THE CLOUD CONNECTIVITY COMPANY 1 © Kong Inc. THE CLOUD CONNECTIVITY COMPANY Kong Academyを日本語でお届け！#3 KGLL-106 - Reduce the Risk of new software versions with Canary deployments 施文翰(Wenhan Shi) – Solutions Engineer June 2022

THE CLOUD CONNECTIVITY COMPANY 2 © Kong Inc. 2 Who am I 施 文翰(シ ブンカン) Wenhan Shi • 日立製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan wenhan.shi@konghq.com

THE CLOUD CONNECTIVITY COMPANY 3 © Kong Inc. 3 本セッションについて このセッションはKong Academy KGLL-106 Learning Lab: Reduce the Risk of new software versions with Canary deployments をベースに日本語でお届けします - https://education.konghq.com/ - 全てレベル100、無償でオンライン受講可能（自習形式） - レベル200以上は有償で提供（サブスクリプション） - 講師によるトレーニングを実施 - Kong認定証を授与

THE CLOUD CONNECTIVITY COMPANY 4 © Kong Inc. ● Canary deployment intro ● Config Canary deployment ○ Set a Period ○ Set a Percentage ○ Define whitelist or blacklist ● Demo Agenda

THE CLOUD CONNECTIVITY COMPANY 5 © Kong Inc. 5 Canary deployment intro

THE CLOUD CONNECTIVITY COMPANY 6 © Kong Inc. 6 • When a new version of an application is deployed, the previous version of the application is run in parallel and only some users access the new version. • Also called as canary release and canary test What is Canary deployment https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/ External Endpoint New version Old version 5% to 10% of the total request Rest of the request

THE CLOUD CONNECTIVITY COMPANY 7 © Kong Inc. 7 • Only a small percentage, 5% or 10% of requests will be distributed to the new version • Reduce the risk of upgrade to a new version. • Increase the percentage while confirming that no problem occurs. Why Canary deployment https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/ Users accessing the new version likened to a "canary" that detects poisonous gas in a coal mine.

THE CLOUD CONNECTIVITY COMPANY 8 © Kong Inc. 8 • Easy config • Quick rollback • Decoupling from the infrastructure • Multiple platform support Why use Kong gateway for Canary deployment

THE CLOUD CONNECTIVITY COMPANY 9 © Kong Inc. 9 Config Canary Release plugin

THE CLOUD CONNECTIVITY COMPANY 10 © Kong Inc. 10 Using Canary deployment in Kong - 1 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2

THE CLOUD CONNECTIVITY COMPANY 11 © Kong Inc. 11 Using Canary deployment in Kong - 2 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2

THE CLOUD CONNECTIVITY COMPANY 12 © Kong Inc. 12 Using Canary deployment in Kong - 3 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2 a Period(in linear time) a Fixed Percentage Whitelist/Blacklist Group

THE CLOUD CONNECTIVITY COMPANY 13 © Kong Inc. 13 Using Canary deployment in Kong - 4 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2

THE CLOUD CONNECTIVITY COMPANY 14 © Kong Inc. 14 Using Canary deployment in Kong - 5 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2

THE CLOUD CONNECTIVITY COMPANY 15 © Kong Inc. 15 Config Canary release plugin a Period(in linear time) ● config.start: Future time in seconds since epoch, when the release will start. This value must be in the future. ● config.duration: The duration of the transition in seconds. ● Ignored when the percentage is set or when using whitelist or blacklist

THE CLOUD CONNECTIVITY COMPANY 16 © Kong Inc. 16 Config Canary release plugin a Fixed Percentage ● config.percentage: Fixed % of traffic to be routed to new target, if given, it overrides start and duration

THE CLOUD CONNECTIVITY COMPANY 17 © Kong Inc. 17 Config Canary release plugin Whitelist/Blacklist Group ● config.groups: An array (of strings) with the group names that are white/blacklisted. When setting this parameter, make sure that you set config.hash to either whitelist (the listed groups go into the canary) or blacklist (the listed groups will NOT go into the canary.) blacklist whitelist

THE CLOUD CONNECTIVITY COMPANY 18 © Kong Inc. 18 Demo

THE CLOUD CONNECTIVITY COMPANY 19 © Kong Inc. 19 Demo environment http://localhost:8000 Route Service API Client (Consumer) http://httpbin.org/xml v1 http://httpbin.org/json v2

THE CLOUD CONNECTIVITY COMPANY 20 © Kong Inc. 20 • Add a Service • Add a Route Setup Up Kong & expose a service & route http POST localhost:8001/services \ name=canary-api-service \ url=http://httpbin.org/xml http -f POST localhost:8001/services/canary-api-service/routes \ name=canary-api-route \ paths=/api/canary

THE CLOUD CONNECTIVITY COMPANY 21 © Kong Inc. 21 • Verify Setup Up Kong & expose a service & route ❯ http GET localhost:8000/api/canary HTTP/1.1 200 OK … Wake up to WonderWidgets! …

THE CLOUD CONNECTIVITY COMPANY 22 © Kong Inc. 22 • Set a Period • The canary release will be started in 10s, and will continue for 60s. • The canary release will be routed to httpbin.org:80/json Demo - 1 - Set a Period (in linear time) $ current_time=`expr $(date "+%s") + 10` && http -f POST http://localhost:8001/routes/canary-api-route/plugins \ name=canary \ config.start=$current_time \ config.duration=60 \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json \ config.hash=none

THE CLOUD CONNECTIVITY COMPANY 23 © Kong Inc. 23 • Verify Demo - 1 - Set a Period (in linear time) for num in {1..120}; do echo "Calling API #$num" http -h http://localhost:8000/api/canary sleep 0.5 done | tee demo.data

THE CLOUD CONNECTIVITY COMPANY 24 © Kong Inc. 24 • Set a Percentage • The canary release have a 50-50 chance of routing to httpbin.org:80/json Demo - 2 - Set a Fixed Percentage http -f POST http://localhost:8001/routes/canary-api-route/plugins \ name=canary \ config.percentage=50 \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json \ config.hash=none

THE CLOUD CONNECTIVITY COMPANY 25 © Kong Inc. 25 • Verify • Change the percentage Demo - 2 - Set a Fixed Percentage for num in {1..10}; do echo "Calling API #$num" http http://localhost:8000/api/canary sleep 0.5 done $ plugin_id=$(http -f http://localhost:8001/routes/canary-api-route/plugins | jq -r '.data[].id') $ http -f PUT http://localhost:8001/routes/canary-api-route/plugins/$plugin_id \ name=canary \ config.percentage=90 \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json \ config.hash=none

THE CLOUD CONNECTIVITY COMPANY 26 © Kong Inc. 26 Demo - 3 - Whitelist/Blacklist http://wenhan.io Route (/echo) Service API Client (Consumer) httpbin v1 httpbin v2 Key Authentication - Determine Consumer via API Key Access Control Lists (ACL) - Restrict access via Control List

THE CLOUD CONNECTIVITY COMPANY 27 © Kong Inc. 27 • Create Consumer, API Keys and ACL Group Demo - 3 - Whitelist/Blacklist # Set up API Key Authentication policy on Canary route. # This is used to identify our consumers. http http://localhost:8001/routes/canary-api-route/plugins name=key-auth # Create Consumers, API Keys and add them to ACL groups http http://localhost:8001/consumers username=vip-consumer http http://localhost:8001/consumers/vip-consumer/key-auth key=vip-api http http://localhost:8001/consumers/vip-consumer/acls group=vip-acl http http://localhost:8001/consumers username=general-consumer http http://localhost:8001/consumers/general-consumer/key-auth key=general-api http http://localhost:8001/consumers/general-consumer/acls group=general-acl

THE CLOUD CONNECTIVITY COMPANY 28 © Kong Inc. 28 • Add Canary Policy Demo - 3 - Whitelist/Blacklist http -f POST http://localhost:8001/routes/canary-api-route/plugins \ name=canary \ config.hash=whitelist \ config.groups=vip-acl \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json

THE CLOUD CONNECTIVITY COMPANY 29 © Kong Inc. 29 Demo - 3 - Whitelist/Blacklist http://wenhan.io Route Service Consumer (general) httpbin v1 httpbin v2 Consumer (VIP)

THE CLOUD CONNECTIVITY COMPANY 30 © Kong Inc. 30 • Verify Demo - 3 - Whitelist/Blacklist $ http http://localhost:8000/api/canary \ apiKey:vip-api HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 429 Content-Type: application/json … { "slideshow": { "author": "Yours Truly", "date": "date of publication", "slides": [ { … $ http http://localhost:8000/api/canary \ apiKey:general-api HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 522 Content-Type: application/xml …

THE CLOUD CONNECTIVITY COMPANY 31 © Kong Inc. 31 • Update the service to the new version • Remove all plugins assigned to the canary route • Now the requests are always redirected to the new version Demo - 4 - Finalize the Canary release http -f PUT :8001/services/canary-api-service url=http://httpbin.org/json http :8001/routes/canary-api-route/plugins | jq -r -c '.data[].id' | while read id; do http --ignore-stdin DELETE http://localhost:8001/plugins/$id done http http://localhost:8000/api/canary

THE CLOUD CONNECTIVITY COMPANY 32 © Kong Inc. 32 Thank you