Slide 1

Slide 1 text

THE CLOUD CONNECTIVITY COMPANY © Kong Inc.
Kong Academy in Japanese! #3
KGLL-106 - Reduce the Risk of new software versions with Canary deployments
施文翰 (Wenhan Shi) – Solutions Engineer
June 2022

Slide 2

Slide 2 text

Who am I
施 文翰 (Shi Bunkan) Wenhan Shi
• Hitachi, Ltd. - Linux kernel module development/Support
• Red Hat K.K. - GlusterFS/OpenShift Support
• Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
• Rancher Lab/SUSE - Rancher Support
• Kong Inc. - Solutions Engineer
@shi_wenhan [email protected]

Slide 3

Slide 3 text

About this session
This session is delivered in Japanese and is based on Kong Academy KGLL-106 Learning Lab: Reduce the Risk of new software versions with Canary deployments
- https://education.konghq.com/
- All level-100 courses are free and can be taken online (self-study format)
- Level 200 and above are paid (subscription)
- Instructor-led training is provided
- Kong certification is awarded

Slide 4

Slide 4 text

Agenda
● Canary deployment intro
● Config Canary deployment
  ○ Set a Period
  ○ Set a Percentage
  ○ Define whitelist or blacklist
● Demo

Slide 5

Slide 5 text

Canary deployment intro

Slide 6

Slide 6 text

What is Canary deployment
• When a new version of an application is deployed, the previous version keeps running in parallel and only some users access the new version.
• Also called canary release or canary test.
[Diagram labels: External Endpoint; New version: 5% to 10% of the total requests; Old version: rest of the requests]
https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/

Slide 7

Slide 7 text

Why Canary deployment
• Only a small percentage (5% or 10%) of requests is distributed to the new version.
• Reduces the risk of upgrading to a new version.
• Increase the percentage while confirming that no problems occur.
Users accessing the new version are likened to a "canary" that detects poisonous gas in a coal mine.
https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/

Slide 8

Slide 8 text

Why use Kong gateway for Canary deployment
• Easy config
• Quick rollback
• Decoupling from the infrastructure
• Multiple platform support

Slide 9

Slide 9 text

Config Canary Release plugin

Slide 10

Slide 10 text

Using Canary deployment in Kong - 1
[Diagram labels: API Client (Consumer); http://wenhan.io/echo; http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]

Slide 11

Slide 11 text

Using Canary deployment in Kong - 2
[Diagram labels: API Client (Consumer); http://wenhan.io/echo; http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]

Slide 12

Slide 12 text

Using Canary deployment in Kong - 3
[Diagram labels: API Client (Consumer); http://wenhan.io/echo; http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]
Canary options shown on the diagram:
• a Period (in linear time)
• a Fixed Percentage
• Whitelist/Blacklist Group

Slide 13

Slide 13 text

Using Canary deployment in Kong - 4
[Diagram labels: API Client (Consumer); http://wenhan.io/echo; http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]

Slide 14

Slide 14 text

Using Canary deployment in Kong - 5
[Diagram labels: API Client (Consumer); http://wenhan.io/echo; http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]

Slide 15

Slide 15 text

Config Canary release plugin: a Period (in linear time)
● config.start: Future time in seconds since epoch, when the release will start. This value must be in the future.
● config.duration: The duration of the transition in seconds.
● Ignored when the percentage is set or when using whitelist or blacklist

Slide 16

Slide 16 text

Config Canary release plugin: a Fixed Percentage
● config.percentage: Fixed % of traffic to be routed to the new target. If given, it overrides start and duration.

Slide 17

Slide 17 text

Config Canary release plugin: Whitelist/Blacklist Group
● config.groups: An array (of strings) with the group names that are white/blacklisted. When setting this parameter, make sure that you set config.hash to either whitelist (the listed groups go into the canary) or blacklist (the listed groups will NOT go into the canary).
[Diagram labels: blacklist; whitelist]

Slide 18

Slide 18 text

Demo

Slide 19

Slide 19 text

Demo environment
[Diagram labels: API Client (Consumer); http://localhost:8000; Route; Service; v1: http://httpbin.org/xml; v2: http://httpbin.org/json]

Slide 20

Slide 20 text

Set Up Kong & expose a service & route
• Add a Service

    http POST localhost:8001/services \
      name=canary-api-service \
      url=http://httpbin.org/xml

• Add a Route

    http -f POST localhost:8001/services/canary-api-service/routes \
      name=canary-api-route \
      paths=/api/canary

Slide 21

Slide 21 text

Set Up Kong & expose a service & route
• Verify

    ❯ http GET localhost:8000/api/canary
    HTTP/1.1 200 OK
    …
    Wake up to WonderWidgets!
    …

Slide 22

Slide 22 text

Demo - 1 - Set a Period (in linear time)
• Set a Period
• The canary release will start in 10s and will continue for 60s.
• Canary traffic will be routed to httpbin.org:80/json

    # config.start = now + 10 seconds (seconds since epoch)
    $ current_time=$(( $(date "+%s") + 10 )) && \
      http -f POST http://localhost:8001/routes/canary-api-route/plugins \
        name=canary \
        config.start=$current_time \
        config.duration=60 \
        config.upstream_host=httpbin.org \
        config.upstream_port=80 \
        config.upstream_uri=/json \
        config.hash=none

Slide 23

Slide 23 text

Demo - 1 - Set a Period (in linear time)
• Verify

    for num in {1..120}; do
      echo "Calling API #$num"
      http -h http://localhost:8000/api/canary
      sleep 0.5
    done | tee demo.data
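An added example, not part of the original slides: a shell function that summarises the demo.data file written by the verify loop above, so the rising canary share (and any non-200 responses) can be read per bucket of calls. It assumes v1 answers application/xml and v2 answers application/json, as in the demo environment; canary_share, sample_demo_data and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Reads the output of the verify loop:
# "Calling API #N" followed by the response headers printed by `http -h`.
# Assumption: a response with Content-Type application/json came from the
# canary (v2, /json); anything else came from the old version (v1, /xml).

# usage: canary_share BUCKET_SIZE [FILE]   (FILE defaults to stdin)
canary_share() {
  awk -v bucket="${1:-20}" '
    function flush() {
      if (n == 0) return
      printf "calls %d-%d: canary %d/%d (%d%%), non-200 %d\n",
             first, last, canary, n, int(100 * canary / n), bad
      n = canary = bad = 0
    }
    /^Calling API #/ {
      if (n == bucket) flush()          # bucket full: report and reset
      sub(/^Calling API #/, "")
      call = $0 + 0
      if (n == 0) first = call
      last = call
      n++
      next
    }
    /^HTTP\// { if ($2 != 200) bad++; next }   # status line of the response
    tolower($0) ~ /^content-type:[ \t]*application\/json/ { canary++ }
    END { flush() }
  ' "${2:--}"
}

# Constructed sample input: 8 calls with the JSON (canary) share rising.
sample_demo_data() {
  i=0
  for t in xml xml json xml json json xml json; do
    i=$((i + 1))
    printf 'Calling API #%d\nHTTP/1.1 200 OK\nContent-Type: application/%s\n\n' "$i" "$t"
  done
}

sample_demo_data | canary_share 4
```

Against the real demo, run `canary_share 20 demo.data`; during the 60-second period the canary percentage should climb from bucket to bucket, and a non-zero non-200 count is the signal to stop the rollout.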

Slide 24

Slide 24 text

Demo - 2 - Set a Fixed Percentage
• Set a Percentage
• Each request has a 50-50 chance of being routed to httpbin.org:80/json

    http -f POST http://localhost:8001/routes/canary-api-route/plugins \
      name=canary \
      config.percentage=50 \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json \
      config.hash=none

Slide 25

Slide 25 text

Demo - 2 - Set a Fixed Percentage
• Verify

    for num in {1..10}; do
      echo "Calling API #$num"
      http http://localhost:8000/api/canary
      sleep 0.5
    done

• Change the percentage

    # Look up the id of the canary plugin on the route (selected by name,
    # so other plugins on the same route are not picked up)
    $ plugin_id=$(http -f http://localhost:8001/routes/canary-api-route/plugins | jq -r '.data[] | select(.name == "canary") | .id')
    $ http -f PUT http://localhost:8001/routes/canary-api-route/plugins/$plugin_id \
        name=canary \
        config.percentage=90 \
        config.upstream_host=httpbin.org \
        config.upstream_port=80 \
        config.upstream_uri=/json \
        config.hash=none

Slide 26

Slide 26 text

Demo - 3 - Whitelist/Blacklist
[Diagram labels: API Client (Consumer); http://wenhan.io; Route (/echo); Service; httpbin v1; httpbin v2]
• Key Authentication - Determine Consumer via API Key
• Access Control Lists (ACL) - Restrict access via Control List

Slide 27

Slide 27 text

Demo - 3 - Whitelist/Blacklist
• Create Consumer, API Keys and ACL Group

    # Set up API Key Authentication policy on Canary route.
    # This is used to identify our consumers.
    http http://localhost:8001/routes/canary-api-route/plugins name=key-auth

    # Create Consumers, API Keys and add them to ACL groups
    http http://localhost:8001/consumers username=vip-consumer
    http http://localhost:8001/consumers/vip-consumer/key-auth key=vip-api
    http http://localhost:8001/consumers/vip-consumer/acls group=vip-acl

    http http://localhost:8001/consumers username=general-consumer
    http http://localhost:8001/consumers/general-consumer/key-auth key=general-api
    http http://localhost:8001/consumers/general-consumer/acls group=general-acl

Slide 28

Slide 28 text

Demo - 3 - Whitelist/Blacklist
• Add Canary Policy

    http -f POST http://localhost:8001/routes/canary-api-route/plugins \
      name=canary \
      config.hash=whitelist \
      config.groups=vip-acl \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json

Slide 29

Slide 29 text

Demo - 3 - Whitelist/Blacklist
[Diagram labels: Consumer (general); Consumer (VIP); http://wenhan.io; Route; Service; httpbin v1; httpbin v2]

Slide 30

Slide 30 text

Demo - 3 - Whitelist/Blacklist
• Verify

    $ http http://localhost:8000/api/canary \
        apiKey:vip-api
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Connection: keep-alive
    Content-Length: 429
    Content-Type: application/json
    …
    {
      "slideshow": {
        "author": "Yours Truly",
        "date": "date of publication",
        "slides": [
          {
    …

    $ http http://localhost:8000/api/canary \
        apiKey:general-api
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Connection: keep-alive
    Content-Length: 522
    Content-Type: application/xml
    …

Slide 31

Slide 31 text

Demo - 4 - Finalize the Canary release
• Update the service to the new version
• Remove all plugins assigned to the canary route
• Now the requests are always routed to the new version

    # Point the service at the new version
    http -f PUT :8001/services/canary-api-service url=http://httpbin.org/json
    # Delete every plugin on the canary route (this includes the key-auth
    # plugin from Demo 3, so the route no longer requires an API key)
    http :8001/routes/canary-api-route/plugins | jq -r -c '.data[].id' | while read -r id; do
      http --ignore-stdin DELETE "http://localhost:8001/plugins/$id"
    done
    http http://localhost:8000/api/canary

Slide 32

Slide 32 text

Thank you