Releases: element-hq/ess-helm

26.3.2

01 Apr 15:06
fd5f077

ESS Community Helm Chart 26.3.2 (2026-04-01)

Added

  • Allow configuration of storage.storageClassName and storage.resourcePolicy as defaults across all constructed PersistentVolumeClaims.

    The individual values can still be overridden on a per-PersistentVolumeClaim basis as before. (#1203)

Changed

  • Upgrade Matrix RTC SFU to 1.10.0.

    Resolves CVE-2026-33186.

    Full Changelogs:

    (#1191)

  • Configure Synapse to use the system CA trust store for Postgres connections if sslMode: verify-full. (#1202)

  • Upgrade Matrix RTC LiveKit JWT Service to v0.4.2.

    Resolves CVE-2026-26014 and CVE-2026-33186.

    Full Changelogs:

    (#1205)

  • Switch back to ESS Synapse variant.

    Regression in 26.3.1. (#1210)

Internal

  • CI: Publish ESS tests as a Python package for use in external projects and developer environments. (#1185, #1192, #1193, #1196, #1197, #1199)
  • CI: Use a Python script to generate logs. (#1192)
  • CI: Cache the pyhelm pulled chart relative to the runner directory, not to the script install path. (#1198)
  • Developers: Move .ca to ~/.config/ess-helm-ca. (#1198, #1201)
  • CI: Log the content of the cache when pyhelm cache fails to hit. (#1200)

26.3.1

25 Mar 11:06
c4866fc

ESS Community Helm Chart 26.3.1 (2026-03-25)

Changed

  • Synapse: Replace database.args.database with database.args.dbname. (#1151)

  • Upgrade Element Admin to v0.1.11.

    Highlights:

    • Rename Moderation to Supervision
    • Use upstream nginx configuration

    Full Changelogs:

    (#1170)

  • Raise the default size of Synapse's connection pool.

    Goes from 3-5 (min-max) to 5-10.
    These settings can be overridden with additional Synapse configuration. (#1171)

  • Upgrade Element Web to v1.12.13.

    Highlights:

    • Upgrade Element Call for new picture-in-picture designs
    • Fix "key storage out of sync" appearing when key storage is actually fine

    Full Changelogs:

    (#1173)

  • Allow configuration of the resources for Synapse's check config Job, rather than reusing the resources of the Synapse main process. (#1174)

  • Upgrade Synapse to v1.150.0.

    Highlights:

    • When Matrix Authentication Service (MAS) integration is enabled, allow MAS to set the user locked status in Synapse
    • Fix a bug introduced in v1.26.0 that caused deactivated, erased users to not be removed from the user directory
    • Allow caching of the /versions and /auth_metadata public endpoints

    Full Changelogs:

    (#1175)

  • Upgrade Matrix Authentication Service to v1.14.0.

    Highlights:

    • Synchronise the user locked flag to Synapse
    • Respect HTTP Proxy environment variables in outgoing HTTP requests

    Full Changelogs:

    (#1176)

Fixed

  • Fix extra quotes being added around the Redis password in the Synapse configuration template. (#1164)
  • Element Web: Fix Cache-Control header on /i18n. (#1167)

Documentation

  • Migration: Adjust the Migrating documentation to use the new ess-migration-tool command. (#1147)
  • Improve developer documentation. (#1172)

Internal

  • CI: Split the ingress manifest tests into 3 test runs. (#1144)
  • Ensure the test cluster can see the external IP correctly. (#1177)

26.3.0

18 Mar 08:29
1fb02ac

ESS Community Helm Chart 26.3.0 (2026-03-18)

Removed / Breaking Changes

  • Matrix RTC: Change the default ports to move them into the proper default Kubernetes static range.

    The Kubernetes default static range contains ports 30000-30085. The Matrix RTC exposed services have been moved to:

    • Matrix RTC TCP: 30001
    • Matrix RTC UDP: 30002
    • Matrix RTC Turn TLS: 30003
    • Matrix RTC Turn: 30004

    If you want to keep using the previously set static ports, you can do so by adding the following to your values files:

    matrixRTC:
      sfu:
        exposedServices:
          rtcTcp:
            port: 30881
          rtcMuxedUdp:
            port: 30882
          turnTLS:
            port: 31443
          turn:
            port: 31748

    (#1118, #1123)

Added

  • Add example config for Caddy reverse proxy. (#1087)
  • Added support for external Redis configuration (synapse.redis, hookshot.redis), allowing the use of managed Redis services (AWS ElastiCache, Azure Cache for Redis, etc.) instead of the internal Redis deployment. Each Redis-using component uses the chart Redis unless it has been independently configured with an external Redis. When an external Redis is configured for all components, the internal Redis Deployment, Service, ConfigMap and ServiceAccount are automatically skipped. (#1143)

Changed

  • Remove unstable MSC2965 details from Well Known Files.

    Native OIDC (Matrix Authentication Service) support is advertised through /auth_metadata availability.

    The classic Element applications need to be upgraded to the following versions:

    (#898)

  • Use double-quoted string scalars in Chart.yaml for consistency with the CI values files. (#1081, #1084)

  • Add optional file pattern argument to scripts/ct-lint.sh to allow selective linting of files, similar to scripts/assemble_ci_values_files_from_fragments.sh. (#1103)

  • Matrix Authentication Service: Remove the hardcoded kid from the secret keys in the config file, and let Matrix Authentication Service derive them automatically.

    Matrix Authentication Service includes the kid it used when signing JWTs, such as id_tokens, which helps consumers verify with the right key. The Matrix specification doesn't make use of id_tokens, so there is no impact in changing the kid and letting it derive one automatically at runtime. (#1112)

  • Upgrade Element Web to v1.12.12.

    Highlights:

    • Add stable support for MSC4380 invite blocking
    • Hide the names of banned users behind a spoiler tag

    Full Changelogs:

    (#1120)

  • Upgrade Matrix Authentication Service to v1.13.0.

    Highlights:

    • Support MSC4198 login_hint in account management URI

    Full Changelogs:

    (#1121)

  • Upgrade Synapse to v1.149.1.

    Highlights:

    Full Changelogs:

    (#1122)

  • Upgrade Matrix RTC SFU to 1.9.12.

    Full Changelogs:

    (#1127)

  • Upgrade MatrixRTC authoriser to v0.4.1 for MSC4195 compliance.

    Highlights:

    • Introduces the new MSC4195-compliant request flow

    Full Changelogs:

    (#1128)

Fixed

  • Matrix RTC: Fix an issue where LiveKit would crash if setting exposedServices.turnTLS.port to 443 when not using HostPort portType. (#1079)

  • Fix HAProxy memory leak in dual-stack clusters.

    In dual-stack clusters the IP of the backend server for each Synapse Pod flaps between the IPv4 and IPv6 address every second or so, which causes a memory leak.

    HAProxy is now configured to use only the IPv4 or the IPv6 address, based on the value of networking.ipFamily. In the dual-stack case (the default value) the IPv4 address is used. As such, IPv6-only clusters must now set networking.ipFamily: ipv6. (#1124)

  • Fix Element Admin not starting in an IPv6 only cluster. (#1125)

  • Fix Hookshot not starting in an IPv6 only cluster. (#1126)

Documentation

  • Fix the link to the "Quick setup" section in the README. (#1136)

Internal

  • Migration script: Add support for automatically discovering extra files referenced by the Synapse configuration and outputting them as Kubernetes ConfigMap manifests. (#1067, #1085, #1117)
  • Add support for Synapse workers discovery in migration script. (#1080, #1106)
  • Add support for Matrix Authentication Service to migration scripts. (#1083)
  • CI: Verify nested values behaviour in migration scripts. (#1077)
  • CI: Log the last exception happening when waiting for an ingress to become ready. (#1078)
  • CI: Use a composite action to share the ASDF cache run steps. (#1082)
  • CI: Cache asdf in manifests tests. (#1082)
  • Use the Helm standard function to transform a string into an env var name. (#1094)
  • CI: Fix KeyError being raised when logging the reason a volume could not be found in configuration consistency tests. (#1095)
  • CI: Exempt dependabot from the copyright-dates check. (#1096)
  • CI: Skip trying to log in to DockerHub on forks. (#1096)
  • Scripts: Do not escape strings automatically in our Jinja files. (#1097)
  • Rewrite postgres databases handling to enhance the script readability. (#1101)
  • Improve error messages in chart_from_ci_cache to include specific details about missing charts and cache locations. (#1102)
  • CI: Run zizmor security scan against ess-helm github action workflows. (#1107, #1114, #1115, #1116, #1119, #1140)
  • CI: Document manifests tests with docstring and better assertion messages. (#1108)
  • CI: Matrix RTC pytest now uses DynamicNodePort to avoid port conflicts. (#1118)
  • CI: Replace poetry with uv as the Python package manager. (#1129)
  • CI: Fix an issue with matrix-tools image sometimes not being pushed until we retry the job. (#1142)

26.2.3

26 Feb 10:44
0aca27e

ESS Community Helm Chart 26.2.3 (2026-02-26)

Added

  • Add a script to migrate existing Synapse configuration to ESS Community values.

    • The script will generate a valid ESS Values file based on an existing Synapse configuration.
    • The script supports automatically discovering secrets and outputs them to Kubernetes Secrets manifests.

    (#1052, #1056, #1058)

  • Add tlsTerminationOnPod property to matrix-rtc TURN TLS service for external TLS termination support. (#1053)

Changed

  • Upgrade Matrix Authentication Service to v1.12.0.

    Highlights:

    • Allow + in usernames, as per the Matrix spec
    • Fix compat token refresh giving back a consumed token
    • Add a default Message-ID when sending emails

    Full Changelogs:

    (#1066)

  • Upgrade Element Web to v1.12.11.

    Highlights:

    • Update the room list visuals in order to have better contrast
    • Remove server acl status/summaries from timeline

    Full Changelogs:

    (#1068)

  • Upgrade Synapse to v1.148.0.

    Highlights:

    Full Changelogs:

    (#1069)

Fixed

  • Ensure all Deployments and StatefulSets have restartPolicy: Always in their spec.template.spec so that their Pods are always correctly restarted. (#1055)
  • Ensure all Jobs have restartPolicy: Never in their spec.template.spec so that failed Pods are kept around. (#1055)
  • Don't wait for the chart Synapse to be available to start Hookshot when an external Synapse is used. (#1062)

Documentation

  • Document how to troubleshoot Matrix RTC SFU connectivity. (#1051)

Internal

  • CI: Cache Helm OCI dependencies for the current week. (#1057, #1070)
  • CI: test that all references to Services in the chart exist. (#1062)
  • Make scripts/assemble_ci_values_files_from_fragments.sh use standard character classes and not GNU extensions for improved portability. (#1063)
  • Allow passing of additional options when creating the k3d cluster. (#1064)
  • CI: Export k3d debug logs. (#1070)
  • CI: Do not set up cert-manager in integration tests as it's only used for local testing. (#1070)
  • CI: Retry setting up prometheus operator CRDs to kill flakes. (#1072)
  • CI: Retry Turn TLS connectivity in case of unexpected EOF Errors. (#1073, #1074)
  • CI: Cache dependencies installed with asdf. (#1075)

26.2.2

18 Feb 13:49
c509926

ESS Community Helm Chart 26.2.2 (2026-02-18)

Changed

  • Upgrade Matrix Authentication Service to v1.11.0.

    Highlights:

    • Make the compat login SSO redirect query parameters ignore invalid values
    • Clean up unsupported threepids from already deactivated users
    • Cleanup finished OAuth 2.0 sessions
    • Cleanup finished user/browser sessions
    • Clear out last active IP on each session after 30 days

    Full Changelogs:

    (#1035)

  • Update matrix-tools base image to Debian 13.

    For compatibility with syn2mas v1.11. (#1042)

Documentation

  • Update README diagram to represent Hookshot. (#1039)

26.2.1

13 Feb 09:03
b9fbd3d

ESS Community Helm Chart 26.2.1 (2026-02-13)

Changed

  • Upgrade Synapse to v1.147.1.

    Highlights:

    • Don't retry joining partial state rooms all at once on startup.
    • Block federation requests and events authenticated using a known insecure signing key. See CVE-2026-24044 / ELEMENTSEC-2025-1670.

    Full Changelogs:

    (#1031)

  • Upgrade Element Web to v1.12.10.

    Highlights:

    • Allow Element Call widgets to receive sticky events
    • Add option for sorting by rooms with unread messages in the room list view

    Full Changelogs:

    (#1034)

Documentation

  • Document how to manually fix CVE-2026-24044/ELEMENTSEC-2025-1670. (#1037)

Internal

  • Add strict schema validation test for MAS config. (#1026, #1030)
  • Merge matrix-tools fixes related to CVE-2026-24044 / ELEMENTSEC-2025-1670 to main. (#1036)

26.2.0

05 Feb 13:21
4c7b052

ESS Community Helm Chart 26.2.0 (2026-02-05)

Changed

  • Set default permissions on Hookshot so that local users only have permissions to manage integrations and connections. (#1010, #1014)

    Permissions should be adjusted to give specific users the ability to administer integrations, e.g.

    hookshot:
      additional:
        permissions.yaml:
          config: |
            permissions:
            - actor: {{ $.Values.serverName | quote }}
              services:
              - service: "*"
                level: manageConnections
            - actor: "@an-admin-user:{{ $.Values.serverName }}"
              services:
              - service: "*"
                level: admin

  • Update the test cluster values so that Hookshot can make requests to cluster-internal IP addresses. (#1010, #1018, #1023)

Fixed

  • Fix Hookshot widgets not being available when using the Synapse Ingress / not having a dedicated Hookshot Ingress. (#1010)

Internal

  • CI: Export logs of all k3d namespaces. (#1015)
  • CI: Remove code duplication that existed between pytest integration test suite and setup_test_cluster.sh script. (#1016, #1017)
  • CI: Use OCI repository to install cert-manager and prometheus-operator-crds. (#1020)
  • CI: Support --rollback-on-failure helm 4 parameter. (#1022)

26.1.3

28 Jan 14:33
52ed05c

ESS Community Helm Chart 26.1.3 (2026-01-28)

Changed

  • Upgrade Element Web to v1.12.9.

    Highlights:

    • Allow local log downloads instead of a bug report endpoint URL.
    • Support for stable MSC4191 account management action parameter
    • Support for stable m.oauth UIA stage from MSC4312

    Full Changelogs:

    (#981)

  • Upgrade Matrix Authentication Service to v1.10.0.

    Highlights:

    • Support for stable MSC3824 (OAuth 2.0 API aware clients) values
    • Support for stable MSC4191 account management actions
    • Cleanup various old, soft-deleted entities from the database.

    Full Changelogs:

    (#990)

  • Upgrade Synapse to v1.146.0.

    Highlights:

    • Stabilise support for MSC4312's m.oauth User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API.
    • Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are.
    • Fixed parallel calls to /_matrix/media/v1/create being rate-limited for appservices even if rate_limited: false was set in the registration.

    Full Changelogs:

    (#992)

26.1.2

27 Jan 15:21
5902e6a

ESS Community Helm Chart 26.1.2 (2026-01-27)

Added

  • Add support for configuring internalTrafficPolicy for services behind ingresses. (#999)

  • Add support for configuring externalTrafficPolicy for NodePort and LoadBalancer services behind ingresses. (#1000)

  • Add support for configuring externalTrafficPolicy to exposedServices. (#1001)

  • Add support for configuring internalTrafficPolicy to exposedServices. (#1001)

  • Add support to customize the nodePort of exposed services.

    The nodePort property of exposedServices.* is now a string template taking two parameters:

    • context: The exposed service values context *.exposedServices.<svc>
    • root: The Helm $ root values context

    On Matrix RTC values, the nodePort template defaults to {{ .context.port }} so that the nodePort is the same as port. Setting the template to an empty string will skip setting nodePort on the service.

    (#1002)

  • Add support for configuring externalIPs of exposed services. (#1006)

  • Add support for configuring annotations of Ingress services. (#1007)

  • Add support for configuring externalIPs of Ingress services. (#1007)

Changed

  • Hookshot: Disable encryption by default as it is still experimental. (#995)

  • Hookshot: Use appservice fully qualified domain name in the registration file. (#996)

  • Hookshot: Publish service unready address. (#996)

  • Hookshot: Enable adding widgets in rooms where it is invited by default. (#997)

  • Change the default externalTrafficPolicy for the SFU exposed services from Local to the Kubernetes default, Cluster. (#1001)

  • Update Hookshot to 7.3.1.

    Highlights:

    • Add generic webhook transformation JS snippet which can handle GitLab Pipeline payloads under contrib/jsTransformationFunctions/gitlab-pipeline.js
    • Add generic webhook transformation JS snippet to format text as code block under contrib/jsTransformationFunctions/format-as-code.js
    • Fix the !hookshot help command not working

    Full Changelogs:

    (#1008)

Fixed

  • Matrix RTC: Fix a templating issue when turn was enabled with a cert-manager issuer generating the TLS secret. (#989)
  • Hookshot: Fix a templating issue when Matrix Authentication Service is enabled if Hookshot was enabled without an Ingress. (#993)

Documentation

  • Document how to setup and configure Hookshot. (#988)

Internal

  • CI: pin Helm to 3.19.4 in the manifest tests to avoid a bug with merging null values. (#994)
  • CI: Add test running Hookshot with Matrix Authentication Service enabled. (#995)
  • Build services schema using a common service.json file. (#1003)

26.1.1

22 Jan 13:03
6ffeead

ESS Community Helm Chart 26.1.1 (2026-01-22)

Removed / Breaking Changes

  • Move Synapse's Redis to a top-level shared component that can be used by multiple components of the chart.

    There is no impact when using the default values, but if you have customised values under the synapse.redis key, you will need to move them under the new top-level redis key. (#972)

Added

  • Add extraInitContainers support to all workloads. (#971)

  • Matrix RTC: Add support for configuring Turn TLS to help RTC traffic get through corporate Wi-Fi networks and firewalls. (#976)

  • Add support for generating appservice registration files with matrix-tools. (#979)

  • Add support for Hookshot installation in ESS Community.

    Hookshot is a Matrix Bot for connecting to external services.
    It is not enabled by default, but can be enabled by setting hookshot.enabled: true. (#979, #986)

  • Matrix RTC: Add support for configuring UDP Turn. (#982)

Changed

  • Support generator arguments in matrix-tools secret generation. (#973)
  • Support configuring the RSA key size generated by matrix-tools. (#973)
  • Support exporting RSA keys as DER and PEM in matrix-tools. (#973)
  • matrixRTC.sfu.exposedServices.*.portType is now an enum and only accepts NodePort, HostPort and LoadBalancer. (#976)
  • A few corrections to the README. (#980)
  • Specify service type ClusterIP for internal services of Matrix RTC and Synapse. (#985)

Documentation

  • Make documentation clearer that some configuration options can't be changed by the additional configuration mechanism. (#975)