25.9.3

ESS Community Helm Chart 25.9.3 (2025-10-02)

Fixed

• Fix Matrix RTC SFU manualIP setting so that it correctly propagates through. (#765)

Internal

• CI: update Matrix RTC values files to cover STUN, Manual IP, and Node IP cases correctly. (#765)

25.9.2

ESS Community Helm Chart 25.9.2 (2025-09-30)

Added

• Introducing Element Admin, a user-friendly interface to manage your ESS deployment. This is default enabled, and you need to configure elementAdmin.ingress.host on upgrade, as well as create its DNS and TLS.

  (#743, #759, #762)

Changed

• Define "matrix-tools" containers with "args" set instead of "command". (#738)

• Update Element Web to v1.12.0.

  Highlights:

  • Use the new room list by default
  • Automatically adjust history visibility when making a room private
  • Stop ringing and remove toast if another device answers a RTC call.

  Full Changelogs:

  • v1.12.0

  (#744)

• Allow overriding of the Matrix Authentication Service policy configuration via additional configuration. (#745)

• Remove experimental.access_token_ttl from the Matrix Authentication Service config as the need for it has gone. (#745)

• Upgrade Synapse to v1.139.0.

  Highlights:

  • Fix a performance regression related to the experimental Delayed Events (MSC4140) feature.
  • Add experimental support for MSC4308: Thread Subscriptions extension to Sliding Sync when MSC4306: Thread Subscriptions and MSC4186: Simplified Sliding Sync are enabled.
  • Update MSC4190 support to return correct errors and allow appservices to reset cross-signing keys without user-interactive authentication.
  • Fix bug where we did not send invite revocations over federation.

  Full Changelogs:

  • v1.138.2
  • v1.139.0

  (#752, #755)

• Update Matrix Authentication Service to v1.3.0.

  Highlights:

  • Add Admin API filter to search users by username.
  • Add Admin API to list upstream OAuth 2.0 providers.

  Full Changelogs:

  • v1.3.0

  (#753)

• Upgrade Matrix RTC SFU (LiveKit) to v1.9.1.

  Full Changelogs:

  • v1.9.1

  (#758)

Internal

• CI: disable initSecrets for test values files that are to use secrets defined in Helm or external secrets. (#748)
• CI: cover testing in-Helm secrets for MAS. (#751)
• CI: Add go cache while building matrix-tools. (#754)
• CI: use stable URL for auth_metadata check. (#756)

25.9.1

ESS Community Helm Chart 25.9.1 (2025-09-17)

Added

• MatrixRTC: Add sfu.useStunToDiscoverPublicIP and sfu.manualIP values to simplify networking configuration.

  Warning: In version 25.10, these values will override any manually set rtc.external_ip and rtc.node_ip
  configured through sfu.additional additional configuration. (#733)

Changed

• Update Element Web to v1.11.112.

  Highlights:

  • Fix CVE-2025-59161 / GHSA-m6c8-98f4-75rr

  Full Changelogs:

  • v1.11.112

  (#739)

Internal

• Update the matrix-stack chart's .helmignore file to ignore Vim swap files. (#724)
• Update tests to grant MAS users with access to the Synapse admin API when requested. (#728)
• CI: Make sure tests fixtures errors are not silenced. (#729)
• CI: Raise an error if the pod is not ready when we want to run it. (#730)
• CI: Do not delete failed curl pods during metrics endpoints tests. (#732)
• Restart curl pods on failure when fetching metrics. (#737)

25.9.0

ESS Community Helm Chart 25.9.0 (2025-09-10)

Added

• Add /_synapse/ess/version to the Synapse ingress exposing the chart version and edition. (#715)

Changed

• Turn on push notifications for encrypted messages (MSC4028) support by default. (#712)

• Update Element Web to v1.11.111.

  Highlights:

  • Remember whether sidebar is shown for calls when switching rooms
  • Fix room joining over federation not specifying via's or using aliases

  Full Changelogs:

  • v1.11.111

  (#716)

• Upgrade Synapse to v1.138.0.

  Highlights:

  • Support for the stable endpoint and scopes of MSC3861 & co.

  Full Changelogs:

  • v1.138.0

  (#717)

• Update Matrix Authentication Service to v1.2.0.

  Highlights:

  • Translation updates

  Full Changelogs:

  • v1.2.0

  (#718)

• Use unique names for component configuration files, to prevent them from clashing against identically-named files in pods that deploy those components. (#723)

Internal

• CI: Check labels values against validation regex. (#705)
• CI: Check PVC presence only for existing workloads. (#705)
• Fix typo in "jitter_delay" config keys used in CI tests. (#722)

25.8.3

ESS Community Helm Chart 25.8.3 (2025-08-27)

Changed

• Improvements to the ESS Community README. (#678)

• Improved the documentation around the values file required for external vs internal PostgreSQL servers. (#688)

• Update Matrix Authentication Service to v1.1.0.

  Highlights:

  • Support for stable Matrix native OIDC scopes

  Full Changelogs:

  • v1.0.0
  • v1.1.0

  (#689)

• Switch to stabilised Matrix Authentication Service <-> Synapse configuration.

  matrixAuthenticationService.synapseOIDCClientSecret has been removed from the values
  schema and must be removed from your values files if set. (#689)

• Upgrade Synapse to v1.137.0.

  Highlights:

  • Stabilise support for delegating authentication to Matrix Authentication Service
  • Add support for MSC4293 - Redact on Kick/Ban

  Full Changelogs:

  • v1.136.0
  • v1.137.0

  (#689)

• Update Element Web to v1.11.110.

  Highlights:

  • Show a blue lock for unencrypted rooms and hide the grey shield for encrypted rooms
  • Fix matrix.to links not being handled in the app

  Full Changelogs:

  • v1.11.110

  (#690)

• Support configuring a different cluster domain for internal Service references. (#692)

• Documentation: Email is not required any more to set up Let's Encrypt. (#704)

Fixed

• Fix incorrectly routing unsupported room admin API requests to workers. (#685)
• Ensure Matrix RTC authoriser can contact itself in the test cluster. (#687)

Internal

• Add dockerhub secrets to curl pods used in pytest. (#669)
• CI: Add Spell Checks in markdown documentation. (#696)

25.8.2

ESS Community Helm Chart 25.8.2 (2025-08-21)

Fixed

• Fix Helm >= 3.18.5 considering our schema invalid due to a repeated $id. (#682)

25.8.1

ESS Community Helm Chart 25.8.1 (2025-08-11)

Changed

• Update Element Web to v1.11.109.

  Highlights :

  • Add support for the new room version 12
  • Allow /upgraderoom command without developer mode enabled
  • Support for creator/owner power level
  • Various icons and visual changes

  (#663)

• Update Synapse to v1.135.2.

  Highlights :

  • This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.
  • The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

  (#664)

Internal

• CI: remove flakes in test_routes_to_synapse_workers_correctly by streaming logs from all HAProxy Pods, not just the current ones. (#654, #655)
• Speed-up the tests asserting the possibility not to create service accounts per components. (#659)
• CI: Fix external contributors CI runs not running properly. (#661)
• Add a helper to build synapse internal hostport in helm templates. (#662)

25.8.0

ESS Community Helm Chart 25.8.0 (2025-08-06)

Added

• Document how to configure k3s traefik timeouts. (#617)

Changed

• Default Synapse to requiring TLS 1.2 or later.

  This can be overridden in additional configuration. (#609)

• Set Element X as app to be pointed to when accessing Element Web from a mobile browser. (#610)

• Document in CI values example that deploymentMarkers is default enabled. (#620)

• Upgrade Matrix Authentication Service to v0.20.0.

  Highlights:

  • Support receiving OpenID Connect Back-Channel Logout notifications
  • Support linking of upstream accounts to existing users when the localpart matches
  • Make email address lookups case-insensitive
  • Improve spec compliance of upstream OAuth 2.0 client auth methods

  Full Changelog:

  • v0.19.0
  • v0.20.0

  (#634)

• Upgrade lk-jwt-service to 0.3.0.

  Highlights:

  • Support restricting Matrix room creation to local homeserver only.
    Configure this through matrixRTC.restrictRoomCreationToLocalUsers. Default to false for now until clients support this new feature.

  Full Changelog:

  • 0.3.0

  (#635)

• Upgrade Element Web to v1.11.108.

  Highlights:

  • Allow Element Call to learn the room name
  • Save image on Ctrl/Cmd + S

  Full Changelog:

  • v1.11.106
  • v1.11.107
  • v1.11.108

  (#638)

• Introduce a device-lists worker for Synapse. (#639)

• Update worker capable paths for Synapse v1.135.0. (#639)

• Upgrade Synapse to v1.135.0.

  Highlights:

  • MSC4267 support - automatically forgetting rooms on leave
  • Advertise support for Matrix v1.12
  • Add ability to limit amount of media uploaded by a user in a given time period
  • Support arbitrary profile fields

  Full Changelog:

  • v1.134.0
  • v1.135.0

  (#639)

• Split the receipts-account worker type into account-data and receipts workers.

  If you've configured synapse.workers.receipts-account this is no longer valid and your configuration should be updated to
  setup synapse.workers.account-data and/or synapse-workers.receipts as appropriate. (#640)

• Remove support for /.well-known/element/element.json.

  It isn't used by clients of ESS Community.

  If you've set it, please remove wellKnownDelegation.additional.element from your values files. (#641)

• Source whether Synapse workers are single or scalable from the values rather than maintaining a list of single vs scalable workers. (#644)

• Source whether Synapse workers serve HTTP endpoints or have replication from other configuration to improve consistency of configuration. (#645)

• Update matrix-tools to 0.5.5. (#652)

Fixed

• Synapse: fix requests being routed to initial-synchrotron incorrectly. (#632, #642, #643, #646)
• Fix incorrect routing for Matrix Authentication Service related Synapse Admin API paths during migration. (#639)

Internal

• Refactor matrix-tools handling of subcommand. (#592)
• CI: change the comparision branch for the dyff job after the change to the source branch. (#602)
• Add the ability to regenerate a single file in charts/matrix-stack/ci. (#603)
• Add the ability to generate values files in charts/matrix-stack/user_values from charts/matrix-stack/ci/fragments. (#605)
• CI: just list manifests in that dyff that are added/deleted rather than any metadata about them. (#606)
• CI: improve testing of TLS certificates with intermediates. (#612)
• CI: handle deploymentMarkers not being enabled in various some PyTests. (#621)
• CI: remove deploymentMarkers from {synapse,matrix-authentication-service}(-checkov)-values.yaml as no extra values are required if deployment markers aren't enabled. (#621)
• CI: add checkov values file that covers all default enabled components. (#621)
• CI: sort list of source_fragments in CI values files. (#622, #623)
• CI: check automount service account policy against Job in tests. (#625)
• CI: refactor test users in integration tests. (#626)
• CI: fix flaking tests when checking upgrades. (#627)
• CI: in tests, wait for all replicasets to be ready before checking service endpoints and monitored pods. (#629)
• CI: in tests for pods to services labels match, skip pods part of a previous-generation replicaset. (#630)
• CI: fix warnings about wrong checkout action parameters. (#636)

25.7.0

ESS Community Helm Chart 25.7.0 (2025-07-02)

Changed

• Don't set hostAliases on the Synapse config job as it just operates on the config files. (#574)

• Upgrade Element Web to v1.11.105.

  Highlights:

  • Improvements to the new room list (in labs)
  • Support for custom message components via Module API

  Full Changelog:

  • v1.11.105

  (#575)

• Upgrade Synapse to v1.133.0.

  Highlights:

  • Add support for the MSC4260 user report API

  Full Changelog:

  • v1.133.0

  (#577)

• Upgrade Matrix Authentication Service to v0.18.0.

  Full Changelog:

  • v0.18.0

  (#578)

• Document how to re-run integration tests from scratch. (#579)

• Better document uninstallation of, and the stores of state managed by the chart. (#585)

• Don't push chart OCI images for every PR. (#589, #591)

• Tweak changelog sections ordering. (#600)

Fixed

• Fix Matrix RTC SFU ServiceMonitor not working. (#569)

• Fix Matrix Authentication Service not using the hostAliases set in the values. (#573)

• Fix Matrix RTC Authoriser not having default hostAliases values. (#573)

• Fix Postgres and Synapse Media storageClassName configuration not being respected.

  Warning Previously synapse.media.storage.storageClass and postgres.storage.storageClass
  were in the values file and associated schema. These values were accidentally silently ignored
  and all chart-managed PersistentVolumeClaims were constructed without spec.storageClassName
  set, using the cluster default StorageClass.

  The values file and associated schema have been updated so that the values are now
  synapse.media.storage.storageClassName and postgres.storage.storageClassName. The previous
  values are disallowed by the schema. Setting these values after the initial install could
  cause the PersistentVolumeClaims to be recreated, with associated data-loss. Only set
  synapse.media.storage.storageClassName or postgres.storage.storageClassName on initial
  installation. (#582, #583)

Removed

• Remove Matrix RTC Authoriser ServiceMonitor as the Authoriser has no metrics endpoint. (#569)
• Remove hostAliases support from Matrix RTC SFU as it doesn't make outbound requests. (#574)

Internal

• CI: test that the default values includes stub settings (and thus comments) for various properties. (#573)
• CI: test that hostAliases are correctly set for all workloads that make outbound requests. (#573, #574)
• CI: improve the test cluster setup for Matrix RTC. (#579)
• CI: improve testing of chart managed PersistentVolumeClaims. (#582)
• CI: test nodeSelectors are appropriately configured. (#583)
• CI: simplify which commit we checkout. (#586)
• CI: switch to using pull_request triggers. (#586)
• CI: don't push artifacthub metadata on PRs. (#589)
• CI: be explicit about what permissions are workflow/job requires. (#589)
• CI: allow dyff job to work on forks. (#589, #594)
• Tests: don't check services matching labels against terminating pods. (#595, #598)
• Add yamllint ct dependency to poetry.toml. (#596)
• Prepare for 25.7.0 release. (#597)
• CI: run the preview-changelog job on main and manually as well as PRs. (#599)

25.6.2

ESS Community Helm Chart 25.6.2 (2025-06-19)

Fixed

• matrix-tools: Skip any completed pods when scaling down synapse pods in syn2mas migration. (#546)
• Fix Matrix RTC's SFU constructing an invalid Service if given too wide a nodePort range. (#549)
• Fix comments around the image tag and digest in the values file. (#553)
• Fix certificate name inconsistencies between setup docs and values file fragments. (#555)
• Fix MatrixRTC RTCSession Error if a push-rules Synapse worker is enabled. (#557)
• Fix extraEnv with duplicate keys not being correctly merged. (#559)
• Document the need for removal of generated secrets & deployment marker configmap when uninstalling. (#567)

Changed

• Omit the UDP port range metadata for Matrix RTC's SFU if the range is larger than 100 ports. (#549)

• Remove warning about deprecated prometheus_port config value in Matrix RTC SFU. (#550)

• Upgrade Matrix RTC SFU to v1.9.0.

  Full changelogs:

  • v1.8.0
  • v1.8.1 - no changelog
  • v1.8.2 - no changelog
  • v1.8.3
  • v1.8.4
  • v1.9.0

  (#552)

• Document extraEnv in values.yaml for every workload. (#559)

• Consistently handle user provided extraEnv versus chart configured env.

  Chart configured env should win. (#559)

• Upgrade Matrix Authentication Service to v0.17.1.

  Highlights:

  • Support Registration Tokens

  Full changelog:

  • v0.17.0
  • v0.17.1

  (#564)

• Upgrade Element Web to v1.11.104.

  Highlights:

  • Implement MSC4155 invite filtering
  • Add /share?msg= endpoint using the forward message dialogue

  Full changelog:

  • v1.11.104

  (#565)

• Upgrade Synapse to v1.132.0.

  Highlights:

  • Implement MSC4155 invite filtering
  • Successful requests to /_matrix/app/v1/ping will now force Synapse to reattempt delivering transactions to appservices.

  Full changelog:

  • v1.132.0

  (#566)

Internal

• CI: Test upgrades against the nearest reachable tag and not the most recently created. (#547)
• CI: Enhance dyff jobs output to print yaml manifests in a single block code. (#548)
• Ensure example NodePort values use ports within kind's NodePort range. (#551)
• Run integration tests with kind 0.29.0. (#563)