⚠️ remove sliding sync proxy support; use ghcr.io/element-hq/synapse (#631)

* fix rebase of main

* helm-docs: automated action

* upgrade halfshot/matrix-hookshot tag to v6.0.1

* helm-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
jessebot and github-actions[bot] authored Dec 15, 2024
1 parent eed7c98 commit f14eb60
Showing 6 changed files with 20 additions and 276 deletions.
71 changes: 12 additions & 59 deletions README.md
Expand Up @@ -25,35 +25,34 @@ helm show values matrix/matrix > values.yaml
helm install my-release-name matrix/matrix --values values.yaml
```

**NOTE: The most important helm parameter is `matrix.hostname`. Without it, this chart may not work!**
> [!IMPORTANT]
> The most important helm parameter is `matrix.hostname`. Without it, this chart may not work!**
> [!WARNING]
> This chart used to support the Sliding Sync Proxy, but as it is deprecated, we no longer support it. See this [matrix blog post](https://matrix.org/blog/2024/11/14/moving-to-native-sliding-sync/) for more info.

## Current Features ✨

- Latest version of [Synapse](https://github.com/element-hq/synapse) (the official matrix homeserver)
- Ingress definitions for federated Synapse (Matrix homeserver) and Element (client for matrix)
- Ingress definitions for federated Synapse (aka Matrix homeserver) and Element (default client for matrix)

### Optional Features

- Use (existing) Kubernetes Secrets for confidential data, such as passwords
- Use OIDC configs for SSO either directly via synapse (see [docs](https://github.com/element-hq/synapse/blob/develop/docs/openid.md) for more info) or via MAS
- Use existing Persistent Volume Claims
- Use existing Kubernetes Secrets for confidential data, such as passwords
- Use OIDC configs for SSO either directly via Synapse (see [docs](https://github.com/element-hq/synapse/blob/develop/docs/openid.md) for more info) or via MAS
- Use MAS ([matrix-org/matrix-authentication-service](https://github.com/matrix-org/matrix-authentication-service)) via [matrix-authentication-service-chart](https://github.com/small-hack/matrix-authentication-service-chart) as a sub chart for using [element-x] which recommends for OIDC auth
- Latest version of the [Element web app](https://element.io/) to provide a web interface for chat (you can disable this and still use element apps)
- [Coturn TURN server subchart](https://github.com/small-hack/coturn-chart) for VoIP calls
- Use s3 to store media using [element-hq/synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider/tree/main)
- Use existing Kubernetes Secrets and existing Persistent Volume Claims
- [mautrix/discord](https://github.com/mautrix/discord) - Discord bridge for syncing between matrix and Discord
- [small-hack/matrix-alertmanager](https://github.com/small-hack/matrix-alertmanager) - Prometheus Alertmanager bridge for syncing between matrix and Alertmanager


#### Features that may not be needed anymore

- Use [matrix-sliding-sync-chart](https://github.com/small-hack/matrix-sliding-sync-chart) as a sub chart for using [element-x] which requires [matrix-org/sliding-sync](https://github.com/matrix-org/sliding-sync) (Note: as of Synapse [v1.114.0](https://github.com/element-hq/synapse/releases/tag/v1.114.0) you can now use simplified sliding sync, which doesn't require the separate proxy chart [more info here](https://matrix.org/blog/2024/10/29/matrix-2.0-is-here/#1-simplified-sliding-sync))

#### ⚠️ Untested Features

These features still need to be tested, but are technically baked into the chart from the fork:
These features still need to be tested, but are technically baked into the chart from the fork or from previous versions of this chart:

- [mautrix/discord](https://github.com/mautrix/discord) - Discord bridge for syncing between matrix and Discord (we no longer test this directly but we're open to PRs to improve support!)
- [Coturn TURN server subchart](https://github.com/small-hack/coturn-chart) for VoIP calls (may not be needed in Matrix 2.0 API)
- Use of lightweight Exim relay
- [matrix-org/matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) IRC bridge
- [tulir/mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) WhatsApp bridge
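Review bot: the new `> [!IMPORTANT]` line still ends with a stray `**` ("Without it, this chart may not work!**"), carried over from the bold `**NOTE: ...**` line it replaces; drop the trailing `**`. In the same block, the `[!IMPORTANT]` and `[!WARNING]` quotes run together with no blank line between them, so Markdown folds them into a single blockquote and the second alert marker will not render as its own callout; insert a blank line between the two. Two nits while touching this text: the MAS bullet reads "for using [element-x] which recommends for OIDC auth", which is missing a word (e.g. "which recommends it for OIDC auth"), and if the "Features that may not be needed anymore" heading loses its only bullet here, remove the heading too rather than leaving an empty section.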
Expand All @@ -65,7 +64,6 @@ These features still need to be tested, but are technically baked into the chart
* [Federation](#federation)
* [Federation not Working](#federation-not-working)
* [Addiing Trusted Key Servers from an existing Secret](#addiing-trusted-key-servers-from-an-existing-secret)
* [Notes on using Matrix Sliding Sync](#notes-on-using-matrix-sliding-sync)
* [Notes on using MAS (Matrix Authentication Service)](#notes-on-using-mas-matrix-authentication-service)
* [Bridges](#bridges)
* [Alertmanager](#alertmanager)
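Review bot: the context line `* [Addiing Trusted Key Servers from an existing Secret](#addiing-trusted-key-servers-from-an-existing-secret)` carries a pre-existing typo ("Addiing") in both the link text and the anchor; since this hunk already edits the table of contents, it is a good moment to fix the entry together with its heading so the anchor keeps working.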
Expand Down Expand Up @@ -200,50 +198,6 @@ stringData:
ed25519:auto: abcdefghijklmnopqrstuvwxyz1234567890
```

## Notes on using Matrix Sliding Sync

To use [sliding sync](https://github.com/matrix-org/sliding-sync), which is required for [element-x], you'll need to ensure that requests to `.well-known/matrix/client` return the [correct json](https://github.com/matrix-org/sliding-sync/blob/main/README.md). To do that, you'll want update your `matrix.extra_well_known_client_content` values and set `syncv3.enabled` to `true`. Example below:

```yaml
matrix:
hostname: my-synapse-hostname.com
extra_well_known_client_content:
"org.matrix.msc3575.proxy":
"url": "https://your-sliding-sync-hostname.com"
syncv3:
# this enables this subchart: https://github.com/small-hack/matrix-sliding-sync-chart
# which deploys this: https://github.com/matrix-org/sliding-sync
enabled: true
server: "https://my-synapse-hostname.com"
secret: "this.is.a.test.secret"
bindaddr: "127.0.0.1:8008"
# note: you'll still have to actually fill out parameters
# under slidingSync.postgresql, but it is truncated here for brevity
# check out values.yaml for all possible slidingSync.postgresql values
postgresql:
enabled: true
```

After synapse is up, you should be able to verify it's returning correctly by doing:

```console
$ curl https://matrix.example.com/.well-known/matrix/client | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 136 100 136 0 0 1818 0 --:--:-- --:--:-- --:--:-- 1837
{
"m.homeserver": {
"base_url": "https://matrix.example.com"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.example.com"
}
}
```

## Notes on using MAS (Matrix Authentication Service)

MAS is currently the only way to use OIDC with [element-x]. If you're using MAS (Matrix Authentication Service), you'll need to set `mas.enabled` to `true`. You'll also need to setup proper routes for synapse to redirect to MAS. See example below:
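Review bot: removing this section leaves users who followed it with no migration guidance. Anyone upgrading from 17.x with `syncv3.enabled: true` and the `"org.matrix.msc3575.proxy"` key in `matrix.extra_well_known_client_content` will keep serving a `.well-known/matrix/client` document that points clients at a proxy the chart no longer deploys, so clients that still honour that key will fail to sync against a dead URL. Add a short upgrade note (here or in the new `[!WARNING]` callout) telling them to delete the `org.matrix.msc3575.proxy` entry and the whole `syncv3` values block, and keep the `curl https://matrix.example.com/.well-known/matrix/client | jq` check from the removed text as the way to confirm the stale key is gone.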
Expand Down Expand Up @@ -561,4 +515,3 @@ Our goal is to provide regular updates using renovatebot and provide some level
<!-- links -->
[element-x]: https://element.io/labs/element-x "element x link"
[sliding sync]: https://github.com/matrix-org/sliding-sync "matrix sliding sync"
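Review bot: with the `[sliding sync]` reference-style link definition removed, any surviving `[sliding sync]` usage elsewhere in README.md will render as literal brackets instead of a link; grep the file for that text before merging (the `[element-x]` definition stays, which is right since the MAS section still uses it).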
7 changes: 2 additions & 5 deletions charts/matrix/Chart.lock
Expand Up @@ -5,11 +5,8 @@ dependencies:
- name: coturn
repository: https://small-hack.github.io/coturn-chart
version: 7.0.4
- name: matrix-sliding-sync
repository: https://small-hack.github.io/matrix-sliding-sync-chart
version: 1.2.0
- name: matrix-authentication-service
repository: https://small-hack.github.io/matrix-authentication-service-chart
version: 1.1.0
digest: sha256:c6892321cbd9487d6b3f5cc6397d211f4cbdaa30f50372647d2fe4c725ddf118
generated: "2024-12-15T13:18:44.882396843Z"
digest: sha256:af15ea88fa54b0f325f5a2ae16bdc5c246d3f3dce81e72d2ae90630d876533bc
generated: "2024-12-15T14:23:06.762902+01:00"
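Review bot: the regenerated `generated:` stamp switched from a UTC `Z` suffix to a local `+01:00` offset, which shows the lock file was rebuilt on a workstation rather than by the automation that produced the previous one; harmless, but running `helm dependency update` in CI keeps `Chart.lock` reproducible. The digest change itself is expected once the `matrix-sliding-sync` dependency is dropped.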
12 changes: 3 additions & 9 deletions charts/matrix/Chart.yaml
Expand Up @@ -8,10 +8,10 @@ sources:

type: application

version: 17.4.0
version: 18.0.0

# renovate: image=matrixdotorg/synapse
appVersion: v1.117.0
# renovate: image=ghcr.io/element-hq/synapse
appVersion: v1.121.1

maintainers:
- name: "jessebot"
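Review bot: the bump to `18.0.0` is the right call, since dropping the `syncv3.*` values and the proxy subchart is a breaking change for existing installs; it should come with an upgrade note in the top-level README so that the major bump is explained. Separately, only the `# renovate: image=ghcr.io/element-hq/synapse` comment and `appVersion: v1.121.1` are visible here; the default Synapse image repository lives in `values.yaml`, which is not in the hunks shown, so confirm it was moved to `ghcr.io/element-hq/synapse` as the commit title states, otherwise renovate will track one image while the chart pulls another.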
Expand All @@ -28,12 +28,6 @@ dependencies:
repository: https://small-hack.github.io/coturn-chart
condition: coturn.enabled

- name: matrix-sliding-sync
version: 1.2.0
repository: https://small-hack.github.io/matrix-sliding-sync-chart
alias: syncv3
condition: syncv3.enabled

- name: matrix-authentication-service
alias: mas
version: 1.1.0
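Review bot: once the `matrix-sliding-sync` dependency and its `condition: syncv3.enabled` are gone, a user's leftover `syncv3:` block in their values is silently ignored (Helm does not reject unknown top-level keys), so an upgrade succeeds while the proxy quietly disappears. Consider a guard that fails the render when `.Values.syncv3.enabled` is still true, e.g. a `fail` call in a helper template or a `values.schema.json` that disallows the `syncv3` key, so the breaking change surfaces at `helm upgrade` time instead of when clients stop syncing.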
57 changes: 2 additions & 55 deletions charts/matrix/README.md
@@ -1,6 +1,6 @@
# matrix

![Version: 17.4.0](https://img.shields.io/badge/Version-17.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.117.0](https://img.shields.io/badge/AppVersion-v1.117.0-informational?style=flat-square)
![Version: 18.0.0](https://img.shields.io/badge/Version-18.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.121.1](https://img.shields.io/badge/AppVersion-v1.121.1-informational?style=flat-square)

A Helm chart to deploy a Matrix homeserver stack on Kubernetes

Expand All @@ -22,7 +22,6 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
|------------|------|---------|
| https://small-hack.github.io/coturn-chart | coturn | 7.0.4 |
| https://small-hack.github.io/matrix-authentication-service-chart | mas(matrix-authentication-service) | 1.1.0 |
| https://small-hack.github.io/matrix-sliding-sync-chart | syncv3(matrix-sliding-sync) | 1.2.0 |
| oci://registry-1.docker.io/bitnamicharts | postgresql | 16.3.1 |

## Values
Expand Down Expand Up @@ -285,7 +284,7 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
| bridges.hookshot.existingSecret.registration | string | `""` | optionally use existing kubernetes Secret for registration |
| bridges.hookshot.image.pullPolicy | string | `"IfNotPresent"` | hookshot bridge docker image pull policy. If tag is "latest", set tag to "Always" |
| bridges.hookshot.image.repository | string | `"halfshot/matrix-hookshot"` | hookshot bridge docker image |
| bridges.hookshot.image.tag | string | `"6.0.0"` | hookshot bridge docker image tag |
| bridges.hookshot.image.tag | string | `"6.0.1"` | hookshot bridge docker image tag |
| bridges.hookshot.passkey | string | `""` | If bridges.hookshot.passkey AND bridges.hookshot.existingSecret.passkey are BOTH empty strings, we will generate a passkey for you. To Generate yourself: openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 |
| bridges.hookshot.podSecurityContext | object | `{}` | hookshot pod security context |
| bridges.hookshot.registration.existingSecret | string | `""` | |
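Review bot: the hookshot tag bump from `6.0.0` to `6.0.1` is unrelated to the sliding-sync removal and the image change in the commit title; it would be easier to bisect and to revert as its own commit. While here, the context row `bridges.hookshot.image.pullPolicy` says 'If tag is "latest", set tag to "Always"', which should read 'set pullPolicy to "Always"', and the `bridges.hookshot.registration.existingSecret` row has an empty description; both come from `values.yaml` comments, so fix them there and let helm-docs regenerate the table.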
Expand Down Expand Up @@ -824,58 +823,6 @@ A Helm chart to deploy a Matrix homeserver stack on Kubernetes
| synapse.service.federation.type | string | `"ClusterIP"` | |
| synapse.service.port | int | `80` | service port for synapse |
| synapse.service.type | string | `"ClusterIP"` | service type for synpase |
| syncv3.enabled | bool | `false` | enable the sliding sync proxy (required for using element-x if using Synapse older than v1.114). You can see all possible values [here](https://github.com/small-hack/matrix-sliding-sync-chart). If enabled, you must also provide `matrix.extra_well_known_client_content`. After Synapse v1.114, this is no longer required. Learn more in the matrix [blog post](https://matrix.org/blog/2024/10/29/matrix-2.0-is-here/#1-simplified-sliding-sync) |
| syncv3.existingEnvSecret | string | `""` | existing kubernetes secret for ALL syncv3 env vars listed below. if set, ignores all values under syncv3 including syncv3.db and syncv3.otlp. |
| syncv3.externalDatabase.database | string | `"syncv3"` | name of the database to try and connect to |
| syncv3.externalDatabase.enabled | bool | `false` | enable using an external database *instead of* the Bitnami PostgreSQL sub-chart if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| syncv3.externalDatabase.hostname | string | `""` | hostname of db server. Can be left blank if using postgres subchart |
| syncv3.externalDatabase.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| syncv3.externalDatabase.port | int | `5432` | which port to use to connect to your database server |
| syncv3.externalDatabase.sslcert | string | `""` | optional: tls/ssl cert for postgresql connections |
| syncv3.externalDatabase.sslkey | string | `""` | optional: tls/ssl key for postgresql connections |
| syncv3.externalDatabase.sslmode | string | `""` | sslmode to use, example: verify-full |
| syncv3.externalDatabase.sslrootcert | string | `""` | optional: tls/ssl root cert for postgresql connections |
| syncv3.externalDatabase.username | string | `"syncv3"` | username of matrix-sliding-sync postgres user |
| syncv3.ingress.annotations | object | `{}` | |
| syncv3.ingress.className | string | `""` | |
| syncv3.ingress.enabled | bool | `false` | |
| syncv3.ingress.hosts[0].host | string | `"chart-example.local"` | |
| syncv3.ingress.hosts[0].paths[0].path | string | `"/"` | |
| syncv3.ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
| syncv3.ingress.tls | list | `[]` | |
| syncv3.networkPolicies.enabled | bool | `true` | whether to enable kubernetes network policies or not |
| syncv3.postgresql.enabled | bool | `false` | Whether to deploy the Bitnami Postgresql sub chart If postgresql.enabled is set to true, externalDatabase.enabled must be set to false else if externalDatabase.enabled is set to true, postgresql.enabled must be set to false |
| syncv3.postgresql.global.postgresql.auth.database | string | `"syncv3"` | name of the database |
| syncv3.postgresql.global.postgresql.auth.existingSecret | string | `""` | Name of existing secret to use for PostgreSQL credentials |
| syncv3.postgresql.global.postgresql.auth.password | string | `"changeme"` | password of matrix-sliding-sync postgres user - ignored using exsitingSecret |
| syncv3.postgresql.global.postgresql.auth.port | int | `5432` | which port to use to connect to your database server |
| syncv3.postgresql.global.postgresql.auth.secretKeys.adminPasswordKey | string | `"postgresPassword"` | key in existingSecret with the admin postgresql password |
| syncv3.postgresql.global.postgresql.auth.secretKeys.database | string | `"database"` | key in existingSecret with name of the database |
| syncv3.postgresql.global.postgresql.auth.secretKeys.databaseHostname | string | `"hostname"` | key in existingSecret with hostname of the database |
| syncv3.postgresql.global.postgresql.auth.secretKeys.databaseUsername | string | `"username"` | key in existingSecret with username for matrix to connect to db |
| syncv3.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existingSecret with password for matrix to connect to db |
| syncv3.postgresql.global.postgresql.auth.username | string | `"syncv3"` | username of matrix-sliding-sync postgres user |
| syncv3.postgresql.persistence.enabled | bool | `false` | |
| syncv3.postgresql.volumePermissions.enabled | bool | `true` | Enable init container that changes the owner and group of the PVC |
| syncv3.syncv3.bindaddr | string | `"0.0.0.0:8008"` | SYNCV3_BINDADDR - The interface and port to listen on. (Supports unix socket: /path/to/socket) |
| syncv3.syncv3.db | string | `""` | SYNCV3_DB - db connection string: https://www.postgresql.org/docs/current/libpq-connect.html if db is empty, you must either provide postgresql or externalDatabase parameters, OR set syncv3.existingDbSecret and syncv3.dbSecretKey |
| syncv3.syncv3.dbSecretKey | string | `"SYNCV3_DB"` | db key in existing Db Secret for |
| syncv3.syncv3.existingDbSecret | string | `""` | use an existing kubernetes secret for the db connection connection string. if set, ignores syncv3.db |
| syncv3.syncv3.existingSyncv3Secret | string | `""` | if set, we'll grab your SYNCV3_SECRET from an existing kubernetes secret and ignore syncv3.secret |
| syncv3.syncv3.logLevel | string | `"info"` | SYNCV3_LOG_LEVEL - The level of verbosity for messages logged. Available values are trace, debug, info, warn, error and fatal |
| syncv3.syncv3.maxDbConn | string | `""` | SYNCV3_MAX_DB_CONN - Default: unset. Max database connections to use when communicating with postgres. Unset or 0 means no limit. |
| syncv3.syncv3.otlp.existingSecret | string | `""` | |
| syncv3.syncv3.otlp.password | string | `""` | SYNCV3_OTLP_PASSWORD - Default: unset. The OTLP password for Basic auth. If unset, does not send an Authorization header. |
| syncv3.syncv3.otlp.url | string | `""` | SYNCV3_OTLP_URL - Default: unset. The OTLP HTTP URL to send spans to e.g https://localhost:4318 - if unset does not send OTLP traces. |
| syncv3.syncv3.otlp.username | string | `""` | SYNCV3_OTLP_USERNAME - Default: unset. The OTLP username for Basic auth. If unset, does not send an Authorization header. |
| syncv3.syncv3.pprof | string | `""` | SYNCV3_PPROF - Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen. |
| syncv3.syncv3.prom | string | `""` | SYNCV3_PROM - Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address. |
| syncv3.syncv3.secret | string | `""` | SYNCV3_SECRET - Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database. If both syncv3.secret and syncv3.existingSecret are not set, we will autogenerate this value |
| syncv3.syncv3.sentryDsn | string | `""` | SYNCV3_SENTRY_DSN - Default: unset. The Sentry DSN to report events to e.g https://[email protected]/123 - if unset does not send sentry events. |
| syncv3.syncv3.server | string | `""` | SYNCV3_SERVER - Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org' (Supports unix socket: /path/to/socket) |
| syncv3.syncv3.syncv3SecretKey | string | `"SYNCV3_SECRET"` | secret key to get synvcv3 secret from in existing kubernetes secret. |
| syncv3.syncv3.tlsCert | string | `""` | SYNCV3_TLS_CERT - Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address. |
| syncv3.syncv3.tlsKey | string | `""` | SYNCV3_TLS_KEY - Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file. |
| volumes.extraPipPackages.capacity | string | `"100Mi"` | Capacity of the extra pip packages PVC. Note: 1Mi is more than enough, but some cloud providers set a min PVC size of 1Mi or 1Gi, adjust as necessary |
| volumes.extraPipPackages.existingClaim | string | `""` | name of an existing persistent volume claim for the extra pip packages |
| volumes.extraPipPackages.storageClass | string | `""` | Storage class (optional) |
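Review bot: these rows are helm-docs output, so their disappearance means the whole `syncv3` block (including the `changeme` default passwords and the `SYNCV3_SECRET` handling) was dropped from `values.yaml`, yet that file is not among the hunks shown; confirm it is part of this commit and that no template under `templates/` still references `.Values.syncv3`, otherwise rendering will fail with a nil-pointer error on upgrade. The context row `synapse.service.type` still carries the "service type for synpase" typo; fix it in the `values.yaml` comment so the regenerated table picks it up.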
Binary file removed charts/matrix/charts/matrix-sliding-sync-1.2.0.tgz