Skip to main content

Control maintenance updates with upgrade pipelines Limited availability

Control when your Aiven managed services receive maintenance updates and test maintenance updates in development or staging environments before they reach production.

important

Controlled upgrade pipeline is a limited availability feature. Contact Aiven to request access.

Aiven performs automatic service maintenance for security fixes, minor software updates, and other platform changes. The controlled upgrade pipeline feature lets you link services of the same type in an ordered sequence to control when each service receives updates. After a maintenance update upgrades a service at the initial pipeline step, you validate that service version before the update proceeds to the service at the next pipeline step. Validating means approving the new version as safe to roll out to the next service. Validation can be manual or automatic after a configurable delay.

Why use controlled upgrade pipelines

Controlled upgrade pipelines prevent production incidents caused by automatic updates reaching production before teams can test the new version in a lower environment. They give you full oversight of the update process:

  • Risk mitigation: Prevents unexpected maintenance updates from breaking your production environment by ensuring they are tested in a non-production setting first.
  • Stability: Keeps destination services (such as production) on a known-good version until you, or the automatic timer, confirm the new version is safe.
  • Process control: Allows platform teams to standardize their deployment and maintenance lifecycle across environments.

About controlled upgrade pipelines

Upgrade steps

An upgrade step is a pair of services linked by an upgrade constraint:

  • Source service: The service that receives maintenance updates first
  • Destination service: The service that waits for validation before receiving updates

Each destination service can have only one source service. A source service can have multiple destination services.

Upgrade pipelines

An upgrade pipeline is a chain of upgrade steps that spans multiple environments. For example:

  • Single chain: development → staging → production
  • Multiple destinations: development → production-eu and development → production-na

How validation works

When a maintenance update upgrades your source service:

  1. The source service receives the update first.
  2. Test the updated source service to verify it works as expected.
  3. Validate the update manually using the API or CLI, or wait for automatic validation after the configured delay. The default delay is 7 days.
  4. After validation, the destination service becomes eligible for the same maintenance update.

If one source service has multiple destination services, one validation for the source service applies to all connected destination services.

Nodes in the destination service maintain the validated version until a newer version is validated, either when you validate it manually or when automatic validation applies after the configured delay. When a node is recycled, it uses the same validated version, not the latest available version.

When you create a step, the destination service keeps the newest version that is already validated at that moment. If the destination service is already applying maintenance during step creation, the in-progress target version becomes the initial validated version.

warning

A powered-off source service cannot receive maintenance updates, so you cannot validate it. If you power off services earlier in the chain, the destination service upgrades regardless. For example, in a development → staging → production chain, if both development and staging are powered off, production upgrades without testing and validation in the earlier environments. Keep services in the chain powered on to preserve the protection that upgrade pipelines provide.

Limitations and considerations

  • Same service type: You can only link services of the same type. For example, two Aiven for PostgreSQL services.
  • Chain length: The maximum chain depth is 3 services, which is 2 steps.
  • No cycles: You cannot create circular dependencies between services.
  • Emergency overrides: Aiven can apply critical security or stability fixes to a destination service before explicit validation.
  • Supported services: This feature supports all Aiven service types except Aiven for Apache Flink® and Aiven for MySQL.
  • No permanent blocking: You cannot prevent an update indefinitely. Automatic validation applies after the configured delay, up to the maximum delay.

Use controlled upgrade pipelines

Prerequisites

To use controlled upgrade pipelines, you need the following:

  • The feature enabled by Aiven (Limited availability)

  • Dev tool of your choice:

  • Write access to the source and destination projects

  • At least two services of the same type (for example, two Aiven for PostgreSQL® services)

  • Services can be in different projects in the same organization

Set up an upgrade pipeline

Use the Aiven CLI or API to create upgrade steps between your services.

note

The upgrade-pipeline CLI commands require Aiven CLI version 4.x or later. Command names and parameters may change before general availability.

Create an upgrade step

Create a step to link a source service and a destination service:

avn upgrade-pipeline step create \
  --organization-id ORGANIZATION_ID \
  [--source-project SOURCE_PROJECT] SOURCE_SERVICE \
  [--destination-project DESTINATION_PROJECT] DESTINATION_SERVICE \
  [--auto-validation-delay-days DAYS]

Options

  • --organization-id is required.
  • --source-project and --destination-project are optional. If you omit either project option, Aiven CLI uses the current default project set with avn project switch.
  • --auto-validation-delay-days is optional. Defaults to 7 days if not specified.

Parameters:

  • source_project_name: Name of the project containing the source service
  • source_service_name: Name of the source service
  • destination_project_name: Name of the project containing the destination service
  • destination_service_name: Name of the destination service
  • auto_validation_delay_days: Optional. Number of days before automatic validation. The value must be at least 1. The default is 7 days.

The maximum delay you can configure is 30 days.

List upgrade steps

View all upgrade steps you have access to:

avn upgrade-pipeline step list --organization-id ORGANIZATION_ID

View a specific step

Get details about a specific upgrade step, including the last validation:

avn upgrade-pipeline step get \
  --organization-id ORGANIZATION_ID \
  STEP_ID

The step details include last_validation values such as validated_at, validated_by_user, and comment when validation exists (available through the API).

Validate an upgrade

After testing your source service with the new update, validate the version to allow the destination service to receive the same update.

Manual validation

Validate the current version of your source service:

avn upgrade-pipeline step validate-for-service \
  --project SOURCE_PROJECT \
  SERVICE_NAME \
  [--comment "COMMENT"]

--comment is optional. Use it to record a note about the validation, for example "Tested and verified in development".

Automatic validation

If you do not manually validate an update, the system automatically validates the source service version after the configured delay. Auto-validation starts from when the source service receives the update.

Manage upgrade steps

Update a step

Modify the automatic validation delay for an existing step:

avn upgrade-pipeline step update \
  --organization-id ORGANIZATION_ID \
  --auto-validation-delay-days 14 \
  STEP_ID

Delete a step

Remove an upgrade step to allow the destination service to receive updates independently:

avn upgrade-pipeline step delete --organization-id ORGANIZATION_ID STEP_ID

Find STEP_ID from the upgrade step list command.

Deleting a step removes all associated validations.

Example: Three-environment pipeline

Create a pipeline that promotes updates from development to staging to production:

  1. Create a step from development to staging:

    avn upgrade-pipeline step create \
      --organization-id ORGANIZATION_ID \
      --source-project dev-project \
      --destination-project staging-project \
      --auto-validation-delay-days 3 \
      pg-dev pg-staging

  2. Create a step from staging to production:

    avn upgrade-pipeline step create \
      --organization-id ORGANIZATION_ID \
      --source-project staging-project \
      --destination-project prod-project \
      --auto-validation-delay-days 7 \
      pg-staging pg-prod

When a maintenance update arrives:

  1. The development service receives the update.
  2. After testing, validate the development version or wait 3 days for auto-validation.
  3. The staging service receives the update.
  4. After testing, validate the staging version or wait 7 days for auto-validation.
  5. The production service receives the update.

Related pages