Track changes in ConfigMaps and Secrets

README.md

@@ -38,6 +38,9 @@ ClusterIP [services](https://kubernetes.io/docs/concepts/services-networking/ser
 Istio [virtual services](https://istio.io/docs/reference/config/istio.networking.v1alpha3/#VirtualService)) 
 to drive the canary analysis and promotion.
 
+Flagger keeps track of ConfigMaps and Secrets referenced by a Kubernetes Deployment and triggers a canary analysis if any of those objects change. 
+When promoting a workload in production, both code (container images) and configuration (config maps and secrets) are being synchronised.
+
 ![flagger-overview](https://raw.githubusercontent.com/stefanprodan/flagger/master/docs/diagrams/flagger-canary-overview.png)
 
 Gated canary promotion stages:
@@ -48,28 +51,28 @@ Gated canary promotion stages:
  * halt advancement if a rolling update is underway
  * halt advancement if pods are unhealthy
 * increase canary traffic weight percentage from 0% to 5% (step weight)
+* call webhooks and check results
 * check canary HTTP request success rate and latency
  * halt advancement if any metric is under the specified threshold
  * increment the failed checks counter
 * check if the number of failed checks reached the threshold
  * route all traffic to primary
  * scale to zero the canary deployment and mark it as failed
- * wait for the canary deployment to be updated (revision bump) and start over
+ * wait for the canary deployment to be updated and start over
 * increase canary traffic weight by 5% (step weight) till it reaches 50% (max weight) 
  * halt advancement while canary request success rate is under the threshold
  * halt advancement while canary request duration P99 is over the threshold
  * halt advancement if the primary or canary deployment becomes unhealthy 
  * halt advancement while canary deployment is being scaled up/down by HPA
 * promote canary to primary
+ * copy ConfigMaps and Secrets from canary to primary
  * copy canary deployment spec template over primary
 * wait for primary rolling update to finish
  * halt advancement if pods are unhealthy
 * route all traffic to primary
 * scale to zero the canary deployment
 * mark rollout as finished
-* wait for the canary deployment to be updated (revision bump) and start over
-
-You can change the canary analysis _max weight_ and the _step weight_ percentage in the Flagger's custom resource.
+* wait for the canary deployment to be updated and start over
 
 For a deployment named _podinfo_, a canary promotion can be defined using Flagger's custom resource:
 
@@ -248,6 +251,9 @@ kubectl -n test set image deployment/podinfo \
 podinfod=quay.io/stefanprodan/podinfo:1.4.0
 ```
 
+**Note** that Flagger tracks changes in the deployment `PodSpec` but also in `ConfigMaps` and `Secrets` 
+that are referenced in the pod's volumes and containers environment variables.
+
 Flagger detects that the deployment revision changed and starts a new canary analysis:
 
 ```
@@ -336,6 +342,8 @@ Events:
  Warning Synced 1m flagger Canary failed! Scaling down podinfo.test
 ```
 
+**Note** that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
+
 ### Monitoring
 
 Flagger comes with a Grafana dashboard made for canary analysis.

artifacts/configs/canary.yaml

@@ -0,0 +1,58 @@
+apiVersion: flagger.app/v1alpha3
+kind: Canary
+metadata:
+ name: podinfo
+ namespace: test
+spec:
+ # deployment reference
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: podinfo
+ # the maximum time in seconds for the canary deployment
+ # to make progress before it is rollback (default 600s)
+ progressDeadlineSeconds: 60
+ # HPA reference (optional)
+ autoscalerRef:
+ apiVersion: autoscaling/v2beta1
+ kind: HorizontalPodAutoscaler
+ name: podinfo
+ service:
+ # container port
+ port: 9898
+ # Istio gateways (optional)
+ gateways:
+ - public-gateway.istio-system.svc.cluster.local
+ # Istio virtual service host names (optional)
+ hosts:
+ - app.iowa.weavedx.com
+ canaryAnalysis:
+ # schedule interval (default 60s)
+ interval: 10s
+ # max number of failed metric checks before rollback
+ threshold: 10
+ # max traffic percentage routed to canary
+ # percentage (0-100)
+ maxWeight: 50
+ # canary increment step
+ # percentage (0-100)
+ stepWeight: 5
+ # Istio Prometheus checks
+ metrics:
+ - name: istio_requests_total
+ # minimum req success rate (non 5xx responses)
+ # percentage (0-100)
+ threshold: 99
+ interval: 1m
+ - name: istio_request_duration_seconds_bucket
+ # maximum req duration P99
+ # milliseconds
+ threshold: 500
+ interval: 30s
+ # external checks (optional)
+ webhooks:
+ - name: load-test
+ url: http://flagger-loadtester.test/
+ timeout: 5s
+ metadata:
+ cmd: "hey -z 1m -q 10 -c 2 http://podinfo.test:9898/"

artifacts/configs/configs.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: podinfo-config-env
+ namespace: test
+data:
+ color: blue
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: podinfo-config-vol
+ namespace: test
+data:
+ output: console
+ textmode: "true"

artifacts/configs/deployment.yaml

@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: podinfo
+ namespace: test
+ labels:
+ app: podinfo
+spec:
+ minReadySeconds: 5
+ revisionHistoryLimit: 5
+ progressDeadlineSeconds: 60
+ strategy:
+ rollingUpdate:
+ maxUnavailable: 0
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: podinfo
+ template:
+ metadata:
+ annotations:
+ prometheus.io/scrape: "true"
+ labels:
+ app: podinfo
+ spec:
+ containers:
+ - name: podinfod
+ image: quay.io/stefanprodan/podinfo:1.3.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9898
+ name: http
+ protocol: TCP
+ command:
+ - ./podinfo
+ - --port=9898
+ - --level=info
+ - --random-delay=false
+ - --random-error=false
+ env:
+ - name: PODINFO_UI_COLOR
+ valueFrom:
+ configMapKeyRef:
+ name: podinfo-config-env
+ key: color
+ - name: SECRET_USER
+ valueFrom:
+ secretKeyRef:
+ name: podinfo-secret-env
+ key: user
+ livenessProbe:
+ exec:
+ command:
+ - podcli
+ - check
+ - http
+ - localhost:9898/healthz
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - podcli
+ - check
+ - http
+ - localhost:9898/readyz
+ initialDelaySeconds: 5
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ volumeMounts:
+ - name: configs
+ mountPath: /etc/podinfo/configs
+ readOnly: true
+ - name: secrets
+ mountPath: /etc/podinfo/secrets
+ readOnly: true
+ volumes:
+ - name: configs
+ configMap:
+ name: podinfo-config-vol
+ - name: secrets
+ secret:
+ secretName: podinfo-secret-vol

artifacts/configs/hpa.yaml

@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: podinfo
+ namespace: test
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: podinfo
+ minReplicas: 1
+ maxReplicas: 4
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ # scale up if usage is above
+ # 99% of the requested CPU (100m)
+ targetAverageUtilization: 99

artifacts/configs/secrets.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: podinfo-secret-env
+ namespace: test
+data:
+ password: cGFzc3dvcmQ=
+ user: YWRtaW4=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: podinfo-secret-vol
+ namespace: test
+data:
+ key: cGFzc3dvcmQ=

docs/gitbook/how-it-works.md

@@ -97,38 +97,42 @@ the Istio Virtual Service. The container port from the target deployment should
 
 ![Flagger Canary Stages](https://raw.githubusercontent.com/stefanprodan/flagger/master/docs/diagrams/flagger-canary-steps.png)
 
+A canary deployment is triggered by changes in any of the following objects:
+
+* Deployment PodSpec (container image, command, ports, env, resources, etc)
+* ConfigMaps mounted as volumes or mapped to environment variables
+* Secrets mounted as volumes or mapped to environment variables
+
 Gated canary promotion stages:
 
 * scan for canary deployments
-* creates the primary deployment if needed
 * check Istio virtual service routes are mapped to primary and canary ClusterIP services
 * check primary and canary deployments status
- * halt advancement if a rolling update is underway
- * halt advancement if pods are unhealthy
-* increase canary traffic weight percentage from 0% to 5% \(step weight\)
+ * halt advancement if a rolling update is underway
+ * halt advancement if pods are unhealthy
+* increase canary traffic weight percentage from 0% to 5% (step weight)
+* call webhooks and check results
 * check canary HTTP request success rate and latency
- * halt advancement if any metric is under the specified threshold
- * increment the failed checks counter
+  * halt advancement if any metric is under the specified threshold
+  * increment the failed checks counter
 * check if the number of failed checks reached the threshold
- * route all traffic to primary
- * scale to zero the canary deployment and mark it as failed
- * wait for the canary deployment to be updated \(revision bump\) and start over
-* increase canary traffic weight by 5% \(step weight\) till it reaches 50% \(max weight\)
- * halt advancement if the primary or canary deployment becomes unhealthy
- * halt advancement while canary deployment is being scaled up/down by HPA
- * halt advancement if any of the webhook calls are failing
- * halt advancement while canary request success rate is under the threshold
- * halt advancement while canary request duration P99 is over the threshold
+ * route all traffic to primary
+ * scale to zero the canary deployment and mark it as failed
+ * wait for the canary deployment to be updated and start over
+* increase canary traffic weight by 5% (step weight) till it reaches 50% (max weight) 
+ * halt advancement while canary request success rate is under the threshold
+ * halt advancement while canary request duration P99 is over the threshold
+ * halt advancement if the primary or canary deployment becomes unhealthy 
+ * halt advancement while canary deployment is being scaled up/down by HPA
 * promote canary to primary
- * copy canary deployment spec template over primary
+ * copy ConfigMaps and Secrets from canary to primary
+ * copy canary deployment spec template over primary
 * wait for primary rolling update to finish
- * halt advancement if pods are unhealthy
+  * halt advancement if pods are unhealthy
 * route all traffic to primary
 * scale to zero the canary deployment
-* mark the canary deployment as finished
-* wait for the canary deployment to be updated \(revision bump\) and start over
-
-You can change the canary analysis _max weight_ and the _step weight_ percentage in the Flagger's custom resource.
+* mark rollout as finished
+* wait for the canary deployment to be updated and start over
 
 ### Canary Analysis
 

docs/gitbook/usage/progressive-delivery.md

@@ -24,7 +24,7 @@ kubectl -n test apply -f ${REPO}/artifacts/loadtester/deployment.yaml
 kubectl -n test apply -f ${REPO}/artifacts/loadtester/service.yaml
 ```
 
-Create a canary custom resource \(replace example.com with your own domain\):
+Create a canary custom resource (replace example.com with your own domain):
 
 ```yaml
 apiVersion: flagger.app/v1alpha3
@@ -146,6 +146,8 @@ Events:
  Normal Synced 5s flagger Promotion completed! Scaling down podinfo.test
 ```
 
+**Note** that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
+
 You can monitor all canaries with:
 
 ```bash
@@ -181,7 +183,8 @@ Generate latency:
 watch curl http://podinfo-canary:9898/delay/1
 ```
 
-When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary, the canary is scaled to zero and the rollout is marked as failed.
+When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary, 
+the canary is scaled to zero and the rollout is marked as failed.
 
 ```text
 kubectl -n test describe canary/podinfo

pkg/apis/flagger/v1alpha3/types.go

@@ -93,6 +93,8 @@ type CanaryStatus struct {
  FailedChecks int `json:"failedChecks"`
  CanaryWeight int `json:"canaryWeight"`
  // +optional
+ TrackedConfigs *map[string]string `json:"trackedConfigs,omitempty"`
+ // +optional
  LastAppliedSpec string `json:"lastAppliedSpec,omitempty"`
  // +optional
  LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`

pkg/controller/controller.go

@@ -74,6 +74,11 @@ func NewController(
  kubeClient: kubeClient,
  istioClient: istioClient,
  flaggerClient: flaggerClient,
+ configTracker: ConfigTracker{
+ logger: logger,
+ kubeClient: kubeClient,
+ flaggerClient: flaggerClient,
+ },
  }
 
  router := CanaryRouter{