
Implement Synapse to MAS migration #454


Draft · wants to merge 32 commits into base: main

Conversation

gaelgatelement
Member

@gaelgatelement gaelgatelement commented May 16, 2025

WIP.

Options below are the ones we envisioned. In the end we are going for option B.2.

Option A: From Synapse to MAS-enabled in 1 values file change. This would allow the user to enable matrixAuthenticationService and run the migrate job at the same time. 2 ways to approach this:

  1. With Syn2MAS as a pre-upgrade job. This does not work as the postgres database might not exist at this step:
    - We could run a pre-upgrade hook to initialize it before the syn2mas job runs. This breaks if MAS is using the in-cluster postgres DB and it was not initialized, as no component was using it before.
    - The strategy could be to initialize a statefulset during the pre-upgrade hook. It would create the PVC during this step as well. But this would conflict with any currently running postgres.
  2. With Syn2MAS as a post-upgrade job, Synapse is reconfigured to delegate auth to MAS before the job is run. We could configure Synapse so that it does not delegate authentication if Syn2Mas is running, but then we need a 2-step helm upgrade process.

Option B: From Synapse to MAS-enabled in a 2-step values file change.

  1. Handle Synapse replicas in the chart depending on the syn2mas value.

    1. Enabling the migration:
      - Synapse replicas are set to 0 as matrixAuthenticationService.migrate.enabled is true
      - matrixAuthenticationService is not deployed
      - syn2mas post-install/post-upgrade hook
    2. Migration ran properly, disable matrixAuthenticationService.migrate.enabled:
      - Synapse replicas are set back
      - matrixAuthenticationService is deployed
  2. Handle Synapse replicas from the migration job.

    1. Enabling MAS, enable migration in dryRun mode:
      - MAS is deployed together with its DB.
      - Synapse does not delegate auth to MAS.
      - MAS is in read-only mode OR its ingress is not enabled.
      - The migration dry runs as a post-upgrade hook job.
    2. Enabling the actual migration:
      - The migration runs as a pre-upgrade hook.
      - This pre-hook actually scales down Synapse during the migration run.
      - Whether it fails or succeeds, it scales Synapse back in any case.
      - matrixAuthenticationService read-only is disabled OR its ingress is enabled.
      - Synapse delegates its authentication to MAS.

@gaelgatelement gaelgatelement requested a review from a team as a code owner May 16, 2025 13:38
@gaelgatelement gaelgatelement marked this pull request as draft May 16, 2025 13:38

github-actions bot commented May 16, 2025

dyff of changes in rendered templates of CI manifests

example-default-enabled-components-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"ess.localhost"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"ess.localhost"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
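
Review bot: the whitespace-only change to data.config.yaml (the leading blank line before `http:` is dropped) is harmless on its own, but it is what moves the k8s.element.io/matrix-authentication-service-config-hash label from efb6e8d6b6df14472e7ee432a3515c23a5868014 to fe0adbde95417ca187e9879ceed72dfe8dd57872 in the hunks below, so every existing deployment restarts MAS on this upgrade without any functional config change. If the dropped newline is a side effect of the template edits rather than intended, it is worth keeping the trim consistent so cosmetic template changes do not roll the auth service; if intended, call it out in the release notes.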

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
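
Review bot: the renamed label k8s.element.io/postgres-password-matrixauthenticationservice-hash still publishes a 40-hex digest derived from the database password as a Deployment and pod label, readable by anyone with get/list on those resources. If that digest is computed over the password alone with no secret salt, it is an offline-verifiable fingerprint of the credential; since the label name is changing anyway, this is the moment to mix a per-release secret into the hashed input so the label only serves as a rollout trigger. Note also that renaming a pod-template label is itself a template change and restarts MAS on upgrade, independently of the config-hash change.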

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0
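
Review bot: maxUnavailable going from 1 to 0 on the MAS Deployment is the right direction for an auth service (no window with zero MAS pods during a rollout), but it only makes progress if maxSurge is above 0; that field is not in this diff, so please confirm it is not also pinned to 0, otherwise a rollout with a single replica deadlocks. This changes rollout semantics for existing deployments and belongs in the changelog.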

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
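
Review bot: the spec.template.metadata.labels rename on the synapse-main StatefulSet changes the pod template, so every existing deployment gets a rolling restart of Synapse on this chart upgrade, whether or not it is migrating to MAS, while the label value (da9c3f72f44eda433c1be814c6e8531633da8a67) is unchanged. That is acceptable if stated in the release notes; the alternative is to rename only the top-level metadata label and keep the old key on the pod template, which avoids the unconditional homeserver restart.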
matrix-authentication-service-checkov-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a
matrix-authentication-service-external-synapse-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

matrix-authentication-service-keep-auth-in-synapse-values.yaml (removed)
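
Review bot: dropping matrix-authentication-service-keep-auth-in-synapse-values.yaml removes CI coverage for the state where MAS is deployed but Synapse keeps authenticating locally, which is exactly the intermediate state of step B.2.1 in the description (MAS deployed with its DB, Synapse not delegating auth, migration running as a dry-run post-upgrade hook). Unless a values file for the dry-run migration state replaces it, the rendered-template dyff will no longer exercise that path; suggest adding one so both migration steps are covered.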

matrix-authentication-service-minimal-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- a4a8da72ba974a0617eb2a46841d71c595300dc2
+ 09b7d4b328250209e2a29d99fb473082f4349a7a
matrix-authentication-service-postgres-secrets-externally-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 0b9068f6ff846b00c516d0ce3c52c21540d173e3

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c
matrix-authentication-service-postgres-secrets-in-helm-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447
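Review bot: the label is renamed from `k8s.element.io/postgres-password-hash` to `k8s.element.io/postgres-password-matrixauthenticationservice-hash` with the digest value left unchanged, so this is a pure rename; since the same rename lands on `spec.template.metadata.labels` in the hunk below (and, in the later files, on every Synapse StatefulSet), it restarts all of these workloads once on upgrade, and anything that selects on the old key (NetworkPolicy, monitoring, kustomize overlays) silently stops matching, which deserves a changelog entry. The new key name is 50 characters, inside the 63-character limit for a label key name, but because the scheme embeds the component name a component with a longer name would render an invalid label, so a length guard or a shorter suffix in the template would be prudent. Separately, the value remains a 40-hex-digit digest of the Postgres password exposed in a label readable by anyone with `list pods`; worth confirming it is a keyed or salted digest rather than a plain hash, since a plain hash is an offline-verifiable fingerprint of the secret.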

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0
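Review bot: `spec.strategy.rollingUpdate.maxUnavailable` going from 1 to 0 on the MAS Deployment is unrelated to the label rename and is not explained in this hunk or in the description; the effect is that a rollout keeps the old MAS pod serving until its replacement passes readiness, which is the right choice for a single-replica authentication service that every login depends on, but it only progresses if `maxSurge` stays non-zero (the default 25% rounds up to 1) and the cluster has room for one extra pod, so please state the rationale in the commit message and consider landing it separately from the syn2mas work.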

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 1948e596bb7d7398c3f5fb302bbb2aa3a0f0a447

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4a4cbc0060346e6f381f354fa69b63f3e980c16f
+ 802d8b16e441326c553fe00dc53520249156bf3c
matrix-authentication-service-secrets-externally-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-mas-external/keysRSA↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaPrime256v1↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp256k1↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-mas-external/keysEcdsaSecp384r1↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
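Review bot: this `data.config.yaml` hunk is flagged as a whitespace-only change (the `-` side is just the leading blank line that the `+ http:` side no longer has), but it still changes the rendered ConfigMap and therefore the `matrix-authentication-service-config-hash` label in the hunks further down, so every existing MAS deployment is rolled once on upgrade even when syn2mas is not used; if the blank line was dropped by accident during the template refactor, restoring it keeps the config hash stable, otherwise the one-off restart should be called out in the changelog.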

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- fe0be81c09d56546fc0e532deb3be79273438302
+ c8bffa7793f9de5562568bcbceb12574dcf4f6e3

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 6d435fe0873b55e5450b5ddb036f4130863359d1

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- fe0be81c09d56546fc0e532deb3be79273438302
+ c8bffa7793f9de5562568bcbceb12574dcf4f6e3
matrix-authentication-service-secrets-in-helm-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_SECP256K1_PRIVATE_KEY↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_SECP384R1_PRIVATE_KEY↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ··-·kid:·secp256k1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_SECP256K1_PRIVATE_KEY↵
  ↵
  ··-·kid:·secp384r1↵
  ····key_file:·/secrets/release-name-matrix-authentication-service/ECDSA_SECP384R1_PRIVATE_KEY↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
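Review bot: unchanged by this hunk, but the database URI `postgresql://mas:${POSTGRES_PASSWORD}@postgres:/mas?application_name=matrix-authentication-service` in these test values has an empty port after `postgres:` and no `sslmode`, unlike the in-cluster variant which spells out `:5432` and `sslmode=prefer`; an empty port is accepted by the URL parser (the default port is used), but it reads like a typo in the values file and is worth tidying while these manifests are being regenerated.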

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4b6696118edcec5bdf58be050c4c426d2a005471
+ 05f69e738f0761e1c4623a0e7c41c79876ba255a

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: 36b6712184ed0835f61aaf6c6a32ef277936bf37

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 4b6696118edcec5bdf58be050c4c426d2a005471
+ 05f69e738f0761e1c4623a0e7c41c79876ba255a

matrix-authentication-service-synapse-secrets-externally-values.yaml (removed)

matrix-authentication-service-synapse-secrets-in-helm-values.yaml (removed)

matrix-authentication-service-synapse-syn2mas-dry-run-secrets-externally-values.yaml (added)

matrix-authentication-service-synapse-syn2mas-dry-run-secrets-in-helm-values.yaml (added)

matrix-authentication-service-synapse-syn2mas-migrate-secrets-externally-values.yaml (added)

matrix-authentication-service-synapse-syn2mas-migrate-secrets-in-helm-values.yaml (added)

pytest-matrix-authentication-service-syn2mas-values.yaml (added)

pytest-matrix-authentication-service-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"ess.localhost"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://mas.ess.localhost"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"ess.localhost"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- efb6e8d6b6df14472e7ee432a3515c23a5868014
+ fe0adbde95417ca187e9879ceed72dfe8dd57872

@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
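Review bot: renaming the pod-template label on `release-name-synapse-main` (and on the other Synapse StatefulSets in the files below) changes the pod template even though the digest value `da9c3f72f44eda433c1be814c6e8531633da8a67` is identical, so the StatefulSet performs a rolling restart of Synapse on upgrade; for a homeserver that is a full restart of the main process and should be stated in the upgrade notes, and it is worth checking the ordering of that restart against the syn2mas job in the migrate manifests added above so the job does not run against a Synapse that is mid-restart.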
pytest-matrix-rtc-synapse-wellknown-values.yaml (changed)
@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
pytest-synapse-values.yaml (changed)
@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-event-persister
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-event-persister
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-media-repository
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-media-repository
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-sliding-sync
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-sliding-sync
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
quick-setup-certificates-pg-external-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://account.your.tld"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://your-matrix-auth-service-user:${POSTGRES_PASSWORD}@your-db-host.tld:5432/your-matrix-auth-service-database-name?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"your.tld"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://account.your.tld"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://your-matrix-auth-service-user:${POSTGRES_PASSWORD}@your-db-host.tld:5432/your-matrix-auth-service-database-name?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"your.tld"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
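Review bot: unchanged by this whitespace-only hunk, but since `quick-setup-certificates-pg-external-values.yaml` is the template users copy for an off-cluster database, the rendered URI `postgresql://your-matrix-auth-service-user:${POSTGRES_PASSWORD}@your-db-host.tld:5432/your-matrix-auth-service-database-name?sslmode=prefer` deserves a look: `sslmode=prefer` silently falls back to cleartext if TLS negotiation fails and never verifies the server certificate, so a MAS instance talking to an external Postgres would send its database password and session data over an unauthenticated channel; for an external host the chart should default to `sslmode=verify-full` (with a CA configured) or at least `require`, keeping `prefer` only for the in-cluster service.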

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: c89798ba11b4d2ab8d5baf10ecac48451adad762
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: c89798ba11b4d2ab8d5baf10ecac48451adad762

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 421a4e480cbba715266ff86b8061fb5de9ef693a
+ d5bbfadb01bb891fc3a3cbbce8d3e1285a694884

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: c89798ba11b4d2ab8d5baf10ecac48451adad762
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: c89798ba11b4d2ab8d5baf10ecac48451adad762

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 421a4e480cbba715266ff86b8061fb5de9ef693a
+ d5bbfadb01bb891fc3a3cbbce8d3e1285a694884

@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba

@@ spec.template.metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: cc016d8f0d65c939ce7a5f01e09481dff72eebba
quick-setup-certificates-pg-with-helm-values.yaml (changed)
@@ data.config.yaml @@
# v1/ConfigMap/ess-ci/release-name-matrix-authentication-service
! ± whitespace only change
-
  http:↵
  ··public_base:·"https://account.your.tld"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"your.tld"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
  

+ http:↵
  ··public_base:·"https://account.your.tld"↵
  ··listeners:↵
  ··-·name:·web↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8080↵
  ····resources:↵
  ····-·name:·human↵
  ····-·name:·discovery↵
  ····-·name:·oauth↵
  ····-·name:·compat↵
  ····-·name:·assets↵
  ····-·name:·graphql↵
  ······#·This·lets·us·use·the·GraphQL·API·with·an·OAuth·2.0·access·token,↵
  ······#·which·we·currently·use·in·the·ansible·modules·and·in·synapse-admin↵
  ······undocumented_oauth2_access:·true↵
  ····-·name:·adminapi↵
  ··-·name:·internal↵
  ····binds:↵
  ····-·host:·0.0.0.0↵
  ······port:·8081↵
  ····resources:↵
  ····-·name:·health↵
  ····-·name:·prometheus↵
  ····-·name:·connection-info↵
  ↵
  ↵
  database:↵
  ··uri:·"postgresql://matrixauthenticationservice_user:${POSTGRES_PASSWORD}@release-name-postgres.ess-ci.svc.cluster.local:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"↵
  ↵
  ↵
  telemetry:↵
  ··metrics:↵
  ····exporter:·prometheus↵
  matrix:↵
  ··homeserver:·"your.tld"↵
  ··secret:·${SYNAPSE_SHARED_SECRET}↵
  ··endpoint:·"http://release-name-synapse-main.ess-ci.svc.cluster.local:8008"↵
  ↵
  policy:↵
  ··data:↵
  ····admin_clients:·[]↵
  ····admin_users:·[]↵
  ····client_registration:↵
  ······allow_host_mismatch:·false↵
  ······allow_insecure_uris:·false↵
  clients:↵
  -·client_id:·"0000000000000000000SYNAPSE"↵
  ··client_auth_method:·client_secret_basic↵
  ··client_secret:·${SYNAPSE_OIDC_CLIENT_SECRET}↵
  ↵
  secrets:↵
  ··encryption:·${ENCRYPTION_SECRET}↵
  ↵
  ··keys:↵
  ··-·kid:·rsa↵
  ····key_file:·/secrets/release-name-generated/MAS_RSA_PRIVATE_KEY↵
  ··-·kid:·prime256v1↵
  ····key_file:·/secrets/release-name-generated/MAS_ECDSA_PRIME256V1_PRIVATE_KEY↵
  ↵
  ↵
  experimental:↵
  ··access_token_ttl:·86400··#·1·day,·up·from·5·mins,·until·EX·can·better·handle·refresh·tokens↵
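Review bot: from `http:` down to `experimental.access_token_ttl` the removed and added halves of this multi-line config value are identical, so whatever actually changed in the rendered MAS config sits above the shown context and is not visible in this hunk; a one-line summary in the PR of what moved would spare reviewers a manual diff. Two things visible here are worth a follow-up even if untouched by this PR: `database.uri` carries `sslmode=prefer`, which silently falls back to a plaintext connection when the server does not offer TLS, and MAS will now hold the migrated account data, so `sslmode=require` (or `verify-full` with the cluster CA) is the safer default wherever the in-cluster Postgres serves TLS; and `experimental.access_token_ttl: 86400` lengthens access-token lifetime from 5 minutes to a day, which widens the window in which a leaked token stays usable, a trade-off the inline comment explains but the chart docs should state as well.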

@@ metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
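Review bot: the per-component rename of the label (`postgres-password-hash` to `postgres-password-matrixauthenticationservice-hash`) is the right direction if Synapse and MAS are to get separate database credentials, but note what the label carries: a 40-hex digest of the Postgres password, readable by anyone with list or get access on Deployments and pods in the namespace. If that is a plain unsalted hash of a short password it becomes an offline guessing target, so confirm the digest is keyed or salted, or that the generated password has enough entropy that the digest reveals nothing useful; the label only needs to change when the password changes, so a keyed hash serves the rollout trigger equally well.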

@@ metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 832351ab83798cb0f55071baad121df6d7911a9c
+ b4b34b098abb823c8789825337f4d7c0b6ced327

@@ spec.strategy.rollingUpdate.maxUnavailable @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 1
+ 0
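Review bot: `spec.strategy.rollingUpdate.maxUnavailable` going from 1 to 0 on the MAS Deployment is not mentioned in the PR description; if it is intentional (keeping at least one MAS replica serving auth while Synapse delegates to it during an upgrade), say so in the description, and make sure `maxSurge` is not also 0 for this Deployment, because Kubernetes rejects a rolling update with both set to zero.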

@@ spec.template.metadata.labels @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-matrixauthenticationservice-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ spec.template.metadata.labels.k8s.element.io/matrix-authentication-service-config-hash @@
# apps/v1/Deployment/ess-ci/release-name-matrix-authentication-service
! ± value change
- 832351ab83798cb0f55071baad121df6d7911a9c
+ b4b34b098abb823c8789825337f4d7c0b6ced327

@@ metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
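Review bot: the Synapse check-config hook now gets `postgres-password-synapse-hash` while the MAS Deployment above gets `postgres-password-matrixauthenticationservice-hash`, yet both carry the same digest `da9c3f72f44eda433c1be814c6e8531633da8a67`; in the CI values this means one Postgres password is shared by the synapse and matrixauthenticationservice databases, so the split into per-component labels is not actually exercised by the rendered manifests. Giving the two components distinct passwords in the test fixture would make a regression in either hash visible, and is also the least-privilege setup the split is presumably meant to enable.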

@@ spec.template.metadata.labels @@
# batch/v1/Job/ess-ci/release-name-synapse-check-config-hook
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44eda433c1be814c6e8531633da8a67

@@ metadata.labels @@
# apps/v1/StatefulSet/ess-ci/release-name-synapse-main
! - one map entry removed:
- k8s.element.io/postgres-password-hash: da9c3f72f44eda433c1be814c6e8531633da8a67
! + one map entry added:
+   k8s.element.io/postgres-password-synapse-hash: da9c3f72f44...*[Comment body truncated]*

@benbz
Member

benbz commented May 20, 2025

My thoughts:

  • We must do a 2 stage deploy due to the Postgres issue
    • We may not have had a Postgres running previously if Synapse used an external Postgres and MAS is to use the in-cluster Postgres
    • We can't spin up one in a pre-install/pre-upgrade hook as we may have an in-cluster Postgres currently and the PVC can't be shared
  • We can't do the migration in a post-install/post-upgrade hook as the Synapse config will be wrong at some point during the deploy
    • If we update it for MAS then there's a period of time before the post-install/post-upgrade hook runs that Synapse is pointing at MAS that hasn't had data migrated to it
    • If we don't update it for MAS then after the post-install/post-upgrade hook runs the config isn't setup for MAS
      • To say nothing for what happens if a subsequent helm install -U/helm upgrade occurs
  • We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible
  • By default the chart should store markers in-cluster as to the state of the migration.
    • I don't think adding a syn2mas marker is sufficient as I think we also want a marker for Synapse has been run with MAS, a migration will be required
    • We'll also want MAS prepared but not migrated to & MAS deployed and used for auth (be it migrated to or from the beginning).
    • The MAS prepared but not migrated to marker must be removable in case the admin redeploys the chart with different MAS DB config

@gaelgatelement
Member Author

We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible

With current booleans it feels simple:

helm upgrade --reuse-values --set matrixAuthenticationService.enabled=true --set matrixAuthenticationService.syn2mas=true

On success, apply the migration:

helm upgrade --reuse-values --set matrixAuthenticationService.syn2mas.dryRun=false

I'm not sure a "mode" would make it simpler here.

Regarding markers, I'm not sure I see in which context they are required. I'm not a huge fan of storing state when we can just avoid it. What type of critical error scenario would those states prevent?

@benbz
Member

benbz commented May 20, 2025

We should have "modes" for migration rather than a set of boolean flags so that we can eliminate bad states and make the helm upgrade --reuse-values incantations as simple as possible

With current booleans it feels simple:

helm upgrade --reuse-values --set matrixAuthenticationService.enabled=true --set matrixAuthenticationService.syn2mas=true

On success, apply the migration:

helm upgrade --reuse-values --set matrixAuthenticationService.syn2mas.dryRun=false

I'm not sure a "mode" would make it simpler here.

# Edit values.yaml to enable MAS and configure matrixAuthenticationService.migrationState=preparation
$ helm upgrade -f values.yaml
# Move through the migration steps
$ helm upgrade --reuse-values --set matrixAuthenticationService.migrationState=dryRun
$ helm upgrade --reuse-values --set matrixAuthenticationService.migrationState=migrate
# Edit values.yaml to remove matrixAuthenticationService.migrationState from values.yaml

If we've only got matrixAuthenticationService.syn2mas.{enabled,dryRun} it probably isn't necessary but if we need the preparation step (i.e. what preMigrationSynapseHandlesAuth did) then a single mode variable is better than booleans.

Regarding markers, I'm not sure I see in which context they are required. I'm not a huge fan of storing state when we can just avoid it. What type of critical error scenario would those states prevent?

  • Prevents upgrading the chart with MAS enabled but no migration flags/mode if Synapse has been deployed before
  • Prevents upgrading the chart with MAS disabled if MAS has been migrated to / was initially deployed
  • Prevents upgrading the chart with MAS migration turned on but has already been completed
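The three checks listed above, written out as a small validator (an added example, not chart code): it compares the values of the currently deployed release, as `helm get values` would report them, with the values about to be applied, and rejects the bad transitions. The key names `synapse.enabled`, `matrixAuthenticationService.enabled` and `matrixAuthenticationService.migrationState`, and the use of the previous release's values rather than in-cluster markers as the only state, are assumptions.

```python
"""Validate one Synapse -> MAS migration step against the previous release.

Added example, not chart code. It encodes the three transition checks
discussed in the thread, using the previous release's values (as returned
by `helm get values`) as the only state, instead of in-cluster markers.
Key names `synapse.enabled`, `matrixAuthenticationService.enabled` and
`matrixAuthenticationService.migrationState` are assumptions.
"""
from __future__ import annotations

# Migration modes in the order the thread walks through them.
MODES = ("preparation", "dryRun", "migrate")


def _state(values: dict) -> tuple[bool, bool, str | None]:
    """Return (synapse enabled, MAS enabled, migrationState) for one values set."""
    mas = values.get("matrixAuthenticationService") or {}
    synapse = values.get("synapse") or {}
    return bool(synapse.get("enabled")), bool(mas.get("enabled")), mas.get("migrationState")


def check_transition(prev: dict | None, new: dict) -> list[str]:
    """Return the problems with applying `new` over `prev`; [] means proceed."""
    problems: list[str] = []
    syn_new, mas_new, mode_new = _state(new)
    if mode_new is not None and mode_new not in MODES:
        return [f"unknown migrationState {mode_new!r}, expected one of {MODES}"]
    if mode_new and not (syn_new and mas_new):
        problems.append("migrationState needs both synapse and MAS enabled")
    if prev is None:
        # Fresh install: MAS can be deployed directly, there is nothing to migrate.
        if mode_new:
            problems.append("migrationState is set on a fresh install")
        return problems
    syn_prev, mas_prev, mode_prev = _state(prev)
    # 1. Synapse already ran without MAS: enabling MAS requires a migration mode.
    if syn_prev and not mas_prev and mas_new and not mode_new:
        problems.append("MAS enabled on an existing Synapse without migrationState")
    # 2. MAS already holds the accounts (deployed from the start, or migrated to):
    #    disabling it would strand them. Aborting during preparation/dryRun is fine.
    if mas_prev and mode_prev in (None, "migrate") and not mas_new:
        problems.append("MAS disabled after it was deployed or migrated to")
    # 3. Migration already completed (or never needed): syn2mas must not run again.
    if mas_prev and mode_prev in (None, "migrate") and mode_new:
        problems.append("migration already completed, remove migrationState")
    return problems
```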

@gaelgatelement force-pushed the gaelg/add-syn2mas branch 4 times, most recently from 34bcd80 to 9f5e019 on May 20, 2025 14:48
@gaelgatelement
Member Author

I think we can somehow skip doing deployment markers, as they will conflict with the "all components are optional" philosophy.

For example I would argue the following points:

Prevents upgrading the chart with MAS enabled but no migration flags/mode if Synapse has been deployed before

This could still result in a valid deployment as long as no user registered on Synapse. So a 2 step deployment where Synapse is enabled first, and then the admin adds MAS right away would work.

Prevents upgrading the chart with MAS disabled if MAS has been migrated to / was initially deployed

This could be a check that we'd enforce for a lot of components. Does that actually make sense? Let's imagine that one wants to migrate to a MAS external to the chart; that should remain possible.

Prevents upgrading the chart with MAS migration turned on but has already been completed

I think this is fine as it will run as a pre-upgrade hook job, so it will fail without doing any harm.
