Flux – Install

Flagger: Flagger Install on Kubernetes with Flux

Mon, 01 Jan 0001 00:00:00 +0000

This guide walks you through setting up Flagger on a Kubernetes cluster the GitOps way. You’ll configure Flux to scan the Flagger OCI artifacts and deploy the latest stable version on Kubernetes.

Flagger OCI artifacts

Flagger OCI artifacts (container images, Helm charts, Kustomize overlays) are published to GitHub Container Registry, and they are signed with Cosign at every release.

OCI artifacts

ghcr.io/fluxcd/flagger:<version> multi-arch container images
ghcr.io/fluxcd/flagger-manifest:<version> Kubernetes manifests
ghcr.io/fluxcd/charts/flagger:<version> Helm charts

Prerequisites

To follow this guide you’ll need a Kubernetes cluster with Flux installed on it. Please see the Flux get started guide or the Flux installation guide.

Deploy Flagger with Flux

First define the namespace where Flagger will be installed:

---
apiVersion: v1
kind: Namespace
metadata:
 name: flagger-system
 labels:
 toolkit.fluxcd.io/tenant: sre-team

Define a Flux HelmRepository that points to where the Flagger Helm charts are stored:

apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
 name: flagger
 namespace: flagger-system
spec:
 interval: 1h
 url: oci://ghcr.io/fluxcd/charts
 type: oci

Define a Flux HelmRelease that verifies and installs Flagger’s latest version on the cluster:

---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
 name: flagger
 namespace: flagger-system
spec:
 interval: 1h
 releaseName: flagger
 install: # override existing Flagger CRDs
 crds: CreateReplace
 upgrade: # update Flagger CRDs
 crds: CreateReplace
 chart:
 spec:
 chart: flagger
 version: 1.x # update Flagger to the latest minor version
 interval: 6h # scan for new versions every six hours
 sourceRef:
 kind: HelmRepository
 name: flagger
 verify: # verify the chart signature with Cosign keyless
 provider: cosign 
 values:
 nodeSelector:
 kubernetes.io/os: linux

Copy the above manifests into a file called flagger.yaml, place the YAML file in the Git repository bootstrapped with Flux, then commit and push it to upstream.

After Flux reconciles the changes on your cluster, you can check if Flagger got deployed with:

$ helm list -n flagger-system
NAME NAMESPACE REVISION STATUS CHART APP VERSION
flagger flagger-system 1 deployed flagger-1.23.0 1.23.0

To uninstall Flagger, delete the flagger.yaml from your repository, then Flux will uninstall the Helm release and will remove the namespace from your cluster.

Deploy Flagger load tester with Flux

Flagger comes with a load testing service that generates traffic during analysis when configured as a webhook.

The load tester container images and deployment manifests are published to GitHub Container Registry. The container images and the manifests are signed with Cosign and GitHub Actions OIDC.

Assuming the applications managed by Flagger are in the apps namespace, you can configure Flux to deploy the load tester there.

Define a Flux OCIRepository that points to where the Flagger Kustomize overlays are stored:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
 name: flagger-loadtester
 namespace: apps
spec:
 interval: 6h # scan for new versions every six hours
 url: oci://ghcr.io/fluxcd/flagger-manifests
 ref:
 semver: 1.x # update to the latest version 
 verify: # verify the artifact signature with Cosign keyless
 provider: cosign

Define a Flux Kustomization that deploys the Flagger load tester to the apps namespace:

---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
 name: flagger-loadtester
 namespace: apps
spec:
 interval: 6h
 wait: true
 timeout: 5m
 prune: true
 sourceRef:
 kind: OCIRepository
 name: flagger-loadtester
 path: ./tester
 targetNamespace: apps

Copy the above manifests into a file called flagger-loadtester.yaml, place the YAML file in the Git repository bootstrapped with Flux, then commit and push it to upstream.

After Flux reconciles the changes on your cluster, you can check if the load tester got deployed with:

$ flux -n apps get kustomization flagger-loadtester
NAME READY MESSAGE
flagger-loadtester True Applied revision: v1.23.0/a80af71e001

To uninstall the load tester, delete the flagger-loadtester.yaml from your repository, and Flux will delete the load tester deployment from the cluster.

Flagger: Flagger Install on Kubernetes

Mon, 01 Jan 0001 00:00:00 +0000

This guide walks you through setting up Flagger on a Kubernetes cluster with Helm v3 or Kustomize.

Prerequisites

Flagger requires a Kubernetes cluster v1.16 or newer.

Install Flagger with Helm

Add Flagger Helm repository:

helm repo add flagger https://flagger.app

Install Flagger’s Canary CRD:

kubectl apply -f https://raw.githubusercontent.com/fluxcd/flagger/main/artifacts/flagger/crd.yaml

Deploy Flagger for Istio:

helm upgrade -i flagger flagger/flagger \
--namespace=istio-system \
--set crd.create=false \
--set meshProvider=istio \
--set metricsServer=http://prometheus:9090

Note that Flagger depends on Istio telemetry and Prometheus, if you’re installing Istio with istioctl then you should be using the default profile.

For Istio multi-cluster shared control plane you can install Flagger on each remote cluster and set the Istio control plane host cluster kubeconfig:

helm upgrade -i flagger flagger/flagger \
--namespace=istio-system \
--set crd.create=false \
--set meshProvider=istio \
--set metricsServer=http://istio-cluster-prometheus:9090 \
--set controlplane.kubeconfig.secretName=istio-kubeconfig \
--set controlplane.kubeconfig.key=kubeconfig

Note that the Istio kubeconfig must be stored in a Kubernetes secret with a data key named kubeconfig. For more details on how to configure Istio multi-cluster credentials read the Istio docs.

Deploy Flagger for Linkerd:

helm upgrade -i flagger flagger/flagger \
--namespace=linkerd \
--set crd.create=false \
--set meshProvider=linkerd \
--set metricsServer=http://linkerd-prometheus:9090

Deploy Flagger for App Mesh:

helm upgrade -i flagger flagger/flagger \
--namespace=appmesh-system \
--set crd.create=false \
--set meshProvider=appmesh \
--set metricsServer=http://appmesh-prometheus:9090

Deploy Flagger for Open Service Mesh (OSM) (requires OSM to have been installed with Prometheus):

$ helm upgrade -i flagger flagger/flagger \
--namespace=osm-system \
--set crd.create=false \
--set meshProvider=osm \
--set metricsServer=http://osm-prometheus.osm-system.svc:7070

You can install Flagger in any namespace as long as it can talk to the Prometheus service on port 9090.

For ingress controllers, the install instructions are:

You can use the helm template command and apply the generated yaml with kubectl:

# generate
helm fetch --untar --untardir . flagger/flagger &&
helm template flagger ./flagger \
--namespace=istio-system \
--set metricsServer=http://prometheus.istio-system:9090 \
> flagger.yaml

# apply
kubectl apply -f flagger.yaml

To uninstall the Flagger release with Helm run:

helm delete flagger

The command removes all the Kubernetes components associated with the chart and deletes the release.

Note that on uninstall the Canary CRD will not be removed. Deleting the CRD will make Kubernetes remove all the objects owned by Flagger like Istio virtual services, Kubernetes deployments and ClusterIP services.

If you want to remove all the objects created by Flagger you have delete the Canary CRD with kubectl:

kubectl delete crd canaries.flagger.app

Install Grafana with Helm

Flagger comes with a Grafana dashboard made for monitoring the canary analysis.

Deploy Grafana in the istio-system namespace:

helm upgrade -i flagger-grafana flagger/grafana \
--namespace=istio-system \
--set url=http://prometheus.istio-system:9090 \
--set user=admin \
--set password=change-me

Or use helm template command and apply the generated yaml with kubectl:

# generate
helm fetch --untar --untardir . flagger/grafana &&
helm template flagger-grafana ./grafana \
--namespace=istio-system \
> flagger-grafana.yaml

# apply
kubectl apply -f flagger-grafana.yaml

You can access Grafana using port forwarding:

kubectl -n istio-system port-forward svc/flagger-grafana 3000:80

Install Flagger with Kustomize

As an alternative to Helm, Flagger can be installed with Kustomize 3.5.0 or newer.

Service mesh specific installers

Install Flagger for Istio:

kustomize build https://github.com/fluxcd/flagger/kustomize/istio?ref=main | kubectl apply -f -

Install Flagger for AWS App Mesh:

kustomize build https://github.com/fluxcd/flagger/kustomize/appmesh?ref=main | kubectl apply -f -

This deploys Flagger and sets the metrics server URL to App Mesh’s Prometheus instance.

Install Flagger for Linkerd:

kustomize build https://github.com/fluxcd/flagger/kustomize/linkerd?ref=main | kubectl apply -f -

This deploys Flagger in the linkerd namespace and sets the metrics server URL to Linkerd’s Prometheus instance.

Install Flagger for Open Service Mesh:

kustomize build https://github.com/fluxcd/flagger/kustomize/osm?ref=main | kubectl apply -f -

This deploys Flagger in the osm-system namespace and sets the metrics server URL to OSM’s Prometheus instance.

If you want to install a specific Flagger release, add the version number to the URL:

kustomize build https://github.com/fluxcd/flagger/kustomize/linkerd?ref=v1.0.0 | kubectl apply -f -

Generic installer

Install Flagger and Prometheus for Contour, Gloo, NGINX, Skipper, APISIX or Traefik ingress:

kustomize build https://github.com/fluxcd/flagger/kustomize/kubernetes?ref=main | kubectl apply -f -

This deploys Flagger and Prometheus in the flagger-system namespace, sets the metrics server URL to http://flagger-prometheus.flagger-system:9090 and the mesh provider to kubernetes.

The Prometheus instance has a two hours data retention and is configured to scrape all pods in your cluster that have the prometheus.io/scrape: "true" annotation.

To target a different provider you can specify it in the canary custom resource:

apiVersion: flagger.app/v1beta1
kind: Canary
metadata:
 name: app
 namespace: test
spec:
 # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, gloo, traefik, osm, apisix
 # use the kubernetes provider for Blue/Green style deployments
 provider: nginx

Customized installer

Create a kustomization file using Flagger as base and patch the container args:

cat > kustomization.yaml <<EOF
namespace: istio-system
bases:
 - https://github.com/fluxcd/flagger/kustomize/kubernetes?ref=main
patches:
- target:
 kind: Deployment
 name: flagger
 patch: |-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: flagger
 spec:
 template:
 spec:
 containers:
 - name: flagger
 args:
 - -mesh-provider=istio
 - -metrics-server=http://prometheus.istio-system:9090
 - -include-label-prefix=app.kubernetes.io
EOF

Flagger: Flagger Install on GKE Istio

Mon, 01 Jan 0001 00:00:00 +0000

This guide walks you through setting up Flagger and Istio on Google Kubernetes Engine.

Prerequisites

You will be creating a cluster on Google’s Kubernetes Engine (GKE), if you don’t have an account you can sign up here for free credits.

Install the gcloud command line utility and configure your project with gcloud init.

Set the default project (replace PROJECT_ID with your own project):

gcloud config set project PROJECT_ID

Set the default compute region and zone:

gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a

Enable the Kubernetes and Cloud DNS services for your project:

gcloud services enable container.googleapis.com
gcloud services enable dns.googleapis.com

Install the kubectl command-line tool:

gcloud components install kubectl

GKE cluster setup

Create a cluster with the Istio add-on:

K8S_VERSION=$(gcloud container get-server-config --format=json \
| jq -r '.validMasterVersions[0]')

gcloud beta container clusters create istio \
--cluster-version=${K8S_VERSION} \
--zone=us-central1-a \
--num-nodes=2 \
--machine-type=n1-highcpu-4 \
--preemptible \
--no-enable-cloud-logging \
--no-enable-cloud-monitoring \
--disk-size=30 \
--enable-autorepair \
--addons=HorizontalPodAutoscaling,Istio \
--istio-config=auth=MTLS_PERMISSIVE

The above command will create a default node pool consisting of two n1-highcpu-4 (vCPU: 4, RAM 3.60GB, DISK: 30GB) preemptible VMs. Preemptible VMs are up to 80% cheaper than regular instances and are terminated and replaced after a maximum of 24 hours.

Set up credentials for kubectl:

gcloud container clusters get-credentials istio

Create a cluster admin role binding:

kubectl create clusterrolebinding "cluster-admin-$(whoami)" \
--clusterrole=cluster-admin \
--user="$(gcloud config get-value core/account)"

Validate your setup with:

kubectl -n istio-system get svc

In a couple of seconds GCP should allocate an external IP to the istio-ingressgateway service.

Cloud DNS setup

You will need an internet domain and access to the registrar to change the name servers to Google Cloud DNS.

Create a managed zone named istio in Cloud DNS (replace example.com with your domain):

gcloud dns managed-zones create \
--dns-name="example.com." \
--description="Istio zone" "istio"

Look up your zone’s name servers:

gcloud dns managed-zones describe istio

Update your registrar’s name server records with the records returned by the above command.

Wait for the name servers to change (replace example.com with your domain):

watch dig +short NS example.com

Create a static IP address named istio-gateway using the Istio ingress IP:

export GATEWAY_IP=$(kubectl -n istio-system get svc/istio-ingressgateway -ojson \
| jq -r .status.loadBalancer.ingress[0].ip)

gcloud compute addresses create istio-gateway --addresses ${GATEWAY_IP} --region us-central1

Create the following DNS records (replace example.com with your domain):

DOMAIN="example.com"

gcloud dns record-sets transaction start --zone=istio

gcloud dns record-sets transaction add --zone=istio \
--name="${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}

gcloud dns record-sets transaction add --zone=istio \
--name="www.${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}

gcloud dns record-sets transaction add --zone=istio \
--name="*.${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}

gcloud dns record-sets transaction execute --zone istio

Verify that the wildcard DNS is working (replace example.com with your domain):

watch host test.example.com

Install Helm

Install the Helm command-line tool:

brew install kubernetes-helm

Create a service account and a cluster role binding for Tiller:

kubectl -n kube-system create sa tiller

kubectl create clusterrolebinding tiller-cluster-rule \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:tiller

Deploy Tiller in the kube-system namespace:

helm init --service-account tiller

You should consider using SSL between Helm and Tiller, for more information on securing your Helm installation see docs.helm.sh.

Install cert-manager

Jetstack’s cert-manager is a Kubernetes operator that automatically creates and manages TLS certs issued by Let’s Encrypt.

You’ll be using cert-manager to provision a wildcard certificate for the Istio ingress gateway.

Install cert-manager’s CRDs:

CERT_REPO=https://raw.githubusercontent.com/jetstack/cert-manager

kubectl apply -f ${CERT_REPO}/release-0.10/deploy/manifests/00-crds.yaml

Create the cert-manager namespace and disable resource validation:

kubectl create namespace cert-manager

kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

Install cert-manager with Helm:

helm repo add jetstack https://charts.jetstack.io && \
helm repo update && \
helm upgrade -i cert-manager \
--namespace cert-manager \
--version v0.10.0 \
jetstack/cert-manager

Istio Gateway TLS setup

Create a generic Istio Gateway to expose services outside the mesh on HTTPS:

REPO=https://raw.githubusercontent.com/fluxcd/flagger/main

kubectl apply -f ${REPO}/artifacts/gke/istio-gateway.yaml

Create a service account with Cloud DNS admin role (replace my-gcp-project with your project ID):

GCP_PROJECT=my-gcp-project

gcloud iam service-accounts create dns-admin \
--display-name=dns-admin \
--project=${GCP_PROJECT}

gcloud iam service-accounts keys create ./gcp-dns-admin.json \
--iam-account=dns-admin@${GCP_PROJECT}.iam.gserviceaccount.com \
--project=${GCP_PROJECT}

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
--member=serviceAccount:dns-admin@${GCP_PROJECT}.iam.gserviceaccount.com \
--role=roles/dns.admin

Create a Kubernetes secret with the GCP Cloud DNS admin key:

kubectl create secret generic cert-manager-credentials \
--from-file=./gcp-dns-admin.json \
--namespace=istio-system

Create a letsencrypt issuer for CloudDNS (replace email@example.com with a valid email address and my-gcp-projectwith your project ID):

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
 name: letsencrypt-prod
 namespace: istio-system
spec:
 acme:
 server: https://acme-v02.api.letsencrypt.org/directory
 email: email@example.com
 privateKeySecretRef:
 name: letsencrypt-prod
 dns01:
 providers:
 - name: cloud-dns
 clouddns:
 serviceAccountSecretRef:
 name: cert-manager-credentials
 key: gcp-dns-admin.json
 project: my-gcp-project

Save the above resource as letsencrypt-issuer.yaml and then apply it:

kubectl apply -f ./letsencrypt-issuer.yaml

Create a wildcard certificate (replace example.com with your domain):

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
 name: istio-gateway
 namespace: istio-system
spec:
 secretName: istio-ingressgateway-certs
 issuerRef:
 name: letsencrypt-prod
 commonName: "*.example.com"
 acme:
 config:
 - dns01:
 provider: cloud-dns
 domains:
 - "*.example.com"
 - "example.com"

Save the above resource as istio-gateway-cert.yaml and then apply it:

kubectl apply -f ./istio-gateway-cert.yaml

In a couple of seconds cert-manager should fetch a wildcard certificate from letsencrypt.org:

kubectl -n istio-system describe certificate istio-gateway

Events:
 Type Reason Age From Message
 ---- ------ ---- ---- -------
 Normal CertIssued 1m52s cert-manager Certificate issued successfully

Recreate Istio ingress gateway pods:

kubectl -n istio-system get pods -l istio=ingressgateway

Note that Istio gateway doesn’t reload the certificates from the TLS secret on cert-manager renewal. Since the GKE cluster is made out of preemptible VMs the gateway pods will be replaced once every 24h, if your not using preemptible nodes then you need to manually delete the gateway pods every two months before the certificate expires.

Install Prometheus

The GKE Istio add-on does not include a Prometheus instance that scrapes the Istio telemetry service. Because Flagger uses the Istio HTTP metrics to run the canary analysis you have to deploy the following Prometheus configuration that’s similar to the one that comes with the official Istio Helm chart.

Find the GKE Istio version with:

kubectl -n istio-system get deploy istio-pilot -oyaml | grep image:

Install Prometheus in istio-system namespace:

kubectl -n istio-system apply -f \
https://storage.googleapis.com/gke-release/istio/release/1.0.6-gke.3/patches/install-prometheus.yaml

Install Flagger and Grafana

Add Flagger Helm repository:

helm repo add flagger https://flagger.app

Install Flagger’s Canary CRD:

kubectl apply -f https://raw.githubusercontent.com/fluxcd/flagger/main/artifacts/flagger/crd.yaml

Deploy Flagger in the istio-system namespace with Slack notifications enabled:

helm upgrade -i flagger flagger/flagger \
--namespace=istio-system \
--set crd.create=false \
--set metricsServer=http://prometheus.istio-system:9090 \
--set slack.url=https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK \
--set slack.channel=some-channel-name \
--set slack.user=flagger

Deploy Grafana in the istio-system namespace:

helm upgrade -i flagger-grafana flagger/grafana \
--namespace=istio-system \
--set url=http://prometheus.istio-system:9090 \
--set user=admin \
--set password=replace-me

Expose Grafana through the public gateway by creating a virtual service (replace example.com with your domain):

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
 name: grafana
 namespace: istio-system
spec:
 hosts:
 - "grafana.example.com"
 gateways:
 - public-gateway.istio-system.svc.cluster.local
 http:
 - route:
 - destination:
 host: flagger-grafana

Save the above resource as grafana-virtual-service.yaml and then apply it:

kubectl apply -f ./grafana-virtual-service.yaml

Navigate to http://grafana.example.com in your browser and you should be redirected to the HTTPS version.

Flagger: Flagger Install on EKS App Mesh

Mon, 01 Jan 0001 00:00:00 +0000

This guide walks you through setting up Flagger and AWS App Mesh on EKS.

App Mesh

The App Mesh integration with EKS is made out of the following components:

Kubernetes custom resources
- mesh.appmesh.k8s.aws defines a logical boundary for network traffic between the services
- virtualnode.appmesh.k8s.aws defines a logical pointer to a Kubernetes workload
- virtualservice.appmesh.k8s.aws defines the routing rules for a workload inside the mesh
CRD controller - keeps the custom resources in sync with the App Mesh control plane
Admission controller - injects the Envoy sidecar and assigns Kubernetes pods to App Mesh virtual nodes
Telemetry service - Prometheus instance that collects and stores Envoy’s metrics

Create a Kubernetes cluster

In order to create an EKS cluster you can use eksctl. Eksctl is an open source command-line utility made by Weaveworks in collaboration with Amazon.

On MacOS you can install eksctl with Homebrew:

brew tap weaveworks/tap
brew install weaveworks/tap/eksctl

Create an EKS cluster with:

eksctl create cluster --name=appmesh \
--region=us-west-2 \
--nodes 3 \
--node-volume-size=120 \
--appmesh-access

The above command will create a two nodes cluster with App Mesh IAM policy attached to the EKS node instance role.

Verify the install with:

kubectl get nodes

Install Helm

Install the Helm v3 command-line tool:

brew install helm

Add the EKS repository to Helm:

helm repo add eks https://aws.github.io/eks-charts

Enable horizontal pod auto-scaling

Install the Horizontal Pod Autoscaler (HPA) metrics provider:

helm upgrade -i metrics-server stable/metrics-server \
--namespace kube-system \
--set args[0]=--kubelet-preferred-address-types=InternalIP

After a minute, the metrics API should report CPU and memory usage for pods. You can very the metrics API with:

kubectl -n kube-system top pods

Install the App Mesh components

Install the App Mesh CRDs:

kubectl apply -k github.com/aws/eks-charts/stable/appmesh-controller//crds?ref=master

Create the appmesh-system namespace:

kubectl create ns appmesh-system

Install the App Mesh controller:

helm upgrade -i appmesh-controller eks/appmesh-controller \
--wait --namespace appmesh-system

In order to collect the App Mesh metrics that Flagger needs to run the canary analysis, you’ll need to setup a Prometheus instance to scrape the Envoy sidecars.

Install the App Mesh Prometheus:

helm upgrade -i appmesh-prometheus eks/appmesh-prometheus \
--wait --namespace appmesh-system

Install Flagger

Add Flagger Helm repository:

helm repo add flagger https://flagger.app

Install Flagger’s Canary CRD:

kubectl apply -f https://raw.githubusercontent.com/fluxcd/flagger/main/artifacts/flagger/crd.yaml

Deploy Flagger in the appmesh-system namespace:

helm upgrade -i flagger flagger/flagger \
--namespace=appmesh-system \
--set crd.create=false \
--set meshProvider=appmesh:v1beta2 \
--set metricsServer=http://appmesh-prometheus:9090

Install Grafana

Deploy App Mesh Grafana that comes with a dashboard for monitoring Flagger’s canary releases:

helm upgrade -i appmesh-grafana eks/appmesh-grafana \
--namespace appmesh-system

You can access Grafana using port forwarding:

kubectl -n appmesh-system port-forward svc/appmesh-grafana 3000:3000

Now that you have Flagger running, you can try the App Mesh canary deployments tutorial.

Flagger: Flagger Install on Alibaba ServiceMesh

Mon, 01 Jan 0001 00:00:00 +0000

This guide walks you through setting up Flagger on Alibaba ServiceMesh.

Prerequisites

Created an ACK( Alibabacloud Container Service for Kubernetes) cluster instance.
Create an ASM( Alibaba ServiceMesh) enterprise instance and add ACK cluster.

Variables declaration

$ACK_CONFIG: the kubeconfig file path of ACK, which be treated as$HOME/.kube/config in the rest of guide.
$MESH_CONFIG: the kubeconfig file path of ASM.

Enable Data-plane KubeAPI access in ASM

In the Alibaba Cloud Service Mesh (ASM) console, on the basic information page, make sure Data-plane KubeAPI access is enabled. When enabled, the Istio resources of the control plane can be managed through the Kubeconfig of the data plane cluster.

Enable Prometheus

In the Alibaba Cloud Service Mesh (ASM) console, click Settings to enable the collection of Prometheus monitoring metrics. You can use the self-built Prometheus monitoring, or you can use the Alibaba Cloud ARMS Prometheus monitoring plug-in that has joined the ACK cluster, and use ARMS Prometheus to collect monitoring indicators.

Install Flagger

Add Flagger Helm repository:

helm repo add flagger https://flagger.app

Install Flagger’s Canary CRD:

kubectl apply -f https://raw.githubusercontent.com/fluxcd/flagger/v1.21.0/artifacts/flagger/crd.yaml

Deploy Flagger for Istio

Add data plane cluster to Alibaba Cloud Service Mesh (ASM)

In the Alibaba Cloud Service Mesh (ASM) console, click Cluster & Workload Management, select the Kubernetes cluster, select the target ACK cluster, and add it to ASM.

Prometheus address

If you are using Alibaba Cloud Container Service for Kubernetes (ACK) ARMS Prometheus monitoring, replace {Region-ID} in the link below with your region ID, such as cn-hangzhou. {ACKID} is the ACK ID of the data plane cluster that you added to Alibaba Cloud Service Mesh (ASM). Visit the following links to query the public and intranet addresses monitored by ACK’s ARMS Prometheus: https://arms.console.aliyun.com/#/promDetail/{Region-ID}/{ACK-ID}/setting

An example of an intranet address is as follows: http://{Region-ID}-intranet.arms.aliyuncs.com:9090/api/v1/prometheus/{Prometheus-ID}/{u-id}/{ACK-ID}/{Region-ID}

Deploy Flagger

Replace the value of metricsServer with your Prometheus address.

helm upgrade -i flagger flagger/flagger \
--namespace=istio-system \
--set crd.create=false \
--set meshProvider=istio \
--set metricsServer=http://prometheus:9090