxy log lines, between all HTTP request processing HAProxy frontends.
Log the X-Forwarded-For header and stop logging the Referer header in HAProxy.
Correct the handling of multiple X-Forwarded-For headers to Synapse.

This may have exhibit itself as requests being incorrectly rate-limited by Synapse.

The source IP logged by HAProxy is now always the IP connecting to HAProxy rather than a value extracted from the X-Forwarded-For header (if present). This is usually an IP for the ingress controller.
Upgrade HAProxy to 3.2.

Release notes:
- 3.2
Fix chart managed users not being able to be provisioned when Matrix Authentication Service has password registration turned off.
Upgrade Element Admin to v0.1.8.

Highlights:
- Use authenticated media endpoints for thumbnails
- Keep selected item when changing filters
- Allow admins to generate personal access tokens for users
- Fix the ESS version not loading after a refresh
Full Changelogs:
- v0.1.4
- v0.1.5
- v0.1.6
- v0.1.7
- v0.1.8
Secure Border Gateway does not have default required client headers any more.
Move the top-level imagePullSecrets list to image.pullSecrets.
Support configuring whether OIDC users can be associated with existing users in MAS (in addition to the existing Synapse support).
Ensure there's at least 2 newlines at the end of the haproxy.cfg file.
Upgrade Postgres Exporter to 0.18.1.

Full Changelogs:
- 0.18.0
- 0.18.1
Upgrade Element Web to v1.12.2.

Highlights:
- Improve handling of animated images.
- Fix duration of voice message in timeline.
- Improve keyboard navigation on invite dialog.
Full Changelogs:
- v1.12.2
Update Chart metadata to enhance tooling like renovate and artifacthub.io.
Update example-default-enabled-components-values.yaml to include MatrixRTC as it is enabled by default.
Add 'Element Creations Ltd' copyright to every file.
Upgrade Matrix Authentication Service to v1.5.0.

Highlights:
- Initial support for admins managing Personal Access Tokens for users using the Admin APIs.
Full Changelogs:
- v1.5.0

Fixed

Fix templated <component>.ingress.host values not being rendered correctly in NOTES.txt.
Fix the Matrix RTC SFU not restarting when user-provided configuration is set via matrixRTC.sfu.additional.<name>.config.
Fix a Matrix compatible JSON response not being correctly sent when a Synapse backend is down.
Fix Auditbot validations not being checked correctly.
Prioritize wellKnownDelegation.baseDomainRedirect.url over elementWeb.ingress.host.

Previously, whenever elementWeb was enabled, the url property was silently ignored instead of, as expected, taking precedence.
Drop /var/run mount point from Auditbot as it is not used any more.
Fix Synapse process environment variables to include only the required one for hooks.
Postgres: Fix the ess-updater container do not have access to the local data directory.
Explicitly set SSL_CERT_DIR and SSL_CERT_FILE in containers using the CA trust store.
Matrix Authentication Service: Fix the CA Trust store was missing during the database-migrate init container runtime.
matrix-user: Use a dedicated environment variables helper.
Fixed LDAP integration not working with Matrix Authentication Service when it is hosted on Element Web's ingress and not its own.

Documentation

Matrix RTC: Document the SFU CrashLoopBackOff issue.
Values Fragments: Make serverName unique to 1 fragment.

ESS Pro 25.9.5 (2025-10-16)

Security

Update Matrix Authentication Service to v1.4.1.

This is a security release which includes a fix for CVE-2025-62425 / GHSA-6wfp-jq3r-j9xh, which affects servers using the local password database, starting MAS 0.20.0 and later. See the advisory for details.

Highlights:
- Make it possible to allow password registration without email verification.
- Add Admin API to finish individual sessions.
Full Changelogs:
- v1.4.0
- v1.4.1

ESS Pro 25.9.4 (2025-10-08)

Added

Add a validation check to make sure no component is sharing any postgres database.

Changed

Update Advanced Identity Management to v0.17.0, to support Synapse v1.139+ and MSC4190.
Upgrade Auditbot to 6.6.1, to support Synapse v1.139+ and MSC4190.
Upgrade Synapse to v1.138.4.

Highlights:
- Fix CVE-2025-61672 / GHSA-fh66-fcv5-jjfr. Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.
Full Changelogs:
- v1.138.3
- v1.138.4
Update Element Web to v1.12.1.

Highlights:
- Update Message Sound for Element
- New Room List: Don't clear filters on space change
- Rich Text Editor: Add emoji suggestion support
Full Changelogs:
- v1.12.1
matrix-tools: allow creating an appservice user without specifying an initial device ID, which will cause a new device ID to be generated and returned.

Fixed

matrix-tools: Keep the labels on updated render-config secrets to keep the synapse-pro labels set by the shards-controller.
matrix-tools: Support registering appservice users against Synapse v1.139.0+.
Fix an issue where matrix-tools would fail to render configuration on containers restarts not causing a new pod cycle.

Documentation

Add initial troubleshooting guide around MISSING_MATRIX_RTC_FOCUS.

ESS Pro 25.9.3 (2025-10-02)

Added

Automatically configure CORS Allow Headers when deploying in TI-Messenger mode.

Fixed

Fix Matrix RTC SFU manualIP setting so that it correctly propagates through.

ESS Pro 25.9.2 (2025-09-30)

Added

MatrixRTC: Add sfu.useStunToDiscoverPublicIP and sfu.manualIP values to simplify networking configuration.

-Warning:* In version 25.10, these values will override any manually set rtc.external_ip and rtc.node_ip configured through sfu.additional additional configuration.
Introducing Element Admin, a user-friendly interface to manage your ESS deployment. This is default enabled, and you need to configure elementAdmin.ingress.host on upgrade, as well as create its DNS and TLS.

Changed

matrix-tools: add appservice-registration argument to the matrix-user subcommand to create Matrix users that are otherwise reserved by a specified appservice. This allows for granting an appservice user/bot with an associated MAS user.
Advanced Identity Management: add compatibility with Matrix Authentication Service.
When MAS is deployed, grant the internal admin user with MAS admin scopes.
matrix-tools: Allow requesting a specified list of OAuth 2.0 scopes when requesting an access token for a MAS user.
Update Matrix Authentication Service to v1.3.0.

Highlights:
- Add Admin API filter to search users by username.
- Add Admin API to list upstream OAuth 2.0 providers.
Full Changelogs:
- v1.3.0
Define "matrix-tools" containers with "args" set instead of "command".
Allow overriding of the Matrix Authentication Service policy configuration via additional configuration.
Upgrade Synapse to v1.138.2.

Highlights:
- Fix a performance regression related to the experimental Delayed Events (MSC4140) feature.
Full Changelogs:
- v1.138.2
Remove experimental.access_token_ttl from the Matrix Authentication Service config as the need for it has gone.
Update Element Web to v1.12.0.

Highlights:
- Use the new room list by default
- Automatically adjust history visibility when making a room private
- Stop ringing and remove toast if another device answers a RTC call.
Full Changelogs:
- v1.12.0
Rename Synapse Secrets&ConfigMaps hooks so that they match the hook using them.
Upgrade Auditbot to 6.6.0 for ARM64 support.
Define more containers with "args" set instead of "command".
Upgrade Matrix RTC SFU (LiveKit) to v1.9.1.

Full Changelogs:
- v1.9.1

Fixed

Support configuring x-tim-user-agent lowercase.

ESS Pro 25.9.1 (2025-09-15)

Added

Add support for configuring Synapse tenant in a distinct namespace.

Note: This needs synapse-shards chart minimum version 0.3.0 to be installed with cluster scope permissions.

Fixed

Fix encryption support for Auditbot.
Prevent internal file conflict error when deploying Auditbot with MAS.
Fix non-generated Auditbot user passwords and backup passphrases not being respected.
Fix non-generated Auditbot AppService registration causing the Synapse check-config job to fail.

ESS Pro 25.9.0 (2025-09-10)

Added

Add the possibility to deploy Synapse as a tenant in a shard deployed using synapse-shards chart using synapse.asTenantHook.enabled.
Element Web now uses the Pro image variant.
Add /_synapse/ess/version to the Synapse ingress exposing the chart version and edition.

Changed

Turn on push notifications for encrypted messages (MSC4028) support by default.
Upgrade Synapse to v1.138.0.

Highlights:
- Support for the stable endpoint and scopes of MSC3861 & co.
Full Changelogs:
- v1.138.0
Use unique names for component configuration files, to prevent them from clashing against identically-named files in pods that deploy those components.
Update Matrix Authentication Service to v1.2.0.

Highlights:
- Translation updates
Full Changelogs:
- v1.2.0
Update Element Web to v1.11.111.

Highlights:
- Remember whether sidebar is shown for calls when switching rooms
- Fix room joining over federation not specifying via's or using aliases
Full Changelogs:
- v1.11.111

ESS Pro 25.8.5 (2025-09-02)

Fixed

Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id.

ESS Pro 25.8.4 (2025-08-27)

Added

Added example values file fragment for customising the bug report (Rageshake) server.

Changed

Improvements to the ESS Pro README.
Support configuring a different cluster domain for internal Service references.
Improved the documentation around the values file required for external vs internal PostgreSQL servers.
Switch to stabilised Matrix Authentication Service <-> Synapse configuration.

matrixAuthenticationService.synapseOIDCClientSecret has been removed from the values schema and must be removed from your values files if set.
Upgrade Synapse to v1.137.0.

Highlights:
- Stabilise support for delegating authentication to Matrix Authentication Service
- Add support for MSC4293 - Redact on Kick/Ban
Full Changelogs:
- v1.136.0
- v1.137.0
Update Matrix Authentication Service to v1.1.0.

Highlights:
- Support for stable Matrix native OIDC scopes
Full Changelogs:
- v1.0.0
- v1.1.0
Update matrix-tools to 0.9.0.

Highlights:
- Add support for reading MAS Client Secret from file.
Change the name of the releases in the changelog to ESS Pro.
Advanced Identity Management is now deployed using a StatefulSet.
Documentation: Email is not required any more to set up Let's Encrypt.
Update Element Web to v1.11.110.

Highlights:
- Show a blue lock for unencrypted rooms and hide the grey shield for encrypted rooms
- Fix matrix.to links not being handled in the app
Full Changelogs:
- v1.11.110

Fixed

Fix incorrectly routing unsupported room admin API requests to workers.
Ensure Matrix RTC authoriser can contact itself in the test cluster.
Fix Advanced Identity Management documentation reference url.

ESS Pro 25.8.3 (2025-08-21)

Fixed

Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id.

ESS Pro 25.8.2 (2025-08-15)

Added

Push chart changelogs to docs.element.io.

Changed

Upgrade AuditBot to 6.5.1.

Fixed

Fix the ARM image for the Synapse Pro Federation Reader.
Fix S3 AccessKeyID and SecretAccessKey values file comments.

ESS Pro 25.8.1 (2025-08-12)

Changed

Upgrade Advanced Identity Management to v0.16.1.
Update Synapse to v1.135.0-pro4.

Highlights:
- This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.
- The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.
Update Element Web to v1.11.109.

Highlights:
- Add support for the new room version 12
- Allow /upgraderoom command without developer mode enabled
- Support for creator/owner power level
- Various icons and visual changes

ESS Pro 25.8.0 (2025-08-06)

Added

matrix-tools: add matrix-user subcommand to create Matrix users and provision a single device id/token.
Add automated creation of a Matrix user with admin permissions.
Add support for AuditBot.
Add a new script in the chart to convert Community Synapse & Matrix Authentication Service configuration for OIDC & LDAP to ESS Pro authentication values.
Add support for airgapped setups by providing airgapped bundles of ESS Pro on the ESS Download Page

Changed

Update Matrix Authentication Service Connector to set the LDAP port based on the scheme, if no port is provided.
Replace auth.oidc.backchannelLogoutEnabled with auth.oidc.backchannelLogout.
- auth.oidc.backchannelLogoutEnabled=true should be updated to be auth.oidc.backchannelLogout=logout_all
- auth.oidc.backchannelLogoutEnabled=false should be updated to be auth.oidc.backchannelLogout=do_nothing
Default Synapse to requiring TLS 1.2 or later.

This can be overridden in additional configuration.
Set Element Pro as app to be pointed to when accessing Element Web from a mobile browser.
Document in ci values example that deploymentMarkers is default enabled.
Upgrade Sygnal to v0.16.0, which is the first release under AGPL + Element Commercial.
Upgrade lk-jwt-service to 0.3.0.

Highlights:
- Support restricting Matrix room creation to local homeserver only. Configure this through matrixRTC.restrictRoomCreationToLocalUsers. Default to false for now until clients support this new feature.
Full Changelog:
- 0.3.0
Source whether Synapse workers are single or scalable from the values rather than maintaining a list of single vs scalable workers.
Upgrade Synapse to v1.135.0-pro.1.

Highlights:
- MSC4267 support - automatically forgetting rooms on leave
- Advertise support for Matrix v1.12
- Add ability to limit amount of media uploaded by a user in a given time period
- Support arbitrary profile fields
Full Changelog:
- v1.134.0
- v1.135.0
Split the receipts-account worker type into account-data and receipts workers.

If you've configured synapse.workers.receipts-account this is no longer valid and your configuration should be updated to setup synapse.workers.account-data and/or synapse-workers.receipts as appropriate.
Update worker capable paths for Synapse v1.135.0.
Source whether Synapse workers serve HTTP endpoints or have replication from other configuration to improve consistency of configuration.
Introduce a device-lists worker for Synapse.
Upgrade Matrix Authentication Service to v0.20.0.

Highlights:
- Support linking of upstream accounts to existing users when the localpart matches
- Make email address lookups case-insensitive
- Improve spec compliance of upstream OAuth 2.0 client auth methods
- Support receiving OpenID Connect Back-Channel Logout notifications
Full Changelog:
- v0.19.0
- v0.20.0
Upgrade Element Web to v1.11.108.

Highlights:
- Save image on Ctrl/Cmd + S
- Allow Element Call to learn the room name
Full Changelog:
Update matrix-tools to 0.8.4.

Highlights:
- Adds support for provisioning a given device ID for a user.

Fixed

Fix multiple Sygnal apps pointing at the same Secret and Secret key causing Sygnal to be unable to start.
Synapse: Fix wrong secret value was used for workers replication secret.
Fix /_matrix/federation/v1/version being incorrectly forwarded to the Pro Federation Reader worker.
Matrix Authentication Service: Fix manually set token_endpoint and jwks_uri from authentication section was not set properly.
Allow authentication.oidc[%i].*.template to be empty if action is ignore.
Fix authentication.oidc[%i].claimsImport.subject.template being ignored.
Synapse: fix requests being routed to initial-synchrotron incorrectly.

ESS Pro 25.7.0 (2025-07-02)

Added

TI-Messenger: Add support for usersExemptFromRoomCleanup of users which will prevent rooms from being deleted.

Changed

Don't set hostAliases on the Synapse config job as it just operates on the config files.
Avoid additional LDAP provider selection screen when more than 1 LDAP provider is configured against Matrix Authentication Service.
Better document uninstallation of, and the stores of state managed by the chart.
Document how to re-run integration tests from scratch.
Don't push chart OCI images for every PR.
Upgrade Secure Borde Gateway to v1.12.1 and TI-Messenger Sidecar to v1.10.0.

-Bugfixes*:
- Move filtering of response headers to the end of the response pipeline. This fixes the regression in PAR functionality from the previous release.
Upgrade Matrix Authentication Service to v0.18.0.

Full Changelog:
- v0.18.0
Upgrade Element Web to v1.11.105.

Highlights:
- Improvements to the new room list (in labs)
- Support for custom message components via Module API
Full Changelog:
- v1.11.105
Upgrade Synapse to v1.133.0.

Highlights:
- Add support for the MSC4260 user report API
Full Changelog:
- v1.133.0
Tweak changelog sections ordering.

Fixed

Fix Matrix Authentication Service's Dex not having hostAliases support.
Fix Advanced Identity Management not having hostAliases support.
Fix Matrix Authentication Service not using the hostAliases set in the values.
Fix Sygnal's hostAliases not being templated.
Fix claimImports configuration for OIDC upstream IdPs being unused by Matrix Authentication Service.
Fix Postgres and Synapse Media storageClassName configuration not being respected.

-Warning* Previously synapse.media.storage.storageClass and postgres.storage.storageClass were in the values file and associated schema. These values were accidentally silently ignored and all chart-managed PersistentVolumeClaims were constructed without spec.storageClassName set, using the cluster default StorageClass.

The values file and associated schema have been updated so that the values are now synapse.media.storage.storageClassName and postgres.storage.storageClassName. The previous values are disallowed by the schema. Setting these values after the initial install could cause the PersistentVolumeClaims to be recreated, with associated data-loss. Only set synapse.media.storage.storageClassName or postgres.storage.storageClassName on initial installation.
Fix Matrix RTC Authoriser not having default hostAliases values.
Fix Matrix RTC SFU ServiceMonitor not working.

Removed

Remove Matrix RTC Authoriser ServiceMonitor as the Authoriser has no metrics endpoint.
Remove hostAliases support from Matrix RTC SFU as it doesn't make outbound requests.

ESS Pro 25.6.2 (2025-06-19)

Fixed

matrix-tools: Skip any completed pods when scaling down synapse pods in syn2mas migration.
Fix comments around the image tag and digest in the values file.
Fix Matrix RTC's SFU constructing an invalid Service if given too wide a nodePort range.
Fix extraEnv with duplicate keys not being correctly merged.
Correctly render user provided extraEnv that uses valueFrom in all workloads.
Fix MatrixRTC RTCSession Error if a push-rules Synapse worker is enabled.
Fix certificate name inconsistencies between setup docs and values file fragments.
Secure Border Gateway: Fix S3 Uploads.

Changed

Remove warning about deprecated prometheus_port config value in Matrix RTC SFU.
Omit the UDP port range metadata for Matrix RTC's SFU if the range is larger than 100 ports.
Upgrade Matrix RTC SFU to v1.9.0.

Full changelogs:
- v1.9.0
Add additional validation to extraEnv.valueFrom.
Consistently handle user provided extraEnv versus chart configured env.

Chart configured env should win.
Document extraEnv in values.yaml for every workload.
Upgrade Synapse to v1.132.0-pro.1.

Highlights:
- Implement MSC4155 invite filtering
- Successful requests to /_matrix/app/v1/ping will now force Synapse to reattempt delivering transactions to appservices.
Full changelog:
- v1.132.0
Upgrade Element Web to v1.11.104.

Highlights:
- Implement MSC4155 invite filtering
- Add /share?msg= endpoint using the forward message dialogue
Full changelog:
- v1.11.104
Upgrade Matrix Authentication Service to v0.17.1.

Highlights:
- Support Registration Tokens
Full changelog:
- v0.17.0
- v0.17.1
TI-Messenger sidecar: Upgrade to v1.9.1.
Secure Border Gateway: Upgrade to v1.12.0.

ESS Pro 25.6.1 (2025-06-10)

Security

Upgrade Element Web to v1.11.103 for GHSA-x958-rvg6-956w.

Resolves GHSA-x958-rvg6-956w - Check the sender of an event matches owner of session, preventing sender spoofing by homeserver owners.

Added

Add support for Syn2Mas migration. See matrixAuthenticationService.syn2mas documentation in values file for more information.

Changed

Name secrets mounted based on a hash of their names instead of an index.
matrix-tools: Update to 0.7.1 to support syn2mas migration command.

matrixRTC.sfu.additional now uses the same additional properties schema as Matrix Authentication Service and Synapse.

Values can be specified inline:

matrixRTC:
  sfu:
    additional:
      your-config.yaml: |
        example: value

Or referencing an existing Secret in-cluster:

matrixRTC:
  sfu:
    additional:
      another-config.yaml:
        configSecret: "{{ $.Release.Name }}-mrtc-external"
        configSecretKey: config

Setting matrixRTC.sfu.additional to a string value is no longer supported or allowed.

ESS Pro 25.6.0 (2025-06-05)

Added

Secure Border Gateway: Support Vertical and Horizontal autoscaling.
Add a new deploymentMarkers job which prevent users from accidentally breaking their setup by choosing incompatible values.
Add a NOTES.txt for some post-setup messages.
Add support for configuring replicas of the matrix-rtc-authorization-service.
Add support for Matrix Authentication Service replicas.

Changed

Improve the validation on set properties for external Postgreses.
Improve the validation that for every image the tag and/or the digest is set.
Add example config for Nginx reverse proxy.
Restrict some Synapse worker names such that release_names can be 29 characters long.
Improve validation messages for values that are templated.
Rename synapse-check-config-hook to synapse-check-config for consistency with init-secrets and deployment-markers.
Upgrade Element Web to v1.11.102.

Highlights:
- Modernize the recovery key input modal.
- General enhancements of the new room list (sorting, filtering, etc.).
- Prompt the user when key storage is unexpectedly off.
Set deployments maxUnavailable to 0 if it has only one replicas.
Configure Synapse appropriately for Element Call when matrixRTC is enabled.
Upgrade Synapse to v1.131.0.

Highlights:
- Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263.
- Add option to allow registrations that begin with _.
- Add support for calling Policy Servers (MSC4284) to mark events as spam.
TI-Messenger: Enforce TLS for Synapse stats endpoint only if it is external to the cluster.

Fixed

Sygnal: Fix additional not actually supporting injection configuration.
Fix incorrect default imagePullPolicy for Synapse' local S3 media cleanup pod.
Fix potentially wrong resources set on pods using VerticalPodAutoscaler.
Ensure the names of Secrets in volume/volumeMounts don't have names that are too long.
Fix routing to the initial-synchrotron worker in HAProxy.
Fix initial-synchrotron paths not falling back to main if the worker is unavailable.
Matrix RTC: Set proxy timeout and enforce disabled buffering nginx-ingress controllerType annotations if SFU is enabled.

ESS Pro 25.5.1 (2025-05-23)

Changed

Make probe defaults explicit.
Replace the use of initialDelaySeconds in default probes with adjustments to the startupProbes.
Rename GroupSync to Advanced Identity Management.
Postgres: Pretty print internal postgres env variables.
Remove wellKnownDelegation.ingress.host from values.yaml as serverName is used for the well-known Ingress.
Element Web: upgrade from v1.11.100 to v1.11.101.

Highlights:
- Improve identity reset UI
Full Changelog: https://github.com/element-hq/element-web/releases/tag/v1.11.101
Synapse: Upgrade from v1.129.0 to v1.130.0.

Highlights:
- Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks.
- Add config option user_directory.exclude_remote_users which, when enabled, excludes remote users from user directory search results.
- Add support for handling GET /devices/ on workers.
- Fix a longstanding bug where Synapse would immediately retry a failing push endpoint when a new event is received, ignoring any backoff timers.
- Fix to pass leave from remote invite rejection down Sliding Sync.
Full Changelog: https://github.com/element-hq/synapse/releases/tag/v1.130.0
Use a distroless & rootless container image for Advanced Identity Management.

Fixed

SBG: Fix own ca generated key must be 4096 bits.
Make Dex probes respect the configuration in the values files.
Fix helm.sh/version label being incorrectly present on Dex Pods.
TI-Messenger: PAR Requests interception now uses clientId + redirectUri for identification of the PAR interception to do.
CI: Make sure that released versions follow the semver semantics.
Sygnal: Fix an issue with the volume name being too long when the app name is long.
TI-Messenger: Support cyphersuites and curves to comply with A_18467.
Fix invalid YAML when Synapse App Service registrations are configured.

ESS Pro 25.04.01 (2025-05-16)

Changed

The ESS Pro Helm Chart now uses a new versioning scheme, time-based: YY.MM.XX.

Fixed

Fix built-in Element Web not being allowed to be overridden.

ESS Pro 0.12.0 (2025-05-16)

Added

Add support for GroupSync deployment.
matrix-tools: Add the possibility to generate application service registration files when initializing chart internal secrets.
Add support for LDAP authentication when using Matrix Authentication Service.
TI-Messenger: Allow configuration of additional outbound hosts.
Add support for LDAP authentication when using Synapse without Matrix Authentication Service.
GroupSync: Use the first LDAP authentication provider by default if it is available.

Changed

Allow routing of Synapse to Sygnal requests through the Secure Border Gateway for TI-Messenger.
Don't force trailing slashes for the federation master URI in the TI-M entity statement.
Ensure all Postgres containers have a startupProbe.
Ensure HAProxy has a startupProbe when Synapse isn't enabled.
Ensure Synapse's Redis has a startupProbe.
Allow configuration of thresholds and frequencies for all startupProbes.
Allow configuration of thresholds and frequencies for all livenessProbes.
Allow configuration of thresholds and frequencies for all readinessProbes.
Rename TI-Messenger sidecar container to better identify it.
Allow configuration of the env and resources for Synapse's S3 media local-cleanup sidecar.
Mark GroupSync and Matrix Authentication Service as not compatible for now.
Matrix RTC Authorizer is now named Matrix RTC Authorisation Service.
Minor quick setup docs fixes and improvements.

Fixed

Validate that the Sygnal configuration contains at least 1 application.
Correctly allow maxConnections and timeToLive be optional in Sygnal app configurations.
Fix required message when matrix-tools image tag is missing in MAS templates.
Fix Synapse per-worker resource overrides not being respected.
Fix Secure Border Gateway OwnCA hash label name on Synapse Pro workers.
Fix Pod Disruption Budget for the Federation Reader Pro worker not being correctly applied.

ESS Pro 0.11.5 (2025-05-08)

Added

TI-M: Add newRoomCheckInterval configuraiton for insured users.

Changed

Upgrade to Synapse v1.129.0-lts.1.
Upgrade to Matrix Authentication Service 0.16.0.
Upgrade TI-Messenger sidecar to 1.8.2.
Upgrade Secure Border Gateway to 1.10.2.
Update Element Web to v1.11.100.
Upgrade to Synapse v1.129.0.

Fixed

TI-M: Fix PAR & Token endpoint missing from proxy allowed hosts when they are distinct from the issuer endpoint.

ESS Pro 0.11.4 (2025-05-06)

Changed

Include TI-Messenger defaults in values.yaml.
Update Architecture diagram.
Matrix Authentication Service: perform database migration with an init container, instead of on the startup of the main container.
Upgrade to Matrix Authentication Service 0.15.0.
HAProxy: Use ACLs instead of backup for synapse main worker fallback.
Update Secure Border Gateway to v1.10.1, which excludes BusyBox tooling in the container image.

Fixed

TI-M: Fix jwks_uri to the sidecar must not go through SBG Proxy.

ESS Pro 0.11.3 (2025-04-30)

Added

TI-Messenger: Support overriding openid-federation scopes in the sidecar.
TI-Messenger: Add tiMessenger.sso.allowJwkGeneration to enable or disable key generation by the sidecar.
TI-Messenger: Add tiMessenger.sso.signingJwkPrivateKey and encryptionJwkPrivateKey to pass the entity statement JWKs.
Add synapse.statistics to configure report_stats and allow it in TI-Messenger when required.

Changed

Update Secure Border Gateway to v1.10.0.
matrix-tools: Update Go to 1.24.
matrix-tools: Update to 0.4.5.

Fixed

TI-Messenger: Only do mTls against non-sektoral IdPs.
well-known additional: fix additional content being passed as 1 configmap key.

ESS Pro 0.11.2 (2025-04-29)

Changed

HAProxy: Return 405 on POST, PUT and DELETE requests on well-known files.
Make it possible to configure the Helm keep/delete resource-policy for PersistentVolumeClaims and default to keeping them.
Synapse: Increase probes timeout on the python processes to 15 seconds.

Fixed

Matrix Authentication Service: Fix templating of OIDC endpoints.
Synapse: Fix missing ess credentials for checkConfigHook if initSecrets is disabled.
Synapse: Fix missing federation-inbound worker from values schema.

ESS Pro 0.11.1 (2025-04-28)

Fixed

Synapse: Fix VPA memory maxAllowed template rendering.
Fix merging of boolean in configurations.

ESS Pro 0.11.0 (2025-04-25)

Changed

Ensure that all managed Pods have the same labels as their parent Deployment/StatefulSet/Job (apart from the helm.sh/chart label).
Enforce a common format for k8s.element.io labels across components.
Move Postgres config/secret hashes to labels for consistency with all other components.
Ensure app.kubernetes.io/version labels are properly escaped & restricted.
Extract Synapse config into template files like other config.
Update matrix-tools dependencies and release 0.4.4.

Fixed

Fix chart upgrade causing a restart of the whole stack.
Fix helm.sh/chart label size with dev builds.
Fix Synapse Pro Federation-Reader internal health check.
Authentication: Stop trying to parse claimImports templates with helm.
Fix Matrix RTC not working correctly with certificate authorities defined in the Helm values.
Fix env values missing quotes in SBG & Sygnal.

ESS Pro 0.10.2 (2025-04-16)

Fixed

Make sure Synapse can reach the MAS well-known openid-configuration.

ESS Pro 0.10.1 (2025-04-16)

Added

Matrix Authentication Service: Allow to setup without enabling auth delegation in Synapse using matrixAuthenticationService.preMigrationSynapseHandlesAuth.
Add support for authentication.additionalAuthorizationParameters configuration.

Changed

Use a distroless & rootless container image for Redis.
Upgrade livekit-server to a distroless & rootless variant of v1.8.4.
Correct docs as setup_test_cluster.sh no longer manages a Postgres directly, the chart installs it.
Synapse: Add trailing slash to public_baseurl.
Synapse: Make health listener resource name explicit.

Fixed

Synapse: fix enable_media_repo nil value.

ESS Pro 0.10.0 (2025-04-14)

Added

Add matrixRTC backend deployment.
Add the possibility to configure additional settings per-workers in Synapse.

Changed

Synapse: Config secrets annotation hash now depends on processType.
Upgrade Element Web to 1.11.97.
Add caching headers for Element Web as per upstream.
Synapse: Longer startup probes for single workers.
Upgrade Synapse to 1.128.0.

Fixed

Fix Matrix Authentication Service Deployment missing resources.
matrix-tools: Fix rendered file permissions, from 664 to 440.
Fix topologySpreadConstraints selectorLabel.matchLabels keys could not be nuked.
Fix Synapse default topologySpreadConstraints not matching pod labels.

ESS Pro 0.9.1 (2025-04-04)

Fixed

TI-Messenger: Fix /tim-information must not be exposed on the ingress in ePA mode.

ESS Pro 0.9.0 (2025-04-04)

Added

Synapse: Allow to mount extra volumes on non-pro workers.
Synapse: Allow to inject appservices registration from secrets.
Synapse: Add additional consent and manhole listeners, disabled by default.
Well-known: Add support for custom, non matrix/element files.
Document how to migrate from existing installations.
TI-Messenger: Allow to configure entity statement service name.
Add an example for Apache2 to the reverse proxy documentation in the README.

Changed

Improved README.md structure and content.
TI-Messenger: Update SBG to v1.9.0, Sidecar to v1.7.0.
Enable TLS by default on all ingresses. This can be disabled using tlsEnabled: false globally or per ingress.

Deprecated

synapse.appservices[].registrationFileConfigMap is now synapse.appservices[].configMap.

Fixed

Synapse: Fix AWS_CA_BUNDLE has to be defined for botocore s3 uploads against non-AWS S3 buckets.
HAProxy: Don't set replicas if HorizontalPodAutoscaler is configured.
Fix handling of extraVolumes and extraVolumeMounts in hook through adding a new mountContext.
TI-Messenger: Fix sidecar does not have all redirect uris.
Synapse/Matrix Authentication Service: Fix shared OIDC secret when init secret is disabled.
Synapse should not mount OIDC providers secrets when used with Matrix Authentication Service.
TI-Messenger: Only Service Title Public information is required.
Postgres password: Generate only required passwords.
Synapse: Use consistenly the hostname of the pod as worker names.

ESS Pro 0.8.1 (2025-03-28)

Changed

Upgrade Element Web to 1.11.96.

Fixed

Synapse: Fix volume mount path of config in s3 cleanup container job.
TI-Messenger: Fix handling of new Insured Users Synapse module.

ESS Pro 0.8.0 (2025-03-27)

Added

Synapse: Add VerticalPodAutoscaler configuration.
Add HorizontalPodAutoscaler to HAProxy.
Add PodDisruptionBudget for Synapse.
HAProxy: Add VerticalPodAutoscalers.
Add PodDisruptionBudget for HAProxy.
TI-Messenger: Configure InsuredUserSeparationModule in ePA mode.
TI-Messenger: Add support for Push Data protection for TI-M specialist service.

Changed

TI-Messenger: Update Secure Border Gateway to v1.8.0 and Sidecar to v1.6.0.
TI-Messenger: Info API is only exposed in Pro mode.

Fixed

Fixed Helm template for Synapse deployment not properly configuring appservice registration file path.

ESS Pro 0.7.6 (2025-03-26)

Deprecated

Removed markEmailAsVerified from email claim import as Matrix Authentication Service does not need it anymore.

Fixed

MAS: Fix issuer when serving under elementWeb ingress.

ESS Pro 0.7.5 (2025-03-25)

Added

Authentication: Add support for private_key_jwt when using Matrix Authentication Service.
authentication: configure confirm_localpart in synapse depending on claim import action.

Changed

Matrix Authentication Service does not need to prune database anymore, OIDC providers are being disabled instead.
Authentication: template is required for OIDC claim import displayName if displayName is configured.
Make it possible to provide additional command line arguments to Synapse.
Have Synapse load Matrix Authentication Service shared secrets from files.

Fixed

Fix authentication schema: userinfo is optional when discovery is disabled.
matrix-tools: Various internal fixes after upgrading linter.
Update matrix-tools to 0.4.2.

ESS Pro 0.7.4 (2025-03-20)

Fixed

TI-Messenger: The sidecar should reach synapse through the internal service.

ESS Pro 0.7.3 (2025-03-20)

Added

TI-Messenger: Add support for public room checks.

Fixed

Authentication: fix handling of none clientAuthMethod.
TI-Messenger: Fix SBG behaviour in ePA mode when using non-sektoral IdP.

ESS Pro 0.7.2 (2025-03-18)

Added

Support configuring custom labels on the TI-Messenger resources.
Added documentation for a quick bootstrap setup.
Add the possibility to disable synapse media altogether.
Auto manage the Pod securityContext in OpenShift.
Add ingress.controllerType field to apply automatic behaviours depending on ingress controller. Supports ingress-nginx only for now.

Changed

matrix-tools is now a public image.
Disable immediate redirect to Matrix Authentication Service in Element Web.
Matrix Authentication Service ingress can now be deployed in Element Web ingress if it is enabled.
Update the init-secrets job to use the common Pod spec helper so that its behaviour is consistent with all other components.
Don't deploy HorizontalPodAutoscaler resources if the metrics-server isn't installed.
Upgrade Synapse to v1.126.0.
Update SBG tls config to allowed ECDSA cipher groups, and TLS version 1.3.
Bump matrix-tools to 0.4.1.

Fixed

Ensure the Synapse Pro pods restart when the internal Postgres password changes.
Fix the wrong labels being applied to the Synapse Config Check Hook Job.
Fixing missing type from the Postgres Secret.
Avoid to mount unused generated secrets in internal postgres container.
TI-Messenger: Remove wrong log line about unknown field availability.
MAS: Fix serving matrix and well-known oidc when using shared element web ingress.
Add missing worker_replication_secret_path in synapse.
README: Fix broken internal links and missing ess namespace argument.

ESS Pro 0.7.1 (2025-03-07)

Fixed

Fix secret names when using in-helm values.
Docs: Fix Architecture diagram wrong link between HAProxy & MAS.

ESS Pro 0.7.0 (2025-03-07)

Added

TI-Messenger: Add sso.providers[*].tokenEndpoint configuration.
TI-Messenger: Add support for Sectoral IdP.
TI-Messenger: Add sso.publicKeyForSigningJwkUrl and sso.publicKeyForEncryptionJwkUrl sidecar configuration.
TI-Messenger: Add support for OpenID federation.
Redirect on the serverName domain to the chat app unless it is a well-known path.
Support QR code login when MAS is enabled.
Authentication: Allow configuration of idTokenSigningAlgValuesSupported.
Synapse: Allow to override clients redirect URIs.
Element Web: Add support for additionalHosts in its ingress.
ElementWeb: Add support for extraVolumes and extraVolumeMounts.
Synapse: Add a config check as Helm hook.
Support passing extra environment variables to Element Web.
Allow configuration of Synapse's max_upload_size via Helm values.
Document deployment Architecture in docs/ARCHITECTURE.md.

Changed

Refactor the commands for synapse's local media cleanup container to be compatible with minimal container images.
Upgrade to Postgres Exporter 0.17.0 for better Postgres 17 compatibility.
Use distinct pull Secret for Hooks.
Update CI values files so they can be used as examples for the new users.
Ensure all ports have names.
Rename instances to replicas for Synapse workers to be consistent with other components.
Ensure all managed Secrets set their type.
ElementWeb additional config now expect multiple subproperties.
Don't gate enabling presence in Synapse on having a presence writer worker, use the Synapse defaults and allow easy configuration.
Improve credential validation.

Fixed

TI-Messenger Synapse: Add support fo overriding id_token_signing_alg_values_supported for an OpenID identity provider.
Fix an issue where postgres port could be missing when waiting for db.
Fixed recent Element Web versions failing to start when running with GID of 0.
Fix incorrect missing context error messages from some configuration files.
Fix incorrect S3 credentials being used for storing media.

ESS Pro 0.6.1 (2025-02-21)

Added

TI-Messenger: Add Public Rooms Client-API Authentication checks for Pro mode.
TI-Messenger: Add support for overridding the default redirect uri in sso flows.
Support the push-rules stream writer worker in Synapse.

Changed

Upgrade Secure Border Gateway to v1.5.0.
Update Synapse worker paths support for 1.124.0.

Fixed

TI-Messenger: Gate OAuth PAR modules behind ePA mode.
Fix HAProxy not starting with some combinations of Synapse workers. Regression in 0.6.0.

ESS Pro 0.6.0 (2025-02-21)

Added

Synapse: if SigningKey is not provided, it is now automatically generated.
Add an init-secrets job that will prepare internal secrets automatically if they are not provided by the user.
Add support to deploy Matrix Authentication Service.
Add support for OIDC Authentication configuration in MAS.
Add the "concat" command to matrix-tools.
Added the ability to generate the registration shared secret if no value or external Secret is configured.
Add internal PostgreSQL database.
Config ElementWeb automatically for best Matrix Authentication Service integration.
Add a value to automatically configure CertManager on all ingresses.

Changed

Project name is now ESS Pro Helm Chart instead of Element Pro Helm Chart.
Update READMEs to improve the user on-boarding experience.
Refactor the "update-ssl-certs" init containers to use matrix-tools -concat instead of update-ca-certificates.
Update Synapse to v1.124.0.
Update Element Web to v1.11.92.
Refactor synapse pro worker pods to be compatible with minimal container images.
Support arm64 in matrix-tools image.
Upgrade to Matrix Authentication Service 0.14.0.
Refactor synapse pod to be compatible with minimal container images.
Secure Border Gateway additional and modulesAdditional now expect a YAML string.
ElementWeb "additional" value now expect a json string.
Configure Element Web to submit RageShakes.
Configure Element Web for location sharing.
HAProxy: Return 429 error code as Matrix Json format.
Set the LD_PRELOAD environment variable only in containers that run Synapse.
Improve Synapse HTTP request handling when Synapse processes are restarting.

Fixed

SBG properly targets Synapse HTTP service instead of HAProxy metrics service.
Fixed version label on well-known delegation templates.
Fixed the HAProxy Service being headless rather than ClusterIP.
Fix missing labels on the Pod created by the initSecret Job.
Hard-code the org.opencontainers.image.licenses label be accurate.
Handle CAs and custom CAs consistently across Synapse, Sygnal, MAS and SBG.
Fix tracing configuration of TI-Messenger.
HAProxy: Fix timeouts configuration are not passed to the pod.
Fix Matrix Authentication Service render-config container was lacking extraEnv.
Fix typo in postgresql values documentation.
Postgres: Fixed duplicated ports in statefulset.
Fix an issue where HAProxy would be ready despite not having any backend ready to answer.
Postgres: Fix an issue where initialization would fail to happen properly.
Correct some "missing context" error messages to refer to the correct template that is missing a context.

ESS Pro 0.5.0 (2025-01-30)

Added

Give Sygnal a default number of replicas like other components.
Add support for .well-known/matrix/support in Well Known Delegation.
Add a matrix-tools image to handle dynamic config build and other chart features.
Add the possibility to quote substituted env variable from synapse config.

Fixed

Fix Sygnal incorrectly intpretting the number of replicas.
Fix Sygnal incorrectly mounting APNS credentials.

ESS Pro 0.4.3 (2025-01-23)

Added

Add changelog to releases.
Document how to use a custom CA in the README.
Document the behaviour of common base sections of the values file in the README.

Changed

Synapse pro workers are now enabled by default.

Fixed

Synapse: Fix OIDC secret issue when inlined in values file.
Sygnal: Fix APNs secret issue when inlined in the values.
Synapse: Fix an issue where the secret key was wrong when using synapse.postgres.value.
Fixed an issue with changelogs generation.
TI-Messenger: Fixed an issue with Sidecar when no custom CA is injected in the setup.
TI-Messenger: Fix missing SSO exempt paths from restrict_client_access.
Synapse: Fixed an issue when inlining media s3 secret values in the value file.