feat: daemonset maxsurge to prevent unavailability on config changes (#819)

dervoeti · dervoeti · commit 5feaa82299a6 · 2026-04-08T12:24:47.000+02:00
* feat: add maxSurge to DaemonSet rolling update strategy

* chore: add TODO to use PreferSameNode once k8s 1.35 is minimum

* test: assert DaemonSet rolling update strategy in smoke test

* chore: update changelog

* chore: lint fixes
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,13 @@ All notable changes to this project will be documented in this file.
 
 - Support `configOverrides` for `config.json` (#818).
 
+### Changed
+
+- Set `maxSurge=1` and `maxUnavailable=0` on the OPA DaemonSet rolling update strategy to eliminate
+  availability gaps during rolling updates ([#819]).
+
 [#818]: https://github.com/stackabletech/opa-operator/pull/818
+[#819]: https://github.com/stackabletech/opa-operator/pull/819
 
 ## [26.3.0] - 2026-03-16
 
diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
@@ -35,7 +35,7 @@ use stackable_operator::{
     k8s_openapi::{
         DeepMerge,
         api::{
-            apps::v1::{DaemonSet, DaemonSetSpec},
+            apps::v1::{DaemonSet, DaemonSetSpec, DaemonSetUpdateStrategy, RollingUpdateDaemonSet},
             core::v1::{
                 ConfigMap, EmptyDirVolumeSource, EnvVar, EnvVarSource, HTTPGetAction,
                 ObjectFieldSelector, Probe, SecretVolumeSource, ServiceAccount,
@@ -1183,6 +1183,13 @@ fn build_server_rolegroup_daemonset(
             ..LabelSelector::default()
         },
         template: pod_template,
+        update_strategy: Some(DaemonSetUpdateStrategy {
+            type_: Some("RollingUpdate".to_string()),
+            rolling_update: Some(RollingUpdateDaemonSet {
+                max_surge: Some(IntOrString::Int(1)),
+                max_unavailable: Some(IntOrString::Int(0)),
+            }),
+        }),
         ..DaemonSetSpec::default()
     };
 
diff --git a/rust/operator-binary/src/service.rs b/rust/operator-binary/src/service.rs
@@ -63,6 +63,12 @@ pub(crate) fn build_server_role_service(
         type_: Some(opa.spec.cluster_config.listener_class.k8s_service_type()),
         ports: Some(data_service_ports(opa.spec.cluster_config.tls_enabled())),
         selector: Some(service_selector_labels.into()),
+        // This ensures that products (e.g. Trino) on a node always talk to the OPA pod on the
+        // same node, avoiding cross-node latency. The downside is that if the local OPA pod is
+        // unavailable, requests fail instead of falling back to another node.
+        // TODO: Once our minimum supported Kubernetes version is 1.35, use
+        // `trafficDistribution: PreferSameNode` instead, which prefers the local node but
+        // gracefully falls back to other nodes if the local pod is unavailable.
         internal_traffic_policy: Some("Local".to_string()),
         ..ServiceSpec::default()
     };
diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2
@@ -9,6 +9,11 @@ kind: DaemonSet
 metadata:
   name: test-opa-server-default
 spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
   template:
     spec:
       containers:
