feat(plugin-fees): add multi-tenant support and fix AVP secret rendering #1229
Merged
Adds MULTI_TENANT_* configmap and secret fields (conditional on MULTI_TENANT_ENABLED=true) following the matcher and plugin-br-bank-transfer chart patterns. Includes required validation for critical fields, useExistingSecret guard on the in-tree Secret, and checksum annotations to trigger pod restarts on config/secret changes. Migrates the fees Secret from `data:` + `b64enc` to `stringData:` to fix silent argocd-vault-plugin substitution failures. The previous pattern base64-encoded the `<path:...>` placeholder before AVP could resolve it, causing chart defaults to be used in production instead of the actual Vault values.
Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

This pull request updates the plugin-fees Helm chart from v5.0.0 to v5.1.0, introducing multi-tenant support via tenant-manager. Changes include new ConfigMap and Secret fields for multi-tenant configuration, migration of Secret storage format from Base64-encoded data to plaintext stringData, pod annotation checksums to trigger rollouts on resource changes, and corresponding values.yaml entries.
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026

## (2026-04-17)

### Features

* **plugin-fees:** add IAM Roles Anywhere sidecar support ([d9621a1](d9621a1))
* **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209))
* **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac))

### Bug Fixes

* **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b))
* **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392))
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026

## (2026-04-17)

### Features

* **plugin-fees:** add IAM Roles Anywhere sidecar support ([d9621a1](d9621a1))
* **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209))
* **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac))

### Bug Fixes

* **configmap:** add new configuration options for deployment mode, private upstreams, and reconciliation settings ([f1a475e](f1a475e))
* **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b))
* **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392))
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026

## (2026-04-17)

### Features

* **plugin-fees:** add IAM Roles Anywhere sidecar support ([d9621a1](d9621a1))
* **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209))
* **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac))

### Bug Fixes

* **product-console:** add image annotation for product-console 1.6.0 ([03c927c](03c927c))
* **configmap:** add new configuration options for deployment mode, private upstreams, and reconciliation settings ([f1a475e](f1a475e))
* **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b))
* **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392))
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026

## (2026-04-17)

### Features

* **plugin-fees:** add IAM Roles Anywhere sidecar support ([d9621a1](d9621a1))
* **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209))
* **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac))

### Bug Fixes

* **product-console:** add image annotation for product-console 1.6.0 ([03c927c](03c927c))
* **configmap:** add new configuration options for deployment mode, private upstreams, and reconciliation settings ([f1a475e](f1a475e))
* **product-console:** remove inconsistent artifacthub image annotation ([77e46c4](77e46c4))
* **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b))
* **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392))
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026
## (2026-04-17) ### ⚠ BREAKING CHANGES * **plugin-access-manager:** Values path changed from 'auth.backend.migrations.image' (string) to 'auth.backend.migrations.image.repository' + '.tag' (object). Same for 'auth.initUser.image' and 'auth.initUser.imagePullPolicy'. Existing values overrides using the old string format will need updating. * **midaz:** Ledger service is now enabled by default, replacing the separate onboarding and transaction services. - ledger.enabled now defaults to true - onboarding and transaction services are automatically disabled when ledger is enabled - Existing deployments using onboarding/transaction need to explicitly set ledger.enabled=false to maintain current behavior Migration guide: docs/UPGRADE-5.0.md ### Features * add bootstrap-mongodb.yaml for idempotent MongoDB user/db provisioning ([c36e378](c36e378)) * **fetcher:** add common configmap and secrets templates for shared configuration ([7f75dd0](7f75dd0)) * **midaz:** add conditional deployment logic for onboarding service and update ingress routing ([f2e3c76](f2e3c76)) * **midaz:** add conditional deployment logic for transaction service ([df12827](df12827)) * **reporter:** add configurable secret for KEDA TriggerAuthentication ([d84a26d](d84a26d)) * **midaz:** add CRM service with MongoDB integration and complete Kubernetes manifests ([a9368d2](a9368d2)) * **product-console:** add dynamic OTEL host injection support ([4f473e9](4f473e9)) * **midaz:** add external OTEL collector support ([f38af29](f38af29)) * **scripts:** add fallback to root image.tag in chart version update script ([4fdcb77](4fdcb77)) * **fetcher:** add fetcher helm chart with manager and worker components ([363c0cf](363c0cf)) * add Helm chart for plugin-br-bank-transfer-jd ([2ee97b9](2ee97b9)) * **plugin-br-pix-indirect-btg:** add HMAC validation and mTLS BTG config envs ([d1563c4](d1563c4)) * add IAM Roles Anywhere sidecar support for fetcher and matcher ([a67b756](a67b756)) * **plugin-fees:** add IAM Roles 
Anywhere sidecar support ([d9621a1](d9621a1)) * **reporter:** add IAM Roles Anywhere sidecar support ([2b76810](2b76810)) * **underwriter:** add initial Helm chart for Underwriter service ([7bbba1a](7bbba1a)) * **plugin-br-pix-indirect-btg:** add INTERNAL_WEBHOOK_SECRET and bump to 1.0.0-rc.26 ([e5ef789](e5ef789)) * **midaz:** add ledger service configuration and restructure values files ([d4332f9](d4332f9)) * **midaz:** add ledger service with unified API and migration helpers ([0ee6e83](0ee6e83)) * **plugin-fees:** add M2M and AWS_REGION env vars to chart ([f026d18](f026d18)) * **fetcher:** add manager component Kubernetes manifests with full deployment configuration ([12ec0dd](12ec0dd)) * **matcher:** add matcher helm chart ([6a235c1](6a235c1)) * **matcher:** add missing env vars for matcher v1.0.0+ ([0bf1e7f](0bf1e7f)) * **plugin-br-pix-indirect-btg:** add missing inbound webhook entity envs and security tier config ([ca62f49](ca62f49)) * **charts:** add missing NEU app env vars to reporter and fetcher ([8d4db13](8d4db13)) * **product-console:** add MONGO_PARAMETERS env var for TLS/auth options ([164468c](164468c)) * **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209)) * **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac)) * **plugin-fees:** add new env vars for v3.1.0 ([f824431](f824431)), closes [#1195](#1195) * **fetcher:** add OpenTelemetry HOST_IP injection support ([0ea3d75](0ea3d75)) * **product-console:** add product-console helm chart ([c956078](c956078)) * **fetcher:** add RabbitMQ bootstrap job with definitions for external RabbitMQ instances ([90c5edc](90c5edc)) * add rate limit configuration to midaz, fetcher, and reporter charts ([db2ec46](db2ec46)) * **plugin-br-pix-indirect-btg:** add required validation for INTERNAL_WEBHOOK_SECRET ([df410e2](df410e2)) * **reporter:** add ServiceAccount annotations support for IRSA ([3685103](3685103)) * 
**fetcher:** add ServiceAccount support for worker ([aa616c7](aa616c7)) * **tracer:** add tracer helm chart ([275c30e](275c30e)) * **plugin-br-pix-indirect-btg:** add validation to ensure INTERNAL_WEBHOOK_SECRET matches ([0f485b2](0f485b2)) * **matcher:** add values-template and rabbitmq definitions ([3063245](3063245)) * **matcher:** add VERSION env var and OTEL support ([cee8f96](cee8f96)) * **fetcher:** add worker component Kubernetes manifests with deployment, configmap and secrets ([fd8d8f3](fd8d8f3)) * add worker reconciliation config ([596c5a9](596c5a9)) * **reporter,fetcher:** auto-set VERSION and OTEL_RESOURCE_SERVICE_VERSION from image tag ([bcc28f1](bcc28f1)) * **midaz:** enable ledger service by default ([1abf1f1](1abf1f1)) * **matcher:** finalize matcher helm chart for v1.0.0 ([2be45e9](2be45e9)) * **midaz:** improve RabbitMQ bootstrap script with smart URL handling and enhanced logging ([8d99add](8d99add)) * **bootstrap-mongodb:** make app user and roles configurable via values ([5a37252](5a37252)) * **plugin-access-manager:** make createDatabase configurable ([1574601](1574601)) * **plugin-br-bank-transfer:** move CLIENT_IDs to secrets ([d3e36c0](d3e36c0)) * **midaz:** remove console service and nginx components ([68be4ac](68be4ac)) * **reporter:** support external KEDA operator ([0f19cbe](0f19cbe)) * **fetcher:** update fetcher-manager@1.1.0, fetcher-worker@1.1.0 - new env vars ([345798a](345798a)) * **fetcher:** update fetcher-manager@1.2.0, fetcher-worker@1.2.0 - new env vars ([47785ab](47785ab)) * **fetcher:** update fetcher-manager@1.3.0, fetcher-worker@1.3.0 - new env vars ([679fd73](679fd73)) * **product-console:** update image tag to 1.5.0 and add upgrade guide ([a289f8c](a289f8c)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.5.0, plugin-br-pix-indirect-btg-worker-reconciliation@1.5.0, plugin-br-pix-indirect-btg-worker-inbound@1.5.0, plugin-br-pix-indirect-btg-worker-outbound@1.5.0 - new env vars ([80fe4fc](80fe4fc)) 
* **plugin-fees:** update plugin-fees@3.1.0 - new env vars ([0111ef7](0111ef7)) * **reporter:** update reporter-manager@1.2.0, reporter-worker@1.2.0 - new env vars ([624ec97](624ec97)) ### Bug Fixes * **plugin-access-manager:** add configurable DB_SSLMODE for auth PostgreSQL connections ([dd1d626](dd1d626)) * **new:** add DEFAULT_MIDAZ_ORGANIZATION_ID to configmap for enhanced multi-tenancy support ([d7b66a0](d7b66a0)) * **charts:** add http:// prefix to OTEL_EXPORTER_OTLP_ENDPOINT ([33adde3](33adde3)) * **charts:** add http:// prefix to OTEL_EXPORTER_OTLP_ENDPOINT ([5f8ca7b](5f8ca7b)) * **product-console:** add image annotation for product-console 1.6.0 ([03c927c](03c927c)) * add kindIs guard for backward compat with string image values ([313d9f6](313d9f6)) * **matcher:** add missing env vars for systemplane and multi-tenant ([965da94](965da94)) * add missing MONGO_HOST/MONGO_PORT and align MONGODB_DB_NAME ([0725fa2](0725fa2)) * **midaz:** add missing MONGO_PARAMETERS to CRM configmap ([2bfecc2](2bfecc2)) * **product-console:** add MongoDB connection info to NOTES.txt ([b4d6557](b4d6557)) * **product-console:** add mongodb.enabled flag to values-template ([7024d9d](7024d9d)) * **configmap:** add new configuration options for deployment mode, private upstreams, and reconciliation settings ([f1a475e](f1a475e)) * **plugin-access-manager:** add new configuration options for logging, rate limiting, and MFA in configmap.yaml ([d1e83b2](d1e83b2)) * add plugin-br-bank-transfer-jd section to README version matrix ([ccd19ac](ccd19ac)) * **fetcher:** add RabbitMQ and storage configuration options, remove unused secret template ([865613d](865613d)) * add required validation for Roles Anywhere ARNs and README migration note ([50e4718](50e4718)), closes [#1](#1) [#3](#3) [#1113](#1113) * **plugin-br-pix-indirect-btg:** add WEBHOOK_DEFAULT_URL to outbound configmap ([0dd6d81](0dd6d81)) * address CodeRabbit CLI review findings ([974bbb8](974bbb8)) * 
**plugin-br-pix-indirect-btg:** address coderabbit review feedback ([bb664a9](bb664a9)) * **product-console:** address CodeRabbit review on NOTES.txt ([e8cf8d7](e8cf8d7)) * address CodeRabbit security and quality issues ([eb80852](eb80852)) * address remaining CodeRabbit review comments ([6f26a8b](6f26a8b)) * **pix-btg:** adjust default url ([51c4753](51c4753)) * **midaz:** adjust ledger component port from 3000 to 3002 ([8e01518](8e01518)) * **midaz:** adjust ledger component port from 3000 to 3002 ([bb58334](bb58334)) * **midaz:** adjust midaz-crm repository image ([5f9fdcb](5f9fdcb)) * align comment with actual template keys per CodeRabbit review ([338e19c](338e19c)) * **matcher:** align default securityContext with distroless nonroot UID ([87f0c59](87f0c59)) * **matcher:** align OTEL env vars with app and bump to v1.0.0-beta.3 ([d1616fb](d1616fb)) * always set VERSION and OTEL_RESOURCE_SERVICE_VERSION from image.tag ([56bfc66](56bfc66)) * clean dead OTEL defaults and fix SWAGGER_HOST service names ([76909b8](76909b8)) * complete standardization of VERSION across all remaining charts ([63adbb9](63adbb9)) * **plugin-access-manager:** construct dataSourceName at runtime with environment variables ([ac4fd9f](ac4fd9f)) * **bank-transfer:** correct encryption key env var names ([fb79deb](fb79deb)) * **midaz:** correct RabbitMQ bootstrap secret key reference from RABBITMQ_TRANSACTION_PASS to RABBITMQ_DEFAULT_PASS ([f86aa98](f86aa98)) * **plugin-access-manager:** correct REDIS_PASSWORD reference in identity secrets ([2c6c323](2c6c323)) * **fetcher:** correct repository URL in Chart.yaml home field ([378a458](378a458)) * **product-console:** derive MongoDB service name dynamically in NOTES.txt ([4bbf749](4bbf749)) * **midaz:** enable external service bootstrap jobs by default for RabbitMQ and PostgreSQL ([f65f8ff](f65f8ff)) * **matcher:** fix configmap archival condition and S3 endpoint for IAM Roles Anywhere ([53232ae](53232ae)) * **plugin-br-pix-indirect-btg:** fix 
useExistingSecrets typo in all deployments ([fa2dc49](fa2dc49)) * **plugin-br-pix-indirect-btg:** improve reconciliation config and remove vault annotations ([ad64484](ad64484)) * move MONGO_URI to secrets and support JD sandbox mode ([6d41468](6d41468)) * **reporter:** prevent null env in manager and worker deployments ([51a72c6](51a72c6)) * **reporter:** prevent null env in ScaledJob when no env vars are configured ([7fa29b4](7fa29b4)) * **fetcher:** remove common secret to match reporter pattern ([37050a0](37050a0)) * remove duplicate reporter-manager/secret.yaml with incorrect template references ([e8cc8b6](e8cc8b6)) * **release:** remove generate_changelog dependency from back-merge step ([40dfa39](40dfa39)) * remove hardcoded namespaceOverride to use release namespace ([f650315](f650315)) * **plugin-access-manager:** remove imagePullSecrets from values.yaml for identity and auth sections ([238ca51](238ca51)) * **product-console:** remove inconsistent artifacthub image annotation ([77e46c4](77e46c4)) * **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b)) * **plugin-br-pix-indirect-btg:** remove trailing newline from values.yaml ([938bf17](938bf17)) * **plugin-br-bank-transfer:** rename chart to include -helm suffix ([f393e35](f393e35)) * **bank-transfer:** rename MULTI_TENANT_INFRA_ENABLED to MULTI_TENANT_ENABLED for consistency ([0fb14a6](0fb14a6)) * **plugin-fees:** revert MIDAZ_TRANSACTION_URL to midaz-transaction default ([0871187](0871187)) * **plugin-br-pix-indirect-btg:** set DB_SSL_MODE default to disable ([29f2348](29f2348)) * **product-console:** set image tag to 1.3.0 in values.yaml ([a535b88](a535b88)) * **plugin-br-pix-indirect-btg:** set REDIS_TLS default to false in reconciliation configmap ([b8dc4d1](b8dc4d1)) * **plugin-access-manager:** split migrations and initUser image into repository/tag fields ([5be206a](5be206a)) * standardize VERSION/OTEL_RESOURCE_SERVICE_VERSION in remaining charts 
([4172495](4172495)) * **configmap:** update APPLICATION_NAME default value to crm ([53b65c3](53b65c3)) * **product-console:** update appVersion to 1.3.0 ([c708e76](c708e76)) * **midaz:** update console@3.4.8, onboarding@3.4.8, transaction@3.4.8 and add back-merge workflow ([2400460](2400460)) * **bank-transfer:** update DEFAULT_TENANT_ID to allow empty default value in configmap ([10ea45e](10ea45e)) * **plugin-access-manager:** update identity@2.1.1, auth@2.4.0 and use image.tag for version fields ([e260dee](e260dee)) * **plugin-access-manager:** update image tags and add CORS, rate limiting, multi-tenancy, and circuit breaker configurations ([628ad1d](628ad1d)) * **midaz:** update ledger service default port from 3000 to 3002 ([2878908](2878908)) * **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392)) * **plugin-access-manager:** update plugin-auth@2.6.0 ([6b5b3d8](6b5b3d8)) * **plugin-access-manager:** update plugin-auth@2.6.1 ([253b5e8](253b5e8)) * **plugin-br-bank-transfer-jd:** update plugin-br-bank-transfer-jd@1.0.0 ([afcdded](afcdded)) * **plugin-br-bank-transfer:** update plugin-br-bank-transfer@2.1.0 ([3e29c6c](3e29c6c)) * update plugin-br-pix-indirect-btg pix OTEL_RESOURCE_SERVICE_VERSION ([4fa8d3f](4fa8d3f)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg-worker-reconciliation@1.1.1 ([4397bc6](4397bc6)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg-worker-reconciliation@1.1.3 ([b9a4b68](b9a4b68)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg-worker-reconciliation@1.2.0 ([5e4b893](5e4b893)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.1.0 ([df6de7b](df6de7b)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.1.2 ([ffb414d](ffb414d)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.1 ([adbe456](adbe456)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.2 ([2c2b639](2c2b639)) * 
**plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.3 ([e08d78a](e08d78a)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.4 ([a42a959](a42a959)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.6 ([fe3749c](fe3749c)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.7 ([793be45](793be45)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.2.8 ([55681de](55681de)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.3.0 ([35c27d1](35c27d1)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.4.1, plugin-br-pix-indirect-btg-worker-reconciliation@1.4.1, plugin-br-pix-indirect-btg-worker-inbound@1.4.1, plugin-br-pix-indirect-btg-worker-outbound@1.4.1 ([3c6970f](3c6970f)) * **plugin-br-pix-indirect-btg:** update plugin-br-pix-indirect-btg@1.5.1, plugin-br-pix-indirect-btg-worker-reconciliation@1.5.1, plugin-br-pix-indirect-btg-worker-inbound@1.5.1, plugin-br-pix-indirect-btg-worker-outbound@1.5.1 ([226f506](226f506)) * **plugin-fees:** update plugin-fees@3.0.7 ([844537d](844537d)) * **plugin-fees:** update plugin-fees@3.0.8 ([8c5579c](8c5579c)) * **plugin-access-manager:** update plugin-identity@2.4.2 ([8b01a14](8b01a14)) * **midaz:** update README with ledger service documentation and remove console/nginx references ([e472f4f](e472f4f)) * **reporter:** update reporter-manager@1.0.0, reporter-worker@1.0.0 ([d586bf1](d586bf1)) * **reporter:** update reporter-manager@1.1.1 ([4f98acf](4f98acf)) * **matcher:** update securityContext to run as root ([8de4a13](8de4a13)) * **plugin-br-bank-transfer:** update service port and server address to 4027 in configuration files ([dd4e2a0](dd4e2a0)) * **reporter:** update worker default image tag to match latest stable release ([147ed4c](147ed4c)) * **bootstrap-mongodb:** use /bin/bash instead of /bin/sh for mongosh container ([b956943](b956943)) * **matcher:** use configmap value for 
OBJECT_STORAGE_ENDPOINT with IAM Roles Anywhere ([c0f19a4](c0f19a4)) * **midaz:** use dig function for safer nested value access in ledger init container timeout ([86ee67d](86ee67d)) * use dynamic service names based on release name ([cc9e734](cc9e734)) * **plugin-fees:** use midaz-ledger service for MIDAZ_TRANSACTION_URL default ([9515b35](9515b35)) * **bootstrap-mongodb:** use name helpers instead of hardcoded names ([d932f48](d932f48)) * **reporter:** use RABBITMQ_URI for KEDA scaler host ([60809c9](60809c9)) * **plugin-access-manager:** use separate repository and tag for auth backend image ([01b9a5c](01b9a5c)) * **reporter:** use unique names for cluster-scoped resources ([5cdaa80](5cdaa80)) * **bootstrap-mongodb:** use updateUser + process.env for safer reconciliation ([13ee1dc](13ee1dc)), closes [#1187](#1187) ### Reverts * **plugin-br-pix-indirect-btg:** move INTERNAL_WEBHOOK_SECRET from global to component-level secrets ([653594c](653594c)) * **plugin-br-pix-indirect-btg:** move INTERNAL_WEBHOOK_SECRET validation from global to pix.secrets ([f95be82](f95be82))
lerian-studio-midaz-push-bot bot pushed a commit that referenced this pull request Apr 17, 2026

## (2026-04-17)

### Features

* **plugin-fees:** add IAM Roles Anywhere sidecar support ([d9621a1](d9621a1))
* **plugin-fees:** add M2M and AWS_REGION env vars to chart ([f026d18](f026d18))
* **plugin-fees:** add MULTI_TENANT_ALLOW_INSECURE_HTTP to configmap template ([48cf209](48cf209))
* **plugin-fees:** add multi-tenant support and fix AVP secret rendering ([#1229](#1229)) ([04e12ac](04e12ac))

### Bug Fixes

* **product-console:** add image annotation for product-console 1.6.0 ([03c927c](03c927c))
* **configmap:** add new configuration options for deployment mode, private upstreams, and reconciliation settings ([f1a475e](f1a475e))
* **product-console:** remove inconsistent artifacthub image annotation ([77e46c4](77e46c4))
* **plugin-fees:** remove MULTI_TENANT_SETTINGS_CHECK_INTERVAL_SEC from configmap ([f3e7f9b](f3e7f9b))
* **midaz:** update midaz-crm@3.6.2, midaz-ledger@3.6.2 ([960a392](960a392))
Summary

* `plugin-fees` chart following the same pattern used by `matcher` and `plugin-br-bank-transfer`
* `fees` Secret from `data:` + `b64enc` to `stringData:`
* `useExistingSecret` guard, `required` validation, and `checksum/config|secret` pod annotations

Changes

* `Chart.yaml`: 5.0.0 → 5.1.0
* `templates/fees/configmap.yaml`: `MULTI_TENANT_*` env vars (conditional on `MULTI_TENANT_ENABLED=true`); `MULTI_TENANT_URL` and `MULTI_TENANT_REDIS_HOST` use `required`
* `templates/fees/secrets.yaml`: `stringData:`; wrapped in `{{- if not .Values.fees.useExistingSecret }}`; added `MULTI_TENANT_SERVICE_API_KEY` (required when enabled) and `MULTI_TENANT_REDIS_PASSWORD` (optional)
* `templates/fees/deployment.yaml`: `checksum/config` and `checksum/secret` pod annotations
* `values.yaml`
* `CHANGELOG.md`

Why the data → stringData migration

Verified empirically that the existing `data:` + `b64enc` pattern was breaking AVP substitution in production:

Helm runs `b64enc` on the literal `<path:secret/data/...#KEY>` placeholder string before AVP gets a chance to substitute it, so the actual Vault value never reaches the rendered manifest. The `plugin-br-bank-transfer` chart already uses `stringData:` correctly for the same reason.

Breaking notes for consumers

After upgrading, the next ArgoCD sync will rotate `MONGO_PASSWORD`, `CLIENT_SECRET`, `LICENSE_KEY`, and `ORGANIZATION_IDS` from chart defaults to actual Vault values. Operators must verify that downstream services (MongoDB user, OAuth client) are provisioned with the credentials stored in Vault before upgrading.

If any consumer was storing pre-base64-encoded values in Vault, switch them to plaintext.

Validation

* `helm lint charts/plugin-fees` — passes
* `helm template` (default, multi-tenant off) — renders cleanly, no `MULTI_TENANT_*` keys in ConfigMap
* `helm template --set fees.configmap.MULTI_TENANT_ENABLED=true` — fails fast with clear error: `fees.secrets.MULTI_TENANT_SERVICE_API_KEY is required when MULTI_TENANT_ENABLED=true`
* `helm template` with all required fields — renders all `MULTI_TENANT_*` configmap keys, both Secret keys, and `checksum/config` + `checksum/secret` annotations
* `helm template --set fees.useExistingSecret=true --set fees.existingSecretName=external-secret` — in-tree Secret skipped, deployment references `external-secret`

Test plan

* `develop`
* `plugin-fees-helm:5.1.0` to Docker Hub OCI registry
* `midaz-firmino-gitops` to pin chart version `5.1.0` and verify the multi-tenant rollout in Clotilde dev
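A check for the pattern this PR removes, as an added example (not code from the PR or the chart): it scans rendered `helm template` output for Secrets whose `data:` values base64-decode to a `<path:...>` placeholder. The Secret names and Vault path in the sample are constructed, and the line-based parsing assumes Helm's regular block-style YAML output.

```python
import base64
import binascii
import re
import sys

# Path-style placeholder in the form quoted in the PR: <path:...#KEY>
PLACEHOLDER = re.compile(r"<path:[^>]+>")


def b64enc(text):
    """Same transformation as Helm's `b64enc` template function."""
    return base64.b64encode(text.encode()).decode()


def split_documents(rendered):
    """Split `helm template` output into YAML documents on '---' lines."""
    docs, current = [], []
    for line in rendered.splitlines():
        if line.strip() == "---":
            if current:
                docs.append(current)
            current = []
        else:
            current.append(line)
    if current:
        docs.append(current)
    return docs


def direct_children(lines, key):
    """Return the scalar entries one level below a top-level mapping key."""
    children, inside, indent = {}, False, None
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith(" "):  # a new top-level key starts here
            inside, indent = (line.rstrip() == f"{key}:"), None
            continue
        if not inside:
            continue
        depth = len(line) - len(line.lstrip())
        indent = depth if indent is None else indent
        if depth == indent:
            name, sep, value = stripped.partition(":")
            if sep:
                children[name.strip()] = value.strip().strip("'\"")
    return children


def find_encoded_placeholders(rendered):
    """List (secret, key, decoded) where a Secret's data value hides a placeholder."""
    findings = []
    for doc in split_documents(rendered):
        kind = next((l.split(":", 1)[1].strip() for l in doc if l.startswith("kind:")), "")
        if kind != "Secret":
            continue
        name = direct_children(doc, "metadata").get("name", "<unnamed>")
        for key, value in direct_children(doc, "data").items():
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64 text, nothing to inspect
            if PLACEHOLDER.search(decoded):
                findings.append((name, key, decoded))
    return findings


# Constructed sample input: the Vault path and Secret names are made up.
SAMPLE_PLACEHOLDER = "<path:secret/data/example/fees#MONGO_PASSWORD>"
RENDERED_BEFORE = f"""\
---
apiVersion: v1
kind: Secret
metadata:
  name: fees-before
data:
  MONGO_PASSWORD: {b64enc(SAMPLE_PLACEHOLDER)}
  LICENSE_KEY: {b64enc('chart-default')}
"""
RENDERED_AFTER = f"""\
---
apiVersion: v1
kind: Secret
metadata:
  name: fees-after
stringData:
  MONGO_PASSWORD: {SAMPLE_PLACEHOLDER}
"""

if __name__ == "__main__":
    # With piped input, check real `helm template` output; otherwise use the sample.
    text = RENDERED_BEFORE + RENDERED_AFTER if sys.stdin.isatty() else sys.stdin.read()
    hits = find_encoded_placeholders(text)
    for secret, key, decoded in hits:
        print(f"{secret}: data.{key} is a base64-encoded placeholder: {decoded}")
    sys.exit(1 if hits else 0)
```

Piping the output of `helm template charts/plugin-fees` into the script makes it usable as a pre-merge gate: a non-zero exit means some `data:` value still wraps a placeholder.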