Depending on your level of expertise in this area, you may wonder why Istio’s support for canary deployment is even needed, given that platforms like Kubernetes already provide a way to do version rollout and canary deployment. Problem solved, right? Well, not exactly. Although doing a rollout this way works in simple cases, it’s very limited, especially in large scale cloud environments receiving lots of (and especially varying amounts of) traffic, where autoscaling is needed.

  resource.customizations.ignoreDifferences.apps_Deployment: |
    jsonPointers:
      - /spec/template/metadata/creationTimestamp
  resource.customizations.ignoreDifferences.apps_StatefulSet: |
    jsonPointers:
      - /spec/template/metadata/creationTimestamp
  resource.customizations.ignoreDifferences.apps_DaemonSet: |
    jsonPointers:
      - /spec/template/metadata/creationTimestamp

• https://linkerd.io/releases/

• django = simple poc

AssignPrivateIpAddresses
UnassignPrivateIpAddresses
AttachNetworkInterface
CreateNetworkInterface

• https://docs.aws.amazon.com/ec2/latest/devguide/ec2-api-throttling.html (how to ask for limit increase)

• https://docs.aws.amazon.com/ec2/latest/devguide/monitor.html (how to enable metrics)

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check

Condensed annotations doc

# INGRESS GROUP

alb.ingress.kubernetes.io/group.name: my-group
# [-1000,1000] default 0, not sure who has priority: bigger or smaller?
alb.ingress.kubernetes.io/group.order:

# TRAFFIC LISTENING

alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
#Once defined on a single Ingress, it impacts every Ingress within IngressGroup.
alb.ingress.kubernetes.io/ssl-redirect: '443'

# TAFFIC ROUTING

alb.ingress.kubernetes.io/load-balancer-name: custom-name
alb.ingress.kubernetes.io/target-type: ip

# protocol to reach backend HTTP, HTTPS
alb.ingress.kubernetes.io/backend-protocol: HTTP

# protocol version to reach backend : HTTP1 (default) or GRPC or HTTP2
alb.ingress.kubernetes.io/backend-protocol-version: HTTP1
# can use subnetName tag!
alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c

# ACCESS CONTROL

# internal or internet-facing
alb.ingress.kubernetes.io/scheme: internal

# When this annotation is not present, the controller will automatically create one security group
# we can use sg name!
alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2

# AUTHENTICATION (oidc)
alb.ingress.kubernetes.io/auth-type: oidc
alb.ingress.kubernetes.io/auth-idp-oidc: '{"issuer":"https://example.com","authorizationEndpoint":"https://authorization.example.com","tokenEndpoint":"https://token.example.com","userInfoEndpoint":"https://userinfo.example.com","secretName":"my-k8s-secret"}'
alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
alb.ingress.kubernetes.io/auth-session-timeout: '86400'
alb.ingress.kubernetes.io/auth-session-cookie: auth-service-a

# HEALTH CHECK

alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
alb.ingress.kubernetes.io/healthcheck-path: /ping

# The range is 5-300. Default to 30
alb.ingress.kubernetes.io/healthcheck-interval-seconds: 5

# The range is 2–120 seconds, default to 6
alb.ingress.kubernetes.io/healthcheck-timeout-seconds: 2

#  The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/healthy-threshold-count: 2

# The range is 2-10. Defaults to 3.
alb.ingress.kubernetes.io/unhealthy-threshold-count: 2

# TLS
# can be discovered automatically see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/ingress/cert_discovery/
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

# CUSTOM

# enable access log to s3
alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-access-log-bucket,access_logs.s3.prefix=my-app

# enable http2 support
alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true

Main Ingress example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shared-ingress-a
  namespace: default
  annotations:
    # Ingress group
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    # Traffic Listening
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # Traffic routing
    alb.ingress.kubernetes.io/load-balancer-name: shared-ingress-a
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/subnets: subnet-name-a, subnet-name-b, subnet-name-c
    # Access control
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/security-groups: nameOfSg1, nameOfSg2
    # Health check
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: 5
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: 2
    alb.ingress.kubernetes.io/healthy-threshold-count: 2
    alb.ingress.kubernetes.io/unhealthy-threshold-count: 2
    # TLS => should be autodiscovered
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx

spec:
  ingressClassName: alb

Child Ingress example

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service-a
  namespace: my-service-a
  annotations:
    alb.ingress.kubernetes.io/group.name: shared-ingress-a
    alb.ingress.kubernetes.io/group.order: 
spec:
  ingressClassName: alb
  rules:
    - host: my-service-a.example.com
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: "my-service-a"
                port:
                  number: 80