Implement Synapse to MAS migration

charts/matrix-stack/ci/fragments/matrix-authentication-service-pytest-extras.yaml

@@ -19,6 +19,11 @@ matrixAuthenticationService:
       configSecret: "{{ $.Release.Name }}-pytest-admin"
       configSecretKey: "admin.yaml"
 
+  syn2mas:
+    extraEnv:
+    - name: DEBUG_RENDERING
+      value: "1"
+
 postgres:
   podSecurityContext:
     runAsGroup: 0

charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-dryrun.yaml

@@ -0,0 +1,16 @@
+# Copyright 2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+matrixAuthenticationService:
+  syn2mas:
+    enabled: true
+    dryRun: true
+
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt

charts/matrix-stack/ci/fragments/matrix-authentication-service-auth-synapse.yaml → charts/matrix-stack/ci/fragments/matrix-authentication-service-syn2mas-migrate.yaml

@@ -3,4 +3,5 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 matrixAuthenticationService:
-  preMigrationSynapseHandlesAuth: true
+  syn2mas:
+    dryRun: false

charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-externally-values.yaml → charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-dry-run-secrets-externally-values.yaml

@@ -2,13 +2,20 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 #
-# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-externally.yaml synapse-secrets-externally.yaml
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-externally.yaml synapse-secrets-externally.yaml matrix-authentication-service-syn2mas-dryrun.yaml
 # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
 
 # initSecrets, postgres don't have any required properties to be set and defaults to enabled
 elementWeb:
   enabled: false
 matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
   encryptionSecret:
     secret: '{{ $.Release.Name }}-mas-external'
     secretKey: encryption
@@ -34,6 +41,9 @@ matrixAuthenticationService:
     rsa:
       secret: '{{ $.Release.Name }}-mas-external'
       secretKey: keysRSA
+  syn2mas:
+    dryRun: true
+    enabled: true
   synapseOIDCClientSecret:
     secret: '{{ $.Release.Name }}-mas-external'
     secretKey: synapseOIDC

charts/matrix-stack/ci/matrix-authentication-service-synapse-secrets-in-helm-values.yaml → charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-dry-run-secrets-in-helm-values.yaml

@@ -2,13 +2,20 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-only
 #
-# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml matrix-authentication-service-syn2mas-dryrun.yaml
 # DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
 
 # initSecrets, postgres don't have any required properties to be set and defaults to enabled
 elementWeb:
   enabled: false
 matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
   encryptionSecret:
     value: CHANGEME-ahohhohgiavee5Koh8ahwo
   ingress:
@@ -42,6 +49,9 @@ matrixAuthenticationService:
         -----BEGIN RSA PRIVATE KEY-----
         MIIEowIBAAKCAQEA6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
         ------END RSA PRIVATE KEY-----
+  syn2mas:
+    dryRun: true
+    enabled: true
   synapseOIDCClientSecret:
     value: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0
   synapseSharedSecret:

charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-migrate-secrets-externally-values.yaml

@@ -0,0 +1,79 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-externally.yaml matrix-authentication-service-secrets-externally.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-externally.yaml synapse-secrets-externally.yaml matrix-authentication-service-syn2mas-dryrun.yaml matrix-authentication-service-syn2mas-migrate.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres don't have any required properties to be set and defaults to enabled
+elementWeb:
+  enabled: false
+matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+  encryptionSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: encryption
+  ingress:
+    host: mas.ess.localhost
+  postgres:
+    database: mas
+    host: postgres
+    password:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: postgresPassword
+    user: mas
+  privateKeys:
+    ecdsaPrime256v1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaPrime256v1
+    ecdsaSecp256k1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaSecp256k1
+    ecdsaSecp384r1:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysEcdsaSecp384r1
+    rsa:
+      secret: '{{ $.Release.Name }}-mas-external'
+      secretKey: keysRSA
+  syn2mas:
+    dryRun: false
+    enabled: true
+  synapseOIDCClientSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: synapseOIDC
+  synapseSharedSecret:
+    secret: '{{ $.Release.Name }}-mas-external'
+    secretKey: synapseShared
+matrixRTC:
+  enabled: false
+serverName: ess.localhost
+synapse:
+  appservices:
+    - secret: '{{ $.Release.Name }}-synapse-external'
+      secretKey: bridge_registration.yaml
+  ingress:
+    host: synapse.ess.localhost
+  macaroon:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: macaroon
+  postgres:
+    database: synapse
+    host: ess-postgres
+    password:
+      secret: '{{ $.Release.Name }}-synapse-external'
+      secretKey: postgresPassword
+    user: synapse_user
+  registrationSharedSecret:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: registrationSharedSecret
+  signingKey:
+    secret: '{{ $.Release.Name }}-synapse-external'
+    secretKey: signingKey
+wellKnownDelegation:
+  enabled: false

charts/matrix-stack/ci/matrix-authentication-service-synapse-syn2mas-migrate-secrets-in-helm-values.yaml

@@ -0,0 +1,78 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: matrix-authentication-service-minimal.yaml matrix-authentication-service-test-postgres.yaml matrix-authentication-service-test-postgres-secrets-in-helm.yaml  matrix-authentication-service-secrets-in-helm.yaml synapse-minimal.yaml synapse-test-postgres.yaml synapse-test-postgres-secrets-in-helm.yaml synapse-secrets-in-helm.yaml matrix-authentication-service-syn2mas-dryrun.yaml matrix-authentication-service-syn2mas-migrate.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+# initSecrets, postgres don't have any required properties to be set and defaults to enabled
+elementWeb:
+  enabled: false
+matrixAuthenticationService:
+  additional:
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+  encryptionSecret:
+    value: CHANGEME-ahohhohgiavee5Koh8ahwo
+  ingress:
+    host: mas.ess.localhost
+  postgres:
+    database: mas
+    host: postgres
+    password:
+      value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+    user: mas
+  privateKeys:
+    ecdsaPrime256v1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+        MHcCAQEEIYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        AwEAAKBcZW5jb2duZXQwgggYMIINL6Ado018734nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEH
+        ------END EC PRIVATE KEY-----
+    ecdsaSecp256k1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+        MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        ------END EC PRIVATE KEY-----
+    ecdsaSecp384r1:
+      value: |
+        -----BEGIN EC PRIVATE KEY-----
+         MHcCAQEEZFQZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+         ------END EC PRIVATE KEY-----
+    rsa:
+      value: |
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIEowIBAAKCAQEA6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49AwEHoUQDQgAE6521bYjZ789034nLz+oXJyVWqgUdDmRlKxvTfHsBhFtGpOaAoGCCqGSM49
+        ------END RSA PRIVATE KEY-----
+  syn2mas:
+    dryRun: false
+    enabled: true
+  synapseOIDCClientSecret:
+    value: CHANGEME-eiv6wae8shooPhie4ief8ru2egahbah0
+  synapseSharedSecret:
+    value: CHANGEME-iaw8eeSef4zeefie8ii3akien9tiaYah
+matrixRTC:
+  enabled: false
+serverName: ess.localhost
+synapse:
+  ingress:
+    host: synapse.ess.localhost
+  macaroon:
+    value: CHANGEME-eek3Eigoh8ux8laeTingeej1
+  postgres:
+    database: synapse
+    host: ess-postgres
+    password:
+      value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+    user: synapse_user
+  registrationSharedSecret:
+    value: CHANGEME-ooWo6jeidahhei3Hae0eer9U
+  signingKey:
+    value: ed25519 0 bNQOzBUDszff7Ax81z6w0uZ1IPWoxYaazT7emaZEfpw
+wellKnownDelegation:
+  enabled: false

charts/matrix-stack/ci/pytest-matrix-authentication-service-syn2mas-values.yaml

@@ -0,0 +1,68 @@
+# Copyright 2024-2025 New Vector Ltd
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
+# source_fragments: synapse-minimal.yaml synapse-pytest-base-extras.yaml matrix-authentication-service-pytest-extras.yaml matrix-authentication-service-syn2mas-dryrun.yaml init-secrets-minimal.yaml init-secrets-pytest-extras.yaml postgres-minimal.yaml
+# DO NOT EDIT DIRECTLY. Edit the fragment files to add / modify / remove values
+
+elementWeb:
+  enabled: false
+haproxy:
+  podSecurityContext:
+    runAsGroup: 0
+initSecrets:
+  annotations:
+    has-no-service-monitor: "true"
+  podSecurityContext:
+    runAsGroup: 0
+matrixAuthenticationService:
+  additional:
+    000-pytest-admin:
+      configSecret: '{{ $.Release.Name }}-pytest-admin'
+      configSecretKey: admin.yaml
+    password-scheme.yml:
+      config: |
+        passwords:
+          schemes:
+            - version: 1
+              algorithm: bcrypt
+  enabled: false
+  extraEnv:
+    - name: DEBUG_RENDERING
+      value: "1"
+  ingress:
+    host: mas.{{ $.Values.serverName }}
+    tlsSecret: '{{ $.Release.Name }}-mas-web-tls'
+  podSecurityContext:
+    runAsGroup: 0
+  syn2mas:
+    dryRun: true
+    enabled: true
+    extraEnv:
+      - name: DEBUG_RENDERING
+        value: "1"
+matrixRTC:
+  enabled: false
+postgres:
+  podSecurityContext:
+    runAsGroup: 0
+serverName: ess.localhost
+synapse:
+  checkConfigHook:
+    annotations:
+      has-no-service-monitor: "true"
+  extraArgs:
+    # Validate that any Synapse config that has a <foo>_path equivalent uses it
+    - --no-secrets-in-config
+  ingress:
+    host: synapse.{{ $.Values.serverName }}
+    tlsSecret: '{{ $.Release.Name }}-synapse-web-tls'
+  podSecurityContext:
+    runAsGroup: 0
+  redis:
+    annotations:
+      has-no-service-monitor: "true"
+    podSecurityContext:
+      runAsGroup: 0
+wellKnownDelegation:
+  enabled: false

charts/matrix-stack/ci/pytest-matrix-authentication-service-values.yaml

@@ -28,6 +28,10 @@ matrixAuthenticationService:
     tlsSecret: '{{ $.Release.Name }}-mas-web-tls'
   podSecurityContext:
     runAsGroup: 0
+  syn2mas:
+    extraEnv:
+      - name: DEBUG_RENDERING
+        value: "1"
 matrixRTC:
   enabled: false
 postgres:

charts/matrix-stack/configs/element-web/config.json.tpl

@@ -21,7 +21,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 {{- $_ := set $config "features" (dict "feature_video_rooms" true "feature_group_calls" true "feature_new_room_decoration_ui" true "feature_element_call_video_rooms" true) -}}
 {{- $_ := set $config "element_call" (dict "use_exclusively" true) -}}
 {{- end }}
-{{- if (and $root.Values.matrixAuthenticationService.enabled (not $root.Values.matrixAuthenticationService.preMigrationSynapseHandlesAuth)) }}
+{{- if include "element-io.matrix-authentication-service.readyToHandleAuth" (dict "root" $root) }}
 {{- $embeddedPages := dict "login_for_welcome" true -}}
 {{- $ssoRedirectOptions := dict "immediate" false -}}
 {{- $_ := set $settingDefaults "UIFeature.registration" false -}}