Resources:

Guide to Flagger

Further Reading

  • GitOps Technology Page
  • Flux CD Technology Page
  • Whitepaper: Progressive Delivery With GitOps
  • Usecase: Continuous Application Delivery
  • Usecase: Progressive Delivery

FROM THE BLOG

  • Progressive delivery made simple with Weave GitOps
  • The 9-Point Checklist for Progressive Delivery with GitOps
  • Progressive Delivery: Towards Continuous Resilience with Flagger & Weave GitOps
  • How Policies Enable Safer And More Predictable Progressive Delivery
  • Stop doing progressive delivery manually - Use GitOps instead
  • Blue/Green Deployments
  • Flux CD: The Go-To GitOps Tool for Enterprises - Here's Why
  • Flagger's Top 4 Unique Features That Enable Progressive Delivery
  • How to use GitOps and Progressive Delivery with Flux, Flagger, & Istio
  • Kubernetes Deployment Strategies
  • A Comprehensive Guide to Prometheus Monitoring
Progressive delivery is a modern software deployment methodology that aims to mitigate the risks associated with releasing new features. In essence, progressive delivery rolls out changes to a select group of users before a wider release. While this approach is not new — canary releases and blue-green deployments have been around for over a decade — it has been challenging to implement in DevOps due to limitations in tooling. However, today, GitOps, with its unique blend of principles and tooling, gives you the best of both worlds - fully automated deployments and reduced risk of failures. Flagger is central to this approach, and this article covers all you need to know to get started with progressive delivery using Flagger.

Flagger: Automating progressive delivery in Kubernetes

Flagger, a CNCF project, is Kubernetes's progressive delivery operator and automation engine. It manages the release cycle of applications by incrementally directing user traffic to updated releases. Throughout this process, Flagger evaluates a variety of metrics and conducts conformance tests to ensure the new version meets specified criteria.

The synergy between Flagger and GitOps

Flagger isn't just compatible with GitOps — it's designed to thrive in a GitOps setting. It works hand-in-hand with Flux CD, the leading GitOps pipeline management tool that enables Git-based automation every step of the way to production. Integrated with Flux CD, Flagger creates automated pipelines specifically for canary deployments. This makes it more than just a deployment aid — it's a key player in a GitOps-centric ecosystem.

What sets Flagger apart is its adaptability. It doesn't just reroute traffic between different versions of an application. It also allows for custom validations, meaning you can incorporate your own metrics and webhooks for specialized tests, such as load or acceptance tests.

Moreover, it is compatible with a range of service meshes, including Istio, Linkerd, and AWS App Mesh, as well as various Ingress controllers like NGINX and Contour. This adaptability ensures that Flagger can be tailored to meet diverse infrastructure requirements.

How does Flagger work?

Flagger streamlines the Kubernetes application release cycle, minimizing risks when rolling out new software in a live environment. It does this by incrementally routing traffic to the new version while continuously monitoring key performance metrics and running conformance tests.

It creates a series of Kubernetes custom resources and leverages service meshes or ingress controllers for traffic routing. It configures the canary object and creates several new Kubernetes objects to manage the deployment process. For example, it takes over the original deployment and scales it to zero, creating a "primary" deployment that serves the production workload.


Flagger’s Deployment Strategies

Flagger offers a rich set of deployment strategies, each tailored to meet specific requirements and use cases.

Canary releases / Progressive traffic shifting

In a Canary release, Flagger incrementally routes a small percentage of user traffic to the new application version. This allows for real-time monitoring and assessment. If the new version performs well based on predefined metrics, Flagger gradually increases the traffic until the new version is serving all the requests. This strategy is particularly useful for applications with large user bases where issues can be isolated and fixed without affecting the entire population.

With session affinity

Flagger integrates cookie-based routing along with regular weight-based routing to allow for session affinity. If a user encounters the newer version of the application, their subsequent requests will always be directed to that version, avoiding any back-and-forth with the older version.

Blue/Green deployments

In a Blue/Green deployment, Flagger maintains two production-ready environments. The Blue environment hosts the existing app version, while the Green environment contains the new release. Initially, Flagger routes all traffic to the Blue setup. After comprehensive tests, the traffic is rerouted to the Green environment, ensuring a smooth transition and zero downtime for updates.

A/B Testing

For frontend apps that need session affinity, Flagger employs HTTP headers or cookie matching conditions. This guarantees that a specific group of users remains on the same app version throughout the canary testing phase. You have the flexibility to define the HTTP matching conditions and the number of test cycles for A/B testing.

Blue/Green Mirroring

Flagger can also handle Blue/Green deployments with a feature called traffic mirroring. This method duplicates each incoming request, sending duplicates to both the primary and canary services. Metrics are gathered from both services, and the deployment progresses only when the canary metrics show stable performance. This is useful for idempotent requests or those capable of being processed twice.

Rolling updates

When it comes to rolling updates, Flagger takes a straightforward approach. It swaps out old pods for new ones incrementally, ensuring a segment of the application stays up and running throughout the update process. This approach works well for apps that can withstand short lapses in consistency or availability.

Rollback

Flagger's rollback capabilities are a safety net for all the above strategies. If any anomalies are detected during the rollout, Flagger can automatically revert to the previous stable version, minimizing the impact of any issues.

Emergency cases

For urgent deployments, Flagger offers a ‘spec.skipAnalysis: true’ option. When activated, Flagger bypasses the usual metrics and analysis phase, promoting the canary version to primary if it's deemed healthy. This is useful for critical bug fixes that need to be deployed immediately.

Installing Flagger

Flagger's installation process is designed to be as flexible as possible, accommodating a variety of Kubernetes-based platforms. Whether you're using a standard Kubernetes cluster, Google's GKE with Istio, Amazon's EKS App Mesh, or Alibaba ServiceMesh, the core requirements remain consistent: you'll need ‘kubectl’ and ‘helm’.

If you're already immersed in the GitOps world, you're in luck. Flagger can be effortlessly integrated into your existing Flux CD workflow. Just define a HelmRelease and you're good to go. Here are the instructions to install Flagger on Kubernetes.

However, there are some special considerations. For instance, if you're on GKE with Istio, be aware that you must set up Prometheus manually. Furthermore, Alibaba ServiceMesh users should note that a specific region and ACK IDs are required for proper monitoring. Here are instructions to install Flagger with Flux CD.

To confirm that your installation was successful, a quick ‘helm list -n flagger-system’ should show Flagger among your installed Helm releases.
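The HelmRelease route described above, as an added example that is not part of the original article. The API versions, intervals, and the values under ‘values:’ (Linkerd as mesh provider, the Prometheus address) are assumptions to adapt to your cluster; the ‘flagger-system’ namespace must already exist.

```yaml
# Added example (not from the original article): Flagger installed by Flux CD.
# Assumptions: API versions match a recent Flux release, the flagger-system
# namespace exists, and Linkerd's Prometheus runs in linkerd-viz.
apiVersion: source.toolkit.fluxcd.io/v1   # older Flux releases serve a beta version
kind: HelmRepository
metadata:
  name: flagger
  namespace: flagger-system
spec:
  type: oci                     # chart is pulled from an OCI registry
  interval: 1h
  url: oci://ghcr.io/fluxcd/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2     # older Flux releases serve a beta version
kind: HelmRelease
metadata:
  name: flagger
  namespace: flagger-system
spec:
  interval: 1h
  releaseName: flagger          # the name that 'helm list -n flagger-system' shows
  install:
    crds: CreateReplace         # install the Canary/MetricTemplate CRDs with the chart
  upgrade:
    crds: CreateReplace
  chart:
    spec:
      chart: flagger
      version: 1.x              # stay on the 1.x line; pin tighter for production
      interval: 6h
      sourceRef:
        kind: HelmRepository
        name: flagger
      verify:
        provider: cosign        # reject the chart unless its Cosign signature verifies
  values:
    meshProvider: linkerd                                # assumption: Linkerd mesh
    metricsServer: http://prometheus.linkerd-viz:9090    # assumption: Prometheus address
```

With ‘verify’ set, Flux refuses to install a chart whose signature does not check out, so a tampered or substituted chart in the registry fails reconciliation instead of reaching the cluster.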

Quick tutorial: Canary Deployment with Flagger

Let’s walk you through setting up a canary deployment using Flagger and Linkerd. This will give you a hands-on experience of Flagger's capabilities in a real-world scenario.

Initial Setup

  • Bootstrap your environment: Before you start, make sure you have Linkerd and Flagger installed in your Kubernetes cluster.
  • Deploy your application: Deploy an application, let's say ‘podinfo’, to your cluster. Flagger will automatically create a primary deployment, scaling the original podinfo deployment to zero.

Canary Analysis

  • Routing traffic: Post-bootstrap, traffic aimed at ‘podinfo.test’ will be directed towards the primary pods. During the canary analysis, you can use ‘podinfo-canary.test’ to directly target the canary pods.
  • Monitoring: Flagger will automatically monitor key performance indicators like error rates and latencies, gradually increasing traffic to the canary instance.
  • Rollback or promote: If the canary instance meets the criteria, Flagger will route all traffic to the new version. If it fails, Flagger will automatically roll back to the previous stable version.
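A Canary resource that expresses the steps above, as an added example that is not part of the original article. It assumes ‘podinfo’ runs in the ‘test’ namespace on port 9898, that a ‘flagger-loadtester’ service is deployed in the same namespace, and that the thresholds and step sizes shown suit your service.

```yaml
# Added example (not from the original article). All numeric values, the port,
# and the flagger-loadtester URL are assumptions for illustration.
apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
  name: podinfo
  namespace: test
spec:
  provider: linkerd             # assumption: routing is driven through Linkerd
  targetRef:                    # the Deployment Flagger takes over and scales to zero
    apiVersion: apps/v1
    kind: Deployment
    name: podinfo
  progressDeadlineSeconds: 60
  skipAnalysis: false           # true would promote without metric checks
  service:
    port: 9898                  # exposed as podinfo.test and podinfo-canary.test
  analysis:
    interval: 30s               # how often the checks run
    threshold: 5                # failed checks tolerated before rollback
    stepWeight: 5               # traffic added to the canary per successful step
    maxWeight: 50               # promote once the canary has held this share
    metrics:
    - name: request-success-rate    # built-in: percentage of non-5xx responses
      thresholdRange:
        min: 99
      interval: 1m
    - name: request-duration        # built-in: P99 latency in milliseconds
      thresholdRange:
        max: 500
      interval: 30s
    webhooks:
    - name: acceptance-test         # must pass before any traffic is shifted
      type: pre-rollout
      url: http://flagger-loadtester.test/
      timeout: 30s
      metadata:
        type: bash
        cmd: "curl -sd 'test' http://podinfo-canary.test:9898/token | grep token"
    - name: load-test               # synthetic traffic so the metrics have data
      type: rollout
      url: http://flagger-loadtester.test/
      metadata:
        cmd: "hey -z 2m -q 10 -c 2 http://podinfo-canary.test:9898/"
```

Because ‘skipAnalysis’ turns off every check in ‘analysis’, a change that flips it to ‘true’ deserves the same review in Git as a change to the thresholds themselves.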

This was just a snapshot of how Flagger orchestrates canary deployments. For a more detailed tutorial, click here or watch the demo video below.

Monitoring Progressive Delivery

Flagger offers a robust monitoring framework that integrates seamlessly with popular monitoring tools like Prometheus, Grafana, Datadog, Amazon CloudWatch, and New Relic, among others. Each provider has its own way of setting up custom metric checks, which usually involves creating a secret with the necessary API credentials.

The key to its monitoring capabilities lies in its flexibility to define custom metrics. You can specify a range of accepted values for each metric using ‘thresholdRange’ and set the time window for the metric evaluation with ‘interval’. This flexibility in customization lets you fine-tune the monitoring settings to meet the specific requirements of both your application and your chosen deployment method.

While each monitoring tool has unique features, Flagger's architecture allows you to tap into these capabilities without much hassle. Whether you're using Prometheus for its raw data power, Grafana for its visualization, or Datadog for its advanced analytics, Flagger can query these services to validate the canary's performance during the rollout. This ensures a smooth and monitored transition from your old version to the new one, minimizing risks and enhancing the user experience.
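A custom metric check wired to a credentials secret, as an added example that is not part of the original article. The template name, the Prometheus address, the secret name ‘prom-auth’, the query, and the 5% ceiling are all assumptions; the query uses Linkerd's ‘response_total’ proxy metric.

```yaml
# Added example (not from the original article). Names, address, query and
# threshold are assumptions. Create the Secret out of band (for example with a
# sealed or externally managed secret), not as plain text in Git.
apiVersion: flagger.app/v1beta1
kind: MetricTemplate
metadata:
  name: not-found-percentage
  namespace: test
spec:
  provider:
    type: prometheus
    address: http://prometheus.linkerd-viz:9090
    secretRef:
      name: prom-auth           # Secret holding 'username' and 'password' keys
  # Flagger fills in namespace, target and interval from the Canary at query time.
  query: |
    100 - sum(
        rate(
            response_total{
                namespace="{{ namespace }}",
                deployment=~"{{ target }}",
                status_code!="404",
                direction="inbound"
            }[{{ interval }}]
        )
    )
    /
    sum(
        rate(
            response_total{
                namespace="{{ namespace }}",
                deployment=~"{{ target }}",
                direction="inbound"
            }[{{ interval }}]
        )
    )
    * 100

# Referenced from the Canary under spec.analysis.metrics (fragment):
#   - name: "404s percentage"
#     templateRef:
#       name: not-found-percentage
#       namespace: test
#     thresholdRange:
#       max: 5                  # fail the check above 5% of requests
#     interval: 1m              # window substituted for {{ interval }}
```

Scope the credentials in the secret to read-only query access, since Flagger only needs to read metrics to evaluate the canary.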

Benefits of using Flagger

There are many unique advantages of using Flagger. Let’s look at the key ones below.

  • Kubernetes-native: Flagger stands out for its Kubernetes-native design, meaning it works harmoniously with your existing Kubernetes resources without introducing new ones, which makes it a seamless addition to your current workflows.
  • Built-in load testing capabilities: During the canary analysis, Flagger can automatically generate synthetic traffic, providing a more comprehensive view of how your system behaves under different conditions.
  • Tight integration with Flux CD: If you're already using Flux CD for your GitOps workflows, incorporating Flagger feels almost like a natural extension. The two tools work well together, enhancing the automation and rollback capabilities and making your entire CI/CD pipeline more resilient and efficient.

While other solutions like Argo Rollouts offer similar functionalities, Flagger's native compatibility with Kubernetes, built-in load testing, and synergy with Flux CD make it a compelling choice for those looking to optimize their deployment strategies.

Flux CD & Flagger - Better together

Imagine a deployment pipeline that operates with clock-like precision. You commit a code change to your Git repository, and Flux CD immediately detects it. The tool syncs these changes with your Kubernetes cluster, ensuring that your desired state is consistently reflected. Now, before the new version is fully deployed, Flagger intervenes. It diverts a fraction of the traffic to the updated release, closely monitoring key performance indicators and running automated load tests.


As the new release meets the predefined performance thresholds, Flagger incrementally shifts more traffic to it. Meanwhile, you can focus on other high-priority tasks, confident that your deployment process is both automated and secure. If any issues arise, the seamless integration between Flux CD and Flagger enables an immediate rollback, minimizing any impact on end users.

In this scenario, the advantages are clear: you achieve a high level of automation, reducing the likelihood of manual errors and freeing up valuable developer resources. Plus, the risk associated with new deployments is mitigated through Flagger's progressive delivery capabilities. Lastly, the synergy between Flux CD and Flagger fortifies your entire CI/CD pipeline, making it more resilient and efficient.

This isn't just about accelerating deployments; it's about enhancing them in a smart, risk-averse manner.

Policies for Progressive Delivery

In the enterprise landscape, policies are not just guidelines but strategic levers for control and automation in software deployments. Flagger enables you to configure policies that dictate the behavior of your deployments, offering granular control over key performance indicators, rollback conditions, and more. This level of automation ensures that deployments adhere to predefined standards, reducing manual oversight and the potential for errors.

For organizations looking to extend this policy-driven approach across their entire GitOps pipeline, Weave GitOps Enterprise (WGE) offers a robust solution. WGE provides an extensive library of pre-configured policies that align with compliance standards such as SOC2, GDPR, and HIPAA. These policies are not just limited to deployments but extend across the infrastructure, ensuring a secure and compliant operational environment.

By integrating Flagger's policy capabilities with WGE's comprehensive policy management, organizations can achieve a fully automated, end-to-end deployment pipeline that is not only efficient but also compliant with industry standards. This synergy ensures that you're not just deploying faster, but smarter and safer as well.

Automate Progressive Delivery with Weave GitOps

The integration of Flagger with Weave GitOps Enterprise offers a streamlined, secure, and efficient solution for your progressive delivery needs. This powerful combination ensures that your deployments are not only fast but also smart, aligning with organizational and security standards. The future of deployments is here, and it's automated, secure, and efficient.

Interested in taking your deployments to the next level? Request a demo today!
