From 9fe3a4c6aa533202c6943eda590b1150f26857d9 Mon Sep 17 00:00:00 2001
From: Luca Miccini <lmiccini@redhat.com>
Date: Wed, 17 Jun 2026 09:06:10 +0200
Subject: [PATCH] Require all pods updated before reporting IsReady
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

During rolling updates, ReadyReplicas can match the desired count while
UpdatedReplicas lags behind — old pods are still ready but running stale
config. Add UpdatedReplicas == Spec.Replicas to both deployment.IsReady()
and statefulset.IsReady() so consumers (e.g. transport secret rotation
guards) don't act on stale readiness.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 modules/common/deployment/deployment.go   | 2 ++
 modules/common/statefulset/statefulset.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/modules/common/deployment/deployment.go b/modules/common/deployment/deployment.go
index 5fa3baa8..cae6daf9 100644
--- a/modules/common/deployment/deployment.go
+++ b/modules/common/deployment/deployment.go
@@ -132,10 +132,12 @@ func GetDeploymentWithName(
 // IsReady - validates when deployment is ready deployed to whats being requested
 // - the requested replicas in the spec matches the ReadyReplicas of the status
 // - the Status.Replicas match Status.ReadyReplicas. if a deployment update is in progress, Replicas > ReadyReplicas
+// - all pods run the current spec (UpdatedReplicas == requested replicas)
 // - both when the Generatation of the object matches the ObservedGeneration of the Status
 func IsReady(deployment appsv1.Deployment) bool {
 	return deployment.Spec.Replicas != nil &&
 		*deployment.Spec.Replicas == deployment.Status.ReadyReplicas &&
+		*deployment.Spec.Replicas == deployment.Status.UpdatedReplicas &&
 		deployment.Status.Replicas == deployment.Status.ReadyReplicas &&
 		deployment.Generation == deployment.Status.ObservedGeneration
 }
diff --git a/modules/common/statefulset/statefulset.go b/modules/common/statefulset/statefulset.go
index 04fe21c2..9f87a2a8 100644
--- a/modules/common/statefulset/statefulset.go
+++ b/modules/common/statefulset/statefulset.go
@@ -152,9 +152,11 @@ func (s *StatefulSet) Delete(
 
 // IsReady - validates when deployment is ready deployed to whats being requested
 // - the requested replicas in the spec matches the ReadyReplicas of the status
+// - all pods run the current spec (UpdatedReplicas == requested replicas)
 // - both when the Generatation of the object matches the ObservedGeneration of the Status
 func IsReady(deployment appsv1.StatefulSet) bool {
 	return deployment.Spec.Replicas != nil &&
 		*deployment.Spec.Replicas == deployment.Status.ReadyReplicas &&
+		*deployment.Spec.Replicas == deployment.Status.UpdatedReplicas &&
 		deployment.Generation == deployment.Status.ObservedGeneration
 }