Merge pull request #454 from element-hq/gaelg/add-syn2mas

Implement Synapse to MAS migration

Author: gaelgatelement

charts/matrix-stack/ci/fragments/matrix-authentication-service-auth-synapse.yaml

@@ -0,0 +1,14 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id

charts/matrix-stack/ci/fragments/matrix-authentication-service-migrated-password-scheme.yaml

@@ -19,6 +19,11 @@ matrixAuthenticationService:
       configSecret: "{{ $.Release.Name }}-pytest-admin"
       configSecretKey: "admin.yaml"
 
+  syn2mas:
+    extraEnv:
+    - name: DEBUG_RENDERING
+      value: "1"
+
 postgres:
   podSecurityContext:
     runAsGroup: 0

charts/matrix-stack/ci/fragments/matrix-authentication-service-pytest-extras.yaml

@@ -0,0 +1,18 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+matrixAuthenticationService:
+  syn2mas:
+    enabled: true
+    dryRun: true
+
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id

charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-dryrun.yaml

@@ -0,0 +1,18 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+matrixAuthenticationService:
+  syn2mas:
+    enabled: true
+    dryRun: false
+
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id

charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-migrate.yaml

@@ -2,13 +2,22 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 #
-# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-externally.yaml synapse-secrets-externally.yaml
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-externally.yaml synapse-secrets-externally.yaml matrix-authentication-service-syn2mas-dryrun.yaml
 # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
 
 # initSecrets, postgres don't have any required properties to be set and defaults to enabled
 elementWeb:
   enabled: false
 matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id
   encryptionSecret:
     secret: '{{ $.Release.Name }}-mas-external'
     secretKey: encryption
@@ -34,6 +43,9 @@ matrixAuthenticationService:
     rsa:
       secret: '{{ $.Release.Name }}-mas-external'
       secretKey: keysRSA
+  syn2mas:
+    dryRun: true
+    enabled: true
   synapseOIDCClientSecret:
     secret: '{{ $.Release.Name }}-mas-external'
     secretKey: synapseOIDC

charts/matrix-stack/ci/matrix-authentication-service-keep-auth-in-synapse-values.yaml

@@ -2,13 +2,22 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 #
-# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml matrix-authentication-service-syn2mas-dryrun.yaml
 # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
 
 # initSecrets, postgres don't have any required properties to be set and defaults to enabled
 elementWeb:
   enabled: false
 matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id
   encryptionSecret:
     value: CHANGEME-ahohhohgiavee5Koh8ahwo
   ingress:
@@ -42,6 +51,9 @@ matrixAuthenticationService:
         -----BEGIN RSA PRIVATE KEY-----
         MIIEowIBAAKCAQEA6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
         ------END RSA PRIVATE KEY-----
+  syn2mas:
+    dryRun: true
+    enabled: true
   synapseOIDCClientSecret:
     value: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0
   synapseSharedSecret:

charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-externally-values.yaml renamed to charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-dry-run-secrets-externally-values.yaml

@@ -0,0 +1,81 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-externally.yaml synapse-secrets-externally.yaml matrix-authentication-service-syn2mas-dryrun.yaml matrix-authentication-service-syn2mas-migrate.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres don't have any required properties to be set and defaults to enabled
+elementWeb:
+  enabled: false
+matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id
+  encryptionSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: encryption
+  ingress:
+    host: mas.ess.localhost
+  postgres:
+    database: mas
+    host: postgres
+    password:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: postgresPassword
+    user: mas
+  privateKeys:
+    ecdsaPrime256v1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaPrime256v1
+    ecdsaSecp256k1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaSecp256k1
+    ecdsaSecp384r1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaSecp384r1
+    rsa:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysRSA
+  syn2mas:
+    dryRun: false
+    enabled: true
+  synapseOIDCClientSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: synapseOIDC
+  synapseSharedSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: synapseShared
+matrixRTC:
+  enabled: false
+serverName: ess.localhost
+synapse:
+  appservices:
+    - secret: '{{ $.Release.Name }}-synapse-external'
+      secretKey: bridge_registration.yaml
+  ingress:
+    host: synapse.ess.localhost
+  macaroon:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: macaroon
+  postgres:
+    database: synapse
+    host: ess-postgres
+    password:
+      secret: '{{ $.Release.Name }}-synapse-external'
+      secretKey: postgresPassword
+    user: synapse_user
+  registrationSharedSecret:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: registrationSharedSecret
+  signingKey:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: signingKey
+wellKnownDelegation:
+  enabled: false

charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-in-helm-values.yaml renamed to charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-dry-run-secrets-in-helm-values.yaml

@@ -0,0 +1,80 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-postgres.yaml matrix-authentication-service-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-postgres.yaml synapse-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml matrix-authentication-service-syn2mas-dryrun.yaml matrix-authentication-service-syn2mas-migrate.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres don't have any required properties to be set and defaults to enabled
+elementWeb:
+  enabled: false
+matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+            - version: 2
+              algorithm: argon2id
+  encryptionSecret:
+    value: CHANGEME-ahohhohgiavee5Koh8ahwo
+  ingress:
+    host: mas.ess.localhost
+  postgres:
+    database: mas
+    host: postgres
+    password:
+      value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+    user: mas
+  privateKeys:
+    ecdsaPrime256v1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+        MHcCAQEEIYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        AwEAAKBcZW5jb2duZXQwgggYMIINL6Ado018734nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEH
+        ------END EC PRIVATE KEY-----
+    ecdsaSecp256k1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+        MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        ------END EC PRIVATE KEY-----
+    ecdsaSecp384r1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+         MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+         ------END EC PRIVATE KEY-----
+    rsa:
+      value: |
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIEowIBAAKCAQEA6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        ------END RSA PRIVATE KEY-----
+  syn2mas:
+    dryRun: false
+    enabled: true
+  synapseOIDCClientSecret:
+    value: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0
+  synapseSharedSecret:
+    value: CHANGEME-iaw8eeSef4zeefie8ii3akien9tiaYah
+matrixRTC:
+  enabled: false
+serverName: ess.localhost
+synapse:
+  ingress:
+    host: synapse.ess.localhost
+  macaroon:
+    value: CHANGEME-eek3Eigoh8ux8laeTingeej1
+  postgres:
+    database: synapse
+    host: ess-postgres
+    password:
+      value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+    user: synapse_user
+  registrationSharedSecret:
+    value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+  signingKey:
+    value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw
+wellKnownDelegation:
+  enabled: false