Alibaba Cloud Service Mesh:Perform a canary upgrade of an ASM gateway

Prerequisites

• A Container Service for Kubernetes (ACK) cluster is added to an ASM instance of version 1.20 or later. For more information, see Add a cluster to an ASM instance. For more information about how to update an ASM instance, see Update an ASM instance.

• An ingress gateway is deployed. For more information, see Create an ingress gateway.

Background information

An ASM gateway manages the ingress or egress of service traffic. It is required to be highly available. To ensure business continuity after the upgrade of an ASM gateway, you can perform a canary upgrade of the ASM gateway. You can start a new version of a gateway pod to verify that traffic can be properly forwarded from the pod. Then, you can fully upgrade the ASM gateway. If an issue occurs when traffic is forwarded from the pod, you can delete the new version of the pod at any time. After the issue is resolved, you can proceed with the upgrade.

Introduction to canary upgrades of ASM gateways

Upgrades of the control plane and the data plane of an ASM instance are independent from each other. You can upgrade the data plane after the control plane upgrade is complete. The following section describes how a canary upgrade of an ASM gateway works:

Create a Deployment that provisions only one pod on the data plane that corresponds to the control plane. This Deployment is known as a Canary Deployment. The Canary Deployment belongs to the same Service as the original Deployment of the ASM gateway. The difference is that the name of the Canary Deployment is suffixed with -canary.

• In-place upgrade of an ASM instance

  After the control plane of an ASM instance is upgraded, the ASM gateway is still in the original version. You can create a Canary Deployment first. After the Canary Deployment is ready, some traffic is forwarded to the pod created by the Canary Deployment. Observe whether traffic is properly forwarded to the pod created by the Canary Deployment. If not, retain the error logs and delete the Canary Deployment. Resolve the issue and redeploy the Canary Deployment for traffic distribution verification. After you confirm that traffic can be properly forwarded to the pod created by the Canary Deployment, upgrade the ASM gateway to the desired version.

• Canary upgrade of an ASM instance

  If you perform a canary upgrade of an ASM instance, you can also implement a canary upgrade of an ASM gateway. During the canary upgrade of the ASM instance, the ASM gateway enters the to-be-upgraded state after the control plane of the new version is used by default. You can deploy a Canary Deployment for the ASM gateway for traffic distribution verification. After you confirm that traffic can be forwarded to the pod created by the Canary Deployment, upgrade the ASM gateway.

  After the ASM gateway is upgraded to the new version, you can modify configurations to delete the deployed Canary Deployment.

Step 1: Upgrade the control plane

To minimize the risk of traffic loss during the upgrade, enable the graceful shutdown feature for the ASM gateway before you upgrade the ASM gateway. For more information, see Enable graceful shutdown to prevent traffic loss.

1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Upgrade Management.

3. On the In-place Upgrades tab of the Upgrade Management page, click Perform Upgrade Precheck. In the Note message, click OK.

   Note

   If the Currently, it is the latest version and does not need to be upgraded message appears on the page, the ASM instance is of the latest version and cannot be upgraded.

4. After the upgrade precheck is passed, click Upgrade. In the Note message, click OK.

Step 2: Deploy a Canary Deployment for the ASM gateway

You can add an annotation to deploy a Canary Deployment.

1. Use either of the following methods to add the asm.alibabacloud.com/enable-canary-deployment: "true" annotation to the YAML file of the ASM gateway to deploy a Canary Deployment:

   Method 1: Use the ASM console

   1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

   2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

   3. On the Ingress Gateway page, find the desired ingress gateway and click YAML in the Actions column. In the Edit dialog box, add the asm.alibabacloud.com/enable-canary-deployment: "true" annotation to the annotations field in the metadata section and click OK.

   Method 2: Run a kubectl command

   1. Run the following command to open the YAML file of the ASM gateway:

      kubectl edit IstioGateway <YOUR-INGRESSGATEWAY-NAME> -n istio-system

   2. Modify the YAML file to add the asm.alibabacloud.com/enable-canary-deployment: "true" annotation to the annotations field in the metadata section, and then save the file.

   Show the sample YAML code to which the annotation is added

   apiVersion: istio.alibabacloud.com/v1beta1
   kind: IstioGateway
   metadata:
     labels:
       asm-gateway-type: ingress
     annotations:
       asm.alibabacloud.com/enable-canary-deployment: "true" # Add this annotation. 
     name: ingressgateway
     namespace: istio-system
   spec:
     clusterIds:
       - xxxxxxxxxxxxxx
     disableContainerPortExposed: true
     dnsPolicy: ClusterFirst
     externalTrafficPolicy: Local
     gatewayType: ingress
     ports:
       - name: http-0
         port: 80
         protocol: HTTP
         targetPort: 80
     replicaCount: 1
     resources:
       limits:
         cpu: '2'
         memory: 4G
       requests:
         cpu: 200m
         memory: 256Mi
     rollingMaxSurge: 25%
     rollingMaxUnavailable: 25%
     serviceAnnotations:
       service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: 'on'
       service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: '10'
       service.beta.kubernetes.io/alibaba-cloud-loadbalancer-instance-charge-type: PayByCLCU
       service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
     serviceType: LoadBalancer

2. Use kubectl to connect to the data plane based on the information in the kubeconfig file, and run the following command to view the deployed Canary Deployment.

   In this example, the name of the ASM gateway is ingressgateway. Replace it with the name of your gateway.

   kubectl -n istio-system get deployment | grep ingressgateway

   Expected output:

   istio-ingressgateway                1/1     1            1           10m
   istio-ingressgateway-canary         1/1     1            1           55s

   The Deployment suffixed with -canary is the Canary Deployment.

   After the Canary Deployment is ready, observe whether some traffic flows to the pod created by the Canary Deployment. If an exception occurs, retain the ASM gateway logs and delete the added annotation. The Canary Deployment is deleted and all traffic flows to the pod created by the original Deployment whose name is not suffixed with -canary. After the issue is resolved, redeploy the Canary Deployment for traffic distribution verification.

Step 3: Upgrade the ASM gateway after the traffic distribution verification is passed

1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Instance > Upgrade Management.

3. In the Upgrade column of the Data Plane section, select the ASM gateway that you want to upgrade and click Upgrade Gateway. In the Note message, click OK.

Step 4: Delete the Canary Deployment

After the ASM gateway is upgraded, delete the annotation that is added in Step 2. The Canary Deployment is automatically deleted.