Release Notes

ESS Pro 25.8.5 (2025-09-02)

Fixed

• Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id.

ESS Pro 25.8.4 (2025-08-27)

Added

• Added example values file fragment for customising the bug report (Rageshake) server.

Changed

• Improvements to the ESS Pro README.

• Support configuring a different cluster domain for internal Service references.

• Improved the documentation around the values file required for external vs internal PostgreSQL servers.

• Switch to stabilised Matrix Authentication Service <-> Synapse configuration.

  matrixAuthenticationService.synapseOIDCClientSecret has been removed from the values schema and must be removed from your values files if set.

• Upgrade Synapse to v1.137.0.

  Highlights:

  • Stabilise support for delegating authentication to Matrix Authentication Service
  • Add support for MSC4293 - Redact on Kick/Ban

  Full Changelogs:

  • v1.136.0
  • v1.137.0

• Update Matrix Authentication Service to v1.1.0.

  Highlights:

  • Support for stable Matrix native OIDC scopes

  Full Changelogs:

  • v1.0.0
  • v1.1.0

• Update matrix-tools to 0.9.0.

  Highlights:

  • Add support for reading MAS Client Secret from file.

• Change the name of the releases in the changelog to ESS Pro.

• Advanced Identity Management is now deployed using a StatefulSet.

• Documentation: Email is not required any more to set up Let's Encrypt.

• Update Element Web to v1.11.110.

  Highlights:

  • Show a blue lock for unencrypted rooms and hide the grey shield for encrypted rooms
  • Fix matrix.to links not being handled in the app

  Full Changelogs:

  • v1.11.110

Fixed

• Fix incorrectly routing unsupported room admin API requests to workers.

• Ensure Matrix RTC authoriser can contact itself in the test cluster.

• Fix Advanced Identity Management documentation reference url.

ESS Pro 25.8.3 (2025-08-21)

Fixed

• Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id.

ESS Pro 25.8.2 (2025-08-15)

Added

• Push chart changelogs to docs.element.io.

Changed

• Upgrade AuditBot to 6.5.1.

Fixed

• Fix the ARM image for the Synapse Pro Federation Reader.

• Fix S3 AccessKeyID and SecretAccessKey values file comments.

ESS Pro 25.8.1 (2025-08-12)

Changed

• Upgrade Advanced Identity Management to v0.16.1.

• Update Synapse to v1.135.0-pro4.

  Highlights:

  • This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.
  • The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

• Update Element Web to v1.11.109.

  Highlights:

  • Add support for the new room version 12
  • Allow /upgraderoom command without developer mode enabled
  • Support for creator/owner power level
  • Various icons and visual changes

ESS Pro 25.8.0 (2025-08-06)

Added

• matrix-tools: add matrix-user subcommand to create Matrix users and provision a single device id/token.

• Add automated creation of a Matrix user with admin permissions.

• Add support for AuditBot.

• Add a new script in the chart to convert Community Synapse & Matrix Authentication Service configuration for OIDC & LDAP to ESS Pro authentication values.

• Add support for airgapped setups by providing airgapped bundles of ESS Pro on the ESS Download Page

Changed

• Update Matrix Authentication Service Connector to set the LDAP port based on the scheme, if no port is provided.

• Replace auth.oidc.backchannelLogoutEnabled with auth.oidc.backchannelLogout.

  • auth.oidc.backchannelLogoutEnabled=true should be updated to be auth.oidc.backchannelLogout=logout_all
  • auth.oidc.backchannelLogoutEnabled=false should be updated to be auth.oidc.backchannelLogout=do_nothing

• Default Synapse to requiring TLS 1.2 or later.

  This can be overridden in additional configuration.

• Set Element Pro as app to be pointed to when accessing Element Web from a mobile browser.

• Document in ci values example that deploymentMarkers is default enabled.

• Upgrade Sygnal to v0.16.0, which is the first release under AGPL + Element Commercial.

• Upgrade lk-jwt-service to 0.3.0.

  Highlights:

  • Support restricting Matrix room creation to local homeserver only. Configure this through matrixRTC.restrictRoomCreationToLocalUsers. Default to false for now until clients support this new feature.

  Full Changelog:

  • 0.3.0

• Source whether Synapse workers are single or scalable from the values rather than maintaining a list of single vs scalable workers.

• Upgrade Synapse to v1.135.0-pro.1.

  Highlights:

  • MSC4267 support - automatically forgetting rooms on leave
  • Advertise support for Matrix v1.12
  • Add ability to limit amount of media uploaded by a user in a given time period
  • Support arbitrary profile fields

  Full Changelog:

  • v1.134.0
  • v1.135.0

• Split the receipts-account worker type into account-data and receipts workers.

  If you've configured synapse.workers.receipts-account this is no longer valid and your configuration should be updated to setup synapse.workers.account-data and/or synapse-workers.receipts as appropriate.

• Update worker capable paths for Synapse v1.135.0.

• Source whether Synapse workers serve HTTP endpoints or have replication from other configuration to improve consistency of configuration.

• Introduce a device-lists worker for Synapse.

• Upgrade Matrix Authentication Service to v0.20.0.

  Highlights:

  • Support linking of upstream accounts to existing users when the localpart matches
  • Make email address lookups case-insensitive
  • Improve spec compliance of upstream OAuth 2.0 client auth methods
  • Support receiving OpenID Connect Back-Channel Logout notifications

  Full Changelog:

  • v0.19.0
  • v0.20.0

• Upgrade Element Web to v1.11.108.

  Highlights:

  • Save image on Ctrl/Cmd + S
  • Allow Element Call to learn the room name

  Full Changelog:

  • v1.11.106
  • v1.11.107
  • v1.11.108

• Update matrix-tools to 0.8.4.

  Highlights:

  • Adds support for provisioning a given device ID for a user.

Fixed

• Fix multiple Sygnal apps pointing at the same Secret and Secret key causing Sygnal to be unable to start.

• Synapse: Fix wrong secret value was used for workers replication secret.

• Fix /_matrix/federation/v1/version being incorrectly forwarded to the Pro Federation Reader worker.

• Matrix Authentication Service: Fix manually set token_endpoint and jwks_uri from authentication section was not set properly.

• Allow authentication.oidc[%i].*.template to be empty if action is ignore.

• Fix authentication.oidc[%i].claimsImport.subject.template being ignored.

• Synapse: fix requests being routed to initial-synchrotron incorrectly.

ESS Pro 25.7.0 (2025-07-02)

Added

• TI-Messenger: Add support for usersExemptFromRoomCleanup of users which will prevent rooms from being deleted.

Changed

• Don't set hostAliases on the Synapse config job as it just operates on the config files.

• Avoid additional LDAP provider selection screen when more than 1 LDAP provider is configured against Matrix Authentication Service.

• Better document uninstallation of, and the stores of state managed by the chart.

• Document how to re-run integration tests from scratch.

• Don't push chart OCI images for every PR.

• Upgrade Secure Borde Gateway to v1.12.1 and TI-Messenger Sidecar to v1.10.0.

  -Bugfixes*:

  • Move filtering of response headers to the end of the response pipeline. This fixes the regression in PAR functionality from the previous release.

• Upgrade Matrix Authentication Service to v0.18.0.

  Full Changelog:

  • v0.18.0

• Upgrade Element Web to v1.11.105.

  Highlights:

  • Improvements to the new room list (in labs)
  • Support for custom message components via Module API

  Full Changelog:

  • v1.11.105

• Upgrade Synapse to v1.133.0.

  Highlights:

  • Add support for the MSC4260 user report API

  Full Changelog:

  • v1.133.0

• Tweak changelog sections ordering.

Fixed

• Fix Matrix Authentication Service's Dex not having hostAliases support.

• Fix Advanced Identity Management not having hostAliases support.

• Fix Matrix Authentication Service not using the hostAliases set in the values.

• Fix Sygnal's hostAliases not being templated.

• Fix claimImports configuration for OIDC upstream IdPs being unused by Matrix Authentication Service.

• Fix Postgres and Synapse Media storageClassName configuration not being respected.

  -Warning* Previously synapse.media.storage.storageClass and postgres.storage.storageClass were in the values file and associated schema. These values were accidentally silently ignored and all chart-managed PersistentVolumeClaims were constructed without spec.storageClassName set, using the cluster default StorageClass.

  The values file and associated schema have been updated so that the values are now synapse.media.storage.storageClassName and postgres.storage.storageClassName. The previous values are disallowed by the schema. Setting these values after the initial install could cause the PersistentVolumeClaims to be recreated, with associated data-loss. Only set synapse.media.storage.storageClassName or postgres.storage.storageClassName on initial installation.

• Fix Matrix RTC Authoriser not having default hostAliases values.

• Fix Matrix RTC SFU ServiceMonitor not working.

Removed

• Remove Matrix RTC Authoriser ServiceMonitor as the Authoriser has no metrics endpoint.

• Remove hostAliases support from Matrix RTC SFU as it doesn't make outbound requests.

ESS Pro 25.6.2 (2025-06-19)

Fixed

• matrix-tools: Skip any completed pods when scaling down synapse pods in syn2mas migration.

• Fix comments around the image tag and digest in the values file.

• Fix Matrix RTC's SFU constructing an invalid Service if given too wide a nodePort range.

• Fix extraEnv with duplicate keys not being correctly merged.

• Correctly render user provided extraEnv that uses valueFrom in all workloads.

• Fix MatrixRTC RTCSession Error if a push-rules Synapse worker is enabled.

• Fix certificate name inconsistencies between setup docs and values file fragments.

• Secure Border Gateway: Fix S3 Uploads.

Changed

• Remove warning about deprecated prometheus_port config value in Matrix RTC SFU.

• Omit the UDP port range metadata for Matrix RTC's SFU if the range is larger than 100 ports.

• Upgrade Matrix RTC SFU to v1.9.0.

  Full changelogs:

  • v1.9.0

• Add additional validation to extraEnv.valueFrom.

• Consistently handle user provided extraEnv versus chart configured env.

  Chart configured env should win.

• Document extraEnv in values.yaml for every workload.

• Upgrade Synapse to v1.132.0-pro.1.

  Highlights:

  • Implement MSC4155 invite filtering
  • Successful requests to /_matrix/app/v1/ping will now force Synapse to reattempt delivering transactions to appservices.

  Full changelog:

  • v1.132.0

• Upgrade Element Web to v1.11.104.

  Highlights:

  • Implement MSC4155 invite filtering
  • Add /share?msg= endpoint using the forward message dialogue

  Full changelog:

  • v1.11.104

• Upgrade Matrix Authentication Service to v0.17.1.

  Highlights:

  • Support Registration Tokens

  Full changelog:

  • v0.17.0
  • v0.17.1

• TI-Messenger sidecar: Upgrade to v1.9.1.

• Secure Border Gateway: Upgrade to v1.12.0.

ESS Pro 25.6.1 (2025-06-10)

Security

• Upgrade Element Web to v1.11.103 for GHSA-x958-rvg6-956w.

  Resolves GHSA-x958-rvg6-956w - Check the sender of an event matches owner of session, preventing sender spoofing by homeserver owners.

Added

• Add support for Syn2Mas migration. See matrixAuthenticationService.syn2mas documentation in values file for more information.

Changed

• Name secrets mounted based on a hash of their names instead of an index.

• matrix-tools: Update to 0.7.1 to support syn2mas migration command.

• matrixRTC.sfu.additional now uses the same additional properties schema as Matrix Authentication Service and Synapse.

  Values can be specified inline:

  matrixRTC:
    sfu:
      additional:
        your-config.yaml: |
          example: value
  

  Or referencing an existing Secret in-cluster:

  matrixRTC:
    sfu:
      additional:
        another-config.yaml:
          configSecret: "{{ $.Release.Name }}-mrtc-external"
          configSecretKey: config
  

  Setting matrixRTC.sfu.additional to a string value is no longer supported or allowed.

ESS Pro 25.6.0 (2025-06-05)

Added

• Secure Border Gateway: Support Vertical and Horizontal autoscaling.

• Add a new deploymentMarkers job which prevent users from accidentally breaking their setup by choosing incompatible values.

• Add a NOTES.txt for some post-setup messages.

• Add support for configuring replicas of the matrix-rtc-authorization-service.

• Add support for Matrix Authentication Service replicas.

Changed

• Improve the validation on set properties for external Postgreses.

• Improve the validation that for every image the tag and/or the digest is set.

• Add example config for Nginx reverse proxy.

• Restrict some Synapse worker names such that release_names can be 29 characters long.

• Improve validation messages for values that are templated.

• Rename synapse-check-config-hook to synapse-check-config for consistency with init-secrets and deployment-markers.

• Upgrade Element Web to v1.11.102.

  Highlights:

  • Modernize the recovery key input modal.
  • General enhancements of the new room list (sorting, filtering, etc.).
  • Prompt the user when key storage is unexpectedly off.

• Set deployments maxUnavailable to 0 if it has only one replicas.

• Configure Synapse appropriately for Element Call when matrixRTC is enabled.

• Upgrade Synapse to v1.131.0.

  Highlights:

  • Add msc4263_limit_key_queries_to_users_who_share_rooms config option as per MSC4263.
  • Add option to allow registrations that begin with _.
  • Add support for calling Policy Servers (MSC4284) to mark events as spam.

• TI-Messenger: Enforce TLS for Synapse stats endpoint only if it is external to the cluster.

Fixed

• Sygnal: Fix additional not actually supporting injection configuration.

• Fix incorrect default imagePullPolicy for Synapse' local S3 media cleanup pod.

• Fix potentially wrong resources set on pods using VerticalPodAutoscaler.

• Ensure the names of Secrets in volume/volumeMounts don't have names that are too long.

• Fix routing to the initial-synchrotron worker in HAProxy.

• Fix initial-synchrotron paths not falling back to main if the worker is unavailable.

• Matrix RTC: Set proxy timeout and enforce disabled buffering nginx-ingress controllerType annotations if SFU is enabled.

ESS Pro 25.5.1 (2025-05-23)

Changed

• Make probe defaults explicit.

• Replace the use of initialDelaySeconds in default probes with adjustments to the startupProbes.

• Rename GroupSync to Advanced Identity Management.

• Postgres: Pretty print internal postgres env variables.

• Remove wellKnownDelegation.ingress.host from values.yaml as serverName is used for the well-known Ingress.

• Element Web: upgrade from v1.11.100 to v1.11.101.

  Highlights:

  • Improve identity reset UI

  Full Changelog: https://github.com/element-hq/element-web/releases/tag/v1.11.101

• Synapse: Upgrade from v1.129.0 to v1.130.0.

  Highlights:

  • Add an Admin API endpoint GET /_synapse/admin/v1/scheduled_tasks to fetch scheduled tasks.
  • Add config option user_directory.exclude_remote_users which, when enabled, excludes remote users from user directory search results.
  • Add support for handling GET /devices/ on workers.
  • Fix a longstanding bug where Synapse would immediately retry a failing push endpoint when a new event is received, ignoring any backoff timers.
  • Fix to pass leave from remote invite rejection down Sliding Sync.

  Full Changelog: https://github.com/element-hq/synapse/releases/tag/v1.130.0

• Use a distroless & rootless container image for Advanced Identity Management.

Fixed

• SBG: Fix own ca generated key must be 4096 bits.

• Make Dex probes respect the configuration in the values files.

• Fix helm.sh/version label being incorrectly present on Dex Pods.

• TI-Messenger: PAR Requests interception now uses clientId + redirectUri for identification of the PAR interception to do.

• CI: Make sure that released versions follow the semver semantics.

• Sygnal: Fix an issue with the volume name being too long when the app name is long.

• TI-Messenger: Support cyphersuites and curves to comply with A_18467.

• Fix invalid YAML when Synapse App Service registrations are configured.

ESS Pro 25.04.01 (2025-05-16)

Changed

• The ESS Pro Helm Chart now uses a new versioning scheme, time-based: YY.MM.XX.

Fixed

• Fix built-in Element Web not being allowed to be overridden.

ESS Pro 0.12.0 (2025-05-16)

Added

• Add support for GroupSync deployment.

• matrix-tools: Add the possibility to generate application service registration files when initializing chart internal secrets.

• Add support for LDAP authentication when using Matrix Authentication Service.

• TI-Messenger: Allow configuration of additional outbound hosts.

• Add support for LDAP authentication when using Synapse without Matrix Authentication Service.

• GroupSync: Use the first LDAP authentication provider by default if it is available.

Changed

• Allow routing of Synapse to Sygnal requests through the Secure Border Gateway for TI-Messenger.

• Don't force trailing slashes for the federation master URI in the TI-M entity statement.

• Ensure all Postgres containers have a startupProbe.

• Ensure HAProxy has a startupProbe when Synapse isn't enabled.

• Ensure Synapse's Redis has a startupProbe.

• Allow configuration of thresholds and frequencies for all startupProbes.

• Allow configuration of thresholds and frequencies for all livenessProbes.

• Allow configuration of thresholds and frequencies for all readinessProbes.

• Rename TI-Messenger sidecar container to better identify it.

• Allow configuration of the env and resources for Synapse's S3 media local-cleanup sidecar.

• Mark GroupSync and Matrix Authentication Service as not compatible for now.

• Matrix RTC Authorizer is now named Matrix RTC Authorisation Service.

• Minor quick setup docs fixes and improvements.

Fixed

• Validate that the Sygnal configuration contains at least 1 application.

• Correctly allow maxConnections and timeToLive be optional in Sygnal app configurations.

• Fix required message when matrix-tools image tag is missing in MAS templates.

• Fix Synapse per-worker resource overrides not being respected.

• Fix Secure Border Gateway OwnCA hash label name on Synapse Pro workers.

• Fix Pod Disruption Budget for the Federation Reader Pro worker not being correctly applied.

ESS Pro 0.11.5 (2025-05-08)

Added

• TI-M: Add newRoomCheckInterval configuraiton for insured users.

Changed

• Upgrade to Synapse v1.129.0-lts.1.

• Upgrade to Matrix Authentication Service 0.16.0.

• Upgrade TI-Messenger sidecar to 1.8.2.

• Upgrade Secure Border Gateway to 1.10.2.

• Update Element Web to v1.11.100.

• Upgrade to Synapse v1.129.0.

Fixed

• TI-M: Fix PAR & Token endpoint missing from proxy allowed hosts when they are distinct from the issuer endpoint.

ESS Pro 0.11.4 (2025-05-06)

Changed

• Include TI-Messenger defaults in values.yaml.

• Update Architecture diagram.

• Matrix Authentication Service: perform database migration with an init container, instead of on the startup of the main container.

• Upgrade to Matrix Authentication Service 0.15.0.

• HAProxy: Use ACLs instead of backup for synapse main worker fallback.

• Update Secure Border Gateway to v1.10.1, which excludes BusyBox tooling in the container image.

Fixed

• TI-M: Fix jwks_uri to the sidecar must not go through SBG Proxy.

ESS Pro 0.11.3 (2025-04-30)

Added

• TI-Messenger: Support overriding openid-federation scopes in the sidecar.

• TI-Messenger: Add tiMessenger.sso.allowJwkGeneration to enable or disable key generation by the sidecar.

• TI-Messenger: Add tiMessenger.sso.signingJwkPrivateKey and encryptionJwkPrivateKey to pass the entity statement JWKs.

• Add synapse.statistics to configure report_stats and allow it in TI-Messenger when required.

Changed

• Update Secure Border Gateway to v1.10.0.

• matrix-tools: Update Go to 1.24.

• matrix-tools: Update to 0.4.5.

Fixed

• TI-Messenger: Only do mTls against non-sektoral IdPs.

• well-known additional: fix additional content being passed as 1 configmap key.

ESS Pro 0.11.2 (2025-04-29)

Changed

• HAProxy: Return 405 on POST, PUT and DELETE requests on well-known files.

• Make it possible to configure the Helm keep/delete resource-policy for PersistentVolumeClaims and default to keeping them.

• Synapse: Increase probes timeout on the python processes to 15 seconds.

Fixed

• Matrix Authentication Service: Fix templating of OIDC endpoints.

• Synapse: Fix missing ess credentials for checkConfigHook if initSecrets is disabled.

• Synapse: Fix missing federation-inbound worker from values schema.

ESS Pro 0.11.1 (2025-04-28)

Fixed

• Synapse: Fix VPA memory maxAllowed template rendering.

• Fix merging of boolean in configurations.

ESS Pro 0.11.0 (2025-04-25)

Changed

• Ensure that all managed Pods have the same labels as their parent Deployment/StatefulSet/Job (apart from the helm.sh/chart label).

• Enforce a common format for k8s.element.io labels across components.

• Move Postgres config/secret hashes to labels for consistency with all other components.

• Ensure app.kubernetes.io/version labels are properly escaped & restricted.

• Extract Synapse config into template files like other config.

• Update matrix-tools dependencies and release 0.4.4.

Fixed

• Fix chart upgrade causing a restart of the whole stack.

• Fix helm.sh/chart label size with dev builds.

• Fix Synapse Pro Federation-Reader internal health check.

• Authentication: Stop trying to parse claimImports templates with helm.

• Fix Matrix RTC not working correctly with certificate authorities defined in the Helm values.

• Fix env values missing quotes in SBG & Sygnal.

ESS Pro 0.10.2 (2025-04-16)

Fixed

• Make sure Synapse can reach the MAS well-known openid-configuration.

ESS Pro 0.10.1 (2025-04-16)

Added

• Matrix Authentication Service: Allow to setup without enabling auth delegation in Synapse using matrixAuthenticationService.preMigrationSynapseHandlesAuth.

• Add support for authentication.additionalAuthorizationParameters configuration.

Changed

• Use a distroless & rootless container image for Redis.

• Upgrade livekit-server to a distroless & rootless variant of v1.8.4.

• Correct docs as setup_test_cluster.sh no longer manages a Postgres directly, the chart installs it.

• Synapse: Add trailing slash to public_baseurl.

• Synapse: Make health listener resource name explicit.

Fixed

• Synapse: fix enable_media_repo nil value.

ESS Pro 0.10.0 (2025-04-14)

Added

• Add matrixRTC backend deployment.

• Add the possibility to configure additional settings per-workers in Synapse.

Changed

• Synapse: Config secrets annotation hash now depends on processType.

• Upgrade Element Web to 1.11.97.

• Add caching headers for Element Web as per upstream.

• Synapse: Longer startup probes for single workers.

• Upgrade Synapse to 1.128.0.

Fixed

• Fix Matrix Authentication Service Deployment missing resources.

• matrix-tools: Fix rendered file permissions, from 664 to 440.

• Fix topologySpreadConstraints selectorLabel.matchLabels keys could not be nuked.

• Fix Synapse default topologySpreadConstraints not matching pod labels.

ESS Pro 0.9.1 (2025-04-04)

Fixed

• TI-Messenger: Fix /tim-information must not be exposed on the ingress in ePA mode.

ESS Pro 0.9.0 (2025-04-04)

Added

• Synapse: Allow to mount extra volumes on non-pro workers.

• Synapse: Allow to inject appservices registration from secrets.

• Synapse: Add additional consent and manhole listeners, disabled by default.

• Well-known: Add support for custom, non matrix/element files.

• Document how to migrate from existing installations.

• TI-Messenger: Allow to configure entity statement service name.

• Add an example for Apache2 to the reverse proxy documentation in the README.

Changed

• Improved README.md structure and content.

• TI-Messenger: Update SBG to v1.9.0, Sidecar to v1.7.0.

• Enable TLS by default on all ingresses. This can be disabled using tlsEnabled: false globally or per ingress.

Deprecated

• synapse.appservices[].registrationFileConfigMap is now synapse.appservices[].configMap.

Fixed

• Synapse: Fix AWS_CA_BUNDLE has to be defined for botocore s3 uploads against non-AWS S3 buckets.

• HAProxy: Don't set replicas if HorizontalPodAutoscaler is configured.

• Fix handling of extraVolumes and extraVolumeMounts in hook through adding a new mountContext.

• TI-Messenger: Fix sidecar does not have all redirect uris.

• Synapse/Matrix Authentication Service: Fix shared OIDC secret when init secret is disabled.

• Synapse should not mount OIDC providers secrets when used with Matrix Authentication Service.

• TI-Messenger: Only Service Title Public information is required.

• Postgres password: Generate only required passwords.

• Synapse: Use consistenly the hostname of the pod as worker names.

ESS Pro 0.8.1 (2025-03-28)

Changed

• Upgrade Element Web to 1.11.96.

Fixed

• Synapse: Fix volume mount path of config in s3 cleanup container job.

• TI-Messenger: Fix handling of new Insured Users Synapse module.

ESS Pro 0.8.0 (2025-03-27)

Added

• Synapse: Add VerticalPodAutoscaler configuration.

• Add HorizontalPodAutoscaler to HAProxy.

• Add PodDisruptionBudget for Synapse.

• HAProxy: Add VerticalPodAutoscalers.

• Add PodDisruptionBudget for HAProxy.

• TI-Messenger: Configure InsuredUserSeparationModule in ePA mode.

• TI-Messenger: Add support for Push Data protection for TI-M specialist service.

Changed

• TI-Messenger: Update Secure Border Gateway to v1.8.0 and Sidecar to v1.6.0.

• TI-Messenger: Info API is only exposed in Pro mode.

Fixed

• Fixed Helm template for Synapse deployment not properly configuring appservice registration file path.

ESS Pro 0.7.6 (2025-03-26)

Deprecated

• Removed markEmailAsVerified from email claim import as Matrix Authentication Service does not need it anymore.

Fixed

• MAS: Fix issuer when serving under elementWeb ingress.

ESS Pro 0.7.5 (2025-03-25)

Added

• Authentication: Add support for private_key_jwt when using Matrix Authentication Service.

• authentication: configure confirm_localpart in synapse depending on claim import action.

Changed

• Matrix Authentication Service does not need to prune database anymore, OIDC providers are being disabled instead.

• Authentication: template is required for OIDC claim import displayName if displayName is configured.

• Make it possible to provide additional command line arguments to Synapse.

• Have Synapse load Matrix Authentication Service shared secrets from files.

Fixed

• Fix authentication schema: userinfo is optional when discovery is disabled.

• matrix-tools: Various internal fixes after upgrading linter.

• Update matrix-tools to 0.4.2.

ESS Pro 0.7.4 (2025-03-20)

Fixed

• TI-Messenger: The sidecar should reach synapse through the internal service.

ESS Pro 0.7.3 (2025-03-20)

Added

• TI-Messenger: Add support for public room checks.

Fixed

• Authentication: fix handling of none clientAuthMethod.

• TI-Messenger: Fix SBG behaviour in ePA mode when using non-sektoral IdP.

ESS Pro 0.7.2 (2025-03-18)

Added

• Support configuring custom labels on the TI-Messenger resources.

• Added documentation for a quick bootstrap setup.

• Add the possibility to disable synapse media altogether.

• Auto manage the Pod securityContext in OpenShift.

• Add ingress.controllerType field to apply automatic behaviours depending on ingress controller. Supports ingress-nginx only for now.

Changed

• matrix-tools is now a public image.

• Disable immediate redirect to Matrix Authentication Service in Element Web.

• Matrix Authentication Service ingress can now be deployed in Element Web ingress if it is enabled.

• Update the init-secrets job to use the common Pod spec helper so that its behaviour is consistent with all other components.

• Don't deploy HorizontalPodAutoscaler resources if the metrics-server isn't installed.

• Upgrade Synapse to v1.126.0.

• Update SBG tls config to allowed ECDSA cipher groups, and TLS version 1.3.

• Bump matrix-tools to 0.4.1.

Fixed

• Ensure the Synapse Pro pods restart when the internal Postgres password changes.

• Fix the wrong labels being applied to the Synapse Config Check Hook Job.

• Fixing missing type from the Postgres Secret.

• Avoid to mount unused generated secrets in internal postgres container.

• TI-Messenger: Remove wrong log line about unknown field availability.

• MAS: Fix serving matrix and well-known oidc when using shared element web ingress.

• Add missing worker_replication_secret_path in synapse.

• README: Fix broken internal links and missing ess namespace argument.

ESS Pro 0.7.1 (2025-03-07)

Fixed

• Fix secret names when using in-helm values.

• Docs: Fix Architecture diagram wrong link between HAProxy & MAS.

ESS Pro 0.7.0 (2025-03-07)

Added

• TI-Messenger: Add sso.providers[*].tokenEndpoint configuration.

• TI-Messenger: Add support for Sectoral IdP.

• TI-Messenger: Add sso.publicKeyForSigningJwkUrl and sso.publicKeyForEncryptionJwkUrl sidecar configuration.

• TI-Messenger: Add support for OpenID federation.

• Redirect on the serverName domain to the chat app unless it is a well-known path.

• Support QR code login when MAS is enabled.

• Authentication: Allow configuration of idTokenSigningAlgValuesSupported.

• Synapse: Allow to override clients redirect URIs.

• Element Web: Add support for additionalHosts in its ingress.

• ElementWeb: Add support for extraVolumes and extraVolumeMounts.

• Synapse: Add a config check as Helm hook.

• Support passing extra environment variables to Element Web.

• Allow configuration of Synapse's max_upload_size via Helm values.

• Document deployment Architecture in docs/ARCHITECTURE.md.

Changed

• Refactor the commands for synapse's local media cleanup container to be compatible with minimal container images.

• Upgrade to Postgres Exporter 0.17.0 for better Postgres 17 compatibility.

• Use distinct pull Secret for Hooks.

• Update CI values files so they can be used as examples for the new users.

• Ensure all ports have names.

• Rename instances to replicas for Synapse workers to be consistent with other components.

• Ensure all managed Secrets set their type.

• ElementWeb additional config now expect multiple subproperties.

• Don't gate enabling presence in Synapse on having a presence writer worker, use the Synapse defaults and allow easy configuration.

• Improve credential validation.

Fixed

• TI-Messenger Synapse: Add support fo overriding id_token_signing_alg_values_supported for an OpenID identity provider.

• Fix an issue where postgres port could be missing when waiting for db.

• Fixed recent Element Web versions failing to start when running with GID of 0.

• Fix incorrect missing context error messages from some configuration files.

• Fix incorrect S3 credentials being used for storing media.

ESS Pro 0.6.1 (2025-02-21)

Added

• TI-Messenger: Add Public Rooms Client-API Authentication checks for Pro mode.

• TI-Messenger: Add support for overridding the default redirect uri in sso flows.

• Support the push-rules stream writer worker in Synapse.

Changed

• Upgrade Secure Border Gateway to v1.5.0.

• Update Synapse worker paths support for 1.124.0.

Fixed

• TI-Messenger: Gate OAuth PAR modules behind ePA mode.

• Fix HAProxy not starting with some combinations of Synapse workers. Regression in 0.6.0.

ESS Pro 0.6.0 (2025-02-21)

Added

• Synapse: if SigningKey is not provided, it is now automatically generated.

• Add an init-secrets job that will prepare internal secrets automatically if they are not provided by the user.

• Add support to deploy Matrix Authentication Service.

• Add support for OIDC Authentication configuration in MAS.

• Add the "concat" command to matrix-tools.

• Added the ability to generate the registration shared secret if no value or external Secret is configured.

• Add internal PostgreSQL database.

• Config ElementWeb automatically for best Matrix Authentication Service integration.

• Add a value to automatically configure CertManager on all ingresses.

Changed

• Project name is now ESS Pro Helm Chart instead of Element Pro Helm Chart.

• Update READMEs to improve the user on-boarding experience.

• Refactor the "update-ssl-certs" init containers to use matrix-tools -concat instead of update-ca-certificates.

• Update Synapse to v1.124.0.

• Update Element Web to v1.11.92.

• Refactor synapse pro worker pods to be compatible with minimal container images.

• Support arm64 in matrix-tools image.

• Upgrade to Matrix Authentication Service 0.14.0.

• Refactor synapse pod to be compatible with minimal container images.

• Secure Border Gateway additional and modulesAdditional now expect a YAML string.

• ElementWeb "additional" value now expect a json string.

• Configure Element Web to submit RageShakes.

• Configure Element Web for location sharing.

• HAProxy: Return 429 error code as Matrix Json format.

• Set the LD_PRELOAD environment variable only in containers that run Synapse.

• Improve Synapse HTTP request handling when Synapse processes are restarting.

Fixed

• SBG properly targets Synapse HTTP service instead of HAProxy metrics service.

• Fixed version label on well-known delegation templates.

• Fixed the HAProxy Service being headless rather than ClusterIP.

• Fix missing labels on the Pod created by the initSecret Job.

• Hard-code the org.opencontainers.image.licenses label be accurate.

• Handle CAs and custom CAs consistently across Synapse, Sygnal, MAS and SBG.

• Fix tracing configuration of TI-Messenger.

• HAProxy: Fix timeouts configuration are not passed to the pod.

• Fix Matrix Authentication Service render-config container was lacking extraEnv.

• Fix typo in postgresql values documentation.

• Postgres: Fixed duplicated ports in statefulset.

• Fix an issue where HAProxy would be ready despite not having any backend ready to answer.

• Postgres: Fix an issue where initialization would fail to happen properly.

• Correct some "missing context" error messages to refer to the correct template that is missing a context.

ESS Pro 0.5.0 (2025-01-30)

Added

• Give Sygnal a default number of replicas like other components.

• Add support for .well-known/matrix/support in Well Known Delegation.

• Add a matrix-tools image to handle dynamic config build and other chart features.

• Add the possibility to quote substituted env variable from synapse config.

Fixed

• Fix Sygnal incorrectly intpretting the number of replicas.

• Fix Sygnal incorrectly mounting APNS credentials.

ESS Pro 0.4.3 (2025-01-23)

Added

• Add changelog to releases.

• Document how to use a custom CA in the README.

• Document the behaviour of common base sections of the values file in the README.

Changed

• Synapse pro workers are now enabled by default.

Fixed

• Synapse: Fix OIDC secret issue when inlined in values file.

• Sygnal: Fix APNs secret issue when inlined in the values.

• Synapse: Fix an issue where the secret key was wrong when using synapse.postgres.value.

• Fixed an issue with changelogs generation.

• TI-Messenger: Fixed an issue with Sidecar when no custom CA is injected in the setup.

• TI-Messenger: Fix missing SSO exempt paths from restrict_client_access.

• Synapse: Fixed an issue when inlining media s3 secret values in the value file.