Canary Rollout

Make sure you have already enabled the addon, our canary rollout capability relies on the rollouts from OpenKruise.
Please make sure one of the is available in your Kubernetes cluster. You can also enable the ingress-nginx or addon if you don’t have any:
Please refer to the addon doc to get the access address of gateway.
Some of the commands such as rollback relies on vela-cli >=1.5.0-alpha.1, please upgrade the command line for convenience. You don’t need to upgrade the controller.

Limitation

Kubernetes resources can be anything, this canary rollout works for the scenarios within the following limits:

The Kubernetes resources contain a service pointing to the workload along with an ingress routing to the service.
Workloads supported including Kubernetes Deployment, StatefulSet, and OpenKruise Cloneset. That means the workload specified must be one of these three types.

When you want to use the canary rollout, you need to add the kruise-rollout trait at the first time, this configuration will take effect at next release process. Deploy the application with traits like below:

cat <<EOF | vela up -f -
apiVersion: core.oam.dev/v1beta1
kind: Application
metadata:
  name: canary-demo
  namespace: default
  annotations:
    app.oam.dev/publishVersion: v1
spec:
  components:
    - name: canary-demo
      properties:
        objects:
          - apiVersion: apps/v1
            kind: Deployment
            metadata:
              name: canary-demo
            spec:
              replicas: 5
              selector:
                matchLabels:
                  app: demo
              template:
                metadata:
                  labels:
                    app: demo
                spec:
                  containers:
                    - image: barnett/canarydemo:v1
                      name: demo
                      ports:
                        - containerPort: 8090
          - apiVersion: v1
            kind: Service
              labels:
                app: demo
              name: canary-demo
              namespace: default
            spec:
              ports:
                - name: http
                  port: 8090
                  protocol: TCP
                  targetPort: 8090
              selector:
                app: demo
          - apiVersion: networking.k8s.io/v1
            kind: Ingress
              labels:
                app: demo
              name: canary-demo
              namespace: default
            spec:
              ingressClassName: nginx
              rules:
                - host: canary-demo.com
                  http:
                    paths:
                      - backend:
                          service:
                            name: canary-demo
                            port:
                              number: 8090
                        path: /version
                        pathType: ImplementationSpecific
      type: k8s-objects
      traits:
        - type: kruise-rollout
          properties:
            canary:
              steps:
                # The first batch of Canary releases 20% Pods, and 20% traffic imported to the new version, require manual confirmation before subsequent releases are completed
                - weight: 20
                # The second batch of Canary releases 90% Pods, and 90% traffic imported to the new version.
                - weight: 90
              trafficRoutings:
                - type: nginx
EOF

Here’s an overview about what will happen when upgrade under this kruise-rollout trait configuration, the whole process will be divided into 3 steps:

When the upgrade start, a new canary deployment will be created with 20% of the total replicas. In our example, we have 5 total replicas, it will keep all the old ones and create 5 * 20% = 1 for the new canary, and serve for 20% of the traffic. It will wait for a manual approval when everything gets ready.
- By default, the percent of replicas are aligned with the traffic, you can also configure the replicas individually according to this doc.
After the manual approval, the second batch starts. It will create 5 * 90% = 4.5 which is actually 5 replicas of new version in the system with the 90% traffic. As a result, the system will totally have 10 replicas now. It will wait for a second manual approval.

Let’s continue our demo, the first deployment has no difference with a normal deploy, you can check the status of application to make sure it’s running for our next step.

vela status canary-demo

Access the gateway endpoint with the specific host.

$ curl -H "Host: canary-demo.com" <ingress-controller-address>/version
Demo: V1

Modify the image tag from v1 to v2 as follows:

It will create a canary deployment and wait for manual approval, check the status of the application:

$ vela status canary-demo
About:
  Name:         canary-demo                  
  Namespace:    default                      
  Created at:   2022-06-09 16:43:10 +0800 CST
  Status:       runningWorkflow              
  mode: DAG
  finished: false
  Suspend: false
  Terminated: false
  Steps
  - id:8adxa11wku
    name:canary-demo
    type:apply-component
    phase:running 
    message:wait healthy
Services:
  - Name: canary-demo  
    Cluster: local  Namespace: default
    Type: webservice
    Unhealthy Ready:5/5
    Traits:
      ✅ scaler      ✅ gateway: No loadBalancer found, visiting by using 'vela port-forward canary-demo'
      ❌ kruise-rollout: Rollout is in step(1/1), and you need manually confirm to enter the next step

The application’s status is runningWorkflow that means the application’s rollout process has not finished yet.

View topology graph again, you will see kruise-rollout trait created a v2 pod, and this pod will serve the canary traffic. Meanwhile, the pods of v1 are still running and server non-canary traffic.

Access the gateway endpoint again. You will find out there is about 20% chance to meet Demo: v2 result.

$ curl -H "Host: canary-demo.com" <ingress-controller-address>/version
Demo: V2

Continue Canary Process

vela workflow resume canary-demo

Access the gateway endpoint again multi times. You will find out the chance to meet result Demo: v2 is highly increased, almost 90%.

$ curl -H "Host: canary-demo.com" <ingress-controller-address>/version
Demo: V2

In the end, you can resume again to finish the rollout process.

Access the gateway endpoint again multi times. You will find out the result always is Demo: v2.

$ curl -H "Host: canary-demo.com" <ingress-controller-address>/version
Demo: V2

Canary verification failed, rollback the release

If you want to cancel the rollout process and rollback the application to the latest version, after manually check. You can rollback the rollout workflow:

You should suspend the workflow before rollback:

$ vela workflow suspend canary-demo
Rollout default/canary-demo in cluster  suspended.
Successfully suspend workflow: canary-demo

Then rollback:

$ vela workflow rollback canary-demo
Application spec rollback successfully.
Application status rollback successfully.
Rollout default/canary-demo in cluster  rollback.
Successfully rollback rolloutApplication outdated revision cleaned up.

Access the gateway endpoint again. You can see the result always is Demo: V1.

Demo: V1

Any rollback operation in middle of a runningWorkflow will rollback to the latest succeeded revision of this application. So, if you deploy a successful v1 and upgrade to v2, but this version didn’t succeed while you continue to upgrade to v3. The rollback of v3 will automatically to v1, because release v2 is not a succeeded one.