Full‑Chain Gray Release with Alibaba Service Mesh (ASM) and Kruise Rollout
This guide explains how to implement full‑link gray release using Alibaba Service Mesh (ASM) swimlane isolation together with the open‑source Kruise Rollout framework, providing step‑by‑step configurations, Kubernetes manifests, and command‑line examples for traffic routing, canary deployments, and rollback in a cloud‑native environment.
Gray release is an effective microservice deployment strategy that gradually shifts a small portion of traffic to a new version, validates it, and then incrementally increases traffic, reducing risk compared with full or blue‑green releases.
When services form a call chain, full‑link gray release requires isolating the entire request path so that only traffic destined for the new version travels through the upgraded services. ASM (Alibaba Service Mesh) provides swimlane functionality to isolate traffic by version tags and defines a baseline version that automatically falls back when a newer version fails.
Kruise Rollout, an open‑source progressive delivery framework, integrates with ASM to automate canary, blue‑green, and A/B testing, offering batch rollout, pause, and seamless integration with existing workloads such as Deployment, CloneSet, and StatefulSet.
Best‑practice steps
1. Create ingressgateway rule
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: ingressgateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- '*'2. Deploy baseline applications (mocka, mockb, mockc)
apiVersion: v1
kind: Service
metadata:
name: mocka
labels:
app: mocka
service: mocka
spec:
ports:
- port: 8000
name: http
selector:
app: mocka
---
apiVersion: v1
kind: Service
metadata:
name: mockb
labels:
app: mockb
service: mockb
spec:
ports:
- port: 8000
name: http
selector:
app: mockb
---
apiVersion: v1
kind: Service
metadata:
name: mockc
labels:
app: mockc
service: mockc
spec:
ports:
- port: 8000
name: http
selector:
app: mockc
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mocka-v1
labels:
app: mocka
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: mocka
template:
metadata:
labels:
app: mocka
version: v1
ASM_TRAFFIC_TAG: base
spec:
containers:
- name: default
image: registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/go-http-sample:1.0
env:
- name: version
value: v1
- name: app
value: mocka
- name: upstream_url
value: "http://mockb:8000/"
ports:
- containerPort: 8000
---
# Similar Deployment definitions for mockb-v1 and mockc-v1 omitted for brevity3. Deploy ASM swimlane group and swimlanes
apiVersion: istio.alibabacloud.com/v1
kind: ASMSwimLaneGroup
metadata:
name: rollout
spec:
ingress:
gateway:
name: ingressgateway
namespace: istio-system
type: ASM
ingressRouting:
ingressRoutingStrategy: rule_based
weightedRoutingRule:
hosts:
- '*'
requestMatches:
- uri:
exact: /mock
isPermissive: true
permissiveModeConfiguration:
fallbackTarget: base
routeHeader: x-asm-prefer-tag
traceHeader: my-request-id
autoUpdate: true
services:
- cluster:
id: c8f823ca6f5de404486e1b83d61b4e812
name: test
name: mockb
namespace: default
- cluster:
id: ce9724f7548914f9bbc0c09bbf0481623
name: test
name: mocka
namespace: default
- cluster:
id: ce9724f7548914f9bbc0c09bbf0481623
name: test
name: mockc
namespace: default
---
apiVersion: istio.alibabacloud.com/v1
kind: ASMSwimLane
metadata:
labels:
swimlane-group: rollout
name: base
spec:
ingressRules:
- hosts:
- '*'
match:
headers:
x-asm-prefer-tag:
exact: base
uri:
exact: /mock
name: base
online: true
route:
destination:
host: mocka.default.svc.cluster.local
ingressWeight:
destination: {}
labelSelector:
ASM_TRAFFIC_TAG: base
services:
- cluster:
id: ce9724f7548914f9bbc0c09bbf0481623
name: test
name: mockb
namespace: default
- cluster:
id: ce9724f7548914f9bbc0c09bbf0481623
name: test
name: mocka
namespace: default
- cluster:
id: ce9724f7548914f9bbc0c09bbf0481623
name: test
name: mockc
namespace: default
---
apiVersion: istio.alibabacloud.com/v1
kind: ASMSwimLane
metadata:
labels:
swimlane-group: rollout
name: canary
spec:
ingressRules:
- hosts:
- '*'
match:
headers:
x-asm-prefer-tag:
exact: canary
uri:
exact: /mock
name: canary
online: true
route:
destination:
host: mocka.default.svc.cluster.local
labelSelector:
ASM_TRAFFIC_TAG: canary
services: []4. Deploy Kruise Rollout resources for each service
apiVersion: rollouts.kruise.io/v1beta1
kind: Rollout
metadata:
name: rollouts-mocka
spec:
workloadRef:
apiVersion: apps/v1
kind: Deployment
name: mocka-v1
strategy:
canary:
enableExtraWorkloadForCanary: true
steps:
- replicas: 1
patchPodTemplateMetadata:
labels:
ASM_TRAFFIC_TAG: canary
---
apiVersion: rollouts.kruise.io/v1beta1
kind: Rollout
metadata:
name: rollouts-mockb
spec:
workloadRef:
apiVersion: apps/v1
kind: Deployment
name: mockb-v1
strategy:
canary:
enableExtraWorkloadForCanary: true
steps:
- replicas: 1
patchPodTemplateMetadata:
labels:
ASM_TRAFFIC_TAG: canary
---
apiVersion: rollouts.kruise.io/v1beta1
kind: Rollout
metadata:
name: rollouts-mockc
namespace: demo
spec:
workloadRef:
apiVersion: apps/v1
kind: Deployment
name: mockc-v1
strategy:
canary:
enableExtraWorkloadForCanary: true
steps:
- replicas: 1
patchPodTemplateMetadata:
labels:
ASM_TRAFFIC_TAG: canary5. Publish new version of mocka
kubectl patch deployment mocka-v1 \
-p '{"spec": {"template": {"spec": {"containers": [{"name": "default", "image": "registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/go-http-sample:2.0"}]}}}}'After the patch, Kruise Rollout creates a canary deployment; the ASM swimlane routes traffic with header x-asm-prefer-tag: canary to the new version.
6. Verify traffic routing
% curl ${ASM_GATEWAY}/mock -H 'x-asm-prefer-tag: base' -H 'my-request-id: 10001'
% -> mocka(version: v2, ip: 172.16.0.88)-> mockb(version: v1, ip: 172.16.0.97)-> mockc(version: v1, ip: 172.16.0.89)
% curl ${ASM_GATEWAY}/mock -H 'x-asm-prefer-tag: canary' -H 'my-request-id: 10002'
% -> mocka(version: v2, ip: 172.16.0.88)-> mockb(version: v1, ip: 172.16.0.97)-> mockc(version: v1, ip: 172.16.0.89)Repeat the patch and verification steps for mockb and mockc , then approve the rollouts to promote the canary versions to the baseline:
% kubectl kruise rollout approve rollout/rollouts-mockb
% kubectl kruise rollout approve rollout/rollouts-mocka
% kubectl kruise rollout approve rollout/rollouts-mockcAfter approval, the DestinationRule objects contain only the base subset, indicating that the new versions have become the baseline.
7. Optional canary rollback
kubectl kruise rollout undo rollout/rollouts-mockaBy combining ASM swimlane isolation with Kruise Rollout, you achieve a fully automated, low‑cost, and reliable full‑link gray release workflow for microservice applications.
Alibaba Cloud Infrastructure
For uninterrupted computing services
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.