
Implement Synapse to MAS migration #454


Merged
merged 56 commits into from
Jun 6, 2025

Conversation

gaelgatelement
Member

@gaelgatelement gaelgatelement commented May 16, 2025

WIP.

Options below are the ones we envisioned. In the end we are going for option B.2.

Option A: From Synapse to MAS-enabled in 1 values file change. This would allow the user to enable matrixAuthenticationService and run the migrate job at the same time. 2 ways to approach this:

  1. With Syn2MAS as a pre-upgrade job. This does not work as the postgres database might not exist at this step:
    - We could run a pre-upgrade hook to initialize it before the syn2mas job runs. This breaks if MAS is using the in-cluster postgres DB, and it was not initialized as no component was using it before.
    - The strategy could be to initialize a statefulset during the pre-upgrade hook. It would create the PVC during this step as well. But this would conflict with any currently running postgres.
  2. With Syn2MAS as a post-upgrade job, Synapse is reconfigured to delegate auth to MAS before the job is run. We could configure Synapse so that it does not delegate authentication if Syn2Mas is running, but then we need a 2-step helm upgrade process.

Option B: From Synapse to MAS-enabled in a 2-step values file change.

  1. Handle Synapse replicas in the chart depending on the syn2mas value.

    1. Enabling the migration:
      - Synapse replicas are set to 0 as matrixAuthenticationService.migrate.enabled is true
      - matrixAuthenticationService is not deployed
      - syn2mas post-install/post-upgrade hook
    2. Migration ran properly, disable matrixAuthenticationService.migrate.enabled:
      - Synapse replicas are set back
      - matrixAuthenticationService is deployed
  2. Handle Synapse replicas from the migration job.

    1. Enabling MAS, enable migration in dryRun mode
      - MAS is deployed together with its DB.
      - Synapse does not delegate auth to MAS.
      - MAS is in read-only mode OR its ingress is not enabled.
      - The migration dry runs as a post-upgrade hook job.
    2. Enabling the actual migration
      - The migration runs as a pre-upgrade hook.
      - This pre-hook actually scales down synapse during the migration run.
      - If it fails or if it succeeds, in any case it scales back synapse.
      - matrixAuthenticationService read-only is disabled OR its ingress is enabled
      - Synapse delegated its authentication to MAS
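The two steps of option B.2 above, written out as a POSIX shell sketch of the migration hook. This is an added example, not the ess-helm chart's own hook or the project's code. Every name in it is an assumption: `KUBECTL`, the StatefulSet name `release-name-synapse-main`, the pod selector `app.kubernetes.io/name=synapse`, and the `SYN2MAS_CHECK_CMD` / `SYN2MAS_MIGRATE_CMD` commands are placeholders to be replaced with the real values. What it shows is the invariant the description asks for: the dry run never touches Synapse replicas, and the real migration scales Synapse to zero, waits for the pods to be gone, and scales back to the previous replica count on success, on failure, and on termination of the hook pod.

```shell
#!/bin/sh
# Added example, not the ess-helm chart's own hook: a sketch of the option B.2
# migration hook. In dry-run mode (step 1) Synapse keeps running and the
# migration is only checked; in migrate mode (step 2) Synapse is scaled to
# zero, the migration runs, and Synapse is scaled back to its previous
# replica count whether the migration succeeded or failed.
#
# Assumptions (all hypothetical, override via environment):
#   KUBECTL              kubectl binary (a stub can be substituted for testing)
#   SYNAPSE_STS          name of the Synapse main StatefulSet
#   SYNAPSE_POD_SELECTOR label selector matching Synapse pods
#   SYN2MAS_CHECK_CMD    command that performs the dry run
#   SYN2MAS_MIGRATE_CMD  command that performs the real migration

KUBECTL="${KUBECTL:-kubectl}"
SYNAPSE_STS="${SYNAPSE_STS:-release-name-synapse-main}"
SYNAPSE_POD_SELECTOR="${SYNAPSE_POD_SELECTOR:-app.kubernetes.io/name=synapse}"
SYN2MAS_CHECK_CMD="${SYN2MAS_CHECK_CMD:-echo 'placeholder: syn2mas dry run'}"
SYN2MAS_MIGRATE_CMD="${SYN2MAS_MIGRATE_CMD:-echo 'placeholder: syn2mas migrate'}"
WAIT_TIMEOUT="${WAIT_TIMEOUT:-300s}"

# Current desired replica count of the Synapse StatefulSet.
current_replicas() {
  "$KUBECTL" get statefulset "$SYNAPSE_STS" -o jsonpath='{.spec.replicas}'
}

scale_synapse() {
  "$KUBECTL" scale statefulset "$SYNAPSE_STS" --replicas="$1"
}

# Step 1 of B.2: the dry run must never touch Synapse replicas.
dry_run() {
  sh -c "$SYN2MAS_CHECK_CMD"
}

# Step 2 of B.2: scale down, migrate, scale back. Returns the migration's
# exit status, but only after Synapse has been restored.
migrate() {
  orig=$(current_replicas) || return 1
  # If the hook pod is terminated mid-migration, still restore Synapse.
  trap 'scale_synapse "$orig"; exit 143' INT TERM
  scale_synapse 0 || { trap - INT TERM; return 1; }
  # Wait until no Synapse pod is left so the migration has exclusive access
  # to the database; kubectl wait --for=delete returns once they are gone.
  if ! "$KUBECTL" wait --for=delete pod -l "$SYNAPSE_POD_SELECTOR" --timeout="$WAIT_TIMEOUT"; then
    trap - INT TERM
    scale_synapse "$orig"
    return 1
  fi
  status=0
  sh -c "$SYN2MAS_MIGRATE_CMD" || status=$?
  trap - INT TERM
  # Restore even when the migration failed; a failed scale-up is itself an error.
  scale_synapse "$orig" || status=1
  return "$status"
}

# Entry point: `sh syn2mas-hook.sh dry-run` or `sh syn2mas-hook.sh migrate`.
case "${1:-}" in
  dry-run) dry_run ;;
  migrate) migrate ;;
esac
```

The replica count is read before scaling so that a deployment running more than one Synapse replica is restored to the same size, and the scale-up is deliberately not skipped on a failed migration: a failed hook must leave users on the unmigrated Synapse, not on a scaled-down one.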

@gaelgatelement gaelgatelement requested a review from a team as a code owner May 16, 2025 13:38
@gaelgatelement gaelgatelement marked this pull request as draft May 16, 2025 13:38

github-actions bot commented May 16, 2025

dyff of changes in rendered templates of CI manifests

example-default-enabled-components-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
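Review bot: the password hash label is split per component here (`postgres-password-matrixauthenticationservice-hash` on the MAS deployment, `postgres-password-synapse-hash` on the Synapse manifests below), so rotating one component's database password now only rolls that component; that behaviour change deserves a changelog line. Since the value is a 40-hex digest of the password published as a pod label, anyone with `list` on pods in the namespace can read it. That is fine for passwords the chart generates, but for user-supplied passwords an unkeyed digest of a weak value is guessable offline, so either document that expectation or derive the label from a keyed hash rather than the bare password.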

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0
job-release-name-deployment-markers-post.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.deployment-markers.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.deployment-markers.command @@
! - two list entries removed:
- - "release-name-markers:MATRIX_STACK_MSC3861:delegated_auth:delegated_auth"
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=deployment-markers,app.kubernetes.io/instance=release-name-deployment-markers,app.kubernetes.io/version=0.4.0"
! + two list entries added:
+   - "release-name-markers:MATRIX_STACK_MSC3861:delegated_auth:delegated_auth;syn2mas_migrated"
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=deployment-markers,app.kubernetes.io/instance=release-name-deployment-markers,app.kubernetes.io/version=0.5.0"
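Review bot: the third field of the `MATRIX_STACK_MSC3861` marker grows from `delegated_auth` to `delegated_auth;syn2mas_migrated`, but nothing in this hunk or the PR description explains what the `;`-separated list denotes (allowed current states, or allowed transitions). Please document it in the chart docs, and state explicitly whether a release that has reached `syn2mas_migrated` is blocked from going back to Synapse-native authentication: after the migration the accounts live in MAS, so a silent downgrade would lock users out. The `-pre` job below carries the same change and must stay in sync with this one.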
job-release-name-deployment-markers-pre.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.deployment-markers.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.deployment-markers.command @@
! - two list entries removed:
- - "release-name-markers:MATRIX_STACK_MSC3861:delegated_auth:delegated_auth"
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=deployment-markers,app.kubernetes.io/instance=release-name-deployment-markers,app.kubernetes.io/version=0.4.0"
! + two list entries added:
+   - "release-name-markers:MATRIX_STACK_MSC3861:delegated_auth:delegated_auth;syn2mas_migrated"
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=deployment-markers,app.kubernetes.io/instance=release-name-deployment-markers,app.kubernetes.io/version=0.5.0"
job-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.init-secrets.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.init-secrets.command @@
! - one list entry removed:
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.4.0"
! + one list entry added:
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.5.0"
job-release-name-synapse-check-config.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0
role-release-name-deployment-markers-post.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
role-release-name-deployment-markers-pre.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
role-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-deployment-markers-post.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-deployment-markers-pre.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-deployment-markers-post.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-deployment-markers-pre.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
statefulset-release-name-synapse-main.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

matrix-authentication-service-checkov-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0
job-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.init-secrets.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.init-secrets.command @@
! - one list entry removed:
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.4.0"
! + one list entry added:
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.5.0"
role-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

matrix-authentication-service-external-synapse-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0
job-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.init-secrets.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.init-secrets.command @@
! - one list entry removed:
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.4.0"
! + one list entry added:
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.5.0"
role-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

matrix-authentication-service-keep-auth-in-synapse-values.yaml
configmap-release-name-haproxy.yaml (removed)

configmap-release-name-matrix-authentication-service.yaml (removed)

configmap-release-name-postgres.yaml (removed)

configmap-release-name-synapse-haproxy.yaml (removed)

configmap-release-name-synapse-hook.yaml (removed)

configmap-release-name-synapse.yaml (removed)

deployment-release-name-haproxy.yaml (removed)

deployment-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-synapse.yaml (removed)

job-release-name-deployment-markers-post.yaml (removed)

job-release-name-deployment-markers-pre.yaml (removed)

job-release-name-init-secrets.yaml (removed)

job-release-name-synapse-check-config.yaml (removed)

persistentvolumeclaim-release-name-postgres-data.yaml (removed)

persistentvolumeclaim-release-name-synapse-media.yaml (removed)

role-release-name-deployment-markers-post.yaml (removed)

role-release-name-deployment-markers-pre.yaml (removed)

role-release-name-init-secrets.yaml (removed)

rolebinding-release-name-deployment-markers-post.yaml (removed)

rolebinding-release-name-deployment-markers-pre.yaml (removed)

rolebinding-release-name-init-secrets.yaml (removed)

secret-release-name-matrix-authentication-service.yaml (removed)

secret-release-name-synapse-hook.yaml (removed)

secret-release-name-synapse.yaml (removed)

service-release-name-haproxy.yaml (removed)

service-release-name-matrix-authentication-service.yaml (removed)

service-release-name-postgres.yaml (removed)

service-release-name-synapse-main.yaml (removed)

service-release-name-synapse.yaml (removed)

serviceaccount-release-name-deployment-markers-post.yaml (removed)

serviceaccount-release-name-deployment-markers-pre.yaml (removed)

serviceaccount-release-name-haproxy.yaml (removed)

serviceaccount-release-name-init-secrets.yaml (removed)

serviceaccount-release-name-matrix-authentication-service.yaml (removed)

serviceaccount-release-name-postgres.yaml (removed)

serviceaccount-release-name-synapse-check-config.yaml (removed)

serviceaccount-release-name-synapse.yaml (removed)

servicemonitor-release-name-haproxy.yaml (removed)

servicemonitor-release-name-matrix-authentication-service.yaml (removed)

servicemonitor-release-name-postgres.yaml (removed)

servicemonitor-release-name-synapse.yaml (removed)

statefulset-release-name-postgres.yaml (removed)

statefulset-release-name-synapse-main.yaml (removed)
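Review bot: every rendered manifest for `matrix-authentication-service-keep-auth-in-synapse-values.yaml` is listed as removed, which reads as the CI values file itself having been dropped or renamed rather than a template change (the same pattern appears for the two `matrix-authentication-service-synapse-secrets-*` values files further down). Confirm that the pre-migration scenario, MAS deployed while authentication stays in Synapse, is still exercised by a CI values file: it is the state every migrating deployment starts from and the one the B.2 dry-run step relies on.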


matrix-authentication-service-minimal-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0
job-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

@@ spec.template.spec.containers.init-secrets.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.containers.init-secrets.command @@
! - one list entry removed:
- - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.4.0"
! + one list entry added:
+   - "app.kubernetes.io/managed-by=Helm,app.kubernetes.io/part-of=matrix-stack,app.kubernetes.io/component=matrix-tools,app.kubernetes.io/name=init-secrets,app.kubernetes.io/instance=release-name-init-secrets,app.kubernetes.io/version=0.5.0"
role-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
rolebinding-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0
serviceaccount-release-name-init-secrets.yaml (changed)
@@ metadata.labels.app.kubernetes.io/version @@
! ± value change
- 0.4.0
+ 0.5.0

matrix-authentication-service-postgres-secrets-externally-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

matrix-authentication-service-postgres-secrets-in-helm-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

matrix-authentication-service-secrets-externally-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- fe0be81c09d56546fc0e532deb3be79273438302
+ c8bffa7793f9de5562568bcbceb12574dcf4f6e3

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- fe0be81c09d56546fc0e532deb3be79273438302
+ c8bffa7793f9de5562568bcbceb12574dcf4f6e3

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

matrix-authentication-service-secrets-in-helm-values.yaml
deployment-release-name-matrix-authentication-service.yaml (changed)
@@ metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4b6696118edcec5bdf58be050c4c426d2a005471
+ 05f69e738f0761e1c4623a0e7c41c79876ba255a

@@ spec.template.metadata.labels @@
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
! ± value change
- 4b6696118edcec5bdf58be050c4c426d2a005471
+ 05f69e738f0761e1c4623a0e7c41c79876ba255a

@@ spec.template.spec.initContainers.render-config.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

@@ spec.template.spec.initContainers.db-wait.image @@
! ± value change
- ghcr.io/element-hq/ess-helm/matrix-tools:0.4.0
+ ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0

matrix-authentication-service-synapse-secrets-externally-values.yaml
configmap-release-name-haproxy.yaml (removed)

configmap-release-name-matrix-authentication-service.yaml (removed)

configmap-release-name-synapse-haproxy.yaml (removed)

configmap-release-name-synapse-hook.yaml (removed)

configmap-release-name-synapse.yaml (removed)

deployment-release-name-haproxy.yaml (removed)

deployment-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-synapse.yaml (removed)

job-release-name-deployment-markers-post.yaml (removed)

job-release-name-deployment-markers-pre.yaml (removed)

job-release-name-synapse-check-config.yaml (removed)

persistentvolumeclaim-release-name-synapse-media.yaml (removed)

role-release-name-deployment-markers-post.yaml (removed)

role-release-name-deployment-markers-pre.yaml (removed)

rolebinding-release-name-deployment-markers-post.yaml (removed)

rolebinding-release-name-deployment-markers-pre.yaml (removed)

secret-release-name-matrix-authentication-service.yaml (removed)

secret-release-name-synapse-hook.yaml (removed)

secret-release-name-synapse.yaml (removed)

service-release-name-haproxy.yaml (removed)

service-release-name-matrix-authentication-service.yaml (removed)

service-release-name-synapse-main.yaml (removed)

service-release-name-synapse.yaml (removed)

serviceaccount-release-name-deployment-markers-post.yaml (removed)

serviceaccount-release-name-deployment-markers-pre.yaml (removed)

serviceaccount-release-name-haproxy.yaml (removed)

serviceaccount-release-name-matrix-authentication-service.yaml (removed)

serviceaccount-release-name-synapse-check-config.yaml (removed)

serviceaccount-release-name-synapse.yaml (removed)

servicemonitor-release-name-haproxy.yaml (removed)

servicemonitor-release-name-matrix-authentication-service.yaml (removed)

servicemonitor-release-name-synapse.yaml (removed)

statefulset-release-name-synapse-main.yaml (removed)


matrix-authentication-service-synapse-secrets-in-helm-values.yaml
configmap-release-name-haproxy.yaml (removed)

configmap-release-name-matrix-authentication-service.yaml (removed)

configmap-release-name-synapse-haproxy.yaml (removed)

configmap-release-name-synapse-hook.yaml (removed)

configmap-release-name-synapse.yaml (removed)

deployment-release-name-haproxy.yaml (removed)

deployment-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-matrix-authentication-service.yaml (removed)

ingress-release-name-synapse.yaml (removed)

job-release-name-deployment-markers-post.yaml (removed)

job-release-name-deployment-markers-pre.yaml (removed)

job-release-name-synapse-check-config.yaml (removed)

persistentvolumeclaim-release-name-synapse-media.yaml (removed)

role-release-name-deployment-markers-post.yaml (removed)

role-release-name-deployment-markers-pre.yaml (removed)

rolebinding-release-name-deployment-markers-post.yaml (removed)

rolebinding-release-name-deployment-markers-pre.yaml (removed)

secret-release-name-matrix-authentication-service-hook.yaml (removed)

secret-release-name-matrix-authentication-service.yaml (removed)

secret-release-name-synapse-hook.yaml (removed)

secret-release-name-synapse.yaml (removed)

service-release-name-haproxy.yaml (removed)

service-release-name-matrix-authentication-service.yaml (removed)

service-release-name-synapse-main.yaml (removed)

service-release-name-synapse.yaml (removed)

serviceaccount-release-name-deployment-markers-post.yaml (removed)

serviceaccount-release-name-deployment-markers-pre.yaml (removed)

serviceaccount-release-name-haproxy.yaml (removed)

serviceaccount-release-name-matrix-authentication-service.yaml (removed)

serviceaccount-release-name-synapse-check-config.yaml (removed)

serviceaccount-release-name-synapse.yaml (removed)

servicemonitor-release-name-haproxy.yaml (removed)

servicemonitor-release-name-matrix-authentication-service.yaml (removed)

servicemonitor-release-name-synapse.yaml (removed)

statefulset-release-name-synapse-main.yaml (removed)


matrix-authentication-service-synapse-syn2mas-dry-run-secrets-externally-values.yaml
configmap-release-name-haproxy.yaml (added)
+ ---
+ # Source: matrix-stack/templates/haproxy/configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-stack-ingress
+     app.kubernetes.io/name: haproxy
+     app.kubernetes.io/instance: release-name-haproxy
+     app.kubernetes.io/version: "3.1-alpine"
+   name: release-name-haproxy
+   namespace: ess-ci
+ data:
+   haproxy.cfg: |
+     global
+       maxconn 40000
+       log stdout format raw local0 info
+ 
+       # Allow for rewriting HTTP headers (e.g. Authorization) up to 4k
+       # https://github.com/haproxy/haproxy/issues/1743
+       tune.maxrewrite 4096
+ 
+       # Allow HAProxy Stats sockets
+       stats socket [email protected]:1999 level admin
+ 
+     defaults
+       mode http
+       fullconn 20000
+ 
+       maxconn 20000
+ 
+       log global
+ 
+       # wait for 5s when connecting to a server
+       timeout connect 5s
+ 
+       # ... but if there is a backlog of requests, wait for 60s before returning a 500
+       timeout queue 60s
+ 
+       # close client connections 5m after the last request
+       # (as recommened by https://support.cloudflare.com/hc/en-us/articles/212794707-General-Best-Practices-for-Load-Balancing-with-CloudFlare)
+       timeout client 900s
+ 
+       # give clients 5m between requests (otherwise it defaults to the value of 'timeout http-request')
+       timeout http-keep-alive 900s
+ 
+       # give clients 10s to complete a request (either time between handshake and first request, or time spent sending headers)
+       timeout http-request 10s
+ 
+       # time out server responses after 90s
+       timeout server 180s
+ 
+       # allow backend sessions to be shared across frontend sessions
+       http-reuse aggressive
+ 
+       # limit the number of concurrent requests to each server, to stop
+       # the python process having to juggle hundreds of queued
+       # requests. Any requests beyond this limit are held in a queue for
+       # up to <timeout-queue> seconds, before being rejected according
+       # to "errorfile 503" below.
+       #
+       # (bear in mind that we have two haproxies, each of which will use
+       # up to this number of connections, so the actual number of
+       # connections to the server may be up to twice this figure.)
+       #
+       # Note that this is overridden for some servers and backends.
+       default-server maxconn 500
+ 
+       option redispatch
+ 
+       compression algo gzip
+       compression type text/plain text/html text/xml application/json text/css
+ 
+       # if we hit the maxconn on a server, and the queue timeout expires, we want
+       # to avoid returning 503, since that will cause cloudflare to mark us down.
+       #
+       # https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#1.3.1 says:
+       #
+       #   503  when no server was available to handle the request, or in response to
+       #        monitoring requests which match the "monitor fail" condition
+       #
+       errorfile 503 /usr/local/etc/haproxy/429.http
+ 
+       # Use a consistent hashing scheme so that worker with balancing going down doesn't cause
+       # the traffic for all others to be shuffled around.
+       hash-type consistent sdbm
+ 
+     resolvers kubedns
+       parse-resolv-conf
+       accepted_payload_size 8192
+       hold timeout 600s
+       hold refused 600s
+ 
+     frontend prometheus
+       bind *:8405
+       http-request use-service prometheus-exporter if { path /metrics }
+       monitor-uri /haproxy_test
+       no log
+ 
+     frontend http-blackhole
+       bind *:8009
+ 
+       # same as http log, with %Th (handshake time)
+       log-format "%ci:%cp [%tr] %ft %b/%s %Th/%TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ 
+       capture request header Host len 32
+       capture request header Referer len 200
+       capture request header User-Agent len 200
+ 
+       http-request deny content-type application/json string '{"errcode": "M_FORBIDDEN", "error": "Blocked"}'
+ 
+ 
+     frontend startup
+        bind *:8406
+        acl synapse_dead nbsrv(synapse-main) lt 1
+ 
+        monitor-uri   /synapse_ready
+        monitor fail  if synapse_dead
+ 
+     frontend synapse-http-in
+       bind *:8008
+ 
+       # same as http log, with %Th (handshake time)
+       log-format "%ci:%cp [%tr] %ft %b/%s %Th/%TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ 
+       capture request header Host len 32
+       capture request header Referer len 200
+       capture request header User-Agent len 200
+ 
+       # before we change the 'src', stash it in a session variable
+       http-request set-var(sess.orig_src) src if !{ var(sess.orig_src) -m found }
+ 
+       # in case this is not the first request on the connection, restore the
+       # 'src' to the original, in case we fail to parse the x-f-f header.
+       http-request set-src var(sess.orig_src)
+ 
+       # Traditionally do this only for traffic from some limited IP addreses
+       # but the incoming router being what it is, means we have no fixed IP here.
+       http-request set-src hdr(x-forwarded-for)
+ 
+       # We always add a X-Forwarded-For header (clobbering any existing
+       # headers).
+       http-request set-header X-Forwarded-For %[src]
+ 
+       # Ingresses by definition run on both 80 & 443 and there's no customising of that
+       # It is up to the ingress controller and any annotations provided to it whether
+       # it sets any additional headers or not or whether it redirects http -> https
+       # We don't have control (or even visiblity) on what the ingress controller is or does
+       # So we can't guarantee the header is present
+       # https is a more sensible default than http for the missing header as we force public_baseurl to https
+       http-request set-header X-Forwarded-Proto https if !{ hdr(X-Forwarded-Proto) -m found }
+       http-request set-var(txn.x_forwarded_proto) hdr(x-forwarded-proto)
+       http-response add-header Strict-Transport-Security max-age=31536000 if { var(txn.x_forwarded_proto) -m str -i "https" }
+ 
+       # If we get here then we want to proxy everything to synapse or a worker.
+ 
+       # try to extract a useful access token from either the auth header or a
+       # query-param
+       http-request set-var(req.access_token) urlp("access_token") if { urlp("access_token") -m found }
+       http-request set-var(req.access_token) req.fhdr(Authorization),word(2," ") if { hdr_beg("Authorization") -i "Bearer " }
+ 
+       # We also need a http header format to allow us to loadbalance and make decisions:
+       http-request set-header X-Access-Token %[var(req.access_token)]
+ 
+       # Disable Google FLoC
+       http-response set-header Permissions-Policy "interest-cohort=()"
+ 
+       # Load the backend from one of the map files.
+       acl has_get_map path -m reg -M -f /synapse/path_map_file_get
+ 
+       http-request set-var(req.backend) path,map_reg(/synapse/path_map_file_get,main) if has_get_map METH_GET
+       http-request set-var(req.backend) path,map_reg(/synapse/path_map_file,main) unless { var(req.backend) -m found }
+       use_backend return_204_synapse if { method OPTIONS }
+ 
+ 
+ 
+ 
+       acl backend_unavailable str(),concat('synapse-',req.backend),nbsrv lt 1
+ 
+       use_backend synapse-%[var(req.backend)]
+ 
+     backend synapse-main
+       default-server maxconn 250
+ 
+       option httpchk
+       http-check connect port 8080
+       http-check send meth GET uri /health
+ 
+       # Use DNS SRV service discovery on the headless service
+       server-template main 1 _synapse-http._tcp.release-name-synapse-main.ess-ci.svc.cluster.local resolvers kubedns init-addr none check
+ 
+     # a backend which responds to everything with a 204 mirroring https://github.com/element-hq/synapse/blob/v1.124.0/synapse/http/server.py#L901-L932
+     backend return_204_synapse
+       http-request return status 204 hdr "Access-Control-Allow-Origin" "*" hdr "Access-Control-Allow-Methods" "GET, HEAD, POST, PUT, DELETE, OPTIONS" hdr "Access-Control-Allow-Headers" "Origin, X-Requested-With, Content-Type, Accept, Authorization, Date" hdr "Access-Control-Expose-Headers" "Synapse-Trace-Id, Server"
+ 
+ 
+     # a fake backend which fonxes every request with a 500. Useful for
+     # handling overloads etc.
+     backend return_500
+       http-request deny deny_status 500
+   429.http: |
+     HTTP/1.0 429 Too Many Requests
+     Cache-Control: no-cache
+     Connection: close
+     Content-Type: application/json
+     access-control-allow-origin: *
+     access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
+     access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
+ 
+     {"errcode":"M_UNKNOWN","error":"Server is unavailable"}
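Review bot: the `synapse-http-in` frontend logs the full request line via `%{+Q}r` while also explicitly accepting the token from `urlp("access_token")`, so any client that uses the query-parameter form gets its bearer token written in the clear to stdout and on to the cluster log pipeline (Synapse redacts that parameter in its own access log; HAProxy here does not). Consider stripping or masking `access_token` from the logged URL, or dropping query-parameter token support at this layer. Also, `http-request set-src hdr(x-forwarded-for)` trusts whatever `X-Forwarded-For` arrives, as the comment above it acknowledges; because `hdr()` yields the last comma-separated value, this is only safe when the ingress controller in front always appends the peer address rather than passing a client-supplied header through, and that assumption should be stated in the chart docs since Synapse's per-IP login rate limiting then hinges on it. Two smaller points: the `backend_unavailable` ACL and the `return_500` backend are declared but never referenced by any `use_backend`, so an unavailable backend currently falls through to the 503-to-429 `errorfile` path only; and the `stats socket` line renders as `[email protected]:1999 level admin`, which is not a valid bind address as shown and looks like page-side address mangling, so confirm the real config binds that admin-level socket to loopback only.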
configmap-release-name-matrix-authentication-service-pre.yaml (added)
+ ---
+ # Source: matrix-stack/templates/matrix-authentication-service/configmap_hook.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   name: release-name-matrix-authentication-service-pre
+   namespace: ess-ci
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-authentication
+     app.kubernetes.io/name: matrix-authentication-service
+     app.kubernetes.io/instance: release-name-matrix-authentication-service
+     app.kubernetes.io/version: "0.16.0"
+   annotations:
+     "helm.sh/hook": pre-install,pre-upgrade
+     "helm.sh/hook-weight": "-5"
+ data:
+   config.yaml: |
+     http:
+       public_base: "https://mas.ess.localhost"
+       listeners:
+       - name: web
+         binds:
+         - host: 0.0.0.0
+           port: 8080
+         resources:
+         - name: human
+         - name: discovery
+         - name: oauth
+         - name: compat
+         - name: assets
+         - name: graphql
+           # This lets us use the GraphQL API with an OAuth 2.0 access token,
+           # which we currently use in the ansible modules and in synapse-admin
+           undocumented_oauth2_access: true
+         - name: adminapi
+       - name: internal
+         binds:
+         - host: 0.0.0.0
+           port: 8081
+         resources:
+         - name: health
+         - name: prometheus
+         - name: connection-info
+ 
+ 
+     database:
+       uri: "postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"
+ 
+     telemetry:
+       metrics:
+         exporter: prometheus
+     matrix:
+       homeserver: "ess.localhost"
+       secret: ${SYNAPSE_SHARED_SECRET}
+       endpoint: "http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"
+       kind: synapse_read_only
+ 
+     policy:
+       data:
+         admin_clients: []
+         admin_users: []
+         client_registration:
+           allow_host_mismatch: false
+           allow_insecure_uris: false
+     clients:
+     - client_id: "0000000000000000000SYNAPSE"
+       client_auth_method: client_secret_basic
+       client_secret: ${SYNAPSE_OIDC_CLIENT_SECRET}
+ 
+     secrets:
+       encryption: ${ENCRYPTION_SECRET}
+ 
+       keys:
+       - kid: rsa
+         key_file: /secrets/release-name-mas-external/keysRSA
+       - kid: prime256v1
+         key_file: /secrets/release-name-mas-external/keysEcdsaPrime256v1
+ 
+       - kid: secp256k1
+         key_file: /secrets/release-name-mas-external/keysEcdsaSecp256k1
+ 
+       - kid: secp384r1
+         key_file: /secrets/release-name-mas-external/keysEcdsaSecp384r1
+     experimental:
+       access_token_ttl: 86400  # 1 day, up from 5 mins, until EX can better handle refresh tokens
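Review bot: `database.uri` renders as `postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?...`, with an empty port after the host and no `sslmode` parameter, whereas the Synapse block in the same render pins `port: 5432` and `sslmode: prefer` and the MAS `db-wait` init container waits on `postgres:5432`. Either drop the trailing colon or render the port explicitly, and decide deliberately whether MAS should negotiate TLS to Postgres, since an in-cluster Postgres is plaintext by default and an external one may require it. Note also that `${POSTGRES_PASSWORD}` is interpolated inside a URI, so the `urlencode` applied to it in the Deployment's env is required and a password containing `@` or `/` would break if that filter were ever changed to `quote` like the other three.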
configmap-release-name-matrix-authentication-service.yaml (added)
+ ---
+ # Source: matrix-stack/templates/matrix-authentication-service/configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   name: release-name-matrix-authentication-service
+   namespace: ess-ci
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-authentication
+     app.kubernetes.io/name: matrix-authentication-service
+     app.kubernetes.io/instance: release-name-matrix-authentication-service
+     app.kubernetes.io/version: "0.16.0"
+ data:
+   config.yaml: |
+     http:
+       public_base: "https://mas.ess.localhost"
+       listeners:
+       - name: web
+         binds:
+         - host: 0.0.0.0
+           port: 8080
+         resources:
+         - name: human
+         - name: discovery
+         - name: oauth
+         - name: compat
+         - name: assets
+         - name: graphql
+           # This lets us use the GraphQL API with an OAuth 2.0 access token,
+           # which we currently use in the ansible modules and in synapse-admin
+           undocumented_oauth2_access: true
+         - name: adminapi
+       - name: internal
+         binds:
+         - host: 0.0.0.0
+           port: 8081
+         resources:
+         - name: health
+         - name: prometheus
+         - name: connection-info
+ 
+ 
+     database:
+       uri: "postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"
+ 
+     telemetry:
+       metrics:
+         exporter: prometheus
+     matrix:
+       homeserver: "ess.localhost"
+       secret: ${SYNAPSE_SHARED_SECRET}
+       endpoint: "http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"
+       kind: synapse_read_only
+ 
+     policy:
+       data:
+         admin_clients: []
+         admin_users: []
+         client_registration:
+           allow_host_mismatch: false
+           allow_insecure_uris: false
+     clients:
+     - client_id: "0000000000000000000SYNAPSE"
+       client_auth_method: client_secret_basic
+       client_secret: ${SYNAPSE_OIDC_CLIENT_SECRET}
+ 
+     secrets:
+       encryption: ${ENCRYPTION_SECRET}
+ 
+       keys:
+       - kid: rsa
+         key_file: /secrets/release-name-mas-external/keysRSA
+       - kid: prime256v1
+         key_file: /secrets/release-name-mas-external/keysEcdsaPrime256v1
+ 
+       - kid: secp256k1
+         key_file: /secrets/release-name-mas-external/keysEcdsaSecp256k1
+ 
+       - kid: secp384r1
+         key_file: /secrets/release-name-mas-external/keysEcdsaSecp384r1
+     experimental:
+       access_token_ttl: 86400  # 1 day, up from 5 mins, until EX can better handle refresh tokens
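Review bot: the `web` listener on port 8080 exposes `adminapi` and the `graphql` resource with `undocumented_oauth2_access: true` alongside `human`, `oauth` and `compat`, i.e. on the listener that is published to clients; both remain gated by MAS token scopes, but if the ingress publishes this port as-is the admin surface is internet-reachable and only that scope check stands between it and user and session management. Consider serving `adminapi` (and GraphQL, if only in-cluster tooling such as the ansible modules and synapse-admin needs it) from a listener that is not published, or restricting those paths at the ingress. Separately, `matrix.kind: synapse_read_only` is the right setting for a dry-run render, but this runtime ConfigMap is identical to the `-pre` hook ConfigMap, so a render test asserting that the non-dry-run values flip `kind` and that Synapse's config delegates auth to MAS would catch a regression where the migrated stack comes up with MAS unable to write to Synapse.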
configmap-release-name-synapse-haproxy.yaml (added)
+ ---
+ # Source: matrix-stack/templates/synapse/synapse_haproxy_configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-server
+     app.kubernetes.io/name: synapse
+     app.kubernetes.io/instance: release-name-synapse
+     app.kubernetes.io/version: "v1.131.0"
+     k8s.element.io/synapse-instance: release-name-synapse
+   name: release-name-synapse-haproxy
+   namespace: ess-ci
+ data:
+   path_map_file: |
+     # A map file that is used in haproxy config to map from matrix paths to the
+     # named backend. The format is: path_regexp backend_name
+   path_map_file_get: |
+     # A map file that is used in haproxy config to map from matrix paths to the
+     # named backend. The format is: path_regexp backend_name
configmap-release-name-synapse-hook.yaml (added)
+ ---
+ # Source: matrix-stack/templates/synapse/synapse_configmap_hook.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-server
+     app.kubernetes.io/name: synapse-check-config
+     app.kubernetes.io/instance: release-name-synapse-check-config
+     app.kubernetes.io/version: "v1.131.0"
+     k8s.element.io/synapse-instance: release-name-synapse-check-config
+   annotations:
+     "helm.sh/hook": pre-install,pre-upgrade
+     "helm.sh/hook-weight": "-5"
+   name: release-name-synapse-hook
+   namespace: ess-ci
+ data:
+   01-homeserver-underrides.yaml: |
+     report_stats: false
+ 
+     require_auth_for_profile_requests: true
+   04-homeserver-overrides.yaml: |
+     public_baseurl: https://synapse.ess.localhost/
+     server_name: ess.localhost
+     signing_key_path: /secrets/release-name-synapse-external/signingKey
+     enable_metrics: true
+     log_config: "/conf/log_config.yaml"
+     macaroon_secret_key_path:  /secrets/release-name-synapse-external/macaroon
+     registration_shared_secret_path: /secrets/release-name-synapse-external/registrationSharedSecret
+ 
+     database:
+       name: psycopg2
+       args:
+         user: synapse_user
+         password: ${SYNAPSE_POSTGRES_PASSWORD}
+         database: synapse
+         host: ess-postgres
+         port: 5432
+         sslmode: prefer
+ 
+         application_name: ${APPLICATION_NAME}
+         keepalives: 1
+         keepalives_idle: 10
+         keepalives_interval: 10
+         keepalives_count: 3
+ 
+     # The default as of 1.27.0
+     ip_range_blacklist:
+     - '127.0.0.0/8'
+     - '10.0.0.0/8'
+     - '172.16.0.0/12'
+     - '192.168.0.0/16'
+     - '100.64.0.0/10'
+     - '192.0.0.0/24'
+     - '169.254.0.0/16'
+     - '192.88.99.0/24'
+     - '198.18.0.0/15'
+     - '192.0.2.0/24'
+     - '198.51.100.0/24'
+     - '203.0.113.0/24'
+     - '224.0.0.0/4'
+     - '::1/128'
+     - 'fe80::/10'
+     - 'fc00::/7'
+     - '2001:db8::/32'
+     - 'ff00::/8'
+     - 'fec0::/10'
+     app_service_config_files:
+      - /as/0/bridge_registration.yaml
+ 
+     send_federation: true
+ 
+     # This is still required despite media_storage_providers as otherwise Synapse attempts to mkdir /media_store
+     media_store_path: "/media/media_store"
+     max_upload_size: "100M"
+ 
+     start_pushers: true
+ 
+     instance_map:
+       main:
+         host: release-name-synapse-main.ess-ci.svc.cluster.local.
+         port: 9093
+   05-main.yaml: |
+     worker_app: synapse.app.homeserver
+     listeners:
+     - port: 8008
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: true
+       resources:
+       - names:
+         - client
+         - federation
+         compress: false
+     - port: 9093
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: false
+       resources:
+       - names: [replication]
+         compress: false
+     - type: metrics
+       port: 9001
+       bind_addresses: ['0.0.0.0']
+     - port: 8080
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: false
+       resources:
+       - names: [health]
+         compress: false
+     enable_media_repo: true
+   log_config.yaml: |
+     version: 1
+ 
+     formatters:
+       precise:
+         format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+ 
+     handlers:
+       console:
+         class: logging.StreamHandler
+         formatter: precise
+ 
+     loggers:
+       synapse.storage.SQL:
+         level: "INFO"
+ 
+     root:
+       level: "INFO"
+       handlers:
+       - console
+ 
+     disable_existing_loggers: false
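Review bot: `database.args.sslmode: prefer` is opportunistic: libpq falls back to plaintext if the server does not offer TLS and performs no certificate verification even when it does, so it gives no protection against an on-path downgrade. For the in-cluster `ess-postgres` that is arguably acceptable, but this block is what operators will copy for an external Postgres, where `require` at minimum, and `verify-full` with a CA path, should be the documented setting. Minor: `macaroon_secret_key_path:  /secrets/...` carries a doubled space after the colon (harmless in YAML, but it suggests a templating whitespace slip).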
configmap-release-name-synapse.yaml (added)
+ ---
+ # Source: matrix-stack/templates/synapse/synapse_configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-server
+     app.kubernetes.io/name: synapse
+     app.kubernetes.io/instance: release-name-synapse
+     app.kubernetes.io/version: "v1.131.0"
+     k8s.element.io/synapse-instance: release-name-synapse
+   name: release-name-synapse
+   namespace: ess-ci
+ data:
+   01-homeserver-underrides.yaml: |
+     report_stats: false
+ 
+     require_auth_for_profile_requests: true
+   04-homeserver-overrides.yaml: |
+     public_baseurl: https://synapse.ess.localhost/
+     server_name: ess.localhost
+     signing_key_path: /secrets/release-name-synapse-external/signingKey
+     enable_metrics: true
+     log_config: "/conf/log_config.yaml"
+     macaroon_secret_key_path:  /secrets/release-name-synapse-external/macaroon
+     registration_shared_secret_path: /secrets/release-name-synapse-external/registrationSharedSecret
+ 
+     database:
+       name: psycopg2
+       args:
+         user: synapse_user
+         password: ${SYNAPSE_POSTGRES_PASSWORD}
+         database: synapse
+         host: ess-postgres
+         port: 5432
+         sslmode: prefer
+ 
+         application_name: ${APPLICATION_NAME}
+         keepalives: 1
+         keepalives_idle: 10
+         keepalives_interval: 10
+         keepalives_count: 3
+ 
+     # The default as of 1.27.0
+     ip_range_blacklist:
+     - '127.0.0.0/8'
+     - '10.0.0.0/8'
+     - '172.16.0.0/12'
+     - '192.168.0.0/16'
+     - '100.64.0.0/10'
+     - '192.0.0.0/24'
+     - '169.254.0.0/16'
+     - '192.88.99.0/24'
+     - '198.18.0.0/15'
+     - '192.0.2.0/24'
+     - '198.51.100.0/24'
+     - '203.0.113.0/24'
+     - '224.0.0.0/4'
+     - '::1/128'
+     - 'fe80::/10'
+     - 'fc00::/7'
+     - '2001:db8::/32'
+     - 'ff00::/8'
+     - 'fec0::/10'
+     app_service_config_files:
+      - /as/0/bridge_registration.yaml
+ 
+     send_federation: true
+ 
+     # This is still required despite media_storage_providers as otherwise Synapse attempts to mkdir /media_store
+     media_store_path: "/media/media_store"
+     max_upload_size: "100M"
+ 
+     start_pushers: true
+ 
+     instance_map:
+       main:
+         host: release-name-synapse-main.ess-ci.svc.cluster.local.
+         port: 9093
+   05-main.yaml: |
+     worker_app: synapse.app.homeserver
+     listeners:
+     - port: 8008
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: true
+       resources:
+       - names:
+         - client
+         - federation
+         compress: false
+     - port: 9093
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: false
+       resources:
+       - names: [replication]
+         compress: false
+     - type: metrics
+       port: 9001
+       bind_addresses: ['0.0.0.0']
+     - port: 8080
+       tls: false
+       bind_addresses: ['0.0.0.0']
+       type: http
+       x_forwarded: false
+       resources:
+       - names: [health]
+         compress: false
+     enable_media_repo: true
+   log_config.yaml: |
+     version: 1
+ 
+     formatters:
+       precise:
+         format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+ 
+     handlers:
+       console:
+         class: logging.StreamHandler
+         formatter: precise
+ 
+     loggers:
+       synapse.storage.SQL:
+         level: "INFO"
+ 
+     root:
+       level: "INFO"
+       handlers:
+       - console
+ 
+     disable_existing_loggers: false
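Review bot: the replication listener (`port: 9093`, `resources: [replication]`) binds `0.0.0.0` and the rendered config sets no `worker_replication_secret`, so any pod that can reach the StatefulSet on 9093 can call the replication HTTP endpoints unauthenticated; unless the chart ships a NetworkPolicy restricting that port to Synapse pods, set `worker_replication_secret`, sourced from the same `/secrets/release-name-synapse-external/` mount as `macaroon_secret_key_path`. The `health` listener on 8080 and the `metrics` listener on 9001 are likewise bound on all interfaces, which is less severe but worth the same NetworkPolicy.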
deployment-release-name-haproxy.yaml (added)
+ ---
+ # Source: matrix-stack/templates/haproxy/deployment.yaml
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-stack-ingress
+     app.kubernetes.io/name: haproxy
+     app.kubernetes.io/instance: release-name-haproxy
+     app.kubernetes.io/version: "3.1-alpine"
+     k8s.element.io/shared-haproxy-config-hash: "fd20d9a19443e197695ba05016322854a7dfce6a"
+     k8s.element.io/synapse-haproxy-config-hash: "dd15ae90396e08033c4449b6fe41a8513198f7c3"
+   name: release-name-haproxy
+   namespace: ess-ci
+ spec:
+   replicas: 1
+   strategy:
+     type: RollingUpdate
+     rollingUpdate:
+       maxUnavailable: 0
+       maxSurge: 2
+   selector:
+     matchLabels:
+       app.kubernetes.io/instance: release-name-haproxy
+   template:
+     metadata:
+       labels:
+         app.kubernetes.io/managed-by: Helm
+         app.kubernetes.io/part-of: matrix-stack
+         app.kubernetes.io/component: matrix-stack-ingress
+         app.kubernetes.io/name: haproxy
+         app.kubernetes.io/instance: release-name-haproxy
+         app.kubernetes.io/version: "3.1-alpine"
+         k8s.element.io/shared-haproxy-config-hash: fd20d9a19443e197695ba05016322854a7dfce6a
+         k8s.element.io/synapse-haproxy-config-hash: dd15ae90396e08033c4449b6fe41a8513198f7c3
+     spec:
+       automountServiceAccountToken: false
+       serviceAccountName: release-name-haproxy
+       securityContext:
+         fsGroup: 10001
+         runAsGroup: 10001
+         runAsNonRoot: true
+         runAsUser: 10001
+         seccompProfile:
+           type: RuntimeDefault
+         supplementalGroups: []
+       containers:
+         - name: haproxy
+           args:
+             - "-f"
+             - "/usr/local/etc/haproxy/haproxy.cfg"
+             - "-dW"
+           image: "docker.io/library/haproxy:3.1-alpine"
+           imagePullPolicy: Always
+           securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+                 - ALL
+             readOnlyRootFilesystem: true
+           ports:
+             - containerPort: 8008
+               name: haproxy-synapse
+               protocol: TCP
+             - containerPort: 8009
+               name: haproxy-403
+               protocol: TCP
+             - containerPort: 8405
+               name: haproxy-metrics
+               protocol: TCP
+             - containerPort: 8406
+               name: synapse-ready
+               protocol: TCP
+           startupProbe:
+             failureThreshold: 150
+             periodSeconds: 2
+             successThreshold: 1
+             timeoutSeconds: 1
+             httpGet:
+               path: /synapse_ready
+               port: synapse-ready
+           livenessProbe:
+             failureThreshold: 3
+             periodSeconds: 10
+             successThreshold: 1
+             timeoutSeconds: 5
+             httpGet:
+               path: /haproxy_test
+               port: haproxy-metrics
+           readinessProbe:
+             failureThreshold: 3
+             periodSeconds: 10
+             successThreshold: 1
+             timeoutSeconds: 5
+             httpGet:
+               path: /haproxy_test
+               port: haproxy-metrics
+           resources:
+             limits:
+               memory: 200Mi
+             requests:
+               cpu: 100m
+               memory: 100Mi
+           volumeMounts:
+             - name: haproxy-config
+               mountPath: "/usr/local/etc/haproxy"
+               readOnly: true
+             - name: synapse-haproxy
+               mountPath: "/synapse"
+               readOnly: true
+       volumes:
+         - configMap:
+             name: "release-name-haproxy"
+             defaultMode: 420
+           name: haproxy-config
+         - configMap:
+             name: "release-name-synapse-haproxy"
+             defaultMode: 420
+           name: synapse-haproxy
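Review bot: the `startupProbe` polls `/synapse_ready` on port 8406, and the HAProxy config behind it `monitor fail`s whenever `nbsrv(synapse-main) lt 1`; with `failureThreshold: 150` and `periodSeconds: 2` the kubelet kills and restarts the container after 300 s without a ready Synapse, so in any state where the Synapse StatefulSet has zero ready replicas (notably while a migration job runs) HAProxy will crash-loop rather than sit idle. Either document that as expected or decouple the probes: gate only the `readinessProbe` on Synapse and keep startup on `/haproxy_test`. Also, `imagePullPolicy: Always` together with the floating `docker.io/library/haproxy:3.1-alpine` tag means every pod restart may pull a different image from the one tested with this chart version; pin the image by digest, or at least to a full patch tag.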
deployment-release-name-matrix-authentication-service.yaml (added)
+ ---
+ # Source: matrix-stack/templates/matrix-authentication-service/deployment.yaml
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   labels:
+     helm.sh/chart: "matrix-stack-25.6.1-dev"
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/part-of: matrix-stack
+     app.kubernetes.io/component: matrix-authentication
+     app.kubernetes.io/name: matrix-authentication-service
+     app.kubernetes.io/instance: release-name-matrix-authentication-service
+     app.kubernetes.io/version: "0.16.0"
+     k8s.element.io/matrix-authentication-service-config-hash: 6ecef4f221234599c3a148d1de32e67180610e0e
+     k8s.element.io/matrix-authentication-service-secret-hash: 628d4ed5a1ac825d4f2812da250fea810db902c9
+     k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
+   name: release-name-matrix-authentication-service
+   namespace: ess-ci
+ spec:
+   replicas: 1
+   strategy:
+     type: RollingUpdate
+     rollingUpdate:
+       maxUnavailable: 0
+       maxSurge: 2
+   selector:
+     matchLabels:
+       app.kubernetes.io/instance: release-name-matrix-authentication-service
+   template:
+     metadata:
+       labels:
+         app.kubernetes.io/managed-by: Helm
+         app.kubernetes.io/part-of: matrix-stack
+         app.kubernetes.io/component: matrix-authentication
+         app.kubernetes.io/name: matrix-authentication-service
+         app.kubernetes.io/instance: release-name-matrix-authentication-service
+         app.kubernetes.io/version: "0.16.0"
+         k8s.element.io/matrix-authentication-service-config-hash: "6ecef4f221234599c3a148d1de32e67180610e0e"
+         k8s.element.io/matrix-authentication-service-secret-hash: "628d4ed5a1ac825d4f2812da250fea810db902c9"
+         k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
+     spec:
+       automountServiceAccountToken: false
+       serviceAccountName: release-name-matrix-authentication-service
+       securityContext:
+         fsGroup: 10005
+         runAsGroup: 10005
+         runAsNonRoot: true
+         runAsUser: 10005
+         seccompProfile:
+           type: RuntimeDefault
+         supplementalGroups: []
+       initContainers:
+         - name: render-config
+           image: "ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0"
+           imagePullPolicy: Always
+           securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+                 - ALL
+             readOnlyRootFilesystem: true
+           command:
+             - "/matrix-tools"
+             - render-config
+             - -output
+             - /conf/config.yaml
+             - /secrets/release-name-matrix-authentication-service/user-password-scheme.yml
+             - /config-templates/config.yaml
+           env:
+             - name: POSTGRES_PASSWORD
+               value: >-
+                 {{ readfile "/secrets/release-name-mas-external/postgresPassword" | urlencode }}
+             - name: ENCRYPTION_SECRET
+               value: >-
+                 {{ readfile "/secrets/release-name-mas-external/encryption" | quote }}
+             - name: SYNAPSE_SHARED_SECRET
+               value: >-
+                 {{ readfile "/secrets/release-name-mas-external/synapseShared" | quote }}
+             - name: SYNAPSE_OIDC_CLIENT_SECRET
+               value: >-
+                 {{ readfile "/secrets/release-name-mas-external/synapseOIDC" | quote }}
+             - name: "MAS_CONFIG"
+               value: "/conf/config.yaml"
+           resources:
+             limits:
+               memory: 350Mi
+             requests:
+               cpu: 50m
+               memory: 50Mi
+           volumeMounts:
+             - mountPath: /config-templates
+               name: plain-config
+               readOnly: true
+             - mountPath: /secrets/release-name-matrix-authentication-service
+               name: "secret-2e2425976d1f"
+               readOnly: true
+             - mountPath: /secrets/release-name-mas-external
+               name: "secret-ae8c3e0e8ec0"
+               readOnly: true
+             - mountPath: /conf
+               name: rendered-config
+               readOnly: false
+         - name: db-wait
+           image: "ghcr.io/element-hq/ess-helm/matrix-tools:0.5.0"
+           imagePullPolicy: Always
+           securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+                 - ALL
+             readOnlyRootFilesystem: true
+           command:
+             - "/matrix-tools"
+             - tcpwait
+             - -address
+             - "postgres:5432"
+           resources:
+             limits:
+               memory: 350Mi
+             requests:
+               cpu: 50m
+               memory: 50Mi
+         - name: database-migrate
+           args: ["database", "migrate"]
+           image: "ghcr.io/element-hq/matrix-authentication-service:0.16.0"
+           imagePullPolicy: Always
+           securityContext:
+             allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+                 - ALL
+             readOnlyRootFilesystem: true
+           env:
+             - name: "MAS_CONFIG"
+               value: "/conf/config.yaml"
+           resources:
+             limits:
+               memory: 350Mi
+             requests:
+               cpu: 50m
+               memory: 50Mi
+           volumeMounts:
+             - mountPath: "/conf/config.yaml"
+               name: rendered-config
+               subPath: config.yaml
+               readOnly: true
+             - mountPath: /secrets/release-name-matrix-authentication-service
+               name: "secret-2e2425976d1f"
+               readOnly: true
+             - mountPath: /secrets/release-name-mas-extern...*[Comment body truncated]*
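Review bot: the `db-wait` init container hardcodes `tcpwait -address postgres:5432` while every other connection detail in this pod (database password, encryption secret, shared secrets) is rendered from values and mounted secrets; if the MAS database host and port are configurable in the chart, derive the wait address from the same source, otherwise the gate waits on a host that `database migrate` never connects to and the job either hangs or proceeds without the intended check. Note also that `tcpwait` only proves a TCP accept, so `database migrate` is the first step that exercises the credentials; that is acceptable as long as its failure is surfaced clearly rather than buried in a hook retry loop. A smaller point: both containers pin by mutable tag (`matrix-tools:0.5.0`, `matrix-authentication-service:0.16.0`) with `imagePullPolicy: Always`, so a retagged image silently changes what the migration job runs; a digest pin would make the rendered manifest reproducible.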

@benbz (Member) commented May 20, 2025

My thoughts:

  • We must do a 2 stage deploy due to the Postgres issue
    • We may not have had a Postgres running previously if Synapse used an external Postgres and MAS is to use the in-cluster Postgres
    • We can't spin up one in a pre-install/pre-upgrade hook as we may have an in-cluster Postgres currently and the PVC can't be shared
  • We can't do the migration in a post-install/post-upgrade hook as the Synapse config will be wrong at some point during the deploy
    • If we update it for MAS then there's a period of time before the post-install/post-upgrade hook runs that Synapse is pointing at MAS that hasn't had data migrated to it
    • If we don't update it for MAS then after the post-install/post-upgrade hook runs the config isn't setup for MAS
      • To say nothing for what happens if a subsequent helm install -U/helm upgrade occurs
  • We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible
  • By default the chart should store markers in-cluster as to the state of the migration.
    • I don't think adding a syn2mas marker is sufficient as I think we also want a marker for Synapse has been run with MAS, a migration will be required
  • We'll also want MAS prepared but not migrated to & MAS deployed and used for auth (be it migrated to or from the beginning).
    • The MAS prepared but not migrated to marker must be removable in-case the admin redeploys the chart with different MAS DB config

@gaelgatelement (Member, Author) commented

We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible

With current booleans it feels simple:

helm upgrade --reuse-values --set matrixAuthenticationService.enabled=true --set matrixAuthenticationService.syn2mas=true

On success, apply the migration:

helm upgrade --reuse-values --set matrixAuthenticationService.syn2mas.dryRun=false

I'm not sure a "mode" would make it simpler here.

Regarding markers, I'm not sure I see in which context they are required. I'm not a huge fan of storing state when we can just avoid it. What type of critical error scenario would those states prevent?

@benbz (Member) commented May 20, 2025

We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible

With current booleans it feels simple:

helm upgrade --reuse-values --set matrixAuthenticationService.enabled=true --set matrixAuthenticationService.syn2mas=true

On success, apply the migration:

helm upgrade --reuse-values --set matrixAuthenticationService.syn2mas.dryRun=false

I'm not sure a "mode" would make it simpler here.

# Edit values.yaml to enable MAS and configure matrixAuthenticationService.migrationState=preparation
$ helm upgrade -f values.yaml
# Move through the migration steps
$ helm upgrade --reuse-values --set matrixAuthenticationService.migrationState=dryRun
$ helm upgrade --reuse-values --set matrixAuthenticationService.migrationState=migrate
# Edit values.yaml to remove matrixAuthenticationService.migrationState from values.yaml

If we've only got matrixAuthenticationService.syn2mas.{enabled,dryRun} it probably isn't necessary but if we need the preparation step (i.e. what preMigrationSynapseHandlesAuth did) then a single mode variable is better than booleans.

Regarding markers, I'm not sure I see in which context they are required. I'm not a huge fan of storing state when we can just avoid it. What type of critical error scenario would those states prevent?

  • Prevents upgrading the chart with MAS enabled but no migration flags/mode if Synapse has been deployed before
  • Prevents upgrading the chart with MAS disabled if MAS has been migrated to / was initially deployed
  • Prevents upgrading the chart with MAS migration turned on but has already been completed
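
The three guard rules listed above, together with the `migrationState` modes from the `helm upgrade` sequence earlier in the comment, modelled as an added example in Go. This is not code from ess-helm or matrix-tools: the marker names (`SynapseOwnAuth`, `MASPrepared`, `MASActive`), the error messages and the `Validate`/`Apply`/`ClearPrepared` functions are assumptions for illustration; how the chart actually stores and checks its markers is up to the implementation.

```go
package main

import (
	"errors"
	"fmt"
)

// Markers are the in-cluster records of what the chart has deployed so far.
// Field names are assumptions for this example; the discussion only says "markers".
type Markers struct {
	SynapseOwnAuth bool // Synapse has run with its own auth: syn2mas is needed before MAS
	MASPrepared    bool // MAS database initialised but not yet migrated to (removable)
	MASActive      bool // MAS is the auth backend, migrated to or deployed from the start
}

// Values are the Helm values relevant to one upgrade.
type Values struct {
	MASEnabled     bool   // matrixAuthenticationService.enabled
	MigrationState string // matrixAuthenticationService.migrationState: "", "preparation", "dryRun", "migrate"
}

// One sentinel error per bad state, so the chart can report a clear message
// instead of letting syn2mas fail somewhere inside a pre-upgrade hook.
var (
	ErrUnknownState        = errors.New("unknown matrixAuthenticationService.migrationState")
	ErrStateWithoutMAS     = errors.New("migrationState set but matrixAuthenticationService.enabled=false")
	ErrMASWithoutMigration = errors.New("Synapse already deployed with its own auth: enable MAS via migrationState")
	ErrDisableActiveMAS    = errors.New("MAS is the auth backend: clear the marker before disabling it")
	ErrMigrationDone       = errors.New("syn2mas migration already completed: remove migrationState")
	ErrNotPrepared         = errors.New("dryRun/migrate requested but the preparation step has not run")
)

// Validate decides whether applying v on top of the stored markers m is safe.
func Validate(m Markers, v Values) error {
	switch v.MigrationState {
	case "", "preparation", "dryRun", "migrate":
	default:
		return ErrUnknownState
	}
	if v.MigrationState != "" && !v.MASEnabled {
		return ErrStateWithoutMAS
	}
	if v.MigrationState != "" && m.MASActive {
		return ErrMigrationDone // rule 3: migration turned on but already completed
	}
	if !v.MASEnabled && m.MASActive {
		return ErrDisableActiveMAS // rule 2: MAS disabled after being migrated to / deployed
	}
	if v.MASEnabled && v.MigrationState == "" && m.SynapseOwnAuth && !m.MASActive {
		return ErrMASWithoutMigration // rule 1: MAS enabled without a migration mode
	}
	if (v.MigrationState == "dryRun" || v.MigrationState == "migrate") && !m.MASPrepared {
		return ErrNotPrepared
	}
	return nil
}

// Apply returns the markers as they would be stored after a successful upgrade with v.
func Apply(m Markers, v Values) (Markers, error) {
	if err := Validate(m, v); err != nil {
		return m, err
	}
	switch v.MigrationState {
	case "preparation":
		m.MASPrepared = true
	case "migrate":
		m.MASPrepared = false
		m.MASActive = true
	case "":
		if v.MASEnabled {
			m.MASActive = true // MAS from the start, or steady state after migration
		} else {
			m.SynapseOwnAuth = true // Synapse running with its own auth
		}
	}
	return m, nil
}

// ClearPrepared is the escape hatch: the admin discards the prepared MAS DB
// so the chart can redeploy it with different database settings.
func ClearPrepared(m Markers) Markers {
	m.MASPrepared = false
	return m
}

func main() {
	m := Markers{SynapseOwnAuth: true} // constructed: existing Synapse-only deployment
	for _, v := range []Values{
		{MASEnabled: true, MigrationState: "preparation"},
		{MASEnabled: true, MigrationState: "dryRun"},
		{MASEnabled: true, MigrationState: "migrate"},
		{MASEnabled: true},                            // migrationState removed from values.yaml
		{MASEnabled: true, MigrationState: "migrate"}, // rerun after completion: rejected
		{MASEnabled: false},                           // turning MAS off afterwards: rejected
	} {
		next, err := Apply(m, v)
		fmt.Printf("%+v -> %+v err=%v\n", v, next, err)
		m = next
	}
}
```

A fresh deployment with MAS enabled and no migration mode passes `Validate` because no `SynapseOwnAuth` marker exists yet, which keeps the "no one registered on Synapse" case gaelgatelement raises working; the checks only bite once Synapse has actually run with its own auth.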

@gaelgatelement force-pushed the gaelg/add-syn2mas branch 5 times, most recently from 9f5e019 to 6ae7f65 on May 20, 2025 15:07
@gaelgatelement (Member, Author) commented

I think we can somehow skip doing deployment markers, as they will conflict with the "all components are optional" philosophy.

For example I would argue the following points:

Prevents upgrading the chart with MAS enabled but no migration flags/mode if Synapse has been deployed before

This could still result in a valid deployment as long as no user registered on Synapse. So a 2 step deployment where Synapse is enabled first, and then the admin adds MAS right away would work.

Prevents upgrading the chart with MAS disabled if MAS has been migrated to / was initially deployed

This could be a check that we'd enforce for a lot of components. Does that actually make sense? Let's imagine that one wants to migrate to MAS external to the chart, that should remain possible.

Prevents upgrading the chart with MAS migration turned on but has already been completed

I think this is fine as it will run as a pre-upgrade hook job, so it will fail without doing any harm.

@benbz (Member) commented May 22, 2025

I think we can somehow skip doing deployment markers, as they will conflict with the "all components are optional" philosophy.

For example I would argue the following points:

Prevents upgrading the chart with MAS enabled but no migration flags/mode if Synapse has been deployed before

This could still result in a valid deployment as long as no user registered on Synapse. So a 2 step deployment where Synapse is enabled first, and then the admin adds MAS right away would work.

Yes, no-one might have registered on Synapse but that feels like an edge case given MAS is default enabled. Given how wrong things will go if MAS is enabled but not migrated to, in ways that will take DB wrangling to untangle, I think we want to prevent this.

This is the scenario I'm most worried about given if we tell people to deploy with MAS off to enable some incompatible component and then we make that component compatible, people will shoot themselves in the foot turning MAS on.

Prevents upgrading the chart with MAS disabled if MAS has been migrated to / was initially deployed

This could be a check that we'd enforce for a lot of components. Does that actually make sense? Let's imagine that one wants to migrate to MAS external to the chart, that should remain possible.

If the admin wants to move to an external MAS they can remove the marker. Again, removing MAS and falling back to Synapse auth will make things go very wrong in ways that require DB wrangling to fix. I don't think this particularly conflicts with the everything is optional approach - MAS is optional until the point you use it and there's an escape hatch to move to an external instance. MAS is fundamentally different to bridges, clients, etc. Disabling Synapse after initial deploy would require significant reconfiguration too.

This is the least likely scenario but still worth protecting IMO.

Prevents upgrading the chart with MAS migration turned on but has already been completed

I think this is fine as it will run as a pre-upgrade hook job, so it will fail without doing any harm.

If it is a pre-upgrade hook then yes syn2mas will fail but if we're adding markers for the above 2 cases we might be able to make a cleaner/more obvious error.

This scenario will happen often and so if we can improve the UX of it, great.

My thinking was that we'd make these markers part of initSecrets/check config. Or do something very similar. If people have RBAC, etc concerns then they turn those off and don't get this protection.

@gaelgatelement force-pushed the gaelg/add-syn2mas branch 2 times, most recently from 15a2f9a to d391d04 on May 27, 2025 15:54
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 5 times, most recently from 8a73ab4 to 76fb3e4 on June 3, 2025 12:53
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 2 times, most recently from 750f227 to 0cf8164 on June 4, 2025 08:50
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 5 times, most recently from 0a0aade to 2e52832 on June 5, 2025 08:54
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 5 times, most recently from 16002ae to eb948b5 on June 5, 2025 15:27
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 3 times, most recently from c22fae2 to 41f1a4d on June 5, 2025 15:39
@gaelgatelement force-pushed the gaelg/add-syn2mas branch 3 times, most recently from 495f4f2 to 226a0c8 on June 5, 2025 15:54
@gaelgatelement gaelgatelement merged commit 5d1dbf8 into main Jun 6, 2025
58 checks passed
@gaelgatelement gaelgatelement deleted the gaelg/add-syn2mas branch June 6, 2025 07:21