From 85e0169bf9dcc32aabe06613cbd3ce4673e69e92 Mon Sep 17 00:00:00 2001
From: David Ragot <35502263+Dav-14@users.noreply.github.com>
Date: Mon, 22 Jun 2026 16:54:06 +0200
Subject: [PATCH 1/2] fix(membership): wizard Job uses migration ServiceAccount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The wizard Job picks up `core.job.annotations` (via
`merge .Values.config.wizard.job.annotations`), so when
`feature.migrationHooks=true` it renders as a `pre-install,pre-upgrade`
hook at weight `10`. The Job was still pointing at
`core.serviceAccountName` — the regular SA, which is a plain release
resource. Hooks run before release resources are installed, so the
wizard pod can't schedule: the SA doesn't exist yet.

Switching to `core.postgres.job.serviceAccountName` reuses the
migration Job's SA, which `core.postgres.job.sa.annotations` already
marks as a hook at weight `0`. The SA exists before the wizard pod
tries to mount it, and ArgoCD's hook translation lines up the same
way. No new value knobs: the wizard needs the same Postgres/IAM
access as the migration Job, and operators already configure that on
`config.migration.serviceAccount.annotations`.

Cascade: bumps membership 3.6.0 → 3.6.1, cloudprem 4.10.0 → 4.10.1,
formance 1.14.0 → 1.14.1.
---
 README.md                                   | 6 +++---
 charts/cloudprem/Chart.lock                 | 6 +++---
 charts/cloudprem/Chart.yaml                 | 2 +-
 charts/cloudprem/README.md                  | 2 +-
 charts/formance/Chart.lock                  | 6 +++---
 charts/formance/Chart.yaml                  | 2 +-
 charts/formance/README.md                   | 2 +-
 charts/membership/Chart.yaml                | 2 +-
 charts/membership/README.md                 | 2 +-
 charts/membership/templates/wizard/job.yaml | 2 +-
 10 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index cfe7ee24..1017d61c 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,11 @@
 | Readme | Chart Version | App Version | Description | Hub |
 |--------|---------------|-------------|-------------|-----|
 | [Agent](./charts/agent/README.md) | 2.15.0 | v2.10.0 | Formance Membership Agent Helm Chart | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/agent)](https://artifacthub.io/packages/search?repo=agent) |
-| [Cloudprem](./charts/cloudprem/README.md) | 4.10.0 | latest | Formance control-plane | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cloudprem)](https://artifacthub.io/packages/search?repo=cloudprem) |
+| [Cloudprem](./charts/cloudprem/README.md) | 4.10.1 | latest | Formance control-plane | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cloudprem)](https://artifacthub.io/packages/search?repo=cloudprem) |
 | [Console-V3](./charts/console-v3/README.md) | 3.7.0 | v2.6.2 | Formance Console | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/console-v3)](https://artifacthub.io/packages/search?repo=console-v3) |
 | [Core](./charts/core/README.md) | 1.6.0 | latest | Formance Core Library | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/core)](https://artifacthub.io/packages/search?repo=core) |
-| [Formance](./charts/formance/README.md) | 1.14.0 | latest | Formance Platform - Unified Helm Chart | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/formance)](https://artifacthub.io/packages/search?repo=formance) |
-| [Membership](./charts/membership/README.md) | 3.6.0 | v2.5.0 | Formance EE Membership API. Manage stacks, organizations, regions, invitations, users, roles, and permissions. | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/membership)](https://artifacthub.io/packages/search?repo=membership) |
+| [Formance](./charts/formance/README.md) | 1.14.1 | latest | Formance Platform - Unified Helm Chart | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/formance)](https://artifacthub.io/packages/search?repo=formance) |
+| [Membership](./charts/membership/README.md) | 3.6.1 | v2.5.0 | Formance EE Membership API. Manage stacks, organizations, regions, invitations, users, roles, and permissions. | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/membership)](https://artifacthub.io/packages/search?repo=membership) |
 | [Portal](./charts/portal/README.md) | 3.7.0 | v2.6.2 | Formance Portal | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/portal)](https://artifacthub.io/packages/search?repo=portal) |
 | [Regions](./charts/regions/README.md) | 3.11.0 | latest | Formance Private Regions Helm Chart | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/regions)](https://artifacthub.io/packages/search?repo=regions) |
 | [Stargate](./charts/stargate/README.md) | 0.11.0 | latest | Formance EE Stargate gRPC Gateway | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/stargate)](https://artifacthub.io/packages/search?repo=stargate) |
diff --git a/charts/cloudprem/Chart.lock b/charts/cloudprem/Chart.lock
index b5832ec1..305d5f21 100644
--- a/charts/cloudprem/Chart.lock
+++ b/charts/cloudprem/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: membership
   repository: file://../membership
-  version: 3.6.0
+  version: 3.6.1
 - name: portal
   repository: file://../portal
   version: 3.7.0
 - name: console-v3
   repository: file://../console-v3
   version: 3.7.0
-digest: sha256:daed3f4af5ace511de313180abe29e55726644ec51b9acd1a895b1e66ed41369
-generated: "2026-06-22T09:33:02.325748+02:00"
+digest: sha256:5fb552ea26996bc58762b3c7f7cc37c176e3e8863be3fc2691e4f93e5d2c593e
+generated: "2026-06-22T16:53:05.544004+02:00"
diff --git a/charts/cloudprem/Chart.yaml b/charts/cloudprem/Chart.yaml
index d8532ffe..6a0d832d 100644
--- a/charts/cloudprem/Chart.yaml
+++ b/charts/cloudprem/Chart.yaml
@@ -31,7 +31,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.10.0
+version: 4.10.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/cloudprem/README.md b/charts/cloudprem/README.md
index 47548000..749f350a 100644
--- a/charts/cloudprem/README.md
+++ b/charts/cloudprem/README.md
@@ -1,7 +1,7 @@
 # Formance cloudprem Helm chart
 
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/cloudprem)](https://artifacthub.io/packages/search?repo=cloudprem)
-![Version: 4.10.0](https://img.shields.io/badge/Version-4.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 4.10.1](https://img.shields.io/badge/Version-4.10.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Formance control-plane
 
diff --git a/charts/formance/Chart.lock b/charts/formance/Chart.lock
index a1735b59..c40f73d4 100644
--- a/charts/formance/Chart.lock
+++ b/charts/formance/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
   version: 3.11.0
 - name: cloudprem
   repository: file://../cloudprem
-  version: 4.10.0
-digest: sha256:e6e6353c32fc72665265ce60d619cb75a12a10de216257d8a5629abefb57d658
-generated: "2026-06-22T09:33:03.509948+02:00"
+  version: 4.10.1
+digest: sha256:49322c49a4facc37512fd41c2b0644eccc46d4c834ef4642662b4bb5bb7c53e1
+generated: "2026-06-22T16:53:06.658696+02:00"
diff --git a/charts/formance/Chart.yaml b/charts/formance/Chart.yaml
index 7b77a1db..3d1f64a5 100644
--- a/charts/formance/Chart.yaml
+++ b/charts/formance/Chart.yaml
@@ -10,7 +10,7 @@ maintainers:
 icon: "https://avatars.githubusercontent.com/u/84325077?s=200&v=4"
 
 type: application
-version: 1.14.0
+version: 1.14.1
 appVersion: "latest"
 # The "-0" suffix is required for GKE compatibility. GKE versions contain
 # build metadata like "v1.33.5-gke.2392000" which semver treats as pre-release.
diff --git a/charts/formance/README.md b/charts/formance/README.md
index 50fc6413..9c0f0ed2 100644
--- a/charts/formance/README.md
+++ b/charts/formance/README.md
@@ -1,6 +1,6 @@
 # formance
 
-![Version: 1.14.0](https://img.shields.io/badge/Version-1.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.14.1](https://img.shields.io/badge/Version-1.14.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Formance Platform - Unified Helm Chart
 
diff --git a/charts/membership/Chart.yaml b/charts/membership/Chart.yaml
index 5ba57862..1024d689 100644
--- a/charts/membership/Chart.yaml
+++ b/charts/membership/Chart.yaml
@@ -22,7 +22,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.6.0
+version: 3.6.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/membership/README.md b/charts/membership/README.md
index 5af76724..8b4b7bc0 100644
--- a/charts/membership/README.md
+++ b/charts/membership/README.md
@@ -1,6 +1,6 @@
 # Formance membership Helm chart
 
-![Version: 3.6.0](https://img.shields.io/badge/Version-3.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.5.0](https://img.shields.io/badge/AppVersion-v2.5.0-informational?style=flat-square)
+![Version: 3.6.1](https://img.shields.io/badge/Version-3.6.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.5.0](https://img.shields.io/badge/AppVersion-v2.5.0-informational?style=flat-square)
 Formance EE Membership API. Manage stacks, organizations, regions, invitations, users, roles, and permissions.
 
 ## Requirements
diff --git a/charts/membership/templates/wizard/job.yaml b/charts/membership/templates/wizard/job.yaml
index 891ccff2..b2970b55 100644
--- a/charts/membership/templates/wizard/job.yaml
+++ b/charts/membership/templates/wizard/job.yaml
@@ -19,7 +19,7 @@ spec:
       restartPolicy: OnFailure
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      serviceAccountName: {{ include "core.serviceAccountName" . }}
+      serviceAccountName: {{ include "core.postgres.job.serviceAccountName" . }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

From ab80b58037717d3a38101129e933693f756a3620 Mon Sep 17 00:00:00 2001
From: David Ragot <35502263+Dav-14@users.noreply.github.com>
Date: Mon, 22 Jun 2026 17:46:22 +0200
Subject: [PATCH 2/2] fix(membership): make wizard ConfigMap a hook too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The wizard Job mounts a ConfigMap (`<release>-wizard`) for its
`/config/config.yaml`. When `feature.migrationHooks=true` the Job
renders as a `pre-install,pre-upgrade` hook, but the ConfigMap was a
plain release resource — applied after hooks, so the wizard pod's
`volumes` reference points at nothing and the container fails to
start with `CreateContainerConfigError`.

Annotates the ConfigMap with `core.job.annotations` so it lands in
the same `pre-install,pre-upgrade` wave as the Job. Both at weight
`10`: Helm/Argo apply weight-10 hooks as a batch, and k8s retries
the pod's mount until the ConfigMap exists — soft race, but
consistent with the Job's own gating and avoids dragging the
ConfigMap into the weight-`0` SA tier.
---
 charts/membership/templates/wizard/configmap.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/charts/membership/templates/wizard/configmap.yaml b/charts/membership/templates/wizard/configmap.yaml
index e8fb4cb9..08582159 100644
--- a/charts/membership/templates/wizard/configmap.yaml
+++ b/charts/membership/templates/wizard/configmap.yaml
@@ -5,6 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "core.labels" . | nindent 4 }}
+  {{- with (include "core.job.annotations" . | fromYaml) }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 data:
   config.yaml: |-
     wizard: