Skip to content

fix(membership): wizard Job uses migration ServiceAccount#388

Merged
Dav-14 merged 2 commits into
mainfrom
fix/membership-wizard-job-sa
Jun 24, 2026
Merged

fix(membership): wizard Job uses migration ServiceAccount#388
Dav-14 merged 2 commits into
mainfrom
fix/membership-wizard-job-sa

Conversation

@Dav-14

@Dav-14 Dav-14 commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

When feature.migrationHooks=true, the wizard Job in the membership chart picks up core.job.annotations (via the merge .Values.config.wizard.job.annotations block at the top of wizard/job.yaml) and renders as a pre-install,pre-upgrade hook with weight 10. The Job was still pointing its serviceAccountName at core.serviceAccountName — the regular ServiceAccount, a plain release resource. Hooks are installed before release resources, so the wizard pod can't schedule: serviceaccount "<name>" not found.

Switching to core.postgres.job.serviceAccountName reuses the migration Job's SA, which core.postgres.job.sa.annotations already marks as a hook at weight 0 (i.e. it's created before the wizard tries to mount it). ArgoCD's hook translation lines up the same way. No new value knobs: the wizard needs the same Postgres/IAM access as the migration Job, and operators already configure that via config.migration.serviceAccount.annotations.

This is the same class of fix as #358 (which made the migration Job + its SA stable under Helm and ArgoCD) — extended to the wizard, which had been overlooked because it lives under wizard/.

Cascade: membership 3.6.0 → 3.6.1, cloudprem 4.10.0 → 4.10.1, formance 1.14.0 → 1.14.1.

Test plan

  • Render with feature.migrationHooks=true and confirm the wizard Job's serviceAccountName resolves to the migration SA.
  • Render with feature.migrationHooks=false and confirm nothing else changes (the helper falls back to the same name as before in that path).
  • Deploy to a dev env and verify the wizard pod schedules on first upgrade after enabling migrationHooks.

@Dav-14 Dav-14 requested a review from a team as a code owner June 22, 2026 14:58
@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 828f350c-cb5b-4103-8f71-308b076f3607

📥 Commits

Reviewing files that changed from the base of the PR and between 85e0169 and 4610a38.

⛔ Files ignored due to path filters (7)
  • charts/cloudprem/Chart.lock is excluded by !**/*.lock, !**/*.lock
  • charts/cloudprem/Chart.yaml is excluded by !**/*.yaml
  • charts/formance/Chart.lock is excluded by !**/*.lock, !**/*.lock
  • charts/formance/Chart.yaml is excluded by !**/*.yaml
  • charts/membership/Chart.yaml is excluded by !**/*.yaml
  • charts/membership/templates/wizard/configmap.yaml is excluded by !**/*.yaml
  • charts/membership/templates/wizard/job.yaml is excluded by !**/*.yaml
📒 Files selected for processing (4)
  • README.md
  • charts/cloudprem/README.md
  • charts/formance/README.md
  • charts/membership/README.md
✅ Files skipped from review due to trivial changes (3)
  • charts/formance/README.md
  • charts/cloudprem/README.md
  • charts/membership/README.md

Walkthrough

Version badges were updated in the root README.md charts table and in the individual chart READMEs for cloudprem, formance, and membership.

Changes

Helm Chart Version Badge Bumps

Layer / File(s) Summary
Version bumps across all READMEs
README.md, charts/cloudprem/README.md, charts/formance/README.md, charts/membership/README.md
Root README table entries and per-chart version badges were updated for cloudprem (4.10.0→4.10.1), formance (1.14.2→1.14.3), and membership (3.6.0→3.6.1).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • formancehq/helm#176: Updates the same root README chart table and per-chart chart READMEs with chart version bumps.
  • formancehq/helm#360: Also updates charts/formance/README.md and the root chart version table.
  • formancehq/helm#383: Updates the same three chart READMEs and the root README table with version bumps.

Suggested reviewers

  • sylr

Poem

🐇 Hop-hop, the badges all gleam,
Three chart versions drift with the stream.
A tiny bump here, a tiny bump ત્યાં,
And every README sings “ta-da!”

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main fix: the membership wizard Job now uses the migration ServiceAccount.
Description check ✅ Passed The description is directly related to the ServiceAccount fix and version bumps described in the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/membership-wizard-job-sa

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added bug Something isn't working docs release labels Jun 22, 2026

@NumaryBot NumaryBot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Changes requested — automated review

The main fix works for the hook-created migration ServiceAccount path, but it introduces a scheduling failure for configurations that disable creation of the migration ServiceAccount without naming an existing one. That is a regression for the wizard Job.

securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
serviceAccountName: {{ include "core.serviceAccountName" . }}
serviceAccountName: {{ include "core.postgres.job.serviceAccountName" . }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [major] Keep wizard on an existing SA when migration SA is disabled

When config.migration.serviceAccount.create=false and no config.migration.serviceAccount.name is supplied, this helper renders default-migrate, but the chart does not create that ServiceAccount. The wizard Job previously used core.serviceAccountName in this configuration, so it could run with the normal chart/default SA; after this change the wizard pod will fail to schedule unless operators manually create default-migrate or set a name.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this problem will be resolved in another pr

flemzord
flemzord previously approved these changes Jun 22, 2026

@NumaryBot NumaryBot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Changes requested — automated review

The patch fixes the hook ordering case but also changes the rendered ServiceAccount for the default non-hook path, which can break existing configurations that only provision/configure the regular ServiceAccount.

securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
serviceAccountName: {{ include "core.serviceAccountName" . }}
serviceAccountName: {{ include "core.postgres.job.serviceAccountName" . }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [major] Preserve the existing SA when hooks are disabled

When feature.migrationHooks=false, this still switches the wizard Job from the regular core.serviceAccountName to the migration ServiceAccount. In the non-hook path there is no hook-ordering issue, and installs that only configure IAM/RBAC on serviceAccount.annotations (or disable/create a differently named migration SA) will now run the wizard with an unconfigured or missing ServiceAccount even though hooks are off. Consider keeping the previous ServiceAccount unless migration hooks are enabled.

@Dav-14 Dav-14 Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the helper already does that job ?

@Dav-14 Dav-14 enabled auto-merge (squash) June 23, 2026 07:54
@Dav-14 Dav-14 requested a review from flemzord June 23, 2026 07:54
Dav-14 added 2 commits June 24, 2026 15:18
The wizard Job picks up `core.job.annotations` (via
`merge .Values.config.wizard.job.annotations`), so when
`feature.migrationHooks=true` it renders as a `pre-install,pre-upgrade`
hook at weight `10`. The Job was still pointing at
`core.serviceAccountName` — the regular SA, which is a plain release
resource. Hooks run before release resources are installed, so the
wizard pod can't schedule: the SA doesn't exist yet.

Switching to `core.postgres.job.serviceAccountName` reuses the
migration Job's SA, which `core.postgres.job.sa.annotations` already
marks as a hook at weight `0`. The SA exists before the wizard pod
tries to mount it, and ArgoCD's hook translation lines up the same
way. No new value knobs: the wizard needs the same Postgres/IAM
access as the migration Job, and operators already configure that on
`config.migration.serviceAccount.annotations`.

Cascade: bumps membership 3.6.0 → 3.6.1, cloudprem 4.10.0 → 4.10.1,
formance 1.14.2 → 1.14.3.
The wizard Job mounts a ConfigMap (`<release>-wizard`) for its
`/config/config.yaml`. When `feature.migrationHooks=true` the Job
renders as a `pre-install,pre-upgrade` hook, but the ConfigMap was a
plain release resource — applied after hooks, so the wizard pod's
`volumes` reference points at nothing and the container fails to
start with `CreateContainerConfigError`.

Annotates the ConfigMap with `core.job.annotations` so it lands in
the same `pre-install,pre-upgrade` wave as the Job. Both at weight
`10`: Helm/Argo apply weight-10 hooks as a batch, and k8s retries
the pod's mount until the ConfigMap exists — soft race, but
consistent with the Job's own gating and avoids dragging the
ConfigMap into the weight-`0` SA tier.
@Dav-14 Dav-14 force-pushed the fix/membership-wizard-job-sa branch from ab80b58 to 4610a38 Compare June 24, 2026 13:22

@NumaryBot NumaryBot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Changes requested — automated review

The hook-mode issue is addressed, but the ServiceAccount change is unconditional and changes/breaks non-hook configurations that previously rendered a schedulable wizard Job.

securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
serviceAccountName: {{ include "core.serviceAccountName" . }}
serviceAccountName: {{ include "core.postgres.job.serviceAccountName" . }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [major] Use the migration ServiceAccount only when hooks need it

When feature.migrationHooks=false this still switches the wizard Job from core.serviceAccountName to core.postgres.job.serviceAccountName, so existing non-hook installs start running the wizard under the migration SA instead of the chart's normal SA. In particular, if operators set config.migration.serviceAccount.create=false without providing a migration SA name, this renders default-migrate even though that ServiceAccount is not created by the chart, whereas the previous template used the regular default/configured service account and could schedule.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the helper already does that job and know about wether to use the global / job serviceAccount

@Dav-14 Dav-14 requested a review from NumaryBot June 24, 2026 13:25
@Dav-14 Dav-14 merged commit d9a98b1 into main Jun 24, 2026
5 checks passed
@Dav-14 Dav-14 deleted the fix/membership-wizard-job-sa branch June 24, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working docs release

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants