# Canary Deployment with Istio Service Mesh
A proof-of-concept implementation of canary deployments using Istio service mesh on Kubernetes to reduce the impact of potential issues in production applications.
## Table of Contents
- [Overview](#overview)
- [Architecture](#architecture)
- [Prerequisites](#prerequisites)
- [Project Structure](#project-structure)
- [Quick Start](#quick-start)
- [Configuration](#configuration)
- [Testing](#testing)
- [Monitoring](#monitoring)
- [Troubleshooting](#troubleshooting)
- [Best Practices](#best-practices)
- [Contributing](#contributing)
## Overview
This project demonstrates how to implement canary deployments using Istio service mesh to:
- Gradually roll out new application versions
- Minimize risk by routing only a percentage of traffic to new versions
- Enable quick rollbacks if issues are detected
- Maintain high availability during deployments
### Key Features
- **Traffic Splitting**: 80% stable / 20% canary traffic distribution
- **Zero Downtime**: Seamless deployment without service interruption
- **Security First**: Custom Istio configuration following security best practices
- **Observability**: Built-in metrics and monitoring capabilities
- **Easy Rollback**: Quick reversion to stable version if needed
## Architecture
```
+------------------+      +------------------+
| Internet Traffic | ---> |  Istio Gateway   |
|                  |      |   (Port 8080)    |
+------------------+      +------------------+
                                   |
                                   v
                          +------------------+
                          |  VirtualService  |
                          | Traffic Splitting|
                          +------------------+
                             |           |
                        80%  |           |  20%
                             v           v
                    +--------------+  +--------------+
                    |  api-stable  |  |  api-canary  |
                    |   Service    |  |   Service    |
                    |     (v1)     |  |     (v2)     |
                    +--------------+  +--------------+
                             |           |
                             v           v
                    +--------------+  +--------------+
                    | Stable Pods  |  | Canary Pods  |
                    | (2 replicas) |  | (3 replicas) |
                    +--------------+  +--------------+
```
## Prerequisites
- Kubernetes cluster (v1.20+)
- kubectl configured and working
- Sufficient cluster resources (minimum 4 CPU cores, 8GB RAM)
- Administrator access to install Istio
- Internet access for downloading Istio
### Verified Environments
- Google Kubernetes Engine (GKE)
- Amazon Elastic Kubernetes Service (EKS)
- Azure Kubernetes Service (AKS)
- Local clusters (minikube, kind, k3s)
## Project Structure
```
canary-deployments/
├── README.md
├── k8s/
│   ├── app-stable-deployment.yaml    # Stable version deployment
│   ├── app-stable-service.yaml       # Stable version service
│   ├── app-canary-deployment.yaml    # Canary version deployment
│   └── app-canary-service.yaml       # Canary version service
├── istio/
│   ├── istio-security-config.yaml    # Security team configuration
│   ├── gateway.yaml                  # Istio Gateway configuration
│   └── virtualservice.yaml           # Traffic routing rules
└── scripts/
    ├── deploy.sh                     # Automated deployment script
    ├── test-traffic.sh               # Traffic testing script
    └── cleanup.sh                    # Environment cleanup script
```
## Quick Start
### 1. Clone and Setup
```bash
# Create project directory
mkdir ~/canary-deployments && cd ~/canary-deployments
# Create subdirectories
mkdir -p k8s istio scripts
```
### 2. Deploy Stable Application
```bash
# Deploy stable version (v1)
kubectl apply -f k8s/app-stable-deployment.yaml
kubectl apply -f k8s/app-stable-service.yaml
# Verify deployment
kubectl get pods -l app=api,lifecycle=stable
```
### 3. Install Istio
```bash
# Download Istio 1.17.0
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.17.0 TARGET_ARCH=x86_64 sh -
# Install istioctl
sudo mv istio-1.17.0/bin/istioctl /usr/local/bin
# Install Istio with security configuration
istioctl install -f istio/istio-security-config.yaml -y
# Enable sidecar injection
kubectl label namespace default istio-injection=enabled
```
### 4. Deploy Canary Application
```bash
# Deploy canary version (v2)
kubectl apply -f k8s/app-canary-deployment.yaml
kubectl apply -f k8s/app-canary-service.yaml
# Restart deployments to inject sidecars
kubectl rollout restart deployment/api-stable
kubectl rollout restart deployment/api-canary
```
### 5. Configure Traffic Routing
```bash
# Create Istio Gateway
kubectl apply -f istio/gateway.yaml
# Configure traffic splitting (80/20)
kubectl apply -f istio/virtualservice.yaml
```
### 6. Test the Setup
```bash
# Get ingress gateway external IP
kubectl get svc istio-ingressgateway -n istio-system
# Test traffic distribution
for i in {1..20}; do
  curl -s <EXTERNAL-IP>:8080
  echo ""
done
```
## Configuration
### Application Versions
| Version | Response | Traffic % | Replicas |
|---------|----------|-----------|----------|
| Stable (v1) | `{'runs_on':'kubernetes','lifecycle':'stable','api_version':'v1'}` | 80% | 2 |
| Canary (v2) | `{'runs_on':'kubernetes','lifecycle':'canary','api_version':'v2'}` | 20% | 3 |
### Traffic Routing Configuration
The VirtualService can be adjusted for different traffic splits:
```yaml
# Conservative approach (5% canary)
- destination:
    host: api-stable
  weight: 95
- destination:
    host: api-canary
  weight: 5
# Aggressive approach (30% canary)
- destination:
    host: api-stable
  weight: 70
- destination:
    host: api-canary
  weight: 30
```
### Security Configuration
The Istio installation includes:
- Custom security policies
- Resource limits and requests
- Network policies
- TLS configuration
- Access controls
## Testing
### Manual Testing
```bash
# Each port-forward blocks the terminal: run it in a separate terminal
# (or background it with &) before issuing the matching curl.
# Test stable version directly
kubectl port-forward service/api-stable 8081:80
curl localhost:8081
# Test canary version directly
kubectl port-forward service/api-canary 8082:80
curl localhost:8082
# Test through Istio Gateway
kubectl port-forward -n istio-system svc/istio-ingressgateway 8080:8080
curl localhost:8080
```
### Automated Testing
```bash
# Run traffic distribution test
./scripts/test-traffic.sh
# Expected output shows ~80% stable, ~20% canary responses
```
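The check that `test-traffic.sh` performs can be written as a small POSIX shell script. The block below is an added example and not the repository's script: it classifies each response body by its `lifecycle` field, counts the split, and fails when the observed canary share drifts more than a tolerance from the configured weight or when any body is unrecognised (which usually means the request never reached a versioned pod). The 20 response bodies are constructed to mirror the payloads in the Configuration table; in a live run they would come from the curl loop against the ingress gateway.

```shell
#!/usr/bin/env sh
# Added example (not part of this repository): verify that the observed
# stable/canary split matches the weights configured in the VirtualService.
# The response bodies are constructed to mirror the two payloads in the
# Configuration table; in a live run they would come from `curl -s <EXTERNAL-IP>:8080`.

# Classify one response body by its lifecycle field: stable, canary or unknown.
classify_response() {
  case "$1" in
    *"'lifecycle':'stable'"*) echo stable ;;
    *"'lifecycle':'canary'"*) echo canary ;;
    *)                        echo unknown ;;
  esac
}

# Read one response body per line on stdin and print "stable canary unknown total".
count_split() {
  n_stable=0; n_canary=0; n_unknown=0; n_total=0
  while IFS= read -r body; do
    n_total=$((n_total + 1))
    case "$(classify_response "$body")" in
      stable) n_stable=$((n_stable + 1)) ;;
      canary) n_canary=$((n_canary + 1)) ;;
      *)      n_unknown=$((n_unknown + 1)) ;;
    esac
  done
  echo "$n_stable $n_canary $n_unknown $n_total"
}

# check_split "<counts>" <expected_canary_pct> <tolerance_pct>
# Succeeds only when every response was recognised and the observed canary
# share is within +/- tolerance percentage points of the configured weight.
check_split() {
  set -- $1 "$2" "$3"      # split the counts string into positional parameters
  n_stable=$1; n_canary=$2; n_unknown=$3; n_total=$4
  expected=$5; tolerance=$6
  [ "$n_total" -gt 0 ] || return 1
  [ "$n_unknown" -eq 0 ] || return 1   # unrecognised bodies point at a routing or injection problem
  observed=$((n_canary * 100 / n_total))
  diff=$((observed - expected))
  if [ "$diff" -lt 0 ]; then diff=$((-diff)); fi
  [ "$diff" -le "$tolerance" ]
}

# Constructed sample of 20 responses (16 stable, 4 canary), standing in for the curl loop.
sample_responses() {
  i=0
  while [ "$i" -lt 20 ]; do
    if [ $((i % 5)) -eq 0 ]; then
      echo "{'runs_on':'kubernetes','lifecycle':'canary','api_version':'v2'}"
    else
      echo "{'runs_on':'kubernetes','lifecycle':'stable','api_version':'v1'}"
    fi
    i=$((i + 1))
  done
}

# Stand-alone run against the constructed sample and the 80/20 configuration.
counts=$(sample_responses | count_split)
echo "stable canary unknown total: $counts"
if check_split "$counts" 20 10; then
  echo "canary share within tolerance of the configured 20%"
else
  echo "canary share outside tolerance: check VirtualService weights and sidecar injection"
fi
```

With only 20 requests a 10-point tolerance is realistic; tighten it as the sample grows, since the split is probabilistic per request rather than round-robin.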
### Load Testing
```bash
# Install hey load testing tool
go install github.com/rakyll/hey@latest
# Run load test
hey -n 1000 -c 10 http://<EXTERNAL-IP>:8080
```
## Monitoring
### Built-in Istio Observability
```bash
# Access Istio dashboard (if installed)
istioctl dashboard kiali
# View Grafana dashboards
istioctl dashboard grafana
# Access Jaeger tracing
istioctl dashboard jaeger
```
### Metrics and Monitoring
Key metrics to monitor:
- **Request Success Rate**: Should remain above 99.5%
- **Response Time**: Monitor P95 and P99 latencies
- **Error Rate**: Should not increase during canary deployment
- **Traffic Distribution**: Verify actual vs. configured percentages
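The success-rate and latency thresholds above can be checked directly from the sidecar's access logs (`kubectl logs -l app=api,lifecycle=canary -c istio-proxy`). The block below is an added example, not part of this repository: it assumes Istio's default Envoy access-log layout, where the response code is the 5th whitespace-separated field and the request duration in milliseconds the 12th, and the 20 log lines it processes are constructed rather than captured from a cluster. Adjust the field positions if a custom `accessLogFormat` is set in the security configuration.

```shell
#!/usr/bin/env sh
# Added example (not part of this repository): compute request success rate and
# P95 latency from Envoy access-log lines and compare them with the thresholds
# in the Monitoring section. Field positions assume Istio's default access-log
# format (status = 5th field, duration in ms = 12th field); the sample lines
# are constructed, not captured from a cluster.

# Emit 20 constructed access-log lines: 19 successes (3..21 ms) and one 503 (120 ms).
sample_access_log() {
  i=1
  while [ "$i" -le 19 ]; do
    printf '[2024-05-01T10:00:%02d.000Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 65 %d %d "-" "curl/8.0.1" "req-%d" "api.example.internal" "10.0.1.5:8080" outbound|80||api-canary.default.svc.cluster.local\n' \
      "$i" $((i + 2)) $((i + 1)) "$i"
    i=$((i + 1))
  done
  printf '[2024-05-01T10:00:20.000Z] "GET / HTTP/1.1" 503 UF upstream_reset_before_response_started{connection_failure} - "-" 0 91 120 - "-" "curl/8.0.1" "req-20" "api.example.internal" "10.0.1.5:8080" outbound|80||api-canary.default.svc.cluster.local\n'
}

# log_stats: read access-log lines on stdin, print "total errors success_pct p95_ms".
# Errors are 5xx responses; P95 uses the nearest-rank method on the sorted durations.
log_stats() {
  awk '
    $5 ~ /^[0-9]+$/ {                           # skip lines that are not access-log records
      total++
      if ($5 >= 500) errors++
      dur[total] = $12 + 0
    }
    END {
      if (total == 0) { print "0 0 0.0 0"; exit }
      for (i = 2; i <= total; i++) {            # insertion sort: portable to any awk
        v = dur[i]; j = i - 1
        while (j >= 1 && dur[j] > v) { dur[j + 1] = dur[j]; j-- }
        dur[j + 1] = v
      }
      k = int((total * 95 + 99) / 100)          # ceil(0.95 * total), at least 1
      if (k < 1) k = 1
      printf "%d %d %.1f %d\n", total, errors, (total - errors) * 100 / total, dur[k]
    }'
}

# check_slo "<stats>" <min_success_pct> <max_p95_ms>: succeed only when both thresholds hold.
check_slo() {
  echo "$1" | awk -v min="$2" -v maxp="$3" '{ exit !($3 >= min && $4 <= maxp) }'
}

# Stand-alone run: one 503 in 20 requests is a 95.0% success rate, below the 99.5% target.
stats=$(sample_access_log | log_stats)
echo "total errors success_pct p95_ms: $stats"
if check_slo "$stats" 99.5 250; then
  echo "canary within SLO"
else
  echo "canary breaches SLO: consider the rollback procedure"
fi
```

Run the same pipeline over the stable pods' logs as well; a canary that looks bad only because the whole cluster is degraded should not be rolled back on its own numbers.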
### Custom Monitoring
```bash
# Check pod resource usage
kubectl top pods -l app=api
# View application logs
kubectl logs -l app=api,lifecycle=canary -f
# Monitor Istio proxy metrics
kubectl exec deployment/api-canary -c istio-proxy -- curl localhost:15000/stats
```
## Troubleshooting
### Common Issues
#### 1. Pods Not Starting
```bash
# Check pod status and events
kubectl describe pod <pod-name>
kubectl get events --sort-by=.metadata.creationTimestamp
```
#### 2. Sidecar Injection Not Working
```bash
# Verify namespace labeling
kubectl get namespace default --show-labels
# Check sidecar injector
kubectl get mutatingwebhookconfigurations
```
#### 3. Traffic Not Routing Correctly
```bash
# Verify VirtualService configuration
kubectl describe virtualservice api
# Check Gateway status
kubectl describe gateway api
# Validate Istio proxy configuration
istioctl proxy-config routes deployment/api-stable
```
#### 4. External IP Pending
```bash
# Check LoadBalancer service
kubectl describe svc istio-ingressgateway -n istio-system
# Use NodePort if LoadBalancer unavailable
kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"type":"NodePort"}}'
```
### Debug Commands
```bash
# Check Istio configuration
istioctl analyze
# Verify proxy configuration
istioctl proxy-status
# View Envoy configuration
istioctl proxy-config cluster deployment/api-stable
# Check mTLS status of a workload (`istioctl authn tls-check` has been removed
# from istioctl; `istioctl x describe pod` reports whether the sidecar enforces mTLS)
istioctl x describe pod <pod-name>
```
### Logs and Diagnostics
```bash
# Application logs
kubectl logs -l app=api --all-containers=true
# Istio proxy logs
kubectl logs -l app=api -c istio-proxy
# Istio control plane logs
kubectl logs -n istio-system -l app=istiod
```
## Best Practices
### Deployment Strategy
1. **Start Small**: Begin with 1-5% canary traffic
2. **Monitor Closely**: Watch metrics for at least 30 minutes
3. **Gradual Increase**: Increment by 10-20% if metrics look good
4. **Quick Rollback**: Be prepared to route 100% traffic to stable
### Traffic Management
- Use **weighted routing** for percentage-based splits
- Implement **header-based routing** for specific user groups
- Configure **timeout and retry policies** for resilience
- Set up **circuit breakers** to prevent cascade failures
### Security
- Always use **custom Istio configurations** provided by security team
- Enable **mutual TLS (mTLS)** between services
- Implement **proper RBAC policies**
- Regularly **update Istio** to latest stable version
### Monitoring and Alerting
- Set up **alerts for error rate increases**
- Monitor **resource utilization** during deployments
- Track **business metrics** alongside technical metrics
- Use **distributed tracing** to debug issues
## Rollback Procedures
### Immediate Rollback (Emergency)
```bash
# Route 100% traffic to stable version
kubectl patch virtualservice api --type='merge' -p='{"spec":{"http":[{"route":[{"destination":{"host":"api-stable"},"weight":100}]}]}}'
```
### Gradual Rollback
```bash
# Reduce canary traffic to 10%
kubectl patch virtualservice api --type='merge' -p='{"spec":{"http":[{"route":[{"destination":{"host":"api-stable"},"weight":90},{"destination":{"host":"api-canary"},"weight":10}]}]}}'
# Then to 0%
kubectl patch virtualservice api --type='merge' -p='{"spec":{"http":[{"route":[{"destination":{"host":"api-stable"},"weight":100}]}]}}'
```
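Hand-typing the merge patches in the Traffic Routing Configuration and Rollback sections is error-prone, and Istio rejects a route whose weights do not sum to 100. The block below is an added example, not a script from this repository: it derives the patch from a single canary percentage, validates the pair before anything touches the cluster, and omits the canary destination at 0% exactly as the emergency rollback command does. It uses the README's host names (`api-stable`, `api-canary`) and VirtualService name (`api`); `DRY_RUN` is an assumed knob that defaults to printing the `kubectl patch` command instead of running it.

```shell
#!/usr/bin/env sh
# Added example (not part of this repository): generate the JSON merge patch used by
# the rollback commands from a stable/canary weight pair, and refuse any pair that
# does not sum to 100 (Istio rejects a route whose weights do not total 100).
# When the canary weight is 0 the canary destination is omitted, as in the
# emergency rollback command. Host and resource names are the ones this README uses.

STABLE_HOST=api-stable
CANARY_HOST=api-canary
VS_NAME=api

# weights_patch <stable_weight> <canary_weight>: print the merge patch, or return 1 on invalid input.
weights_patch() {
  stable=$1; canary=$2
  case "$stable" in ''|*[!0-9]*) return 1 ;; esac
  case "$canary" in ''|*[!0-9]*) return 1 ;; esac
  [ $((stable + canary)) -eq 100 ] || return 1
  if [ "$canary" -eq 0 ]; then
    printf '{"spec":{"http":[{"route":[{"destination":{"host":"%s"},"weight":100}]}]}}\n' "$STABLE_HOST"
  else
    printf '{"spec":{"http":[{"route":[{"destination":{"host":"%s"},"weight":%d},{"destination":{"host":"%s"},"weight":%d}]}]}}\n' \
      "$STABLE_HOST" "$stable" "$CANARY_HOST" "$canary"
  fi
}

# set_canary_weight <canary_pct>: derive the stable weight and apply the patch.
# DRY_RUN (assumed knob, default 1) prints the kubectl command instead of executing it.
set_canary_weight() {
  canary=$1
  case "$canary" in ''|*[!0-9]*) echo "invalid canary weight: $canary" >&2; return 1 ;; esac
  [ "$canary" -le 100 ] || { echo "invalid canary weight: $canary" >&2; return 1; }
  patch=$(weights_patch $((100 - canary)) "$canary") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "kubectl patch virtualservice $VS_NAME --type=merge -p '$patch'"
  else
    kubectl patch virtualservice "$VS_NAME" --type=merge -p "$patch"
  fi
}

# Stand-alone run: print the gradual rollback steps (20% -> 10% -> 0%). Set DRY_RUN=0 to apply them.
for pct in 20 10 0; do
  set_canary_weight "$pct"
done
```

Because a merge patch replaces the whole `spec.http` list, any `match`, `timeout` or `retries` stanzas on the original route are dropped by these patches; if `istio/virtualservice.yaml` carries such settings, edit the file and re-apply it instead.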
## Cleanup
```bash
# Remove application deployments
kubectl delete -f k8s/
# Remove Istio configurations
kubectl delete -f istio/gateway.yaml
kubectl delete -f istio/virtualservice.yaml
# Uninstall Istio (optional)
istioctl uninstall --purge
kubectl delete namespace istio-system
```
## Contributing
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
### Development Guidelines
- Follow Kubernetes resource naming conventions
- Include proper labels and annotations
- Add comprehensive documentation
- Test configurations in multiple environments
- Follow security best practices
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## Support
- **Internal Team**: Contact DevOps team for cluster-specific issues
- **Istio Documentation**: https://istio.io/latest/docs/
- **Kubernetes Documentation**: https://kubernetes.io/docs/
- **Security Team**: For questions about security configurations
## Version History
- **v1.0.0** - Initial implementation with Istio 1.17.0
- **v1.1.0** - Added monitoring and alerting configurations
- **v1.2.0** - Enhanced security configurations
- **v2.0.0** - Migration to Istio 1.18.0 (planned)
---
**Note**: This is a proof-of-concept implementation. For production deployments, ensure proper testing, monitoring, and security reviews are completed before implementation.