fix(core): make migration Job hooks stable across Helm + ArgoCD

[Dav-14]

Summary

core.job.annotations has hit three real-world failures across Formance projects (membership, portal, console-v3 — and any chart that consumes it):

1. Identity flip on first upgrade. Conditional {{- if and (not .Release.IsInstall) .Values.feature.migrationHooks }} meant the Job was a plain release resource on helm install and a pre-upgrade hook on the next helm upgrade. Helm tracks hooks outside the release manifest, so the resource flips identity. First upgrade after enabling the feature fails with Job already exists; helm uninstall later leaves orphans.
2. hook-succeeded swallowed logs, leaving kubectl logs empty post-migration when operators try to investigate failures.
3. ArgoCD's helm template mode ignored Helm hook annotations entirely, so under Argo the Job re-applied on every sync as a plain resource and tripped Job-spec immutability on the second sync.

Changes

• Rewrite core.job.annotations to always emit hook annotations covering Helm install + Helm upgrade + ArgoCD sync:

  helm.sh/hook: pre-install,pre-upgrade
  helm.sh/hook-delete-policy: before-hook-creation
  helm.sh/hook-weight: "10"
  argocd.argoproj.io/hook: PreSync
  argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
  argocd.argoproj.io/sync-wave: "10"

• Restore core.postgres.job.sa.annotations from a deprecated alias to a real helper. SA now uses hook-weight: "0" / sync-wave: "0" so it's created BEFORE the Job that references it (previously both were weight 10 → SA could be missing when the Job's pod tried to schedule).
• feature.migrationHooks is no longer consulted. Hooks are always emitted because every other mode is broken in some way. Consumers can drop the value with no behaviour change. The old alias core.postgres.job.annotations is kept (still deprecated) for backward compat.
• Bump core to 1.6.0 (minor: helper semantics change, no breaking API).

What this lets consumer charts do

• Stop using feature.migrationHooks.
• Get a clean pre-install,pre-upgrade lifecycle on plain Helm AND a clean PreSync lifecycle on ArgoCD.
• Use a dedicated migration ServiceAccount via core.postgres.job.serviceAccountName + core.postgres.job.sa.annotations without the SA-not-yet-existing race.

Test plan

• helm install + helm upgrade cycle: Job is a hook on both, identity stable, no orphans.
• ArgoCD sync: Job runs as PreSync, recreated each sync via BeforeHookCreation.
• Failed migration: Job pod stays around for kubectl logs.
• Successful migration: Job cleaned up by ttlSecondsAfterFinished, not by Helm hook policy.
• Consumer chart (terraform-hcp-proxy) updated to use the new helpers — see follow-up PR.

🤖 Generated with Claude Code

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 281fa185-f9a0-437c-abbc-b16f8ecc11f1

📥 Commits

Reviewing files that changed from the base of the PR and between a3f9e1e and 0f394bb.

⛔ Files ignored due to path filters (1)

• charts/core/Chart.yaml is excluded by !**/*.yaml

📒 Files selected for processing (2)

• charts/core/templates/_job.tpl
• charts/core/templates/_postgres.tpl

---

Walkthrough

The Helm Job template annotation strategy is consolidated to unconditionally apply combined Helm and ArgoCD hook annotations (pre-install, pre-upgrade, PreSync) with synchronized policies. The Postgres Job template is updated to delegate to the refactored base template and add explicit service-account-specific hook metadata.

Changes

Hook Annotation Consolidation

Layer / File(s)	Summary
Base Template & Documentation charts/core/templates/_job.tpl	Job annotation docstring and core.job.annotations block replaced; conditional pre-upgrade gating removed in favor of unconditional, combined Helm (pre-install, pre-upgrade) and ArgoCD (PreSync) hooks with unified hook-delete-policy and sync-wave.
Dependent Template Updates charts/core/templates/_postgres.tpl	core.postgres.job.annotations redefined with deprecation note delegating to core.job.annotations; new core.postgres.job.sa.annotations added with explicit Helm/ArgoCD hook metadata (pre-install, pre-upgrade, hook-weight, PreSync, BeforeHookCreation) for service-account migrations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

A rabbit hops through Helm charts with glee, 🐰
No more conditions to gate what should be,
Hooks sync together, Argo and Helm as one,
Migrations run smooth—the refactoring's done! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the primary change: making migration Job hooks stable across Helm and ArgoCD deployment systems.
Description check	✅ Passed	The description comprehensively documents the three real-world failures being fixed, the specific changes made, and the test plan for verification.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/job-hooks-and-migration-sa

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}