Releases: element-hq/ess-helm

25.12.2

19 Dec 16:01

ESS Community Helm Chart 25.12.2 (2025-12-19)

Security

  • Fix critical security issue tracked as ELEMENTSEC-2025-1670.

    This release is a critical security update to address an issue affecting all versions of ESS Community and ESS Pro. ESS Classic and other Synapse-based deployments are not affected.

    The issue only has an impact when federation APIs are exposed to an untrusted network. Deployments that are not currently federating, or that only federate in a closed, trusted federation, are not impacted. These deployments should not enable public federation without first applying this update.

    We advise you to apply the update as quickly as possible. (#943)

25.12.1

12 Dec 15:44
7fd8eb2

ESS Community Helm Chart 25.12.1 (2025-12-12)

Removed / Breaking Changes

  • The MatrixRTC SFU now restricts creation of calls to users on the local homeserver.

    This can be changed back to allowing anyone to create calls on the SFU by setting matrixRTC.restrictRoomCreationToLocalUsers: false. (#926)

Changed

  • Upgrade Synapse to v1.144.0.

    Highlights:

    • Add experimental implementation of MSC4380 (invite blocking).
    • Allow the restarting delayed events endpoint for MatrixRTC to be served by workers.

    Full Changelogs:

    (#915)

  • Upgrade Matrix Authentication Service to v1.8.0.

    Highlights:

    • Add more options to deal with localpart conflicts on upstream OAuth 2.0 login.
    • Option to skip confirmation when registering through an upstream OAuth provider.

    Full Changelogs:

    (#916)

  • Support configuring IPv4-only, IPv6-only or Dual-Stack component binds by configuring networking.ipFamily.

    Defaults to dual-stack, but if you are in a cluster where IPv6 support is either disabled at boot or compiled out you may need to set this to ipv4. (#921)

  • Allow Synapse and Matrix Authentication Service to receive traffic over IPv6. (#921)

  • Removed some unused code from the initSecrets generation container.

    Also complete the docs on the secret types it supports. (#927)

  • Upgrade Element Admin to v0.1.10.

    Highlights:

    • Fixed a crash in the moderation tab when the Adminbot endpoint is unavailable
    • Added the ability to delete rooms
    • Made the language switcher keyboard navigable
    • Updated translations for better user experience

    Full Changelogs:

    (#932)

25.12.0

04 Dec 09:40
618e182

ESS Community Helm Chart 25.12.0 (2025-12-04)

Removed / Breaking Changes

  • Remove imagePullSecrets in favour of image.pullSecrets.

    As of 25.10.1 imagePullSecrets was deprecated in favour of image.pullSecrets.
    It has now been removed and attempting to use imagePullSecrets will trigger a schema
    validation error. (#901)

  • Remove the ability to set rtc.{use_external_ip,node_ip} via matrixRTC.sfu.additional in favour of matrixRTC.sfu.{useStunToDiscoverPublicIP,manualIP}.

    As of 25.9.1 matrixRTC.sfu.{useStunToDiscoverPublicIP,manualIP} were introduced to provide direct values for these settings. Attempting to set
    these via matrixRTC.sfu.additional will result in your values being ignored. (#901)

Changed

  • Upgrade Element Web to v1.12.6.

    Highlights:

    • Remove mentions from forwarded messages.
    • Improve aria attributes on the emoji picker.
    • Support using Element Call for voice calls in DMs.

    Full Changelogs:

    (#865, #903, #918)

  • Remove hard-coded podAntiAffinity for Deployments that had set replicas > 2. (#867)

  • Support topologySpreadConstraints on all workloads, not just select ones. (#867)

  • Set a soft, default topologySpreadConstraints for all workloads.

    This can be removed by setting topologySpreadConstraints to [] at the top-level or
    overridden on a per-component basis by setting that component's topologySpreadConstraints. (#867)

  • Unify management of StatefulSet.spec along with Deployment.spec. (#872)

  • Upgrade Synapse to v1.143.0.

    Highlights:

    • Update MSC4140 delayed event support, for separate endpoints.

    Full Changelogs:

    (#876)

  • Upgrade Matrix Authentication Service to v1.7.0.

    Highlights:

    • Interactively help users choose a username.

    Full Changelogs:

    (#878)

  • Change Element Web and MatrixRTC SFU Ingresses to target Service port names rather than numbers. (#879)

  • Harmonise the hook weights and reduce the number of distinct hook weight values.

    This should speed up installs and upgrades as now there are only 2 distinct pre-install/pre-upgrade hook weights. (#880)

  • Better handle the only worker-capable delayed-events endpoint. (#889)

  • Remove explicit configuration of HAProxy maxconn at the global and backend level.

    This improves the compatibility with microk8s clusters that don't raise ulimits by default. (#890)

  • Upgrade Element Admin to v0.1.9.

    Highlights:

    • Integration with the ESS Pro Adminbot

    Full Changelogs:

    (#900)

  • Listen for HAProxy traffic over IPv6. (#905)

  • Change ipFamilyPolicy to PreferDualStack for all services to expose them over dual-stack where possible. (#907)

  • Change Matrix Authentication Service deployment maxSurge to 0.

    We have seen migration race conditions happening during Matrix Authentication Service pod
    rollouts. This sets maxSurge to 0 to try to make sure only 1 pod at a time runs the
    migration process. (#910, #914)

Fixed

  • Change Postgres emptyDirs to be memory backed. (#894)
  • Ensure Postgres is fully set up before marking as available or live. (#897)
  • Fix Matrix Authentication Service secrets config generation so private keys coming from an external secret are correctly referenced. (#908)

Internal

  • CI: switch from kind to k3d for integration tests. (#871)
  • CI: simplify manifest test setup now that we care less about which deployables are in-use for a given values file. (#877)
  • CI: add tests covering the weights and phases of Helm hooks. (#880, #884)
  • Document why we don't use passfile for Synapse & MAS' Postgres configuration. (#881)
  • CI: Don't add New Vector Ltd copyright to new ci values files. (#882)
  • CI: add concurrency limit per branch to prevent too many concurrent jobs. (#883)
  • CI: validate that all emptyDirs are memory backed. (#894)
  • CI: Make sure init-secrets job is not created when no secrets need to be generated. (#896)
  • CI: Enhance manifests caching in manifests pytest runs. (#899)
  • CI: Make cached manifests immutable to avoid issues where they might be mutated during test runs, causing races. (#899)
  • CI: stop flakes in test_pods_monitored. (#902)
  • CI: fix image verifications step failing on PRs on forks. (#909)
  • CI: adjust expected status codes to retry on the upgrade integration tests. (#913)

25.11.1

14 Nov 10:28

ESS Community Helm Chart 25.11.1 (2025-11-14)

Changed

  • Upgrade Matrix Authentication Service to v1.6.0.

    Highlights:

    • Be strict about undefined variables in templates

    Full Changelogs:

    (#852)

  • Upgrade Synapse to v1.142.0.

    Highlights:

    • Add an Admin API to allow an admin to fetch the space/room hierarchy for a given space.

    Full Changelogs:

    (#853)

Internal

  • CI: validate that images are AMD64 & ARM64. (#859)
  • CI: unify manifest tests around Pod replicas. (#866)

25.11.0

06 Nov 14:42
2c65cd3

ESS Community Helm Chart 25.11.0 (2025-11-06)

Changed

  • Upgrade Element Web to v1.12.3.

    Highlights:

    • Fix sort order in space hierarchy.
    • New Room list: don't display message preview of thread.

    Full Changelogs:

    (#842)

  • Re-add the chart's icon. (#848)

  • Update README. (#854)

  • Configure experimental MSC4143 advertisement in Synapse when MatrixRTC is enabled.

    This is in addition to the MSC4143 advertisement on the client well-known endpoint for now, but it is expected to replace it in time. (#855)

  • Update Element Web's default bug report URL to use the dedicated subdomain for bug reporting. (#856)

Fixed

  • Fix an issue where the chart could not be deployed against clusters returning an experimental build. (#850)

Documentation

  • Document setting alternative STUN servers for MatrixRTC. (#851)

Internal

  • CI: Use Element customised pyhelm3 dependency for running tests. (#848)

25.10.3

31 Oct 08:28
6165722

ESS Community Helm Chart 25.10.3 (2025-10-31)

Changed

  • Update example-default-enabled-components-values.yaml to include MatrixRTC as it is enabled by default. (#516)

  • Upgrade Element Web to v1.12.2.

    Highlights:

    • Improve handling of animated images.
    • Fix duration of voice message in timeline.
    • Improve keyboard navigation on invite dialog.

    Full Changelogs:

    (#809)

  • Update Element Admin to v0.1.8.

    Highlights:

    • Allow admins to generate personal access tokens for users
    • Fix the ESS version not loading after a refresh

    Full Changelogs:

    (#816, #843, #844)

  • Update Chart metadata to enhance tooling like renovate and artifacthub.io. (#818)

  • Update Synapse to v1.141.0.

    Highlights:

    • Update docker image to use Debian trixie as the base and thus Python 3.13
    • Allow using MSC4190 behaviour without the opt-in registration flag
    • Stabilize support for MSC4326: Device masquerading for appservices

    Full Changelogs:

    (#826)

  • Ensure there are at least 2 newlines at the end of the haproxy.cfg file. (#829)

  • Upgrade Matrix Authentication Service to v1.5.0.

    Highlights:

    • Initial support for admins managing Personal Access Tokens for users using the Admin APIs.

    Full Changelogs:

    (#830)

  • Add 'Element Creations Ltd' copyright to every file. (#835)

Fixed

  • Postgres: Fix the ess-updater container not having access to the local data directory. (#817)

  • Prioritize wellKnownDelegation.baseDomainRedirect.url over elementWeb.ingress.host.

    Previously, whenever elementWeb was enabled, the url property was silently ignored instead of, as expected, taking precedence. (#819)

  • Fix a Matrix compatible JSON response not being correctly sent when a Synapse backend is down. (#829)

Documentation

  • Values Fragments: Make serverName unique to 1 fragment. (#806)
  • Matrix RTC: Document the SFU CrashLoopBackOff issue. (#825)

Internal

  • CI: New implementation of the configuration consistency checks. (#817, #831, #832, #833)
  • CI: check that matrix-tools containers only ever set args and not command. (#820)
  • CI: check that all changed files have copyright notices for the new Element legal entity. (#822)
  • Update SPDX check script to handle multiple Copyright headers. (#822, #835)
  • Allow cloning of the source repository on Windows. (#827)
  • Rename Removed changelog sections to Removed / Breaking Changes and make more prominent. (#828)
  • CI: test that all multi-line config files end up in cluster with a trailing newline. (#829)
  • CI: adapt integration test cluster creation for latest pytest-kubernetes. (#841)

25.10.2

16 Oct 17:23
39ee61e

ESS Community Helm Chart 25.10.2 (2025-10-16)

Security

  • Update Matrix Authentication Service to v1.4.1.

    This is a security release which includes a fix for CVE-2025-62425 / GHSA-6wfp-jq3r-j9xh, which affects servers using the local password database on MAS 0.20.0 and later. See the advisory for details.

    Full Changelogs:

    (#813)

Changed

25.10.1

15 Oct 07:36
1e0fae2

ESS Community Helm Chart 25.10.1 (2025-10-15)

Added

  • List deprecations in NOTES.txt when running helm install/helm upgrade. (#796)

  • Support overriding the default imagePullPolicy for every component by setting image.pullPolicy.

    Per-image overrides can be set by setting <path.to>.image.pullPolicy as before.

    If image.pullPolicy or per-image overrides aren't set, IfNotPresent is used by default for images
    referenced by digest and Always is used by default for images referenced by tag, as previously. (#798)

Changed

  • Update Matrix Authentication Service to v1.4.0.

    Highlights:

    • Make it possible to allow password registration without email verification.
    • Add Admin API to finish individual sessions.

    Full Changelogs:

    (#787)

  • Ensure consistent captured headers in HAProxy log lines, between all HTTP request processing HAProxy frontends. (#788)

  • Correct the handling of multiple X-Forwarded-For headers to Synapse.

    This may have exhibited itself as requests being incorrectly rate-limited by Synapse.

    The source IP logged by HAProxy is now always the IP connecting to HAProxy rather than
    a value extracted from the X-Forwarded-For header (if present). This is usually an IP
    for the ingress controller. (#788)

  • Log the X-Forwarded-For header and stop logging the Referer header in HAProxy. (#788)

  • Upgrade HAProxy to 3.2.

    Release notes:

    (#790)

  • Upgrade Element Admin to v0.1.4.

    Highlights:

    • Use authenticated media endpoints for thumbnails
    • Keep selected item when changing filters

    Full Changelogs:

    (#793)

  • Inform chart users, in helm install/helm upgrade notes of the deprecations around rtc.{use_external_ip,node_ip} that happened in 25.9.1. (#796)

  • Move the top-level imagePullSecrets list to image.pullSecrets.

    Setting imagePullSecrets is deprecated and will be removed in 25.11. If you set imagePullSecrets in your values files, please migrate to image.pullSecrets or you will see schema errors on upgrading to 25.11 when it is released. (#798)

  • Upgrade Synapse to v1.140.0.

    Highlights:

    • Add a new Media Query by ID Admin API that allows server admins to query and investigate the metadata of local or cached remote media via the origin/media_id identifier found in a Matrix Content URI
    • Add experimental implementation of the GET /_matrix/client/v1/rtc/transports endpoint for the latest draft of MSC4143: MatrixRTC

    Full Changelogs:

    (#799)

Fixed

  • Fix templated <component>.ingress.host values not being rendered correctly in NOTES.txt. (#791)
  • Fix the Matrix RTC SFU not restarting when user-provided configuration is set via matrixRTC.sfu.additional.<name>.config. (#805)

Internal

  • CI: simplify the MatrixRTC integration test with Synapse + Well-Knowns. (#785)
  • Ensure all kubectl commands in scripts/setup_test_cluster.sh specify the context. (#789)
  • CI: add a test that we don't have anything that looks like a template string in the rendered files. (#791)
  • CI: check that all go files are formatted correctly as per gofmt. (#792)
  • Run gofmt over matrix-tools. (#792)
  • CI: Use poetry 2.x. (#794)
  • CI: handle a user already existing in MAS across subsequent test runs. (#795)
  • CI: recreate cached user access tokens when they're not valid (from a previous test run). (#795)
  • CI: don't attempt to manage MAS user passwords if password login is disabled. (#795)
  • CI: check that user-provided inline configuration changes a hash label on some workloads and thus restarts Pods. (#805)

25.10.0

08 Oct 12:38
1f0d107

ESS Community Helm Chart 25.10.0 (2025-10-08)

Added

  • Add a validation check to make sure no component is sharing any postgres database. (#778)

Changed

  • Update Element Web to v1.12.1.

    Highlights:

    • Update Message Sound for Element
    • New Room List: Don't clear filters on space change
    • Rich Text Editor: Add emoji suggestion support

    Full Changelogs:

    (#779)

  • Upgrade Synapse to v1.139.2.

    Highlights:

    • Fix CVE-2025-61672 / GHSA-fh66-fcv5-jjfr. Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.

    Full Changelogs:

    (#780, #783)

Fixed

  • Fix an issue where matrix-tools would fail to render configuration on container restarts that do not cause a new pod cycle. (#771, #782)

Documentation

  • Add initial troubleshooting guide around MISSING_MATRIX_RTC_FOCUS. (#768)

Internal

  • CI: remove test exclusions relating to versions 25.9.1 or older. (#767)
  • Add a documentation type to the changelog. (#768, #781)

25.9.3

02 Oct 09:03
d9da403

ESS Community Helm Chart 25.9.3 (2025-10-02)

Fixed

  • Fix Matrix RTC SFU manualIP setting so that it correctly propagates through. (#765)

Internal

  • CI: update Matrix RTC values files to cover STUN, Manual IP, and Node IP cases correctly. (#765)