CONNECTIVITY COMPANY Kong Academyを日本語でお届け!#3 KGLL-106 - Reduce the Risk of new software versions with Canary deployments 施文翰(Wenhan Shi) – Solutions Engineer June 2022
am I 施 文翰(シ ブンカン) Wenhan Shi • 日立製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan [email protected]
When a new version of an application is deployed, the previous version of the application is run in parallel and only some users access the new version. • Also called as canary release and canary test What is Canary deployment https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/ External Endpoint New version Old version 5% to 10% of the total request Rest of the request
Only a small percentage, 5% or 10% of requests will be distributed to the new version • Reduce the risk of upgrade to a new version. • Increase the percentage while confirming that no problem occurs. Why Canary deployment https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/ Users accessing the new version likened to a "canary" that detects poisonous gas in a coal mine.
Canary deployment in Kong - 3 http://wenhan.io Route (/echo) Service API Client (Consumer) http://wenhan.io/echo httpbin v1 httpbin v2 a Period(in linear time) a Fixed Percentage Whitelist/Blacklist Group
Canary release plugin a Period(in linear time) • config.start: Future time in seconds since epoch, when the release will start. This value must be in the future. • config.duration: The duration of the transition in seconds. • Ignored when the percentage is set or when using whitelist or blacklist
Canary release plugin Whitelist/Blacklist Group • config.groups: An array (of strings) with the group names that are white/blacklisted. When setting this parameter, make sure that you set config.hash to either whitelist (the listed groups go into the canary) or blacklist (the listed groups will NOT go into the canary.) blacklist whitelist
Add a Service • Add a Route Setup Up Kong & expose a service & route http POST localhost:8001/services \ name=canary-api-service \ url=http://httpbin.org/xml http -f POST localhost:8001/services/canary-api-service/routes \ name=canary-api-route \ paths=/api/canary
Verify Setup Up Kong & expose a service & route ❯ http GET localhost:8000/api/canary HTTP/1.1 200 OK … <?xml version='1.0' encoding='us-ascii'?> <!-- A SAMPLE set of slides --> <slideshow title="Sample Slide Show" date="Date of publication" author="Yours Truly" > <!-- TITLE SLIDE --> <slide type="all"> <title>Wake up to WonderWidgets!</title> </slide> …
Set a Period • The canary release will be started in 10s, and will continue for 60s. • The canary release will be routed to httpbin.org:80/json Demo - 1 - Set a Period (in linear time) $ current_time=`expr $(date "+%s") + 10` && http -f POST http://localhost:8001/routes/canary-api-route/plugins \ name=canary \ config.start=$current_time \ config.duration=60 \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json \ config.hash=none
Verify Demo - 1 - Set a Period (in linear time) for num in {1..120}; do echo "Calling API #$num" http -h http://localhost:8000/api/canary sleep 0.5 done | tee demo.data
Set a Percentage • The canary release have a 50-50 chance of routing to httpbin.org:80/json Demo - 2 - Set a Fixed Percentage http -f POST http://localhost:8001/routes/canary-api-route/plugins \ name=canary \ config.percentage=50 \ config.upstream_host=httpbin.org \ config.upstream_port=80 \ config.upstream_uri=/json \ config.hash=none
- 3 - Whitelist/Blacklist http://wenhan.io Route (/echo) Service API Client (Consumer) httpbin v1 httpbin v2 Key Authentication - Determine Consumer via API Key Access Control Lists (ACL) - Restrict access via Control List
Create Consumer, API Keys and ACL Group Demo - 3 - Whitelist/Blacklist # Set up API Key Authentication policy on Canary route. # This is used to identify our consumers. http http://localhost:8001/routes/canary-api-route/plugins name=key-auth # Create Consumers, API Keys and add them to ACL groups http http://localhost:8001/consumers username=vip-consumer http http://localhost:8001/consumers/vip-consumer/key-auth key=vip-api http http://localhost:8001/consumers/vip-consumer/acls group=vip-acl http http://localhost:8001/consumers username=general-consumer http http://localhost:8001/consumers/general-consumer/key-auth key=general-api http http://localhost:8001/consumers/general-consumer/acls group=general-acl
Update the service to the new version • Remove all plugins assigned to the canary route • Now the requests are always redirected to the new version Demo - 4 - Finalize the Canary release http -f PUT :8001/services/canary-api-service url=http://httpbin.org/json http :8001/routes/canary-api-route/plugins | jq -r -c '.data[].id' | while read id; do http --ignore-stdin DELETE http://localhost:8001/plugins/$id done http http://localhost:8000/api/canary
xibuka
coconala_engineer
yuhta28
pauli
__allllllllez__
lycorptech_jp
itkq
kenjikondobai
nagix
doradora09
chibiegg
kaz29
bryan
maltzj
philhawksworth
thekraken
thoeni
addyosmani
pedronauck
ddemaree
jmmastey
lara
lauravandoore
dougneiner
