From 64f5184dff041dfab5d3c59f84c910d4d53f39c9 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Tue, 17 Mar 2026 09:19:25 +0000
Subject: [PATCH 1/5] feat: add maxSurge to DaemonSet rolling update strategy

---
 rust/operator-binary/src/controller.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
index f3d1567c..6599bfa1 100644
--- a/rust/operator-binary/src/controller.rs
+++ b/rust/operator-binary/src/controller.rs
@@ -34,7 +34,9 @@ use stackable_operator::{
     k8s_openapi::{
         DeepMerge,
         api::{
-            apps::v1::{DaemonSet, DaemonSetSpec},
+            apps::v1::{
+                DaemonSet, DaemonSetSpec, DaemonSetUpdateStrategy, RollingUpdateDaemonSet,
+            },
             core::v1::{
                 ConfigMap, EmptyDirVolumeSource, EnvVar, EnvVarSource, HTTPGetAction,
                 ObjectFieldSelector, Probe, SecretVolumeSource, ServiceAccount,
@@ -1153,6 +1155,13 @@ fn build_server_rolegroup_daemonset(
             ..LabelSelector::default()
         },
         template: pod_template,
+        update_strategy: Some(DaemonSetUpdateStrategy {
+            type_: Some("RollingUpdate".to_string()),
+            rolling_update: Some(RollingUpdateDaemonSet {
+                max_surge: Some(IntOrString::Int(1)),
+                max_unavailable: Some(IntOrString::Int(0)),
+            }),
+        }),
         ..DaemonSetSpec::default()
     };
 

From 3cddc20fec6e85294e38dfe078ea1f8bd819d485 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Tue, 17 Mar 2026 09:21:06 +0000
Subject: [PATCH 2/5] chore: add TODO to use PreferSameNode once k8s 1.35 is
 minimum

---
 rust/operator-binary/src/service.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rust/operator-binary/src/service.rs b/rust/operator-binary/src/service.rs
index 5cfbbd4f..2b23ed99 100644
--- a/rust/operator-binary/src/service.rs
+++ b/rust/operator-binary/src/service.rs
@@ -63,6 +63,12 @@ pub(crate) fn build_server_role_service(
         type_: Some(opa.spec.cluster_config.listener_class.k8s_service_type()),
         ports: Some(data_service_ports(opa.spec.cluster_config.tls_enabled())),
         selector: Some(service_selector_labels.into()),
+        // This ensures that products (e.g. Trino) on a node always talk to the OPA pod on the
+        // same node, avoiding cross-node latency. The downside is that if the local OPA pod is
+        // unavailable, requests fail instead of falling back to another node.
+        // TODO: Once our minimum supported Kubernetes version is 1.35, use
+        // `trafficDistribution: PreferSameNode` instead, which prefers the local node but
+        // gracefully falls back to other nodes if the local pod is unavailable.
         internal_traffic_policy: Some("Local".to_string()),
         ..ServiceSpec::default()
     };

From 5748d3e59c0ad5460b73cf20b9790f46a6cb0b3b Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 23 Mar 2026 12:42:59 +0100
Subject: [PATCH 3/5] test: assert DaemonSet rolling update strategy in smoke
 test

---
 tests/templates/kuttl/smoke/10-assert.yaml.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tests/templates/kuttl/smoke/10-assert.yaml.j2 b/tests/templates/kuttl/smoke/10-assert.yaml.j2
index 6b86f13f..76703fb2 100644
--- a/tests/templates/kuttl/smoke/10-assert.yaml.j2
+++ b/tests/templates/kuttl/smoke/10-assert.yaml.j2
@@ -9,6 +9,11 @@ kind: DaemonSet
 metadata:
   name: test-opa-server-default
 spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
   template:
     spec:
       containers:

From d3f1d229f4a4f24c4ccc0fc597131ca5ef44d226 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 23 Mar 2026 12:50:37 +0100
Subject: [PATCH 4/5] chore: update changelog

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4ce5ea5..ec32da9a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Set `maxSurge=1` and `maxUnavailable=0` on the OPA DaemonSet rolling update strategy to eliminate
+  availability gaps during rolling updates ([#819]).
+
+[#819]: https://github.com/stackabletech/opa-operator/pull/819
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16

From 51893eadeb768546bdf10ce5e50c9330e8e08e86 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 23 Mar 2026 13:07:19 +0100
Subject: [PATCH 5/5] chore: lint fixes

---
 rust/operator-binary/src/controller.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
index 6599bfa1..41f9edbe 100644
--- a/rust/operator-binary/src/controller.rs
+++ b/rust/operator-binary/src/controller.rs
@@ -34,9 +34,7 @@ use stackable_operator::{
     k8s_openapi::{
         DeepMerge,
         api::{
-            apps::v1::{
-                DaemonSet, DaemonSetSpec, DaemonSetUpdateStrategy, RollingUpdateDaemonSet,
-            },
+            apps::v1::{DaemonSet, DaemonSetSpec, DaemonSetUpdateStrategy, RollingUpdateDaemonSet},
             core::v1::{
                 ConfigMap, EmptyDirVolumeSource, EnvVar, EnvVarSource, HTTPGetAction,
                 ObjectFieldSelector, Probe, SecretVolumeSource, ServiceAccount,