fix(membership): wizard Job uses migration ServiceAccount

[Dav-14]

Summary

When feature.migrationHooks=true, the wizard Job in the membership chart picks up core.job.annotations (via the merge .Values.config.wizard.job.annotations block at the top of wizard/job.yaml) and renders as a pre-install,pre-upgrade hook with weight 10. The Job was still pointing its serviceAccountName at core.serviceAccountName — the regular ServiceAccount, a plain release resource. Hooks are installed before release resources, so the wizard pod can't schedule: serviceaccount "<name>" not found.

Switching to core.postgres.job.serviceAccountName reuses the migration Job's SA, which core.postgres.job.sa.annotations already marks as a hook at weight 0 (i.e. it's created before the wizard tries to mount it). ArgoCD's hook translation lines up the same way. No new value knobs: the wizard needs the same Postgres/IAM access as the migration Job, and operators already configure that via config.migration.serviceAccount.annotations.

This is the same class of fix as #358 (which made the migration Job + its SA stable under Helm and ArgoCD) — extended to the wizard, which had been overlooked because it lives under wizard/.

Cascade: membership 3.6.0 → 3.6.1, cloudprem 4.10.0 → 4.10.1, formance 1.14.0 → 1.14.1.

Test plan

• Render with feature.migrationHooks=true and confirm the wizard Job's serviceAccountName resolves to the migration SA.
• Render with feature.migrationHooks=false and confirm nothing else changes (the helper falls back to the same name as before in that path).
• Deploy to a dev env and verify the wizard pod schedules on first upgrade after enabling migrationHooks.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• charts/membership/templates/wizard/configmap.yaml is excluded by !**/*.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 24104e87-324f-4979-87a3-ce60f08494ad

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Version badges updated in the root README.md Helm charts table and in the individual chart READMEs: cloudprem bumped from 4.10.0 to 4.10.1, formance from 1.14.0 to 1.14.1, and membership from 3.6.0 to 3.6.1.

Changes

Helm Chart Version Badge Bumps

Layer / File(s)	Summary
Version bumps across all READMEs README.md, charts/cloudprem/README.md, charts/formance/README.md, charts/membership/README.md	Root README table entries and per-chart Artifact Hub/version badges updated for cloudprem (4.10.0→4.10.1), formance (1.14.0→1.14.1), and membership (3.6.0→3.6.1).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• formancehq/helm#383: Updates the same three chart READMEs (cloudprem, formance, membership) and root README table with equivalent patch version bumps.
• formancehq/helm#372: Bumps the formance chart version badge in charts/formance/README.md and the root README table entry, identical change pattern.
• formancehq/helm#374: Updates charts/membership/README.md version badge, same documentation artifact and bump pattern.

Suggested labels

docs, release

Suggested reviewers

• sylr

Poem

🐇 Hop, hop, hooray, the versions align,
Three badges now shimmer and perfectly shine!
Cloudprem, formance, and membership too,
Each patch bumped with care, each README brand new.
A rabbit rejoices — the charts are in sync! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title describes fixing a wizard Job's ServiceAccount issue in the membership chart, which is the core functional change, though the title doesn't mention the version bumps also included in the changeset.
Description check	✅ Passed	The PR description provides a detailed explanation of the ServiceAccount resolution issue, the solution, and references to related fixes, directly corresponding to the actual changes made.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/membership-wizard-job-sa

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[NumaryBot]

🛑 Changes requested — automated review

The main fix works for the hook-created migration ServiceAccount path, but it introduces a scheduling failure for configurations that disable creation of the migration ServiceAccount without naming an existing one. That is a regression for the wizard Job.

[NumaryBot]

🟠 [major] Keep wizard on an existing SA when migration SA is disabled

When config.migration.serviceAccount.create=false and no config.migration.serviceAccount.name is supplied, this helper renders default-migrate, but the chart does not create that ServiceAccount. The wizard Job previously used core.serviceAccountName in this configuration, so it could run with the normal chart/default SA; after this change the wizard pod will fail to schedule unless operators manually create default-migrate or set a name.

[NumaryBot]

🛑 Changes requested — automated review

The patch fixes the hook ordering case but also changes the rendered ServiceAccount for the default non-hook path, which can break existing configurations that only provision/configure the regular ServiceAccount.

[NumaryBot]

🟠 [major] Preserve the existing SA when hooks are disabled

When feature.migrationHooks=false, this still switches the wizard Job from the regular core.serviceAccountName to the migration ServiceAccount. In the non-hook path there is no hook-ordering issue, and installs that only configure IAM/RBAC on serviceAccount.annotations (or disable/create a differently named migration SA) will now run the wizard with an unconfigured or missing ServiceAccount even though hooks are off. Consider keeping the previous ServiceAccount unless migration hooks are enabled.