🔀 Merge develop into master (Release)

apis/vshn/v1/common_types.go

@@ -86,6 +86,19 @@ type VSHNDBaaSMaintenanceScheduleSpec struct {
 	// TimeOfDay for installing updates in UTC.
 	// Format: "hh:mm:ss".
 	TimeOfDay TimeOfDay `json:"timeOfDay,omitempty"`
+
+	// PinImageTag allows pinning the service to a specific image tag.
+	// When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+	// WARNING: User takes full responsibility for version management and security updates.
+	// Downgrades are allowed when pinning - the customer assumes all risk.
+	PinImageTag string `json:"pinImageTag,omitempty"`
+
+	// +kubebuilder:default=false
+	// DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+	// When enabled, the instance will not automatically receive new AppCat composition revisions
+	// which may contain bug fixes, security patches, and new features.
+	// WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+	DisableAppcatRelease bool `json:"disableAppcatRelease,omitempty"`
 }
 
 // GetMaintenanceDayOfWeek returns the currently set day of week
@@ -108,6 +121,21 @@ func (n *VSHNDBaaSMaintenanceScheduleSpec) SetMaintenanceTimeOfDay(tod TimeOfDay
 	n.TimeOfDay = tod
 }
 
+// GetPinImageTag returns the pinned image tag if set
+func (n *VSHNDBaaSMaintenanceScheduleSpec) GetPinImageTag() string {
+	return n.PinImageTag
+}
+
+// IsPinImageTagSet returns true if an image tag is pinned
+func (n *VSHNDBaaSMaintenanceScheduleSpec) IsPinImageTagSet() bool {
+	return n.PinImageTag != ""
+}
+
+// IsAppcatReleaseDisabled returns true if AppCat release updates are disabled
+func (n *VSHNDBaaSMaintenanceScheduleSpec) IsAppcatReleaseDisabled() bool {
+	return n.DisableAppcatRelease
+}
+
 // VSHNSizeSpec contains settings to control the sizing of a service.
 type VSHNSizeSpec struct {
 	// CPU defines the amount of Kubernetes CPUs for an instance.

apis/vshn/v1/common_types_test.go

@@ -108,3 +108,59 @@ func Test_IsSet(t *testing.T) {
 		})
 	}
 }
+
+func Test_PinImageTag(t *testing.T) {
+	tests := []struct {
+		name         string
+		scheduleSpec VSHNDBaaSMaintenanceScheduleSpec
+		wantTag      string
+		wantIsSet    bool
+	}{
+		{
+			name: "GivenPinImageTagSet_ThenExpectTagAndTrue",
+			scheduleSpec: VSHNDBaaSMaintenanceScheduleSpec{
+				PinImageTag: "7.2.5",
+			},
+			wantTag:   "7.2.5",
+			wantIsSet: true,
+		},
+		{
+			name:         "GivenDefaultValue_ThenExpectEmptyAndFalse",
+			scheduleSpec: VSHNDBaaSMaintenanceScheduleSpec{},
+			wantTag:      "",
+			wantIsSet:    false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.wantTag, tt.scheduleSpec.GetPinImageTag())
+			assert.Equal(t, tt.wantIsSet, tt.scheduleSpec.IsPinImageTagSet())
+		})
+	}
+}
+
+func Test_IsAppcatReleaseDisabled(t *testing.T) {
+	tests := []struct {
+		name         string
+		scheduleSpec VSHNDBaaSMaintenanceScheduleSpec
+		want         bool
+	}{
+		{
+			name: "GivenDisableAppcatReleaseTrue_ThenExpectTrue",
+			scheduleSpec: VSHNDBaaSMaintenanceScheduleSpec{
+				DisableAppcatRelease: true,
+			},
+			want: true,
+		},
+		{
+			name:         "GivenDefaultValue_ThenExpectFalse",
+			scheduleSpec: VSHNDBaaSMaintenanceScheduleSpec{},
+			want:         false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, tt.scheduleSpec.IsAppcatReleaseDisabled())
+		})
+	}
+}

apis/vshn/v1/dbaas_vshn_forgejo.go

@@ -172,6 +172,8 @@ type VSHNForgejoStatus struct {
 	// InitialMaintenance tracks the status of the initial maintenance job,
 	// including when it ran and whether it succeeded or failed.
 	InitialMaintenance InitialMaintenanceStatus `json:"initialMaintenance,omitempty"`
+	// CurrentReleaseTag contains the currently deployed image tag.
+	CurrentReleaseTag string `json:"currentReleaseTag,omitempty"`
 
 	// ResourceStatus represents the observed state of a managed resource.
 	xpv1.ResourceStatus `json:",inline"`

apis/vshn/v1/dbaas_vshn_keycloak.go

@@ -227,6 +227,8 @@ type VSHNKeycloakStatus struct {
 	// InitialMaintenance tracks the status of the initial maintenance job,
 	// including when it ran and whether it succeeded or failed.
 	InitialMaintenance InitialMaintenanceStatus `json:"initialMaintenance,omitempty"`
+	// CurrentReleaseTag contains the currently deployed image tag.
+	CurrentReleaseTag string `json:"currentReleaseTag,omitempty"`
 	// ResourceStatus represents the observed state of a managed resource.
 	xpv1.ResourceStatus `json:",inline"`
 	// LastConfigHash is the hash of last applied customConfigurationRef.

apis/vshn/v1/dbaas_vshn_postgresql.go

@@ -168,9 +168,11 @@ type VSHNPostgreSQLServiceSpec struct {
 	EnableEnvoy bool `json:"enableEnvoy,omitempty"`
 
 	// +kubebuilder:default=true
-	// This is default option if neither repack or vacuum are selected
+	// RepackEnabled defines if `pg_repack` should be performed during the maintenance. Defaults to true.
 	RepackEnabled bool `json:"repackEnabled,omitempty"`
+
 	// +kubebuilder:default=false
+	// VacuumEnabled defines if `VACUUM` should be performed during the maintenace. Defaults to false.
 	VacuumEnabled bool `json:"vacuumEnabled,omitempty"`
 
 	// Access defines additional users and databases for this instance.

apis/vshn/v1/dbaas_vshn_redis.go

@@ -156,6 +156,8 @@ type VSHNRedisStatus struct {
 	// InitialMaintenance tracks the status of the initial maintenance job,
 	// including when it ran and whether it succeeded or failed.
 	InitialMaintenance InitialMaintenanceStatus `json:"initialMaintenance,omitempty"`
+	// CurrentReleaseTag contains the currently deployed image tag.
+	CurrentReleaseTag string `json:"currentReleaseTag,omitempty"`
 	// ResourceStatus represents the observed state of a managed resource.
 	xpv1.ResourceStatus `json:",inline"`
 }

apis/vshn/v1/vshn_minio.go

@@ -105,6 +105,8 @@ type VSHNMinioStatus struct {
 	// InitialMaintenance tracks the status of the initial maintenance job,
 	// including when it ran and whether it succeeded or failed.
 	InitialMaintenance InitialMaintenanceStatus `json:"initialMaintenance,omitempty"`
+	// CurrentReleaseTag contains the currently deployed image tag.
+	CurrentReleaseTag string `json:"currentReleaseTag,omitempty"`
 	// ResourceStatus represents the observed state of a managed resource.
 	xpv1.ResourceStatus `json:",inline"`
 }

apis/vshn/v1/vshn_nextcloud.go

@@ -184,6 +184,8 @@ type VSHNNextcloudStatus struct {
 	// InitialMaintenance tracks the status of the initial maintenance job,
 	// including when it ran and whether it succeeded or failed.
 	InitialMaintenance InitialMaintenanceStatus `json:"initialMaintenance,omitempty"`
+	// CurrentReleaseTag contains the currently deployed image tag.
+	CurrentReleaseTag string `json:"currentReleaseTag,omitempty"`
 	// ResourceStatus represents the observed state of a managed resource.
 	xpv1.ResourceStatus `json:",inline"`
 }

cmd/maintenance.go

@@ -164,6 +164,17 @@ func (c *controller) runMaintenance(cmd *cobra.Command, _ []string) error {
 		panic("service name is mandatory")
 	}
 
+	pinImageTag := viper.GetString("PIN_IMAGE_TAG")
+	disableAppcatRelease, err := strconv.ParseBool(viper.GetString("DISABLE_APPCAT_RELEASE"))
+	if err != nil {
+		return fmt.Errorf("cannot parse env variable DISABLE_APPCAT_RELEASE to bool: %w", err)
+	}
+
+	if disableAppcatRelease && pinImageTag != "" {
+		log.Info("AppCat release disabled and image tag pinned, skipping...")
+		return nil
+	}
+
 	if err = errors.Join(
 		// Run backup before any changes, then release, then maintenance
 		func() error {
@@ -176,6 +187,11 @@ func (c *controller) runMaintenance(cmd *cobra.Command, _ []string) error {
 			return nil
 		}(),
 		func() error {
+			if disableAppcatRelease {
+				log.Info("AppCat release updates disabled by user configuration")
+				return nil
+			}
+
 			enabled, err := strconv.ParseBool(viper.GetString("RELEASE_MANAGEMENT_ENABLED"))
 			if err != nil {
 				return fmt.Errorf("cannot determine if release management is enabled: %w", err)
@@ -196,7 +212,13 @@ func (c *controller) runMaintenance(cmd *cobra.Command, _ []string) error {
 
 			return m.ReleaseLatest(ctx, enabled, maintClient, minAge)
 		}(),
-		m.DoMaintenance(ctx),
+		func() error {
+			if pinImageTag != "" {
+				log.Info("Image tag pinned by user configuration, skipping service maintenance", "pinnedTag", pinImageTag)
+				return nil
+			}
+			return m.DoMaintenance(ctx)
+		}(),
 	); err != nil {
 		return fmt.Errorf("maintenance failed: %w", err)
 	}

crds/vshn.appcat.vshn.io_vshnforgejoes.yaml

@@ -95,6 +95,21 @@ spec:
                             - saturday
                             - sunday
                           type: string
+                        disableAppcatRelease:
+                          default: false
+                          description: |-
+                            DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+                            When enabled, the instance will not automatically receive new AppCat composition revisions
+                            which may contain bug fixes, security patches, and new features.
+                            WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+                          type: boolean
+                        pinImageTag:
+                          description: |-
+                            PinImageTag allows pinning the service to a specific image tag.
+                            When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+                            WARNING: User takes full responsibility for version management and security updates.
+                            Downgrades are allowed when pinning - the customer assumes all risk.
+                          type: string
                         timeOfDay:
                           description: |-
                             TimeOfDay for installing updates in UTC.
@@ -4758,6 +4773,9 @@ spec:
                   x-kubernetes-list-map-keys:
                     - type
                   x-kubernetes-list-type: map
+                currentReleaseTag:
+                  description: CurrentReleaseTag contains the currently deployed image tag.
+                  type: string
                 initialMaintenance:
                   description: |-
                     InitialMaintenance tracks the status of the initial maintenance job,
@@ -4852,6 +4870,21 @@ spec:
                             - saturday
                             - sunday
                           type: string
+                        disableAppcatRelease:
+                          default: false
+                          description: |-
+                            DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+                            When enabled, the instance will not automatically receive new AppCat composition revisions
+                            which may contain bug fixes, security patches, and new features.
+                            WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+                          type: boolean
+                        pinImageTag:
+                          description: |-
+                            PinImageTag allows pinning the service to a specific image tag.
+                            When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+                            WARNING: User takes full responsibility for version management and security updates.
+                            Downgrades are allowed when pinning - the customer assumes all risk.
+                          type: string
                         timeOfDay:
                           description: |-
                             TimeOfDay for installing updates in UTC.

crds/vshn.appcat.vshn.io_vshnkeycloaks.yaml

@@ -98,6 +98,21 @@ spec:
                             - saturday
                             - sunday
                           type: string
+                        disableAppcatRelease:
+                          default: false
+                          description: |-
+                            DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+                            When enabled, the instance will not automatically receive new AppCat composition revisions
+                            which may contain bug fixes, security patches, and new features.
+                            WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+                          type: boolean
+                        pinImageTag:
+                          description: |-
+                            PinImageTag allows pinning the service to a specific image tag.
+                            When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+                            WARNING: User takes full responsibility for version management and security updates.
+                            Downgrades are allowed when pinning - the customer assumes all risk.
+                          type: string
                         timeOfDay:
                           description: |-
                             TimeOfDay for installing updates in UTC.
@@ -4810,6 +4825,21 @@ spec:
                                     - saturday
                                     - sunday
                                   type: string
+                                disableAppcatRelease:
+                                  default: false
+                                  description: |-
+                                    DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+                                    When enabled, the instance will not automatically receive new AppCat composition revisions
+                                    which may contain bug fixes, security patches, and new features.
+                                    WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+                                  type: boolean
+                                pinImageTag:
+                                  description: |-
+                                    PinImageTag allows pinning the service to a specific image tag.
+                                    When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+                                    WARNING: User takes full responsibility for version management and security updates.
+                                    Downgrades are allowed when pinning - the customer assumes all risk.
+                                  type: string
                                 timeOfDay:
                                   description: |-
                                     TimeOfDay for installing updates in UTC.
@@ -9496,7 +9526,7 @@ spec:
                                   x-kubernetes-preserve-unknown-fields: true
                                 repackEnabled:
                                   default: true
-                                  description: This is default option if neither repack or vacuum are selected
+                                  description: RepackEnabled defines if `pg_repack` should be performed during the maintenance. Defaults to true.
                                   type: boolean
                                 serviceLevel:
                                   default: besteffort
@@ -9518,6 +9548,7 @@ spec:
                                   default: {}
                                 vacuumEnabled:
                                   default: false
+                                  description: VacuumEnabled defines if `VACUUM` should be performed during the maintenace. Defaults to false.
                                   type: boolean
                               type: object
                               default: {}
@@ -9708,6 +9739,9 @@ spec:
                   x-kubernetes-list-map-keys:
                     - type
                   x-kubernetes-list-type: map
+                currentReleaseTag:
+                  description: CurrentReleaseTag contains the currently deployed image tag.
+                  type: string
                 initialMaintenance:
                   description: |-
                     InitialMaintenance tracks the status of the initial maintenance job,
@@ -9808,6 +9842,21 @@ spec:
                             - saturday
                             - sunday
                           type: string
+                        disableAppcatRelease:
+                          default: false
+                          description: |-
+                            DisableAppcatRelease disables automatic AppCat composition revision rollouts during maintenance windows.
+                            When enabled, the instance will not automatically receive new AppCat composition revisions
+                            which may contain bug fixes, security patches, and new features.
+                            WARNING: Strongly discouraged - may leave instance without security patches and bug fixes.
+                          type: boolean
+                        pinImageTag:
+                          description: |-
+                            PinImageTag allows pinning the service to a specific image tag.
+                            When set, the exact specified tag will be used, even if it's older than the currently deployed version.
+                            WARNING: User takes full responsibility for version management and security updates.
+                            Downgrades are allowed when pinning - the customer assumes all risk.
+                          type: string
                         timeOfDay:
                           description: |-
                             TimeOfDay for installing updates in UTC.