
Kong Academy delivered in Japanese! #3

KGLL-106 - Reduce the Risk of new software versions with Canary deployments

Wenhan Shi

June 16, 2022

Transcript

  1. THE CLOUD CONNECTIVITY COMPANY, © Kong Inc.

    Kong Academy delivered in Japanese! #3
    KGLL-106 - Reduce the Risk of new software versions with Canary deployments
    施文翰 (Wenhan Shi) – Solutions Engineer
    June 2022
  2. Who am I

    施 文翰 (シ ブンカン) Wenhan Shi
    • Hitachi, Ltd. - Linux kernel module development/Support
    • Red Hat K.K. - GlusterFS/OpenShift Support
    • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support
    • Rancher Labs/SUSE - Rancher Support
    • Kong Inc. - Solutions Engineer
    @shi_wenhan
  3. About this session

    This session is delivered in Japanese and is based on the Kong Academy KGLL-106 Learning Lab: Reduce the Risk of new software versions with Canary deployments.
    - https://education.konghq.com/
    - All level 100 courses: free, available online (self-paced)
    - Level 200 and above: paid (subscription)
    - Instructor-led training
    - Kong certification awarded
  4. Agenda

    • Canary deployment intro
    • Config Canary deployment
      ◦ Set a Period
      ◦ Set a Percentage
      ◦ Define whitelist or blacklist
    • Demo
  5. What is Canary deployment

    • When a new version of an application is deployed, the previous version keeps running in parallel and only some users access the new version.
    • Also called canary release or canary test.

    [Diagram: External Endpoint; New version receives 5% to 10% of the total requests; Old version receives the rest of the requests]
    Image: https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/
  6. Why Canary deployment

    • Only a small percentage of requests, 5% or 10%, is distributed to the new version.
    • Reduces the risk of upgrading to a new version.
    • Increase the percentage while confirming that no problem occurs.

    Users accessing the new version are likened to a "canary" that detects poisonous gas in a coal mine.
    Image: https://magazine.cim.org/en/in-search/who-brought-the-canary-into-the-coal-mine-en/
  7. Why use Kong gateway for Canary deployment

    • Easy config
    • Quick rollback
    • Decoupling from the infrastructure
    • Multiple platform support
  8. Using Canary deployment in Kong - 1

    [Diagram: API Client (Consumer), http://wenhan.io/echo, http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
  9. Using Canary deployment in Kong - 2

    [Diagram: API Client (Consumer), http://wenhan.io/echo, http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
  10. Using Canary deployment in Kong - 3

    [Diagram: API Client (Consumer), http://wenhan.io/echo, http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
    Traffic can be split by: a Period (in linear time), a Fixed Percentage, or a Whitelist/Blacklist Group
  11. Using Canary deployment in Kong - 4

    [Diagram: API Client (Consumer), http://wenhan.io/echo, http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
  12. Using Canary deployment in Kong - 5

    [Diagram: API Client (Consumer), http://wenhan.io/echo, http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
  13. Config Canary release plugin: a Period (in linear time)

    • config.start: Future time in seconds since epoch, when the release will start. This value must be in the future.
    • config.duration: The duration of the transition in seconds.
    • Ignored when the percentage is set or when using whitelist or blacklist.
  14. Config Canary release plugin: a Fixed Percentage

    • config.percentage: Fixed % of traffic to be routed to the new target. If given, it overrides start and duration.
  15. Config Canary release plugin: Whitelist/Blacklist Group

    • config.groups: An array (of strings) with the group names that are white/blacklisted. When setting this parameter, make sure that you set config.hash to either whitelist (the listed groups go into the canary) or blacklist (the listed groups will NOT go into the canary).

    [Diagram labels: blacklist, whitelist]
  16. Demo environment

    [Diagram: API Client (Consumer), http://localhost:8000, Route, Service, v1 = http://httpbin.org/xml, v2 = http://httpbin.org/json]
  17. Set Up Kong & expose a service & route

    • Add a Service
    • Add a Route

    ```sh
    # Service pointing at the current version (v1)
    http POST localhost:8001/services \
      name=canary-api-service \
      url=http://httpbin.org/xml

    # Route that exposes the service at /api/canary
    http -f POST localhost:8001/services/canary-api-service/routes \
      name=canary-api-route \
      paths=/api/canary
    ```
  18. Set Up Kong & expose a service & route

    • Verify

    ```
    ❯ http GET localhost:8000/api/canary
    HTTP/1.1 200 OK
    …
    <?xml version='1.0' encoding='us-ascii'?>
    <!-- A SAMPLE set of slides -->
    <slideshow
        title="Sample Slide Show"
        date="Date of publication"
        author="Yours Truly"
        >
        <!-- TITLE SLIDE -->
        <slide type="all">
            <title>Wake up to WonderWidgets!</title>
        </slide>
    …
    ```
  19. Demo - 1 - Set a Period (in linear time)

    • Set a Period
    • The canary release starts in 10s and continues for 60s.
    • Canary traffic is routed to httpbin.org:80/json.

    ```sh
    # config.start must be in the future: now + 10 seconds
    current_time=$(( $(date "+%s") + 10 )) && \
    http -f POST http://localhost:8001/routes/canary-api-route/plugins \
      name=canary \
      config.start=$current_time \
      config.duration=60 \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json \
      config.hash=none
    ```
  20. Demo - 1 - Set a Period (in linear time)

    • Verify

    ```sh
    # 120 calls, 0.5s apart; response headers are saved to demo.data
    for num in {1..120}; do
      echo "Calling API #$num"
      http -h http://localhost:8000/api/canary
      sleep 0.5
    done | tee demo.data
    ```
  21. Demo - 2 - Set a Fixed Percentage

    • Set a Percentage
    • The canary release has a 50-50 chance of routing to httpbin.org:80/json.

    ```sh
    http -f POST http://localhost:8001/routes/canary-api-route/plugins \
      name=canary \
      config.percentage=50 \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json \
      config.hash=none
    ```
  22. Demo - 2 - Set a Fixed Percentage

    • Verify

    ```sh
    for num in {1..10}; do
      echo "Calling API #$num"
      http http://localhost:8000/api/canary
      sleep 0.5
    done
    ```

    • Change the percentage

    ```sh
    # Look up the plugin id on the route, then update it in place
    plugin_id=$(http -f http://localhost:8001/routes/canary-api-route/plugins | jq -r '.data[].id')
    http -f PUT http://localhost:8001/routes/canary-api-route/plugins/$plugin_id \
      name=canary \
      config.percentage=90 \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json \
      config.hash=none
    ```
  23. Demo - 3 - Whitelist/Blacklist

    [Diagram: API Client (Consumer), http://wenhan.io, Route (/echo), Service, httpbin v1, httpbin v2]
    • Key Authentication - Determine Consumer via API Key
    • Access Control Lists (ACL) - Restrict access via Control List
  24. Demo - 3 - Whitelist/Blacklist

    • Create Consumer, API Keys and ACL Group

    ```sh
    # Set up API Key Authentication policy on Canary route.
    # This is used to identify our consumers.
    http http://localhost:8001/routes/canary-api-route/plugins name=key-auth

    # Create Consumers, API Keys and add them to ACL groups
    http http://localhost:8001/consumers username=vip-consumer
    http http://localhost:8001/consumers/vip-consumer/key-auth key=vip-api
    http http://localhost:8001/consumers/vip-consumer/acls group=vip-acl

    http http://localhost:8001/consumers username=general-consumer
    http http://localhost:8001/consumers/general-consumer/key-auth key=general-api
    http http://localhost:8001/consumers/general-consumer/acls group=general-acl
    ```
  25. Demo - 3 - Whitelist/Blacklist

    • Add Canary Policy

    ```sh
    # Only consumers in the vip-acl group are sent to the canary
    http -f POST http://localhost:8001/routes/canary-api-route/plugins \
      name=canary \
      config.hash=whitelist \
      config.groups=vip-acl \
      config.upstream_host=httpbin.org \
      config.upstream_port=80 \
      config.upstream_uri=/json
    ```
  26. Demo - 3 - Whitelist/Blacklist

    [Diagram: Consumer (general), Consumer (VIP), http://wenhan.io, Route, Service, httpbin v1, httpbin v2]
  27. Demo - 3 - Whitelist/Blacklist

    • Verify

    ```
    $ http http://localhost:8000/api/canary \
        apiKey:vip-api
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Connection: keep-alive
    Content-Length: 429
    Content-Type: application/json
    …
    {
        "slideshow": {
            "author": "Yours Truly",
            "date": "date of publication",
            "slides": [
                {
    …
    ```

    ```
    $ http http://localhost:8000/api/canary \
        apiKey:general-api
    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Origin: *
    Connection: keep-alive
    Content-Length: 522
    Content-Type: application/xml
    …
    <?xml version='1.0' encoding='us-ascii'?>
    <!-- A SAMPLE set of slides -->
    <slideshow
        title="Sample Slide Show"
    …
    ```
  28. Demo - 4 - Finalize the Canary release

    • Update the service to the new version
    • Remove all plugins assigned to the canary route
    • Now the requests are always routed to the new version

    ```sh
    # Point the service at the new version (v2)
    http -f PUT :8001/services/canary-api-service url=http://httpbin.org/json

    # Delete every plugin on the route. This removes the canary plugin and
    # also the key-auth plugin added in Demo 3.
    http :8001/routes/canary-api-route/plugins | jq -r -c '.data[].id' | while read -r id; do
      http --ignore-stdin DELETE "http://localhost:8001/plugins/$id"
    done

    http http://localhost:8000/api/canary
    ```
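
To read the traffic shift out of the `demo.data` capture written by the Demo - 1 verify loop, the following added example (not part of the original deck) tallies responses per block of calls and counts failures separately. It assumes, as in the deck's demo environment, that v1 answers with XML and v2 with JSON; `canary_share` and `sample_capture` are hypothetical helper names, and the sample capture is constructed.

```shell
#!/bin/sh
# Added example, not from the deck. Assumption taken from the demo
# environment: v1 (stable) returns application/xml, v2 (canary) returns
# application/json, so Content-Type tells the two versions apart.

# canary_share BUCKET < capture
# Reads `http -h` output interleaved with "Calling API #N" markers and
# prints, per BUCKET calls, how many hit canary, stable, or failed.
canary_share() {
  awk -v bucket="${1:-20}" '
    function close_call() {
      if (!in_call) return
      if (status !~ /^2/) failed++        # no response or non-2xx status
      else if (ctype ~ /json/) canary++
      else if (ctype ~ /xml/) stable++
      else failed++                       # unexpected body type
      n++; in_call = 0
      if (n == bucket) emit()
    }
    function emit() {
      if (n == 0) return
      printf "calls %d-%d canary=%d stable=%d failed=%d canary_pct=%d\n",
             first, num, canary, stable, failed, int(canary * 100 / n)
      n = canary = stable = failed = 0
    }
    { sub(/\r$/, "") }                    # tolerate CRLF header lines
    /^Calling API #/ {
      close_call(); in_call = 1
      num = substr($3, 2) + 0
      if (n == 0) first = num
      status = ctype = ""
      next
    }
    /^HTTP\// { status = $2; next }
    tolower($1) == "content-type:" { ctype = tolower($2) }
    END { close_call(); emit() }
  '
}

# Constructed capture: six calls, the fifth one a failing canary response.
sample_capture() {
  printf 'Calling API #%s\nHTTP/1.1 %s\nContent-Type: %s\n\n' \
    1 '200 OK' application/xml   2 '200 OK' application/xml \
    3 '200 OK' application/json  4 '200 OK' application/json \
    5 '502 Bad Gateway' text/html  6 '200 OK' application/json
}

sample_capture | canary_share 3
```

Against a real capture, run `canary_share 20 < demo.data`; a rising `failed` count while `canary_pct` climbs is the signal to roll the canary back.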