Flagger
Search…
Contour Canary Deployments
This guide shows you how to use Contour ingress controller and Flagger to automate canary releases and A/B testing.
Flagger Contour Overview

Prerequisites

Flagger requires a Kubernetes cluster v1.16 or newer and Contour v1.0 or newer.
Install Contour on a cluster with LoadBalancer support:
1
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
Copied!
The above command will deploy Contour and an Envoy daemonset in the projectcontour namespace.
Install Flagger using Kustomize (kubectl 1.14) in the projectcontour namespace:
1
kubectl apply -k https://github.com/fluxcd/flagger//kustomize/contour?ref=main
Copied!
The above command will deploy Flagger and Prometheus configured to scrape the Contour's Envoy instances.
Or you can install Flagger using Helm v3:
1
helm repo add flagger https://flagger.app
2
3
helm upgrade -i flagger flagger/flagger \
4
--namespace projectcontour \
5
--set meshProvider=contour \
6
--set ingressClass=contour \
7
--set prometheus.install=true
Copied!
You can also enable Slack, Discord, Rocket or MS Teams notifications, see the alerting docs.

Bootstrap

Flagger takes a Kubernetes deployment and optionally a horizontal pod autoscaler (HPA), then creates a series of objects (Kubernetes deployments, ClusterIP services and Contour HTTPProxy). These objects expose the application in the cluster and drive the canary analysis and promotion.
Create a test namespace:
1
kubectl create ns test
Copied!
Install the load testing service to generate traffic during the canary analysis:
1
kubectl apply -k https://github.com/fluxcd/flagger//kustomize/tester?ref=main
Copied!
Create a deployment and a horizontal pod autoscaler:
1
kubectl apply -k https://github.com/fluxcd/flagger//kustomize/podinfo?ref=main
Copied!
Create a canary custom resource (replace app.example.com with your own domain):
1
apiVersion: flagger.app/v1beta1
2
kind: Canary
3
metadata:
4
name: podinfo
5
namespace: test
6
spec:
7
# deployment reference
8
targetRef:
9
apiVersion: apps/v1
10
kind: Deployment
11
name: podinfo
12
# HPA reference
13
autoscalerRef:
14
apiVersion: autoscaling/v2beta2
15
kind: HorizontalPodAutoscaler
16
name: podinfo
17
service:
18
# service port
19
port: 80
20
# container port
21
targetPort: 9898
22
# Contour request timeout
23
timeout: 15s
24
# Contour retry policy
25
retries:
26
attempts: 3
27
perTryTimeout: 5s
28
# define the canary analysis timing and KPIs
29
analysis:
30
# schedule interval (default 60s)
31
interval: 30s
32
# max number of failed metric checks before rollback
33
threshold: 5
34
# max traffic percentage routed to canary
35
# percentage (0-100)
36
maxWeight: 50
37
# canary increment step
38
# percentage (0-100)
39
stepWeight: 5
40
# Contour Prometheus checks
41
metrics:
42
- name: request-success-rate
43
# minimum req success rate (non 5xx responses)
44
# percentage (0-100)
45
thresholdRange:
46
min: 99
47
interval: 1m
48
- name: request-duration
49
# maximum req duration P99 in milliseconds
50
thresholdRange:
51
max: 500
52
interval: 30s
53
# testing
54
webhooks:
55
- name: acceptance-test
56
type: pre-rollout
57
url: http://flagger-loadtester.test/
58
timeout: 30s
59
metadata:
60
type: bash
61
cmd: "curl -sd 'test' http://podinfo-canary.test/token | grep token"
62
- name: load-test
63
url: http://flagger-loadtester.test/
64
type: rollout
65
timeout: 5s
66
metadata:
67
cmd: "hey -z 1m -q 10 -c 2 -host app.example.com http://envoy.projectcontour"
Copied!
Save the above resource as podinfo-canary.yaml and then apply it:
1
kubectl apply -f ./podinfo-canary.yaml
Copied!
The canary analysis will run for five minutes while validating the HTTP metrics and rollout hooks every half a minute.
After a couple of seconds Flagger will create the canary objects:
1
# applied
2
deployment.apps/podinfo
3
horizontalpodautoscaler.autoscaling/podinfo
4
canary.flagger.app/podinfo
5
6
# generated
7
deployment.apps/podinfo-primary
8
horizontalpodautoscaler.autoscaling/podinfo-primary
9
service/podinfo
10
service/podinfo-canary
11
service/podinfo-primary
12
httpproxy.projectcontour.io/podinfo
Copied!
After the boostrap, the podinfo deployment will be scaled to zero and the traffic to podinfo.test will be routed to the primary pods. During the canary analysis, the podinfo-canary.test address can be used to target directly the canary pods.

Expose the app outside the cluster

Find the external address of Contour's Envoy load balancer:
1
export ADDRESS="$(kubectl -n projectcontour get svc/envoy -ojson \
2
| jq -r ".status.loadBalancer.ingress[].hostname")"
3
echo $ADDRESS
Copied!
Configure your DNS server with a CNAME record (AWS) or A record (GKE/AKS/DOKS) and point a domain e.g. app.example.com to the LB address.
Create a HTTPProxy definition and include the podinfo proxy generated by Flagger (replace app.example.com with your own domain):
1
apiVersion: projectcontour.io/v1
2
kind: HTTPProxy
3
metadata:
4
name: podinfo-ingress
5
namespace: test
6
spec:
7
virtualhost:
8
fqdn: app.example.com
9
includes:
10
- name: podinfo
11
namespace: test
12
conditions:
13
- prefix: /
Copied!
Save the above resource as podinfo-ingress.yaml and then apply it:
1
kubectl apply -f ./podinfo-ingress.yaml
Copied!
Verify that Contour processed the proxy definition with:
1
kubectl -n test get httpproxies
2
3
NAME FQDN STATUS
4
podinfo valid
5
podinfo-ingress app.example.com valid
Copied!
Now you can access podinfo UI using your domain address.
Note that you should be using HTTPS when exposing production workloads on internet. You can obtain free TLS certs from Let's Encrypt, read this guide on how to configure cert-manager to secure Contour with TLS certificates.

Automated canary promotion

Flagger implements a control loop that gradually shifts traffic to the canary while measuring key performance indicators like HTTP requests success rate, requests average duration and pod health. Based on analysis of the KPIs a canary is promoted or aborted.
Flagger Canary Stages
A canary deployment is triggered by changes in any of the following objects:
  • Deployment PodSpec (container image, command, ports, env, resources, etc)
  • ConfigMaps and Secrets mounted as volumes or mapped to environment variables
Trigger a canary deployment by updating the container image:
1
kubectl -n test set image deployment/podinfo \
2
podinfod=stefanprodan/podinfo:3.1.1
Copied!
Flagger detects that the deployment revision changed and starts a new rollout:
1
kubectl -n test describe canary/podinfo
2
3
Status:
4
Canary Weight: 0
5
Failed Checks: 0
6
Phase: Succeeded
7
Events:
8
New revision detected! Scaling up podinfo.test
9
Waiting for podinfo.test rollout to finish: 0 of 1 updated replicas are available
10
Pre-rollout check acceptance-test passed
11
Advance podinfo.test canary weight 5
12
Advance podinfo.test canary weight 10
13
Advance podinfo.test canary weight 15
14
Advance podinfo.test canary weight 20
15
Advance podinfo.test canary weight 25
16
Advance podinfo.test canary weight 30
17
Advance podinfo.test canary weight 35
18
Advance podinfo.test canary weight 40
19
Advance podinfo.test canary weight 45
20
Advance podinfo.test canary weight 50
21
Copying podinfo.test template spec to podinfo-primary.test
22
Waiting for podinfo-primary.test rollout to finish: 1 of 2 updated replicas are available
23
Routing all traffic to primary
24
Promotion completed! Scaling down podinfo.test
Copied!
When the canary analysis starts, Flagger will call the pre-rollout webhooks before routing traffic to the canary.
Note that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
You can monitor all canaries with:
1
watch kubectl get canaries --all-namespaces
2
3
NAMESPACE NAME STATUS WEIGHT LASTTRANSITIONTIME
4
test podinfo Progressing 15 2019-12-20T14:05:07Z
Copied!
If you’ve enabled the Slack notifications, you should receive the following messages:
Flagger Slack Notifications

Automated rollback

During the canary analysis you can generate HTTP 500 errors or high latency to test if Flagger pauses the rollout.
Trigger a canary deployment:
1
kubectl -n test set image deployment/podinfo \
2
podinfod=stefanprodan/podinfo:3.1.2
Copied!
Exec into the load tester pod with:
1
kubectl -n test exec -it deploy/flagger-loadtester bash
Copied!
Generate HTTP 500 errors:
1
hey -z 1m -c 5 -q 5 http://app.example.com/status/500
Copied!
Generate latency:
1
watch -n 1 curl http://app.example.com/delay/1
Copied!
When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary, the canary is scaled to zero and the rollout is marked as failed.
1
kubectl -n projectcontour logs deploy/flagger -f | jq .msg
2
3
New revision detected! progressing canary analysis for podinfo.test
4
Pre-rollout check acceptance-test passed
5
Advance podinfo.test canary weight 5
6
Advance podinfo.test canary weight 10
7
Advance podinfo.test canary weight 15
8
Halt podinfo.test advancement success rate 69.17% < 99%
9
Halt podinfo.test advancement success rate 61.39% < 99%
10
Halt podinfo.test advancement success rate 55.06% < 99%
11
Halt podinfo.test advancement request duration 1.20s > 500ms
12
Halt podinfo.test advancement request duration 1.45s > 500ms
13
Rolling back podinfo.test failed checks threshold reached 5
14
Canary failed! Scaling down podinfo.test
Copied!
If you’ve enabled the Slack notifications, you’ll receive a message if the progress deadline is exceeded, or if the analysis reached the maximum number of failed checks:
Flagger Slack Notifications

A/B Testing

Besides weighted routing, Flagger can be configured to route traffic to the canary based on HTTP match conditions. In an A/B testing scenario, you'll be using HTTP headers or cookies to target a certain segment of your users. This is particularly useful for frontend applications that require session affinity.
Flagger A/B Testing Stages
Edit the canary analysis, remove the max/step weight and add the match conditions and iterations:
1
analysis:
2
interval: 1m
3
threshold: 5
4
iterations: 10
5
match:
6
- headers:
7
x-canary:
8
exact: "insider"
9
webhooks:
10
- name: load-test
11
url: http://flagger-loadtester.test/
12
metadata:
13
cmd: "hey -z 1m -q 5 -c 5 -H 'X-Canary: insider' -host app.example.com http://envoy.projectcontour"
Copied!
The above configuration will run an analysis for ten minutes targeting users that have a X-Canary: insider header.
You can also use a HTTP cookie. To target all users with a cookie set to insider, the match condition should be:
1
match:
2
- headers:
3
cookie:
4
suffix: "insider"
5
webhooks:
6
- name: load-test
7
url: http://flagger-loadtester.test/
8
metadata:
9
cmd: "hey -z 1m -q 5 -c 5 -H 'Cookie: canary=insider' -host app.example.com http://envoy.projectcontour"
Copied!
Trigger a canary deployment by updating the container image:
1
kubectl -n test set image deployment/podinfo \
2
podinfod=stefanprodan/podinfo:3.1.3
Copied!
Flagger detects that the deployment revision changed and starts the A/B test:
1
kubectl -n projectcontour logs deploy/flagger -f | jq .msg
2
3
New revision detected! Progressing canary analysis for podinfo.test
4
Advance podinfo.test canary iteration 1/10
5
Advance podinfo.test canary iteration 2/10
6
Advance podinfo.test canary iteration 3/10
7
Advance podinfo.test canary iteration 4/10
8
Advance podinfo.test canary iteration 5/10
9
Advance podinfo.test canary iteration 6/10
10
Advance podinfo.test canary iteration 7/10
11
Advance podinfo.test canary iteration 8/10
12
Advance podinfo.test canary iteration 9/10
13
Advance podinfo.test canary iteration 10/10
14
Copying podinfo.test template spec to podinfo-primary.test
15
Waiting for podinfo-primary.test rollout to finish: 1 of 2 updated replicas are available
16
Routing all traffic to primary
17
Promotion completed! Scaling down podinfo.test
Copied!
The web browser user agent header allows user segmentation based on device or OS.
For example, if you want to route all mobile users to the canary instance:
1
match:
2
- headers:
3
user-agent:
4
prefix: "Mobile"
Copied!
Or if you want to target only Android users:
1
match:
2
- headers:
3
user-agent:
4
prefix: "Android"
Copied!
Or a specific browser version:
1
match:
2
- headers:
3
user-agent:
4
suffix: "Firefox/71.0"
Copied!
For an in-depth look at the analysis process read the usage docs.
Last modified 9mo ago