Bump website build

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

.clomonitor.yml

@@ -0,0 +1,3 @@
+exemptions:
+  - check: analytics
+    reason: "We don't track people"

.gitbook.yaml

@@ -1,11 +1,11 @@
 root: ./docs/gitbook
 
+
 redirects:
   how-it-works: usage/how-it-works.md
   usage/progressive-delivery: tutorials/istio-progressive-delivery.md
   usage/ab-testing: tutorials/istio-ab-testing.md
   usage/blue-green: tutorials/kubernetes-blue-green.md
-  usage/appmesh-progressive-delivery: tutorials/appmesh-progressive-delivery.md
   usage/linkerd-progressive-delivery: tutorials/linkerd-progressive-delivery.md
   usage/contour-progressive-delivery: tutorials/contour-progressive-delivery.md
   usage/gloo-progressive-delivery: tutorials/gloo-progressive-delivery.md
@@ -13,3 +13,7 @@ redirects:
   usage/skipper-progressive-delivery: tutorials/skipper-progressive-delivery.md
   usage/crossover-progressive-delivery: tutorials/crossover-progressive-delivery.md
   usage/traefik-progressive-delivery: tutorials/traefik-progressive-delivery.md
+  usage/kuma-progressive-delivery: tutorials/kuma-progressive-delivery.md
+  usage/gatewayapi-progressive-delivery: tutorials/gatewayapi-progressive-delivery.md
+  usage/apisix-progressive-delivery: tutorials/apisix-progressive-delivery.md
+  usage/knative-progressive-delivery: tutorials/knative-progressive-delivery.md

.github/CODEOWNERS

@@ -1 +1 @@
-*   @stefanprodan
+*   @stefanprodan @aryan9600

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Create a report to help us improve this project
+title: ''
+assignees: ''
+
+---
+
+### Describe the bug
+
+A clear and concise description of what the bug is.
+Please provide the Canary definition and Flagger logs.
+
+### To Reproduce
+
+<!--
+Steps to reproduce the behaviour
+-->
+
+### Expected behavior
+
+A clear and concise description of what you expected to happen.
+
+### Additional context
+
+- Flagger version:
+- Kubernetes version:   
+- Service Mesh provider:
+- Ingress provider:

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,2 @@
+blank_issues_enabled: true
+

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,19 @@
+---
+name: Feature Request
+about: I have a suggestion (and may want to implement it 🙂)!
+title: ''
+assignees: ''
+
+---
+
+## Describe the feature
+
+What problem are you trying to solve?
+
+### Proposed solution
+
+What do you want to happen? Add any considered drawbacks.
+
+### Any alternatives you've considered?
+
+Is there another way to solve this problem that isn't as good a solution?

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    labels: ["area/ci", "dependencies"]
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # Grouped updates are currently in beta and is subject to change.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      ci:
+        patterns:
+          - "*"
+    schedule:
+      # By default, this will be on a monday.
+      interval: "weekly"
+

.github/workflows/build.yaml

@@ -9,29 +9,32 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
-  container:
-    runs-on: ubuntu-latest
+  build-flagger:
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+        uses: actions/checkout@v5
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v6
         with:
-          go-version: 1.15.x
+          go-version: 1.25.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
       - name: Download modules
         run: |
           go mod download
-          go install golang.org/x/tools/cmd/goimports
+          go install golang.org/x/tools/cmd/goimports@latest
       - name: Run linters
-        run: make test-fmt test-codegen
+        run: make fmt test-codegen
+      - name: Verify CRDs
+        run: make verify-crd
       - name: Run tests
         run: go test -race -coverprofile=coverage.txt -covermode=atomic $(go list ./pkg/...)
       - name: Check if working tree is dirty
@@ -42,7 +45,7 @@ jobs:
             exit 1
           fi
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.txt
       - name: Build container image

.github/workflows/e2e.yaml

@@ -9,25 +9,50 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
-  kind:
-    runs-on: ubuntu-latest
+  e2e-test:
+    runs-on:
+      group: "Default Larger Runners"
+      labels: ubuntu-latest-16-cores
     strategy:
+      fail-fast: false
       matrix:
         provider:
+          # service mesh
           - istio
           - linkerd
+          - kuma
+          # ingress controllers
           - contour
           - nginx
           - traefik
           - gloo
           - skipper
           - kubernetes
+          - gatewayapi
+          - keda
+          - apisix
+          - knative
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
       - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.5.0
+        uses: helm/kind-action@v1.12.0
+        if: matrix.provider != 'skipper'
+        with:
+          version: v0.23.0
+          cluster_name: kind
+          node_image: kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e
+      - name: Setup Kubernetes for skipper
+        uses: helm/kind-action@v1.12.0
+        if: matrix.provider == 'skipper'
+        with:
+          version: v0.23.0
+          cluster_name: kind
+          node_image: kindest/node:v1.24.12@sha256:0bdca26bd7fe65c823640b14253ea7bac4baad9336b332c94850f84d8102f873
       - name: Build container image
         run: |
           docker build -t test/flagger:latest .

.github/workflows/helm.yaml

@@ -0,0 +1,20 @@
+name: helm
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release-charts:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+      - name: Publish Helm charts
+        uses: stefanprodan/helm-gh-pages@v1.7.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          charts_url: https://flagger.app

.github/workflows/push-ld.yml

@@ -0,0 +1,63 @@
+name: push-ld
+on:
+  workflow_dispatch:
+
+env:
+  IMAGE: "ghcr.io/fluxcd/flagger-loadtester"
+
+permissions:
+  contents: read
+
+jobs:
+  release-load-tester:
+    runs-on:
+      group: "Default Larger Runners"
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: sigstore/cosign-installer@v3.10.0
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=$(grep 'VERSION' cmd/loadtester/main.go | head -1 | awk '{ print $4 }' | tr -d '"')
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: fluxcdbot
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Generate image meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+      - name: Publish image
+        id: build-push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile.loadtester
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            REVISION=${{ github.sha }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}

.github/workflows/release.yml

@@ -3,38 +3,74 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'image tag prefix'
+        default: 'rc'
+        required: true
+
+permissions:
+  contents: read
+
+env:
+  IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"
 
 jobs:
-  build-push:
-    runs-on: ubuntu-latest
+  release-flagger:
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+    runs-on:
+      group: "Default Larger Runners"
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 1.25.x
+      - uses: fluxcd/flux2/action@main
+      - uses: sigstore/cosign-installer@v3.10.0
       - name: Prepare
         id: prep
         run: |
-          VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
+          if [[ ${GITHUB_EVENT_NAME} = "workflow_dispatch" ]]; then
+            VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
+          else
+            VERSION=$(grep 'VERSION' pkg/version/version.go | awk '{ print $4 }' | tr -d '"')
+          fi
           CHANGELOG="https://github.com/fluxcd/flagger/blob/main/CHANGELOG.md#$(echo $VERSION | tr -d '.')"
-          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
-          echo ::set-output name=VERSION::${VERSION}
-          echo ::set-output name=CHANGELOG::${CHANGELOG}
+          echo "[CHANGELOG](${CHANGELOG})" > notes.md
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
+        uses: docker/setup-qemu-action@v3
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
+        uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
-      - name: Publish image
-        uses: docker/build-push-action@v2
+      - name: Generate image meta
+        id: meta
+        uses: docker/metadata-action@v5
         with:
+          images: |
+            ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+      - name: Publish image
+        id: build-push
+        uses: docker/build-push-action@v6
+        with:
+          sbom: true
+          provenance: true
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
@@ -42,33 +78,76 @@ jobs:
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           build-args: |
             REVISON=${{ github.sha }}
-          tags: |
-            ghcr.io/fluxcd/flagger:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
-      - name: Check images
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Sign image
+        env:
+          COSIGN_EXPERIMENTAL: 1
         run: |
-          docker buildx imagetools inspect ghcr.io/fluxcd/flagger:${{ steps.prep.outputs.VERSION }}
+          cosign sign --yes ${{ env.IMAGE }}@${{ steps.build-push.outputs.digest }}
+      - name: Publish signed manifests to GHCR
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          OCI_URL=$(flux push artifact \
+            oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)" \
+            --output json | \
+            jq -r '. | .repository + "@" + .digest')
+          cosign sign --yes ${OCI_URL}
       - name: Publish Helm charts
-        uses: stefanprodan/helm-gh-pages@v1.3.0
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: stefanprodan/helm-gh-pages@v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           charts_url: https://flagger.app
           linting: off
-      - name: Create release
-        uses: actions/create-release@latest
+      - uses: fluxcd/pkg/actions/helm@main
+        with:
+          version: 3.12.3
+      - name: Publish signed Helm chart to GHCR
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          helm package charts/flagger
+          helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts |& tee .digest
+          cosign sign --yes ghcr.io/fluxcd/charts/flagger@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
+          rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
+          rm .digest
+      - uses: anchore/sbom-action/download-syft@v0
+      - name: Create release and SBOM
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          version: latest
+          args: release --release-notes=notes.md --clean --skip=validate
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          draft: false
-          prerelease: false
-          body: |
-            [CHANGELOG](${{ steps.prep.outputs.CHANGELOG }})
+      - name: Generate SLSA metadata
+        id: slsa
+        if: startsWith(github.ref, 'refs/tags/v')
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          
+          hashes=$(echo -E $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  release-provenance:
+    needs: [release-flagger]
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      contents: write # for uploading attestations to GitHub releases.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      provenance-name: "provenance.intoto.jsonl"
+      base64-subjects: "${{ needs.release-flagger.outputs.hashes }}"
+      upload-assets: true

.github/workflows/scan.yml

@@ -0,0 +1,45 @@
+name: scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 10 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  scan-fossa:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@v5
+      - name: Run FOSSA scan and upload build data
+        uses: fossa-contrib/fossa-action@v3
+        with:
+          # FOSSA Push-Only API Token
+          fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
+          github-token: ${{ github.token }}
+  scan-codeql:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 1.25.x
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4

.goreleaser.yml

@@ -1,14 +1,31 @@
+project_name: flagger
+
 builds:
-  - main: ./cmd/flagger
-    binary: flagger
-    ldflags: -s -w -X github.com/fluxcd/flagger/pkg/version.REVISION={{.Commit}}
-    goos:
-      - linux
-    goarch:
-      - amd64
+  - skip: true
+
+release:
+  prerelease: auto
+
+source:
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+signs:
+  - cmd: cosign
     env:
-      - CGO_ENABLED=0
-archives:
-  - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    files:
-    - none*
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - "--yes"
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true

CONTRIBUTING.md

@@ -29,7 +29,7 @@ you can sign your commit automatically with `git commit -s`.
 
 The project uses Slack: To join the conversation, simply join the
 [CNCF](https://slack.cncf.io/) Slack workspace and use the
-[#flux](https://cloud-native.slack.com/messages/flux/) channel.
+[#flagger](https://cloud-native.slack.com/messages/flagger/) channel.
 
 The developers use a mailing list to discuss development as well.
 Simply subscribe to [flux-dev on cncf.io](https://lists.cncf.io/g/cncf-flux-dev)

Dockerfile

@@ -1,4 +1,11 @@
-FROM golang:1.15-alpine as builder
+ARG GO_VERSION=1.25
+ARG XX_VERSION=1.6.1
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
+
+# copy build utilities
+COPY --from=xx / /
 
 ARG TARGETPLATFORM
 ARG REVISON
@@ -17,11 +24,12 @@ COPY cmd/ cmd/
 COPY pkg/ pkg/
 
 # build
-RUN CGO_ENABLED=0 go build \
+ENV CGO_ENABLED=0
+RUN xx-go build \
     -ldflags "-s -w -X github.com/fluxcd/flagger/pkg/version.REVISION=${REVISON}" \
     -a -o flagger ./cmd/flagger
 
-FROM alpine:3.12
+FROM alpine:3.22
 
 RUN apk --no-cache add ca-certificates
 

Dockerfile.loadtester

@@ -1,59 +1,64 @@
-FROM alpine:3.11 as build
+FROM golang:1.25-alpine AS builder
 
-RUN apk --no-cache add alpine-sdk perl curl
+ARG TARGETPLATFORM
+ARG TARGETARCH
+ARG REVISION
 
-RUN curl -sSLo hey "https://storage.googleapis.com/hey-release/hey_linux_amd64" && \
-chmod +x hey && mv hey /usr/local/bin/hey
+RUN apk --no-cache add alpine-sdk perl curl bash tar
 
-RUN HELM2_VERSION=2.16.8 && \
-curl -sSL "https://get.helm.sh/helm-v${HELM2_VERSION}-linux-amd64.tar.gz" | tar xvz && \
-chmod +x linux-amd64/helm && mv linux-amd64/helm /usr/local/bin/helm && \
-chmod +x linux-amd64/tiller && mv linux-amd64/tiller /usr/local/bin/tiller
+RUN HELM3_VERSION=3.19.0 && \
+curl -sSL "https://get.helm.sh/helm-v${HELM3_VERSION}-linux-${TARGETARCH}.tar.gz" | tar xvz && \
+chmod +x linux-${TARGETARCH}/helm && mv linux-${TARGETARCH}/helm /usr/local/bin/helm
 
-RUN HELM3_VERSION=3.2.3 && \
-curl -sSL "https://get.helm.sh/helm-v${HELM3_VERSION}-linux-amd64.tar.gz" | tar xvz && \
-chmod +x linux-amd64/helm && mv linux-amd64/helm /usr/local/bin/helmv3
+RUN KUBECTL_VERSION=v1.34.1 &&  \
+curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
+chmod +x kubectl && mv kubectl /usr/local/bin/kubectl
 
-RUN GRPC_HEALTH_PROBE_VERSION=v0.3.1 && \
-wget -qO /usr/local/bin/grpc_health_probe https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/${GRPC_HEALTH_PROBE_VERSION}/grpc_health_probe-linux-amd64 && \
+RUN GRPC_HEALTH_PROBE_VERSION=v0.4.35 && \
+wget -qO /usr/local/bin/grpc_health_probe https://github.com/grpc-ecosystem/grpc-health-probe/releases/download/${GRPC_HEALTH_PROBE_VERSION}/grpc_health_probe-linux-${TARGETARCH} && \
 chmod +x /usr/local/bin/grpc_health_probe
 
-RUN GHZ_VERSION=0.39.0 && \
-curl -sSL "https://github.com/bojand/ghz/releases/download/v${GHZ_VERSION}/ghz_${GHZ_VERSION}_Linux_x86_64.tar.gz" | tar xz -C /tmp && \
-mv /tmp/ghz /usr/local/bin && chmod +x /usr/local/bin/ghz
+RUN GHZ_VERSION=0.120.0 && \
+curl -sSL "https://github.com/bojand/ghz/archive/refs/tags/v${GHZ_VERSION}.tar.gz" | tar xz -C /tmp && \
+cd /tmp/ghz-${GHZ_VERSION}/cmd/ghz && GOARCH=$TARGETARCH go build . && mv ghz /usr/local/bin && \
+chmod +x /usr/local/bin/ghz
 
-RUN HELM_TILLER_VERSION=0.9.3 && \
-curl -sSL "https://github.com/rimusz/helm-tiller/archive/v${HELM_TILLER_VERSION}.tar.gz" | tar xz -C /tmp && \
-mv /tmp/helm-tiller-${HELM_TILLER_VERSION} /tmp/helm-tiller
+WORKDIR /workspace
 
-RUN WRK_VERSION=4.0.2 && \
-cd /tmp && git clone -b ${WRK_VERSION} https://github.com/wg/wrk
-RUN cd /tmp/wrk && make
+# copy modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
 
-FROM bash:5.0
+# cache modules
+RUN go mod download
+
+# copy source code
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+
+# build
+RUN CGO_ENABLED=0 go build -o loadtester ./cmd/loadtester/*
+
+FROM bash:5.2
+
+ARG TARGETPLATFORM
 
 RUN addgroup -S app && \
 adduser -S -g app app && \
-apk --no-cache add ca-certificates curl jq libgcc
+apk --no-cache add ca-certificates curl jq libgcc wrk hey git
 
 WORKDIR /home/app
 
-COPY --from=bats/bats:v1.1.0 /opt/bats/ /opt/bats/
+COPY --from=bats/bats:1.11.1 /opt/bats/ /opt/bats/
 RUN ln -s /opt/bats/bin/bats /usr/local/bin/
 
-COPY --from=build /usr/local/bin/hey /usr/local/bin/
-COPY --from=build /tmp/wrk/wrk /usr/local/bin/
-COPY --from=build /usr/local/bin/helm /usr/local/bin/
-COPY --from=build /usr/local/bin/tiller /usr/local/bin/
-COPY --from=build /usr/local/bin/ghz /usr/local/bin/
-COPY --from=build /usr/local/bin/helmv3 /usr/local/bin/
-COPY --from=build /usr/local/bin/grpc_health_probe /usr/local/bin/
-COPY --from=build /tmp/helm-tiller /tmp/helm-tiller
+COPY --from=builder /usr/local/bin/helm /usr/local/bin/
+COPY --from=builder /usr/local/bin/ghz /usr/local/bin/
+COPY --from=builder /usr/local/bin/grpc_health_probe /usr/local/bin/
+COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/
 
 ADD https://raw.githubusercontent.com/grpc/grpc-proto/master/grpc/health/v1/health.proto /tmp/ghz/health.proto
 
-COPY ./bin/loadtester .
-
 RUN chown -R app:app ./
 RUN chown -R app:app /tmp/ghz
 
@@ -63,7 +68,6 @@ USER app
 RUN hey -n 1 -c 1 https://flagger.app > /dev/null && echo $? | grep 0
 RUN wrk -d 1s -c 1 -t 1 https://flagger.app > /dev/null && echo $? | grep 0
 
-# install Helm v2 plugins
-RUN helm init --client-only && helm plugin install /tmp/helm-tiller
+COPY --from=builder --chown=app:app /workspace/loadtester .
 
 ENTRYPOINT ["./loadtester"]

GOVERNANCE.md

@@ -0,0 +1,5 @@
+# Flagger Governance
+
+The Flagger project is governed by the [Flux governance document](https://github.com/fluxcd/community/blob/main/GOVERNANCE.md),
+involvement is defined in the [Flux community roles document](chttps://github.com/fluxcd/community/blob/main/community-roles.md),
+and processes can be found in the [Flux process document](https://github.com/fluxcd/community/blob/main/PROCESS.md).

MAINTAINERS

@@ -1,6 +1,9 @@
 The maintainers are generally available in Slack at
-https://weave-community.slack.com/messages/flagger/ (obtain an invitation
-at https://slack.weave.works/).
+https://cloud-native.slack.com/messages/flagger/ (obtain an invitation
+at https://slack.cncf.io/).
 
-Stefan Prodan, Weaveworks <stefan@weave.works> (Slack: @stefan Twitter: @stefanprodan)
-Takeshi Yoneda, DMM.com <cz.rk.t0415y.g@gmail.com> (Slack: @mathetake Twitter: @mathetake)
+In alphabetical order:
+
+Sanskar Jaiswal, Independent <jaiswalsanskar078@gmail.com> (github: @aryan9600, slack: aryan9600)
+Stefan Prodan, ControlPlane <stefan.prodan@gmail.com> (github: @stefanprodan, slack: stefanprodan)
+Takeshi Yoneda, Tetrate <takeshi@tetrate.io> (github: @mathetake, slack: mathetake)

Makefile

@@ -5,13 +5,14 @@ LT_VERSION?=$(shell grep 'VERSION' cmd/loadtester/main.go | awk '{ print $$4 }'
 build:
 	CGO_ENABLED=0 go build -a -o ./bin/flagger ./cmd/flagger
 
-fmt:
-	gofmt -l -s -w ./
-	goimports -l -w ./
+tidy:
+	rm -f go.sum; go mod tidy -compat=1.25
 
-test-fmt:
-	gofmt -l -s ./ | grep ".*\.go"; if [ "$$?" = "0" ]; then exit 1; fi
-	goimports -l ./ | grep ".*\.go"; if [ "$$?" = "0" ]; then exit 1; fi
+vet:
+	go vet ./...
+
+fmt:
+	go fmt ./...
 
 codegen:
 	./hack/update-codegen.sh
@@ -19,22 +20,30 @@ codegen:
 test-codegen:
 	./hack/verify-codegen.sh
 
-test: test-fmt test-codegen
+test: fmt test-codegen
 	go test ./...
 
+test-coverage: fmt test-codegen
+	go test -coverprofile cover.out ./...
+	go tool cover -html=cover.out
+	rm cover.out
+
 crd:
 	cat artifacts/flagger/crd.yaml > charts/flagger/crds/crd.yaml
 	cat artifacts/flagger/crd.yaml > kustomize/base/flagger/crd.yaml
 
+verify-crd:
+	./hack/verify-crd.sh
+
 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/flagger:$$current/flagger:$$next/g" artifacts/flagger/deployment.yaml && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/flagger/values.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/flagger/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/flagger/Chart.yaml && \
-	sed -i '' "s/newTag: $$current/newTag: $$next/g" kustomize/base/flagger/kustomization.yaml && \
+	sed -i "s/$$current/$$next/g" pkg/version/version.go && \
+	sed -i "s/flagger:$$current/flagger:$$next/g" artifacts/flagger/deployment.yaml && \
+	sed -i "s/tag: $$current/tag: $$next/g" charts/flagger/values.yaml && \
+	sed -i "s/appVersion: $$current/appVersion: $$next/g" charts/flagger/Chart.yaml && \
+	sed -i "s/version: $$current/version: $$next/g" charts/flagger/Chart.yaml && \
+	sed -i "s/newTag: $$current/newTag: $$next/g" kustomize/base/flagger/kustomization.yaml && \
 	echo "Version $$next set in code, deployment, chart and kustomize"
 
 release:
@@ -42,7 +51,6 @@ release:
 	git push origin "v$(VERSION)"
 
 loadtester-build:
-	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ./bin/loadtester ./cmd/loadtester/*
 	docker build -t ghcr.io/fluxcd/flagger-loadtester:$(LT_VERSION) . -f Dockerfile.loadtester
 
 loadtester-push:

README.md

@@ -1,67 +1,53 @@
-# flagger
+ # Flagger
 
-[![build](https://github.com/fluxcd/flagger/workflows/build/badge.svg)](https://github.com/fluxcd/flagger/actions)
-[![report](https://goreportcard.com/badge/github.com/fluxcd/flagger)](https://goreportcard.com/report/github.com/fluxcd/flagger)
-[![license](https://img.shields.io/github/license/fluxcd/flagger.svg)](https://github.com/fluxcd/flagger/blob/main/LICENSE)
 [![release](https://img.shields.io/github/release/fluxcd/flagger/all.svg)](https://github.com/fluxcd/flagger/releases)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4783/badge)](https://bestpractices.coreinfrastructure.org/projects/4783)
+[![report](https://goreportcard.com/badge/github.com/fluxcd/flagger)](https://goreportcard.com/report/github.com/fluxcd/flagger)
+[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflagger.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflagger?ref=badge_shield)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flagger)](https://artifacthub.io/packages/search?repo=flagger)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/flagger/badge)](https://clomonitor.io/projects/cncf/flagger)
 
 Flagger is a progressive delivery tool that automates the release process for applications running on Kubernetes. 
 It reduces the risk of introducing a new software version in production
 by gradually shifting traffic to the new version while measuring metrics and running conformance tests.
 
-![flagger-overview](https://raw.githubusercontent.com/fluxcd/flagger/main/docs/diagrams/flagger-canary-overview.png)
+![flagger-overview](https://raw.githubusercontent.com/fluxcd/flagger/main/docs/diagrams/flagger-overview.png)
 
 Flagger implements several deployment strategies (Canary releases, A/B testing, Blue/Green mirroring)
-using a service mesh (App Mesh, Istio, Linkerd) or an ingress controller (Contour, Gloo, NGINX, Skipper, Traefik) for traffic routing.
-For release analysis, Flagger can query Prometheus, Datadog or CloudWatch
-and for alerting it uses Slack, MS Teams, Discord and Rocket.
+and integrates with various Kubernetes ingress controllers, service mesh, and monitoring solutions.
+
+Flagger is a [Cloud Native Computing Foundation](https://cncf.io/) graduated project
+and part of the [Flux](https://fluxcd.io) family of GitOps tools.
 
 ### Documentation
 
-Flagger documentation can be found at [docs.flagger.app](https://docs.flagger.app).
+The Flagger documentation can be found at [docs.flagger.app](https://docs.flagger.app/main).
 
 * Install
-  * [Flagger install on Kubernetes](https://docs.flagger.app/install/flagger-install-on-kubernetes)
+  * [Flagger Install with Flux](https://docs.flagger.app/main/install/flagger-install-with-flux)
 * Usage
-  * [How it works](https://docs.flagger.app/usage/how-it-works)
-  * [Deployment strategies](https://docs.flagger.app/usage/deployment-strategies)
-  * [Metrics analysis](https://docs.flagger.app/usage/metrics)
-  * [Webhooks](https://docs.flagger.app/usage/webhooks)
-  * [Alerting](https://docs.flagger.app/usage/alerting)
-  * [Monitoring](https://docs.flagger.app/usage/monitoring)
-* Tutorials
-  * [App Mesh](https://docs.flagger.app/tutorials/appmesh-progressive-delivery)
-  * [Istio](https://docs.flagger.app/tutorials/istio-progressive-delivery)
-  * [Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
-  * [Contour](https://docs.flagger.app/tutorials/contour-progressive-delivery)
-  * [Gloo](https://docs.flagger.app/tutorials/gloo-progressive-delivery)
-  * [NGINX Ingress](https://docs.flagger.app/tutorials/nginx-progressive-delivery)
-  * [Skipper](https://docs.flagger.app/tutorials/skipper-progressive-delivery)
-  * [Traefik](https://docs.flagger.app/tutorials/traefik-progressive-delivery)
-  * [Kubernetes Blue/Green](https://docs.flagger.app/tutorials/kubernetes-blue-green)
+  * [How it works](https://docs.flagger.app/main/usage/how-it-works)
+  * [Deployment strategies](https://docs.flagger.app/main/usage/deployment-strategies)
+  * [Metrics analysis](https://docs.flagger.app/main/usage/metrics)
+  * [Webhooks](https://docs.flagger.app/main/usage/webhooks)
+  * [Alerting](https://docs.flagger.app/main/usage/alerting)
+  * [Monitoring](https://docs.flagger.app/main/usage/monitoring)
 
-### Who is using Flagger
+### Adopters
 
-List of organizations using Flagger:
+The list of production users can be found at [fluxcd.io/adopters/#flagger](https://fluxcd.io/adopters/#flagger).
 
-* [Chick-fil-A](https://www.chick-fil-a.com)
-* [Capra Consulting](https://www.capraconsulting.no)
-* [DMM.com](https://dmm-corp.com)
-* [MediaMarktSaturn](https://www.mediamarktsaturn.com)
-* [Weaveworks](https://weave.works)
-* [Jumia Group](https://group.jumia.com)
-* [eLife](https://elifesciences.org/)
-
-If you are using Flagger, please submit a PR to add your organization to the list!
+If you are using Flagger, please
+[submit a PR to add your organization](https://github.com/fluxcd/website/blob/main/data/adopters/2-flagger.yaml) to the list!
 
 ### Canary CRD
 
 Flagger takes a Kubernetes deployment and optionally a horizontal pod autoscaler (HPA),
-then creates a series of objects (Kubernetes deployments, ClusterIP services, service mesh or ingress routes).
+then creates a series of objects (Kubernetes deployments, ClusterIP services, service mesh, or ingress routes).
 These objects expose the application on the mesh and drive the canary analysis and promotion.
 
 Flagger keeps track of ConfigMaps and Secrets referenced by a Kubernetes Deployment and triggers a canary analysis if any of those objects change.
-When promoting a workload in production, both code (container images) and configuration (config maps and secrets) are being synchronised.
+When promoting a workload in production, both code (container images) and configuration (config maps and secrets) are being synchronized.
 
 For a deployment named _podinfo_, a canary promotion can be defined using Flagger's custom resource:
 
@@ -73,7 +59,8 @@ metadata:
   namespace: test
 spec:
   # service mesh provider (optional)
-  # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, contour, gloo, supergloo, traefik
+  # can be: kubernetes, istio, linkerd, kuma, knative, nginx, contour, gloo, traefik, skipper
+  # for Gateway API implementations: gatewayapi:v1 and gatewayapi:v1beta1
   provider: istio
   # deployment reference
   targetRef:
@@ -85,7 +72,7 @@ spec:
   progressDeadlineSeconds: 60
   # HPA reference (optional)
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name: podinfo
   service:
@@ -184,70 +171,93 @@ For more details on how the canary analysis and promotion works please [read the
 
 **Service Mesh**
 
-| Feature                                    | App Mesh           | Istio              | Linkerd            |  Kubernetes CNI    |
-| ------------------------------------------ | ------------------ | ------------------ | ------------------ |  ----------------- |
-| Canary deployments (weighted traffic)      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: |
-| A/B testing (headers and cookies routing)  | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: |
-| Blue/Green deployments (traffic switch)    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Blue/Green deployments (traffic mirroring) | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: |
-| Webhooks (acceptance/load testing)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Manual gating (approve/pause/resume)       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Request success rate check (L7 metric)     | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: |
-| Request duration check (L7 metric)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: |
-| Custom metric checks                       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Feature                                    | Istio              | Linkerd            | Kuma               | Knative            | Kubernetes CNI     |
+|--------------------------------------------|--------------------|--------------------|--------------------|--------------------|--------------------|
+| Canary deployments (weighted traffic)      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: |
+| A/B testing (headers and cookies routing)  | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: |
+| Blue/Green deployments (traffic switch)    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: |
+| Blue/Green deployments (traffic mirroring) | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: |
+| Webhooks (acceptance/load testing)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Manual gating (approve/pause/resume)       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Request success rate check (L7 metric)     | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: |
+| Request duration check (L7 metric)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: |
+| Custom metric checks                       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
 
 **Ingress**
 
-| Feature                                    | Contour            | Gloo               | NGINX              | Skipper            | Traefik            |
-| ------------------------------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ |
-| Canary deployments (weighted traffic)      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| A/B testing (headers and cookies routing)  | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: |
-| Blue/Green deployments (traffic switch)    | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Webhooks (acceptance/load testing)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Manual gating (approve/pause/resume)       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| Request success rate check (L7 metric)     | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: |
-| Request duration check (L7 metric)         | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: |
-| Custom metric checks                       | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Feature                                   | Contour            | Gloo               | NGINX              | Skipper            | Traefik            | Apache APISIX      |
+|-------------------------------------------|--------------------|--------------------|--------------------|--------------------|--------------------|--------------------|
+| Canary deployments (weighted traffic)     | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| A/B testing (headers and cookies routing) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: |
+| Blue/Green deployments (traffic switch)   | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Webhooks (acceptance/load testing)        | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Manual gating (approve/pause/resume)      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Request success rate check (L7 metric)    | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Request duration check (L7 metric)        | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| Custom metric checks                      | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+
+**Networking Interface**
+
+| Feature                                    | Gateway API        | SMI                |
+|--------------------------------------------|--------------------|--------------------|
+| Canary deployments (weighted traffic)      | :heavy_check_mark: | :heavy_check_mark: |
+| Canary deployments with session affinity   | :heavy_check_mark: | :heavy_minus_sign: |
+| A/B testing (headers and cookies routing)  | :heavy_check_mark: | :heavy_minus_sign: |
+| Blue/Green deployments (traffic switch)    | :heavy_check_mark: | :heavy_check_mark: |
+| Blue/Green deployments (traffic mirroring) | :heavy_minus_sign: | :heavy_minus_sign: |
+| Webhooks (acceptance/load testing)         | :heavy_check_mark: | :heavy_check_mark: |
+| Manual gating (approve/pause/resume)       | :heavy_check_mark: | :heavy_check_mark: |
+| Request success rate check (L7 metric)     | :heavy_minus_sign: | :heavy_minus_sign: |
+| Request duration check (L7 metric)         | :heavy_minus_sign: | :heavy_minus_sign: |
+| Custom metric checks                       | :heavy_check_mark: | :heavy_check_mark: |
+
+For all the [Gateway API](https://gateway-api.sigs.k8s.io/) compatible ingress controllers and service meshes,
+the [Prometheus MetricTemplates](https://docs.flagger.app/usage/metrics#prometheus)
+can be used to implement the request success rate and request duration checks.
 
 ### Roadmap
 
-#### [GitOps Toolkit](https://github.com/fluxcd/flux2) compatibility
+#### [GitOps Toolkit](https://fluxcd.io/flux/components/) compatibility
 
-* Migrate Flagger to Kubernetes controller-runtime and [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
-* Make the Canary status compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils)
-* Make Flagger emit Kubernetes events compatible with Flux v2 notification API
-* Migrate CI to GitHub Actions and publish AMD64, ARM64 and ARMv7 container images
-* Integrate Flagger into Flux v2 as the progressive delivery component
+- Migrate Flagger to Kubernetes controller-runtime and [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
+- Make the Canary status compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils)
+- Make Flagger emit Kubernetes events compatible with Flux v2 notification API
+- Integrate Flagger into Flux v2 as the progressive delivery component
 
 #### Integrations
 
-* Add support for Kubernetes [Ingress v2](https://github.com/kubernetes-sigs/service-apis)
-* Add support for SMI compatible service mesh solutions like Open Service Mesh and Consul Connect
-* Add support for ingress controllers like HAProxy and ALB
-* Add support for metrics providers like InfluxDB, Stackdriver, SignalFX
+- Migrate Linkerd, Kuma and other service mesh integrations to Gateway API
 
 ### Contributing
 
 Flagger is Apache 2.0 licensed and accepts contributions via GitHub pull requests.
 To start contributing please read the [development guide](https://docs.flagger.app/dev/dev-guide).
 
-When submitting bug reports please include as much details as possible:
+When submitting bug reports please include as many details as possible:
 
-* which Flagger version
-* which Flagger CRD version
-* which Kubernetes version
-* what configuration (canary, ingress and workloads definitions)
-* what happened (Flagger and Proxy logs)
+- which Flagger version
+- which Kubernetes version
+- what configuration (canary, ingress and workloads definitions)
+- what happened (Flagger and Proxy logs)
 
-### Getting Help
+### Communication
 
-If you have any questions about Flagger and progressive delivery:
+Here is a list of good entry points into our community, how we stay in touch and how you can meet us as a team.
 
-* Read the Flagger [docs](https://docs.flagger.app).
-* Invite yourself to the [Weave community slack](https://slack.weave.works/)
-  and join the [#flagger](https://weave-community.slack.com/messages/flagger/) channel.
-* Join the [Weave User Group](https://www.meetup.com/pro/Weave/) and get invited to online talks,
-  hands-on training and meetups in your area.
-* File an [issue](https://github.com/fluxcd/flagger/issues/new).
+- Slack: Join in and talk to us in the `#flagger` channel on [CNCF Slack](https://slack.cncf.io/).
+- Public meetings: We run weekly meetings - join one of the upcoming dev meetings from the [Flux calendar](https://fluxcd.io/#calendar).
+- Blog: Stay up to date with the latest news on [the Flux blog](https://fluxcd.io/blog/).
+- Mailing list: To be updated on Flux and Flagger progress regularly, please [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
 
-Your feedback is always welcome!
+#### Subscribing to the flux-dev calendar
+
+To add the meetings to your e.g. Google calendar
+
+1. visit the [Flux calendar](https://lists.cncf.io/g/cncf-flux-dev/calendar)
+2. click on "Subscribe to Calendar" at the very bottom of the page
+3. copy the iCalendar URL
+4. open e.g. your Google calendar
+5. find the "add calendar" option
+6. choose "add by URL"
+7. paste iCalendar URL (ends with `.ics`)
+8. done

artifacts/examples/appmesh-abtest.yaml

@@ -1,62 +0,0 @@
-apiVersion: flagger.app/v1beta1
-kind: Canary
-metadata:
-  name: podinfo
-  namespace: test
-spec:
-  provider: appmesh
-  progressDeadlineSeconds: 600
-  targetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: podinfo
-  autoscalerRef:
-    apiVersion: autoscaling/v2beta1
-    kind: HorizontalPodAutoscaler
-    name: podinfo
-  service:
-    port: 80
-    targetPort: 9898
-    meshName: global
-    retries:
-      attempts: 3
-      perTryTimeout: 5s
-      retryOn: "gateway-error,client-error,stream-error"
-    timeout: 35s
-    match:
-      - uri:
-          prefix: /
-    rewrite:
-      uri: /
-  analysis:
-    interval: 15s
-    threshold: 10
-    iterations: 10
-    match:
-    - headers:
-        x-canary:
-          exact: "insider"
-    metrics:
-    - name: request-success-rate
-      thresholdRange:
-        min: 99
-      interval: 1m
-    - name: request-duration
-      thresholdRange:
-        max: 500
-      interval: 30s
-    webhooks:
-    - name: conformance-test
-      type: pre-rollout
-      url: http://flagger-loadtester.test/
-      timeout: 15s
-      metadata:
-        type: "bash"
-        cmd: "curl -sd 'test' http://podinfo-canary.test/token | grep token"
-    - name: load-test
-      type: rollout
-      url: http://flagger-loadtester.test/
-      timeout: 5s
-      metadata:
-        type: cmd
-        cmd: "hey -z 1m -q 10 -c 2 -H 'X-Canary: insider' http://podinfo-canary.test/"

artifacts/examples/appmesh-canary.yaml

@@ -1,59 +0,0 @@
-apiVersion: flagger.app/v1beta1
-kind: Canary
-metadata:
-  name: podinfo
-  namespace: test
-spec:
-  provider: appmesh
-  progressDeadlineSeconds: 600
-  targetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: podinfo
-  autoscalerRef:
-    apiVersion: autoscaling/v2beta1
-    kind: HorizontalPodAutoscaler
-    name: podinfo
-  service:
-    port: 80
-    targetPort: http
-    meshName: global
-    retries:
-      attempts: 3
-      perTryTimeout: 5s
-      retryOn: "gateway-error,client-error,stream-error"
-    timeout: 35s
-    match:
-      - uri:
-          prefix: /
-    rewrite:
-      uri: /
-  analysis:
-    interval: 15s
-    threshold: 10
-    maxWeight: 50
-    stepWeight: 5
-    metrics:
-    - name: request-success-rate
-      thresholdRange:
-        min: 99
-      interval: 1m
-    - name: request-duration
-      thresholdRange:
-        max: 500
-      interval: 30s
-    webhooks:
-    - name: conformance-test
-      type: pre-rollout
-      url: http://flagger-loadtester.test/
-      timeout: 15s
-      metadata:
-        type: "bash"
-        cmd: "curl -sd 'test' http://podinfo-canary.test/token | grep token"
-    - name: load-test
-      type: rollout
-      url: http://flagger-loadtester.test/
-      timeout: 5s
-      metadata:
-        type: cmd
-        cmd: "hey -z 1m -q 10 -c 2 http://podinfo-canary.test/"

artifacts/examples/istio-abtest.yaml

@@ -10,7 +10,7 @@ spec:
     kind: Deployment
     name: podinfo
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name: podinfo
   service:
@@ -20,7 +20,7 @@ spec:
     portName: http
     portDiscovery: true
     gateways:
-      - public-gateway.istio-system.svc.cluster.local
+      - istio-system/public-gateway
       - mesh
     hosts:
       - app.example.com

artifacts/examples/istio-canary.yaml

@@ -11,7 +11,7 @@ spec:
     kind: Deployment
     name: podinfo
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name: podinfo
   service:
@@ -21,7 +21,7 @@ spec:
     portName: http
     portDiscovery: true
     gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     - mesh
     hosts:
     - app.example.com

artifacts/examples/kuma-canary.yaml

@@ -0,0 +1,50 @@
+apiVersion: flagger.app/v1beta1
+kind: Canary
+metadata:
+  name: podinfo
+  namespace: test
+  annotations:
+    kuma.io/mesh: default
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo
+  progressDeadlineSeconds: 60
+  service:
+    port: 9898
+    targetPort: 9898
+    apex:
+      annotations:
+        9898.service.kuma.io/protocol: "http"
+    canary:
+      annotations:
+        9898.service.kuma.io/protocol: "http"
+    primary:
+      annotations:
+        9898.service.kuma.io/protocol: "http"
+  analysis:
+    interval: 15s
+    threshold: 15
+    maxWeight: 50
+    stepWeight: 10
+    metrics:
+      - name: request-success-rate
+        threshold: 99
+        interval: 1m
+      - name: request-duration
+        threshold: 500
+        interval: 30s
+    webhooks:
+      - name: acceptance-test
+        type: pre-rollout
+        url: http://flagger-loadtester.test/
+        timeout: 30s
+        metadata:
+          type: bash
+          cmd: "curl -sd 'test' http://podinfo-canary.test:9898/token | grep token"
+      - name: load-test
+        type: rollout
+        url: http://flagger-loadtester.test/
+        metadata:
+          cmd: "hey -z 2m -q 10 -c 2 http://podinfo-canary.test:9898/"

artifacts/examples/linkerd-canary-steps.yaml

@@ -11,7 +11,7 @@ spec:
     kind: Deployment
     name: podinfo
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name: podinfo
   service:

artifacts/examples/linkerd-canary.yaml

@@ -11,7 +11,7 @@ spec:
     kind: Deployment
     name: podinfo
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name: podinfo
   service:

artifacts/flagger/account.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: flagger
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: flagger
@@ -31,6 +31,18 @@ rules:
       - update
       - patch
       - delete
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
   - apiGroups:
       - apps
     resources:
@@ -78,6 +90,7 @@ rules:
     resources:
       - canaries
       - canaries/status
+      - canaries/finalizers
       - metrictemplates
       - metrictemplates/status
       - alertproviders
@@ -153,8 +166,19 @@ rules:
     resources:
       - upstreams
       - upstreams/finalizers
-      - upstreamgroups
-      - upstreamgroups/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - gateway.solo.io
+    resources:
+      - routetables
+      - routetables/finalizers
     verbs:
       - get
       - list
@@ -176,12 +200,63 @@ rules:
       - update
       - patch
       - delete
+  - apiGroups:
+      - kuma.io
+    resources:
+      - trafficroutes
+      - trafficroutes/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - httproutes
+      - httproutes/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - keda.sh
+    resources:
+      - scaledobjects
+      - scaledobjects/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - apisix.apache.org
+    resources:
+      - apisixroutes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
   - nonResourceURLs:
       - /version
     verbs:
       - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: flagger

artifacts/flagger/deployment.yaml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: flagger
       containers:
       - name: flagger
-        image: ghcr.io/fluxcd/flagger:1.5.0
+        image: ghcr.io/fluxcd/flagger:1.42.0
         imagePullPolicy: IfNotPresent
         ports:
         - name: http

charts/flagger/Chart.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 name: flagger
-version: 1.5.0
-appVersion: 1.5.0
-kubeVersion: ">=1.11.0-0"
+version: 1.42.0
+appVersion: 1.42.0
+kubeVersion: ">=1.19.0-0"
 engine: gotpl
 description: Flagger is a progressive delivery operator for Kubernetes
 home: https://flagger.app
-icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/weaveworks.png
+icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/flagger-icon.png
 sources:
   - https://github.com/fluxcd/flagger
 maintainers:
@@ -18,8 +18,11 @@ keywords:
   - istio
   - appmesh
   - linkerd
+  - kuma
+  - smi
   - gloo
   - contour
   - nginx
+  - traefik
   - gitops
   - canary

charts/flagger/README.md

@@ -1,18 +1,18 @@
 # Flagger
 
-[Flagger](https://github.com/fluxcd/flagger) is an operator that automates the release process of applications on Kubernetes.
+[Flagger](https://github.com/fluxcd/flagger) is a progressive delivery tool that automates the release process
+for applications running on Kubernetes. It reduces the risk of introducing a new software version in production
+by gradually shifting traffic to the new version while measuring metrics and running conformance tests.
 
-Flagger can run automated application analysis, testing, promotion and rollback for the following deployment strategies:
-* Canary Release (progressive traffic shifting)
-* A/B Testing (HTTP headers and cookies traffic routing)
-* Blue/Green (traffic switching and mirroring)
+Flagger implements several deployment strategies (Canary releases, A/B testing, Blue/Green mirroring)
+and integrates with various Kubernetes ingress controllers, service mesh and monitoring solutions.
 
-Flagger works with service mesh solutions (Istio, Linkerd, AWS App Mesh) and with Kubernetes ingress controllers (NGINX, Skipper, Gloo, Contour, Traefik).
-Flagger can be configured to send alerts to various chat platforms such as Slack, Microsoft Teams, Discord and Rocket.
+Flagger is a [Cloud Native Computing Foundation](https://cncf.io/) project
+and part of [Flux](https://fluxcd.io) family of GitOps tools.
 
 ## Prerequisites
 
-* Kubernetes >= 1.14
+* Kubernetes >= 1.19
 
 ## Installing the Chart
 
@@ -37,13 +37,16 @@ $ helm upgrade -i flagger flagger/flagger \
     --set metricsServer=http://prometheus:9090
 ```
 
-To install Flagger for **Linkerd**:
+To install Flagger for **Linkerd** (requires Linkerd Viz extension):
 
 ```console
+# Note that linkerdAuthPolicy.create=true is only required for Linkerd 2.12 and
+# later
 $ helm upgrade -i flagger flagger/flagger \
-    --namespace=linkerd \
+    --namespace=flagger-system \
     --set meshProvider=linkerd \
-    --set metricsServer=http://linkerd-prometheus:9090
+    --set metricsServer=http://prometheus.linkerd-viz:9090 \
+    --set linkerdAuthPolicy.create=true
 ```
 
 To install Flagger for **AWS App Mesh**:
@@ -55,6 +58,16 @@ $ helm upgrade -i flagger flagger/flagger \
     --set metricsServer=http://appmesh-prometheus:9090
 ```
 
+
+To install Flagger for **Kuma Service Mesh** (requires Kuma to have been installed with Prometheus):
+
+```console
+$ helm upgrade -i flagger flagger/flagger \
+    --namespace=kuma-system \
+    --set meshProvider=kuma \
+    --set metricsServer=http://prometheus-server.kuma-metrics:80
+```
+
 To install Flagger and Prometheus for **NGINX** Ingress (requires controller metrics enabled):
 
 ```console
@@ -64,7 +77,7 @@ $ helm upgrade -i flagger flagger/flagger \
     --set prometheus.install=true
 ```
 
-To install Flagger and Prometheus for **Gloo** (requires Gloo discovery enabled):
+To install Flagger and Prometheus for **Gloo** (no longer requires Gloo discovery):
 
 ```console
 $ helm upgrade -i flagger flagger/flagger \
@@ -87,11 +100,20 @@ To install Flagger and Prometheus for **Traefik**:
 
 ```console
 $ helm upgrade -i flagger flagger/flagger \
-    --namespace traefik \
+    --namespace=traefik \
     --set prometheus.install=true \
     --set meshProvider=traefik
 ```
 
+If you need to add labels to the flagger deployment or pods, you can pass the labels as parameters as shown below.
+
+```console
+helm upgrade -i flagger flagger/flagger \
+<other parameters> \
+--set podLabels.<labelName>=<labelValue> \
+--set deploymentLabels.<labelName>=<labelValue> 
+```
+
 The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
 ## Uninstalling the Chart
@@ -108,51 +130,64 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following tables lists the configurable parameters of the Flagger chart and their default values.
 
-Parameter | Description | Default
---- | --- | ---
-`image.repository` | Image repository | `ghcr.io/fluxcd/flagger`
-`image.tag` | Image tag | `<VERSION>`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`logLevel` | Log level | `info`
-`metricsServer` | Prometheus URL, used when `prometheus.install` is `false` | `http://prometheus.istio-system:9090`
-`prometheus.install` | If `true`, installs Prometheus configured to scrape all pods in the custer | `false`
-`prometheus.retention` |  Prometheus data retention | `2h`
-`selectorLabels` | List of labels that Flagger uses to create pod selectors | `app,name,app.kubernetes.io/name`
-`configTracking.enabled` | If `true`, flagger will track changes in Secrets and ConfigMaps referenced in the target deployment | `true`
-`eventWebhook` | If set, Flagger will publish events to the given webhook | None
-`slack.url` | Slack incoming webhook | None
-`slack.channel` | Slack channel | None
-`slack.user` | Slack username | `flagger`
-`msteams.url` | Microsoft Teams incoming webhook | None
-`podMonitor.enabled` | If `true`, create a PodMonitor for [monitoring the metrics](https://docs.flagger.app/usage/monitoring#metrics) | `false`
-`podMonitor.namespace` | Namespace where the PodMonitor is created | the same namespace
-`podMonitor.interval` | Interval at which metrics should be scraped | `15s`
-`podMonitor.podMonitor` | Additional labels to add to the PodMonitor | `{}`
-`leaderElection.enabled` | If `true`, Flagger will run in HA mode | `false`
-`leaderElection.replicaCount` | Number of replicas | `1`
-`serviceAccount.create` | If `true`, Flagger will create service account | `true`
-`serviceAccount.name` | The name of the service account to create or use. If not set and `serviceAccount.create` is `true`, a name is generated using the Flagger fullname | `""`
-`serviceAccount.annotations` | Annotations for service account | `{}`
-`ingressAnnotationsPrefix` | Annotations prefix for ingresses | `custom.ingress.kubernetes.io`
-`includeLabelPrefix` | List of prefixes of labels that are copied when creating primary deployments or daemonsets. Use * to include all | `""`
-`rbac.create` | If `true`, create and use RBAC resources | `true`
-`rbac.pspEnabled` | If `true`, create and use a restricted pod security policy | `false`
-`crd.create` | If `true`, create Flagger's CRDs (should be enabled for Helm v2 only) | `false`
-`resources.requests/cpu` | Pod CPU request | `10m`
-`resources.requests/memory` | Pod memory request | `32Mi`
-`resources.limits/cpu` | Pod CPU limit | `1000m`
-`resources.limits/memory` | Pod memory limit | `512Mi`
-`affinity` | Node/pod affinities | None
-`nodeSelector` | Node labels for pod assignment | `{}`
-`threadiness` | Number of controller workers | `2`
-`tolerations` | List of node taints to tolerate | `[]`
-`istio.kubeconfig.secretName` | The name of the Kubernetes secret containing the Istio shared control plane kubeconfig | None
-`istio.kubeconfig.key` | The name of Kubernetes secret data key that contains the Istio control plane kubeconfig | `kubeconfig`
-`ingressAnnotationsPrefix` | Annotations prefix for NGINX ingresses | None
-`ingressClass` | Ingress class used for annotating HTTPProxy objects, e.g. `contour` | None
-`podPriorityClassName` | PriorityClass name for pod priority configuration | ""
-`podDisruptionBudget.enabled` | A PodDisruptionBudget will be created if `true` | `false`
-`podDisruptionBudget.minAvailable` | The minimal number of available replicas that will be set in the PodDisruptionBudget | `1`
+| Parameter                            | Description                                                                                                                                        | Default                               |
+|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+| `image.repository`                   | Image repository                                                                                                                                   | `ghcr.io/fluxcd/flagger`              |
+| `image.tag`                          | Image tag                                                                                                                                          | `<VERSION>`                           |
+| `image.pullPolicy`                   | Image pull policy                                                                                                                                  | `IfNotPresent`                        |
+| `logLevel`                           | Log level                                                                                                                                          | `info`                                |
+| `metricsServer`                      | Prometheus URL, used when `prometheus.install` is `false`                                                                                          | `http://prometheus.istio-system:9090` |
+| `prometheus.install`                 | If `true`, installs Prometheus configured to scrape all pods in the custer                                                                         | `false`                               |
+| `prometheus.retention`               | Prometheus data retention                                                                                                                          | `2h`                                  |
+| `selectorLabels`                     | List of labels that Flagger uses to create pod selectors                                                                                           | `app,name,app.kubernetes.io/name`     |
+| `serviceMonitor.enabled`             | If `true`, creates service and serviceMonitor for monitoring Flagger metrics                                                                       | `false`                               |
+| `serviceMonitor.honorLabels`         | If `true`, label conflicts are resolved by keeping label values from the scraped data and ignoring the conflicting server-side labels              | `false`                               |
+| `serviceMonitor.namespace`           | Namespace Servicemonitor is installed in                                                                                                           | the same namespace                    |
+| `serviceMonitor.labels`              | labels for the ServiceMonitor passed to Prometheus Operator                                                                                        | `{}`                                  |
+| `configTracking.enabled`             | If `true`, flagger will track changes in Secrets and ConfigMaps referenced in the target deployment                                                | `true`                                |
+| `eventWebhook`                       | If set, Flagger will publish events to the given webhook                                                                                           | None                                  |
+| `slack.url`                          | Slack incoming webhook                                                                                                                             | None                                  |
+| `slack.proxyUrl`                     | Slack proxy url                                                                                                                                    | None                                  |
+| `slack.channel`                      | Slack channel                                                                                                                                      | None                                  |
+| `slack.user`                         | Slack username                                                                                                                                     | `flagger`                             |
+| `msteams.url`                        | Microsoft Teams incoming webhook                                                                                                                   | None                                  |
+| `msteams.proxyUrl`                   | Microsoft Teams proxy url                                                                                                                          | None                                  |
+| `clusterName`                        | When specified, Flagger will add the cluster name to alerts                                                                                        | `""`                                  |
+| `podMonitor.enabled`                 | If `true`, create a PodMonitor for [monitoring the metrics](https://docs.flagger.app/usage/monitoring#metrics)                                     | `false`                               |
+| `podMonitor.namespace`               | Namespace where the PodMonitor is created                                                                                                          | the same namespace                    |
+| `podMonitor.interval`                | Interval at which metrics should be scraped                                                                                                        | `15s`                                 |
+| `podMonitor.podMonitor`              | Additional labels to add to the PodMonitor                                                                                                         | `{}`                                  |
+| `podMonitor.honorLabels`             | If `true`, label conflicts are resolved by keeping label values from the scraped data and ignoring the conflicting server-side labels              | `false`                               |
+| `leaderElection.enabled`             | If `true`, Flagger will run in HA mode                                                                                                             | `false`                               |
+| `leaderElection.replicaCount`        | Number of replicas                                                                                                                                 | `1`                                   |
+| `serviceAccount.create`              | If `true`, Flagger will create service account                                                                                                     | `true`                                |
+| `serviceAccount.name`                | The name of the service account to create or use. If not set and `serviceAccount.create` is `true`, a name is generated using the Flagger fullname | `""`                                  |
+| `serviceAccount.annotations`         | Annotations for service account                                                                                                                    | `{}`                                  |
+| `ingressAnnotationsPrefix`           | Annotations prefix for ingresses                                                                                                                   | `custom.ingress.kubernetes.io`        |
+| `includeLabelPrefix`                 | List of prefixes of labels that are copied when creating primary deployments or daemonsets. Use * to include all                                   | `""`                                  |
+| `rbac.create`                        | If `true`, create and use RBAC resources                                                                                                           | `true`                                |
+| `rbac.pspEnabled`                    | If `true`, create and use a restricted pod security policy                                                                                         | `false`                               |
+| `crd.create`                         | If `true`, create Flagger's CRDs (should be enabled for Helm v2 only)                                                                              | `false`                               |
+| `resources.requests/cpu`             | Pod CPU request                                                                                                                                    | `10m`                                 |
+| `resources.requests/memory`          | Pod memory request                                                                                                                                 | `32Mi`                                |
+| `resources.limits/cpu`               | Pod CPU limit                                                                                                                                      | `1000m`                               |
+| `resources.limits/memory`            | Pod memory limit                                                                                                                                   | `512Mi`                               |
+| `affinity`                           | Node/pod affinities                                                                                                                                | prefer spread across hosts            |
+| `nodeSelector`                       | Node labels for pod assignment                                                                                                                     | `{}`                                  |
+| `threadiness`                        | Number of controller workers                                                                                                                       | `2`                                   |
+| `tolerations`                        | List of node taints to tolerate                                                                                                                    | `[]`                                  |
+| `controlplane.kubeconfig.secretName` | The name of the Kubernetes secret containing the service mesh control plane kubeconfig                                                             | None                                  |
+| `controlplane.kubeconfig.key`        | The name of Kubernetes secret data key that contains the service mesh control plane kubeconfig                                                     | `kubeconfig`                          |
+| `ingressAnnotationsPrefix`           | Annotations prefix for NGINX ingresses                                                                                                             | None                                  |
+| `ingressClass`                       | Ingress class used for annotating HTTPProxy objects, e.g. `contour`                                                                                | None                                  |
+| `podPriorityClassName`               | PriorityClass name for pod priority configuration                                                                                                  | ""                                    |
+| `podDisruptionBudget.enabled`        | A PodDisruptionBudget will be created if `true`                                                                                                    | `false`                               |
+| `podDisruptionBudget.minAvailable`   | The minimal number of available replicas that will be set in the PodDisruptionBudget                                                               | `1`                                   |
+| `podDisruptionBudget.minAvailable`   | The minimal number of available replicas that will be set in the PodDisruptionBudget                                                               | `1`                                   |
+| `noCrossNamespaceRefs`               | If `true`, cross namespace references to custom resources will be disabled                                                                         | `false`                               |
+| `namespace`                          | When specified, Flagger will restrict itself to watching Canary objects from that namespace                                                        | `""`                                  |
+| `deploymentLabels`                   | Labels to add to Flagger deployment                                                                                                                | `{}`                                  |
+| `podLabels`                          | Labels to add to pods of Flagger deployment                                                                                                        | `{}`                                  |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade`. For example,
 

charts/flagger/templates/account.yaml

@@ -3,8 +3,9 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "flagger.serviceAccountName" . }}
-  annotations:
+  namespace: {{ .Release.Namespace }}
   {{- if .Values.serviceAccount.annotations }}
+  annotations:
 {{ toYaml .Values.serviceAccount.annotations | indent 4 }}
   {{- end }}
   labels:

charts/flagger/templates/authorizationpolicy.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.linkerdAuthPolicy.create }}
+apiVersion: policy.linkerd.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  namespace: {{ .Values.linkerdAuthPolicy.namespace }}
+  name: prometheus-admin-flagger
+spec:
+  targetRef:
+    group: policy.linkerd.io
+    kind: Server
+    name: prometheus-admin
+  requiredAuthenticationRefs:
+    - kind: ServiceAccount
+      name: {{ template "flagger.serviceAccountName" . }}
+      namespace: {{ .Release.Namespace }}
+{{- end }}

charts/flagger/templates/deployment.yaml

@@ -2,11 +2,22 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "flagger.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     helm.sh/chart: {{ template "flagger.chart" . }}
     app.kubernetes.io/name: {{ template "flagger.name" . }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+  {{- if .Values.deploymentLabels }}
+  {{- range $key, $value := .Values.deploymentLabels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   replicas: {{ .Values.leaderElection.replicaCount }}
   {{- if eq .Values.leaderElection.enabled false }}
@@ -22,31 +33,34 @@ spec:
       labels:
         app.kubernetes.io/name: {{ template "flagger.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/version: {{ .Chart.AppVersion }}
+      {{- if .Values.podLabels }}
+      {{- range $key, $value := .Values.podLabels }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- end }}
       annotations:
         {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
         {{- end }}
     spec:
       serviceAccountName: {{ template "flagger.serviceAccountName" . }}
+      {{- if .Values.affinity }}
       affinity:
-        podAntiAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 100
-              podAffinityTerm:
-                labelSelector:
-                  matchLabels:
-                    app.kubernetes.io/name: {{ template "flagger.name" . }}
-                    app.kubernetes.io/instance: {{ .Release.Name }}
-                topologyKey: kubernetes.io/hostname
+        {{- tpl (toYaml .Values.affinity) . | nindent 8 }}
+      {{- end }}
       {{- if .Values.image.pullSecret }}
       imagePullSecrets:
         - name: {{ .Values.image.pullSecret }}
       {{- end }}
+      {{- if .Values.controlplane.kubeconfig.secretName }}
       volumes:
-        {{- if .Values.istio.kubeconfig.secretName }}
         - name: kubeconfig
           secret:
-            secretName: "{{ .Values.istio.kubeconfig.secretName }}"
+            secretName: "{{ .Values.controlplane.kubeconfig.secretName }}"
+      {{- end }}
+        {{- if .Values.additionalVolumes }}
+          {{- toYaml .Values.additionalVolumes | nindent 8 -}}
         {{- end }}
       {{- if .Values.podPriorityClassName }}
       priorityClassName: {{ .Values.podPriorityClassName }}
@@ -57,11 +71,11 @@ spec:
           securityContext:
 {{ toYaml .Values.securityContext.context | indent 12 }}
           {{- end }}
+          {{- if .Values.controlplane.kubeconfig.secretName }}
           volumeMounts:
-            {{- if .Values.istio.kubeconfig.secretName }}
             - name: kubeconfig
-              mountPath: "/tmp/istio-host"
-            {{- end }}
+              mountPath: "/tmp/controlplane"
+          {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
@@ -90,6 +104,9 @@ spec:
           {{- if .Values.slack.url }}
           - -slack-url={{ .Values.slack.url }}
           {{- end }}
+          {{- if .Values.slack.proxyUrl }}
+          - -slack-proxy-url={{ .Values.slack.proxyUrl }}
+          {{- end }}
           {{- if .Values.slack.user }}
           - -slack-user={{ .Values.slack.user }}
           {{- end }}
@@ -99,6 +116,9 @@ spec:
           {{- if .Values.msteams.url }}
           - -msteams-url={{ .Values.msteams.url }}
           {{- end }}
+          {{- if .Values.msteams.proxyUrl }}
+          - -msteams-proxy-url={{ .Values.msteams.proxyUrl }}
+          {{- end }}
           {{- if .Values.leaderElection.enabled }}
           - -enable-leader-election=true
           - -leader-election-namespace={{ .Release.Namespace }}
@@ -121,12 +141,18 @@ spec:
           {{- if .Values.kubeconfigBurst }}
           - -kubeconfig-burst={{ .Values.kubeconfigBurst }}
           {{- end }}
-          {{- if .Values.istio.kubeconfig.secretName }}
-          - -kubeconfig-service-mesh=/tmp/istio-host/{{ .Values.istio.kubeconfig.key }}
+          {{- if .Values.controlplane.kubeconfig.secretName }}
+          - -kubeconfig-service-mesh=/tmp/controlplane/{{ .Values.controlplane.kubeconfig.key }}
           {{- end }}
           {{- if .Values.threadiness }}
           - -threadiness={{ .Values.threadiness }}
           {{- end }}
+          {{- if .Values.clusterName }}
+          - -cluster-name={{ .Values.clusterName }}
+          {{- end }}
+          {{- if .Values.noCrossNamespaceRefs }}
+          - -no-cross-namespace-refs={{ .Values.noCrossNamespaceRefs }}
+          {{- end }}
           livenessProbe:
             exec:
               command:

charts/flagger/templates/pdb.yaml

@@ -1,8 +1,13 @@
 {{- if .Values.podDisruptionBudget.enabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+apiVersion: policy/v1
+{{- else }}
 apiVersion: policy/v1beta1
+{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: {{ template "flagger.name" . }}
+  namespace: {{ .Release.Namespace }}
 spec:
   minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
   selector:

charts/flagger/templates/podmonitor.yaml

@@ -17,6 +17,7 @@ spec:
   - interval: {{ .Values.podMonitor.interval }}
     path: /metrics
     port: http
+    honorLabels: {{ .Values.podMonitor.honorLabels }}
   namespaceSelector:
     matchNames:
     - {{ .Release.Namespace }}

charts/flagger/templates/prometheus.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.prometheus.install }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "flagger.fullname" . }}-prometheus
@@ -24,7 +24,7 @@ rules:
   - nonResourceURLs: ["/metrics"]
     verbs: ["get"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "flagger.fullname" . }}-prometheus
@@ -255,7 +255,14 @@ spec:
               mountPath: /etc/prometheus
             - name: data-volume
               mountPath: /prometheus/data
-
+          {{- if .Values.prometheus.securityContext.enabled }}
+          securityContext:
+{{ toYaml .Values.prometheus.securityContext.context | indent 12 }}
+          {{- end }}
+      {{- if .Values.prometheus.pullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.prometheus.pullSecret }}
+      {{- end }}
       volumes:
         - name: config-volume
           configMap:

charts/flagger/templates/psp.yaml

@@ -50,6 +50,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ template "flagger.fullname" . }}-psp
+  namespace: {{ .Release.Namespace }}
   labels:
     helm.sh/chart: {{ template "flagger.chart" . }}
     app.kubernetes.io/name: {{ template "flagger.name" . }}

charts/flagger/templates/rbac.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "flagger.fullname" . }}
@@ -27,6 +27,18 @@ rules:
       - update
       - patch
       - delete
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
   - apiGroups:
       - apps
     resources:
@@ -74,6 +86,7 @@ rules:
     resources:
       - canaries
       - canaries/status
+      - canaries/finalizers
       - metrictemplates
       - metrictemplates/status
       - alertproviders
@@ -149,8 +162,19 @@ rules:
     resources:
       - upstreams
       - upstreams/finalizers
-      - upstreamgroups
-      - upstreamgroups/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - gateway.solo.io
+    resources:
+      - routetables
+      - routetables/finalizers
     verbs:
       - get
       - list
@@ -173,7 +197,7 @@ rules:
       - patch
       - delete
   - apiGroups:
-    - traefik.containo.us
+    - traefik.io 
     resources:
     - traefikservices
     verbs:
@@ -184,12 +208,89 @@ rules:
     - update
     - patch
     - delete
+  - apiGroups:
+      - kuma.io
+    resources:
+      - trafficroutes
+      - trafficroutes/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - gateway.networking.k8s.io
+    resources:
+      - httproutes
+      - httproutes/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - keda.sh
+    resources:
+      - scaledobjects
+      - scaledobjects/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - apisix.apache.org
+    resources:
+      - apisixroutes
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - metrics.keptn.sh
+    resources:
+      - keptnmetrics
+      - analyses
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
   - nonResourceURLs:
       - /version
     verbs:
       - get
+  - apiGroups:
+      - serving.knative.dev
+    resources:
+      - services
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - serving.knative.dev
+    resources:
+      - revisions
+    verbs:
+      - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "flagger.fullname" . }}

charts/flagger/templates/service.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "flagger.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "flagger.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: {{ template "flagger.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/flagger/templates/servicemonitor.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "flagger.name" . }}
+{{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: {{ template "flagger.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- with .Values.serviceMonitor.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: http
+      interval: 30s
+      scrapeTimeout: 30s
+      honorLabels: {{ .Values.serviceMonitor.honorLabels }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "flagger.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/flagger/values.yaml

@@ -1,8 +1,11 @@
 # Default values for flagger.
 
+## Deployment annotations
+# annotations: {}
+
 image:
   repository: ghcr.io/fluxcd/flagger
-  tag: 1.5.0
+  tag: 1.42.0
   pullPolicy: IfNotPresent
   pullSecret:
 
@@ -13,13 +16,23 @@ podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "8080"
   appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+  linkerd.io/inject: enabled
 
 # priority class name for pod priority configuration
 podPriorityClassName: ""
 
 metricsServer: "http://prometheus:9090"
 
-# accepted values are kubernetes, istio, linkerd, appmesh, contour, nginx, gloo, skipper, traefik
+# creates serviceMonitor for monitoring Flagger metrics
+serviceMonitor:
+  enabled: false
+  honorLabels: false
+  # Set the namespace the ServiceMonitor should be deployed
+  # namespace: monitoring
+  # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
+  # labels:
+
+# accepted values are kubernetes, istio, linkerd, appmesh, contour, nginx, gloo, skipper, traefik, apisix
 meshProvider: ""
 
 # single namespace restriction
@@ -50,11 +63,15 @@ securityContext:
 # when specified, flagger will publish events to the provided webhook
 eventWebhook: ""
 
+# when specified, flagger will add the cluster name to alerts
+clusterName: ""
+
 slack:
   user: flagger
   channel:
   # incoming webhook https://api.slack.com/incoming-webhooks
   url:
+  proxy:
 
 msteams:
   # MS Teams incoming webhook URL
@@ -65,6 +82,7 @@ podMonitor:
   namespace:
   interval: 15s
   additionalLabels: {}
+  honorLabels: false
 
 #env:
 #- name: SLACK_URL
@@ -72,11 +90,21 @@ podMonitor:
 #    secretKeyRef:
 #      name: slack
 #      key: url
+#- name: SLACK_PROXY_URL
+#  valueFrom:
+#    secretKeyRef:
+#      name: slack
+#      key: proxy-url
 #- name: MSTEAMS_URL
 #  valueFrom:
 #    secretKeyRef:
 #      name: msteams
 #      key: url
+#- name: MSTEAMS_PROXY_URL
+#  valueFrom:
+#    secretKeyRef:
+#      name: msteams
+#      key: proxy-url
 #- name: EVENT_WEBHOOK_URL
 #  valueFrom:
 #    secretKeyRef:
@@ -106,6 +134,13 @@ crd:
   # crd.create: `true` if custom resource definitions should be created
   create: false
 
+linkerdAuthPolicy:
+  # linkerdAuthPolicy.create: Whether to create an AuthorizationPolicy in
+  # linkerd viz' namespace to allow flagger to reach viz' prometheus service
+  create: false
+  # linkerdAuthPolicy.namespace: linkerd-viz' namespace
+  namespace: linkerd-viz
+
 nameOverride: ""
 fullnameOverride: ""
 
@@ -121,24 +156,54 @@ nodeSelector: {}
 
 tolerations: []
 
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: '{{ template "flagger.name" . }}'
+              app.kubernetes.io/instance: '{{ .Release.Name }}'
+          topologyKey: kubernetes.io/hostname
+
 prometheus:
   # to be used with ingress controllers
   install: false
-  image: docker.io/prom/prometheus:v2.23.0
+  image: docker.io/prom/prometheus:v2.41.0
+  pullSecret:
   retention: 2h
+  # when enabled, it will add a security context for the prometheus pod
+  securityContext:
+    enabled: false
+    context:
+      readOnlyRootFilesystem: true
+      runAsUser: 10001
 
 kubeconfigQPS: ""
 kubeconfigBurst: ""
 
-#  Istio multi-cluster service mesh (shared control plane single-network)
-# https://istio.io/docs/setup/install/multicluster/shared-vpn/
-istio:
+#  Multi-cluster service mesh (shared control plane single-network)
+controlplane:
   kubeconfig:
-    # istio.kubeconfig.secretName: The name of the secret containing the Istio control plane kubeconfig
+    # controlplane.kubeconfig.secretName: The name of the secret containing the mesh control plane kubeconfig
     secretName: ""
-    # istio.kubeconfig.key: The name of secret data key that contains the Istio control plane kubeconfig
+    # controlplane.kubeconfig.key: The name of secret data key that contains the mesh control plane kubeconfig
     key: "kubeconfig"
 
 podDisruptionBudget:
   enabled: false
   minAvailable: 1
+
+# Additional labels to be added to pods
+podLabels: {}
+
+# Additional labels to be added to deployments
+deploymentLabels: { }
+
+noCrossNamespaceRefs: false
+
+#Placeholder to supply additional volumes to the flagger pod
+additionalVolumes: {}
+  # - name: tmpfs
+  #   emptyDir: {}

charts/grafana/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 name: grafana
-version: 1.5.0
+version: 1.7.0
 appVersion: 7.2.0
 description: Grafana dashboards for monitoring Flagger canary deployments
-icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/weaveworks.png
+icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/flagger-icon.png
 home: https://flagger.app
 sources:
   - https://github.com/fluxcd/flagger

charts/grafana/dashboards/appmesh.json

@@ -1146,7 +1146,6 @@
     "list": [
       {
         "allValue": null,
-        "current": null,
         "datasource": "prometheus",
         "definition": "query_result(sum(envoy_cluster_upstream_rq) by (kubernetes_namespace))",
         "hide": 0,
@@ -1168,7 +1167,6 @@
       },
       {
         "allValue": null,
-        "current": null,
         "datasource": "prometheus",
         "definition": "query_result(sum(envoy_cluster_upstream_rq{kubernetes_namespace=\"$namespace\",app=~\".*-primary\"}) by (app))",
         "hide": 0,
@@ -1190,7 +1188,6 @@
       },
       {
         "allValue": null,
-        "current": null,
         "datasource": "prometheus",
         "definition": "query_result(sum(envoy_cluster_upstream_rq{kubernetes_namespace=\"$namespace\",app!~\".*-primary\"}) by (app))",
         "hide": 0,

charts/grafana/dashboards/istio.json

@@ -403,7 +403,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "interval": "",
           "intervalFactor": 1,
@@ -411,7 +411,7 @@
           "refId": "A"
         },
         {
-          "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
@@ -419,7 +419,7 @@
           "refId": "B"
         },
         {
-          "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$primary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
@@ -509,7 +509,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "interval": "",
           "intervalFactor": 1,
@@ -517,7 +517,7 @@
           "refId": "A"
         },
         {
-          "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
@@ -525,7 +525,7 @@
           "refId": "B"
         },
         {
-          "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))",
+          "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=\"destination\",destination_workload=~\"$canary\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le)) / 1000",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,

charts/loadtester/Chart.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 name: loadtester
-version: 0.18.0
-appVersion: 0.18.0
-kubeVersion: ">=1.11.0-0"
+version: 0.36.0
+appVersion: 0.36.0
+kubeVersion: ">=1.19.0-0"
 engine: gotpl
 description: Flagger's load testing services based on rakyll/hey and bojand/ghz that generates traffic during canary analysis when configured as a webhook.
 home: https://docs.flagger.app
-icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/weaveworks.png
+icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/flagger-icon.png
 sources:
   - https://github.com/fluxcd/flagger
 maintainers:
@@ -19,5 +19,6 @@ keywords:
   - appmesh
   - linkerd
   - gloo
+  - smi
   - gitops
   - load testing

charts/loadtester/README.md

@@ -1,13 +1,13 @@
 # Flagger load testing service
 
-[Flagger's](https://github.com/fluxcd/flagger) load testing service is based on 
-[rakyll/hey](https://github.com/rakyll/hey) and 
+[Flagger's](https://github.com/fluxcd/flagger) load testing service is based on
+[rakyll/hey](https://github.com/rakyll/hey) and
 [bojand/ghz](https://github.com/bojand/ghz).
 It can be used to generate HTTP and gRPC traffic during canary analysis when configured as a webhook.
 
 ## Prerequisites
 
-* Kubernetes >= 1.11
+* Kubernetes >= 1.19
 
 ## Installing the Chart
 
@@ -26,7 +26,7 @@ helm upgrade -i flagger-loadtester flagger/loadtester
 The command deploys loadtester on the Kubernetes cluster in the default namespace.
 
 > **Tip**: Note that the namespace where you deploy the load tester should
-> have the Istio, App Mesh or Linkerd sidecar injection enabled
+> have the Istio, App Mesh, Linkerd or Open Service Mesh sidecar injection enabled
 
 The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
@@ -44,32 +44,37 @@ The command removes all the Kubernetes components associated with the chart and
 
 The following tables lists the configurable parameters of the load tester chart and their default values.
 
-Parameter | Description | Default
---- | --- | ---
-`image.repository` | Image repository | `quay.io/stefanprodan/flagger-loadtester`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`image.tag` | Image tag | `<VERSION>`
-`replicaCount` | Desired number of pods | `1`
-`serviceAccountName` | Kubernetes service account name | `none` 
-`resources.requests.cpu` | CPU requests | `10m`
-`resources.requests.memory` | Memory requests | `64Mi`
-`tolerations` | List of node taints to tolerate | `[]`
-`affinity` | node/pod affinities | `node`
-`nodeSelector` | Node labels for pod assignment | `{}`
-`service.type` | Type of service | `ClusterIP`
-`service.port` | ClusterIP port | `80`
-`cmd.timeout` | Command execution timeout | `1h`
-`logLevel` | Log level can be debug, info, warning, error or panic | `info`
-`appmesh.enabled` | Create AWS App Mesh v1beta2 virtual node | `false`
-`appmesh.backends` | AWS App Mesh virtual services | `none`
-`istio.enabled` | Create Istio virtual service | `false`
-`istio.host` | Loadtester hostname  | `flagger-loadtester.flagger`
-`istio.gateway.enabled` | Create Istio gateway in namespace | `false`
-`istio.tls.enabled` | Enable TLS in gateway ( TLS secrets should be in namespace ) | `false`
-`istio.tls.httpsRedirect` | Redirect traffic to TLS port | `false`
-`podPriorityClassName` | PriorityClass name for pod priority configuration | ""
-`securityContext.enabled` | Add securityContext to container | ""
-`securityContext.context` | securityContext to add | ""
+| Parameter                          | Description                                                                          | Default                             |
+|------------------------------------|--------------------------------------------------------------------------------------|-------------------------------------|
+| `image.repository`                 | Image repository                                                                     | `ghcr.io/fluxcd/flagger-loadtester` |
+| `image.pullPolicy`                 | Image pull policy                                                                    | `IfNotPresent`                      |
+| `image.tag`                        | Image tag                                                                            | `<VERSION>`                         |
+| `replicaCount`                     | Desired number of pods                                                               | `1`                                 |
+| `serviceAccountName`               | Kubernetes service account name                                                      | `none`                              |
+| `resources.requests.cpu`           | CPU requests                                                                         | `10m`                               |
+| `resources.requests.memory`        | Memory requests                                                                      | `64Mi`                              |
+| `tolerations`                      | List of node taints to tolerate                                                      | `[]`                                |
+| `affinity`                         | node/pod affinities                                                                  | `node`                              |
+| `nodeSelector`                     | Node labels for pod assignment                                                       | `{}`                                |
+| `service.type`                     | Type of service                                                                      | `ClusterIP`                         |
+| `service.port`                     | ClusterIP port                                                                       | `80`                                |
+| `cmd.timeout`                      | Command execution timeout                                                            | `1h`                                |
+| `cmd.namespaceRegexp`              | Restrict access to canaries in matching namespaces                                   | ""                                  |
+| `logLevel`                         | Log level can be debug, info, warning, error or panic                                | `info`                              |
+| `appmesh.enabled`                  | Create AWS App Mesh v1beta2 virtual node                                             | `false`                             |
+| `appmesh.backends`                 | AWS App Mesh virtual services                                                        | `none`                              |
+| `istio.enabled`                    | Create Istio virtual service                                                         | `false`                             |
+| `istio.host`                       | Loadtester hostname                                                                  | `flagger-loadtester.flagger`        |
+| `istio.gateway.enabled`            | Create Istio gateway in namespace                                                    | `false`                             |
+| `istio.tls.enabled`                | Enable TLS in gateway ( TLS secrets should be in namespace )                         | `false`                             |
+| `istio.tls.httpsRedirect`          | Redirect traffic to TLS port                                                         | `false`                             |
+| `podPriorityClassName`             | PriorityClass name for pod priority configuration                                    | ""                                  |
+| `securityContext.enabled`          | Add securityContext to container                                                     | `false`                             |
+| `SecurityContext.context`          | securityContext to add                                                               | ""                                  |
+| `podSecurityContext.enabled`       | Add securityContext to pod                                                           | `false`                             |
+| `podSecurityContext.context`       | securityContext to add                                                               | ""                                  |
+| `podDisruptionBudget.enabled`      | A PodDisruptionBudget will be created if `true`                                      | `false`                             |
+| `podDisruptionBudget.minAvailable` | The minimal number of available replicas that will be set in the PodDisruptionBudget | `1`                                 |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade`. For example,
 
@@ -87,5 +92,3 @@ helm install flagger/loadtester --name flagger-loadtester -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
-
-

charts/loadtester/templates/deployment.yaml

@@ -16,10 +16,15 @@ spec:
     metadata:
       labels:
         app: {{ include "loadtester.name" . }}
+        app.kubernetes.io/name: {{ include "loadtester.name" . }}
+      {{- range $key, $value := .Values.podLabels }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
       annotations:
         appmesh.k8s.aws/ports: "444"
+        openservicemesh.io/inbound-port-exclusion-list: "80, 8080"
         {{- if .Values.podAnnotations }}
-{{ toYaml .Values.podAnnotations | indent 8 }}
+          {{- toYaml .Values.podAnnotations | nindent 8 }}
         {{- end }}
     spec:
       {{- if .Values.serviceAccountName }}
@@ -29,12 +34,12 @@ spec:
       {{- end }}
       {{- if .Values.podPriorityClassName }}
       priorityClassName: {{ .Values.podPriorityClassName }}
-      {{- end }}           
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           {{- if .Values.securityContext.enabled }}
           securityContext:
-{{ toYaml .Values.securityContext.context | indent 12 }}
+            {{- toYaml .Values.securityContext.context | nindent 12 }}
           {{- end }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -46,6 +51,7 @@ spec:
             - -port=8080
             - -log-level={{ .Values.logLevel }}
             - -timeout={{ .Values.cmd.timeout }}
+            - -namespace-regexp={{ .Values.cmd.namespaceRegexp }}
           livenessProbe:
             exec:
               command:
@@ -66,8 +72,24 @@ spec:
                 - --spider
                 - http://localhost:8080/healthz
             timeoutSeconds: 5
+          {{- if .Values.env }}
+          env:
+            {{- toYaml .Values.env | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- if .Values.image.pullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.image.pullSecret }}
+      {{- end }}
+      {{ with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -80,3 +102,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
+    {{- if .Values.podSecurityContext.enabled }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext.context | nindent 12 }}
+    {{- end }}

charts/loadtester/templates/istio-gw.yaml

@@ -1,5 +1,5 @@
 {{- if and (.Values.istio.enabled) (.Values.istio.gateway.enabled) }}
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
   name: {{ include "loadtester.fullname" . }}

charts/loadtester/templates/istio-vs.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.istio.enabled }}
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: {{ include "loadtester.fullname" . }}

charts/loadtester/templates/pdb.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+apiVersion: policy/v1
+{{- else }}
+apiVersion: policy/v1beta1
+{{- end }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "loadtester.fullname" . }}
+spec:
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "loadtester.name" . }}
+{{- end }}

charts/loadtester/templates/rbac.yaml

@@ -51,4 +51,7 @@ metadata:
     app.kubernetes.io/name: {{ template "loadtester.name" . }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
+  {{- if .Values.rbac.serviceAccountAnnotations }}
+  annotations: {{ tpl (toYaml .Values.rbac.serviceAccountAnnotations) . | nindent 4 }}
+  {{- end }}
 {{- end }}

charts/loadtester/values.yaml

@@ -2,22 +2,28 @@ replicaCount: 1
 
 image:
   repository: ghcr.io/fluxcd/flagger-loadtester
-  tag: 0.18.0
+  tag: 0.36.0
   pullPolicy: IfNotPresent
+  pullSecret:
+
+podLabels: {}
 
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "8080"
 
-podPriorityClassName: ""  
+podPriorityClassName: ""
 
 logLevel: info
 cmd:
   timeout: 1h
+  namespaceRegexp: ""
 
 nameOverride: ""
 fullnameOverride: ""
 
+env: []
+
 service:
   type: ClusterIP
   port: 80
@@ -27,6 +33,9 @@ resources:
     cpu: 10m
     memory: 64Mi
 
+volumes: []
+volumeMounts: []
+
 nodeSelector: {}
 
 tolerations: []
@@ -45,6 +54,8 @@ rbac:
   #   resources: ["pods"]
   #   verbs: ["list", "get"]
   rules: []
+  # annotations to add to the service account
+  serviceAccountAnnotations: {}
 
 # name of an existing service account to use - if not creating rbac resources
 serviceAccountName: ""
@@ -62,15 +73,15 @@ appmesh:
   - podinfo
   - podinfo-canary
 
-#Istio virtual service and gatway settings. TLS secrets should be in namespace before enbaled it. ( secret format loadtester.fullname ) 
+#Istio virtual service and gatway settings. TLS secrets should be in namespace before enbaled it. ( secret format loadtester.fullname )
 istio:
   enabled: false
   host: flagger-loadtester.flagger
   gateway:
-    enabled: false  
+    enabled: false
   tls:
     enabled: false
-    httpsRedirect: false 
+    httpsRedirect: false
 
 # when enabled, it will add a security context for the loadtester pod
 securityContext:
@@ -79,3 +90,13 @@ securityContext:
     readOnlyRootFilesystem: true
     runAsUser: 100
     runAsGroup: 101
+
+podSecurityContext:
+  enabled: false
+  context:
+    fsGroup: 101
+    fsGroupChangePolicy: "OnRootMismatch"
+
+podDisruptionBudget:
+  enabled: false
+  minAvailable: 1

charts/podinfo/Chart.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
-version: 5.0.0
-appVersion: 5.0.0
+version: 6.1.4
+appVersion: 6.1.3
 name: podinfo
 engine: gotpl
 description: Flagger canary deployment demo application
 home: https://docs.flagger.app
-icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/weaveworks.png
+icon: https://raw.githubusercontent.com/fluxcd/flagger/main/docs/logo/flagger-icon.png
 sources:
   - https://github.com/stefanprodan/podinfo
 maintainers:

charts/podinfo/README.md

@@ -20,7 +20,7 @@ helm upgrade -i frontend flagger/podinfo \
 --set backend=http://backend.test:9898/echo \
 --set canary.enabled=true \
 --set canary.istioIngress.enabled=true \
---set canary.istioIngress.gateway=public-gateway.istio-system.svc.cluster.local \
+--set canary.istioIngress.gateway=istio-system/public-gateway \
 --set canary.istioIngress.host=frontend.istio.example.com
 ```
 

charts/podinfo/templates/canary.yaml

@@ -14,7 +14,7 @@ spec:
     kind: Deployment
     name:  {{ template "podinfo.fullname" . }}
   autoscalerRef:
-    apiVersion: autoscaling/v2beta1
+    apiVersion: autoscaling/v2
     kind: HorizontalPodAutoscaler
     name:  {{ template "podinfo.fullname" . }}
   service:
@@ -57,4 +57,4 @@ spec:
         metadata:
           cmd: "hey -z 1m -q 5 -c 2 http://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}"
       {{- end }}
-{{- end }}
+{{- end }}

charts/podinfo/templates/hpa.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ template "podinfo.fullname" . }}
@@ -20,12 +20,16 @@ spec:
   - type: Resource
     resource:
       name: cpu
-      targetAverageUtilization: {{ .Values.hpa.cpu }}
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.hpa.cpu }}
   {{- end }}
   {{- if .Values.hpa.memory }}
   - type: Resource
     resource:
       name: memory
-      targetAverageValue: {{ .Values.hpa.memory }}
+      target:
+        type: AverageValue 
+        averageValue: {{ .Values.hpa.memory }}
   {{- end }}
 {{- end }}

charts/podinfo/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.canary.enabled }}
+{{- if and .Values.service.enabled (not .Values.canary.enabled) }}
 apiVersion: v1
 kind: Service
 metadata:

charts/podinfo/templates/tests/jwt.yaml

@@ -12,6 +12,7 @@ metadata:
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+    openservicemesh.io/sidecar-injection: disabled
 spec:
   containers:
     - name: tools

charts/podinfo/values.yaml

@@ -1,7 +1,7 @@
 # Default values for podinfo.
 image:
   repository: ghcr.io/stefanprodan/podinfo
-  tag: 5.0.0
+  tag: 6.1.3
   pullPolicy: IfNotPresent
 
 podAnnotations: {}
@@ -25,7 +25,7 @@ canary:
   istioIngress:
     enabled: false
     # Istio ingress gateway name
-    gateway: public-gateway.istio-system.svc.cluster.local
+    gateway: istio-system/public-gateway
     # external host name eg. podinfo.example.com
     host:
   analysis:

cmd/flagger/main.go

@@ -25,7 +25,8 @@ import (
 	"strings"
 	"time"
 
-	semver "github.com/Masterminds/semver/v3"
+	"github.com/Masterminds/semver/v3"
+	"github.com/go-logr/zapr"
 	"go.uber.org/zap"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/uuid"
@@ -37,6 +38,7 @@ import (
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"k8s.io/client-go/transport"
 	_ "k8s.io/code-generator/cmd/client-gen/generators"
+	"k8s.io/klog/v2"
 
 	"github.com/fluxcd/flagger/pkg/canary"
 	clientset "github.com/fluxcd/flagger/pkg/client/clientset/versioned"
@@ -49,6 +51,8 @@ import (
 	"github.com/fluxcd/flagger/pkg/server"
 	"github.com/fluxcd/flagger/pkg/signals"
 	"github.com/fluxcd/flagger/pkg/version"
+
+	knative "knative.dev/serving/pkg/client/clientset/versioned"
 )
 
 var (
@@ -61,8 +65,11 @@ var (
 	logLevel                 string
 	port                     string
 	msteamsURL               string
+	msteamsProxyURL          string
 	includeLabelPrefix       string
 	slackURL                 string
+	slackToken               string
+	slackProxyURL            string
 	slackUser                string
 	slackChannel             string
 	eventWebhook             string
@@ -79,6 +86,8 @@ var (
 	enableConfigTracking     bool
 	ver                      bool
 	kubeconfigServiceMesh    string
+	clusterName              string
+	noCrossNamespaceRefs     bool
 )
 
 func init() {
@@ -91,16 +100,19 @@ func init() {
 	flag.StringVar(&logLevel, "log-level", "debug", "Log level can be: debug, info, warning, error.")
 	flag.StringVar(&port, "port", "8080", "Port to listen on.")
 	flag.StringVar(&slackURL, "slack-url", "", "Slack hook URL.")
+	flag.StringVar(&slackToken, "slack-token", "", "Slack bot token.")
+	flag.StringVar(&slackProxyURL, "slack-proxy-url", "", "Slack proxy URL.")
 	flag.StringVar(&slackUser, "slack-user", "flagger", "Slack user name.")
 	flag.StringVar(&slackChannel, "slack-channel", "", "Slack channel.")
 	flag.StringVar(&eventWebhook, "event-webhook", "", "Webhook for publishing flagger events")
 	flag.StringVar(&msteamsURL, "msteams-url", "", "MS Teams incoming webhook URL.")
+	flag.StringVar(&msteamsProxyURL, "msteams-proxy-url", "", "MS Teams proxy URL.")
 	flag.StringVar(&includeLabelPrefix, "include-label-prefix", "", "List of prefixes of labels that are copied when creating primary deployments or daemonsets. Use * to include all.")
 	flag.IntVar(&threadiness, "threadiness", 2, "Worker concurrency.")
 	flag.BoolVar(&zapReplaceGlobals, "zap-replace-globals", false, "Whether to change the logging level of the global zap logger.")
 	flag.StringVar(&zapEncoding, "zap-encoding", "json", "Zap logger encoding.")
 	flag.StringVar(&namespace, "namespace", "", "Namespace that flagger would watch canary object.")
-	flag.StringVar(&meshProvider, "mesh-provider", "istio", "Service mesh provider, can be istio, linkerd, appmesh, contour, gloo, nginx, skipper or traefik.")
+	flag.StringVar(&meshProvider, "mesh-provider", "istio", "Service mesh provider, can be istio, linkerd, appmesh, contour, knative, gloo, nginx, skipper, traefik, apisix, osm or kuma.")
 	flag.StringVar(&selectorLabels, "selector-labels", "app,name,app.kubernetes.io/name", "List of pod labels that Flagger uses to create pod selectors.")
 	flag.StringVar(&ingressAnnotationsPrefix, "ingress-annotations-prefix", "nginx.ingress.kubernetes.io", "Annotations prefix for NGINX ingresses.")
 	flag.StringVar(&ingressClass, "ingress-class", "", "Ingress class used for annotating HTTPProxy objects.")
@@ -109,9 +121,12 @@ func init() {
 	flag.BoolVar(&enableConfigTracking, "enable-config-tracking", true, "Enable secrets and configmaps tracking.")
 	flag.BoolVar(&ver, "version", false, "Print version")
 	flag.StringVar(&kubeconfigServiceMesh, "kubeconfig-service-mesh", "", "Path to a kubeconfig for the service mesh control plane cluster.")
+	flag.StringVar(&clusterName, "cluster-name", "", "Cluster name to be included in alert msgs.")
+	flag.BoolVar(&noCrossNamespaceRefs, "no-cross-namespace-refs", false, "When set to true, Flagger can only refer to resources in the same namespace.")
 }
 
 func main() {
+	klog.InitFlags(nil)
 	flag.Parse()
 
 	if ver {
@@ -127,6 +142,8 @@ func main() {
 		zap.ReplaceGlobals(logger.Desugar())
 	}
 
+	klog.SetLogger(zapr.NewLogger(logger.Desugar()))
+
 	defer logger.Sync()
 
 	stopCh := signals.SetupSignalHandler()
@@ -151,19 +168,24 @@ func main() {
 		logger.Fatalf("Error building flagger clientset: %s", err.Error())
 	}
 
+	knativeClient, err := knative.NewForConfig(cfg)
+	if err != nil {
+		logger.Fatalf("Error building knative clientset: %s", err.Error())
+	}
+
 	// use a remote cluster for routing if a service mesh kubeconfig is specified
 	if kubeconfigServiceMesh == "" {
 		kubeconfigServiceMesh = kubeconfig
 	}
-	cfgHost, err := clientcmd.BuildConfigFromFlags(masterURL, kubeconfigServiceMesh)
+	serviceMeshCfg, err := clientcmd.BuildConfigFromFlags(masterURL, kubeconfigServiceMesh)
 	if err != nil {
 		logger.Fatalf("Error building host kubeconfig: %v", err)
 	}
 
-	cfgHost.QPS = float32(kubeconfigQPS)
-	cfgHost.Burst = kubeconfigBurst
+	serviceMeshCfg.QPS = float32(kubeconfigQPS)
+	serviceMeshCfg.Burst = kubeconfigBurst
 
-	meshClient, err := clientset.NewForConfig(cfgHost)
+	meshClient, err := clientset.NewForConfig(serviceMeshCfg)
 	if err != nil {
 		logger.Fatalf("Error building mesh clientset: %v", err)
 	}
@@ -199,7 +221,14 @@ func main() {
 	// start HTTP server
 	go server.ListenAndServe(port, 3*time.Second, logger, stopCh)
 
-	routerFactory := router.NewFactory(cfg, kubeClient, flaggerClient, ingressAnnotationsPrefix, ingressClass, logger, meshClient)
+	setOwnerRefs := true
+	// Router shouldn't set OwnerRefs on resources that they create since the
+	// service mesh/ingress controller is in a different cluster.
+	if cfg.Host != serviceMeshCfg.Host {
+		setOwnerRefs = false
+	}
+
+	routerFactory := router.NewFactory(cfg, kubeClient, flaggerClient, knativeClient, ingressAnnotationsPrefix, ingressClass, logger, meshClient, setOwnerRefs)
 
 	var configTracker canary.Tracker
 	if enableConfigTracking {
@@ -214,10 +243,11 @@ func main() {
 
 	includeLabelPrefixArray := strings.Split(includeLabelPrefix, ",")
 
-	canaryFactory := canary.NewFactory(kubeClient, flaggerClient, configTracker, labels, includeLabelPrefixArray, logger)
+	canaryFactory := canary.NewFactory(kubeClient, flaggerClient, knativeClient, configTracker, labels, includeLabelPrefixArray, logger)
 
 	c := controller.NewController(
 		kubeClient,
+		knativeClient,
 		flaggerClient,
 		infos,
 		controlLoopInterval,
@@ -229,6 +259,9 @@ func main() {
 		meshProvider,
 		version.VERSION,
 		fromEnv("EVENT_WEBHOOK_URL", eventWebhook),
+		clusterName,
+		noCrossNamespaceRefs,
+		cfg,
 	)
 
 	// leader election context
@@ -303,7 +336,7 @@ func startLeaderElection(ctx context.Context, run func(), ns string, kubeClient
 	id = id + "_" + string(uuid.NewUUID())
 
 	lock, err := resourcelock.New(
-		resourcelock.ConfigMapsResourceLock,
+		resourcelock.LeasesResourceLock,
 		ns,
 		configMapName,
 		kubeClient.CoreV1(),
@@ -343,12 +376,15 @@ func startLeaderElection(ctx context.Context, run func(), ns string, kubeClient
 
 func initNotifier(logger *zap.SugaredLogger) (client notifier.Interface) {
 	provider := "slack"
+	token := fromEnv("SLACK_TOKEN", slackToken)
 	notifierURL := fromEnv("SLACK_URL", slackURL)
+	notifierProxyURL := fromEnv("SLACK_PROXY_URL", slackProxyURL)
 	if msteamsURL != "" || os.Getenv("MSTEAMS_URL") != "" {
 		provider = "msteams"
 		notifierURL = fromEnv("MSTEAMS_URL", msteamsURL)
+		notifierProxyURL = fromEnv("MSTEAMS_PROXY_URL", msteamsProxyURL)
 	}
-	notifierFactory := notifier.NewFactory(notifierURL, slackUser, slackChannel)
+	notifierFactory := notifier.NewFactory(notifierURL, token, notifierProxyURL, slackUser, slackChannel)
 
 	var err error
 	client, err = notifierFactory.Notifier(provider)

cmd/loadtester/main.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Flux authors
+Copyright 2020, 2022 The Flux authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,19 +19,22 @@ package main
 import (
 	"flag"
 	"log"
+	"regexp"
 	"time"
 
+	"go.uber.org/zap"
+
 	"github.com/fluxcd/flagger/pkg/loadtester"
 	"github.com/fluxcd/flagger/pkg/logger"
 	"github.com/fluxcd/flagger/pkg/signals"
-	"go.uber.org/zap"
 )
 
-var VERSION = "0.18.0"
+var VERSION = "0.36.0"
 var (
 	logLevel          string
 	port              string
 	timeout           time.Duration
+	namespaceRegexp   string
 	zapReplaceGlobals bool
 	zapEncoding       string
 )
@@ -40,6 +43,7 @@ func init() {
 	flag.StringVar(&logLevel, "log-level", "debug", "Log level can be: debug, info, warning, error.")
 	flag.StringVar(&port, "port", "9090", "Port to listen on.")
 	flag.DurationVar(&timeout, "timeout", time.Hour, "Load test exec timeout.")
+	flag.StringVar(&namespaceRegexp, "namespace-regexp", "", "Restrict access to canaries in matching namespaces.")
 	flag.BoolVar(&zapReplaceGlobals, "zap-replace-globals", false, "Whether to change the logging level of the global zap logger.")
 	flag.StringVar(&zapEncoding, "zap-encoding", "json", "Zap logger encoding.")
 }
@@ -66,5 +70,12 @@ func main() {
 	logger.Infof("Starting load tester v%s API on port %s", VERSION, port)
 
 	gateStorage := loadtester.NewGateStorage("in-memory")
-	loadtester.ListenAndServe(port, time.Minute, logger, taskRunner, gateStorage, stopCh)
+
+	var namespaceRegexpCompiled *regexp.Regexp
+	if namespaceRegexp != "" {
+		namespaceRegexpCompiled = regexp.MustCompile(namespaceRegexp)
+	}
+	authorizer := loadtester.NewAuthorizer(namespaceRegexpCompiled)
+
+	loadtester.ListenAndServe(port, time.Minute, logger, taskRunner, gateStorage, authorizer, stopCh)
 }

docs/gitbook/README.md

@@ -4,27 +4,38 @@ description: Flagger is a progressive delivery Kubernetes operator
 
 # Introduction
 
-[Flagger](https://github.com/weaveworks/flagger) is a **Kubernetes** operator that automates the promotion of canary deployments using **Istio**, **Linkerd**, **App Mesh**, **NGINX**, **Skipper**, **Contour**, **Gloo** or **Traefik** routing for traffic shifting and **Prometheus** metrics for canary analysis. The canary analysis can be extended with webhooks for running system integration/acceptance tests, load tests, or any other custom validation.
+[Flagger](https://github.com/fluxcd/flagger) is a progressive delivery tool that automates the release
+process for applications running on Kubernetes. It reduces the risk of introducing a new software
+version in production by gradually shifting traffic to the new version while measuring metrics
+and running conformance tests.
 
-Flagger implements a control loop that gradually shifts traffic to the canary while measuring key performance indicators like HTTP requests success rate, requests average duration and pods health. Based on analysis of the **KPIs** a canary is promoted or aborted, and the analysis result is published to **Slack** or **MS Teams**.
+Flagger implements several deployment strategies (Canary releases, A/B testing, Blue/Green mirroring)
+using a service mesh or an ingress controller for traffic routing.
+For release analysis, Flagger can query Prometheus, InfluxDB, Datadog, New Relic, CloudWatch, Stackdriver
+or Graphite and for alerting it uses Slack, MS Teams, Discord and Rocket.
 
-![Flagger overview diagram](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-canary-overview.png)
+![Flagger overview diagram](https://raw.githubusercontent.com/fluxcd/flagger/main/docs/diagrams/flagger-overview.png)
 
-Flagger can be configured with Kubernetes custom resources and is compatible with any CI/CD solutions made for Kubernetes. Since Flagger is declarative and reacts to Kubernetes events, it can be used in **GitOps** pipelines together with Flux CD or JenkinsX.
+Flagger can be configured with Kubernetes custom resources and is compatible with
+any CI/CD solutions made for Kubernetes. Since Flagger is declarative and reacts to Kubernetes events,
+it can be used in **GitOps** pipelines together with tools like [Flux CD](install/flagger-install-with-flux.md).
 
-This project is sponsored by [Weaveworks](https://www.weave.works/)
+Flagger is a [Cloud Native Computing Foundation](https://cncf.io/) graduated project
+and part of [Flux](https://fluxcd.io) family of GitOps tools.
 
 ## Getting started
 
-To get started with Flagger, chose one of the supported routing providers and [install](install/flagger-install-on-kubernetes.md) Flagger with Helm or Kustomize.
+To get started with Flagger, choose one of the supported routing providers and
+[install](install/flagger-install-with-flux.md) Flagger with Flux CD.
 
-After install Flagger, you can follow one of the tutorials:
+After installing Flagger, you can follow one of these tutorials to get started:
 
 **Service mesh tutorials**
 
+* [Gateway API](tutorials/gatewayapi-progressive-delivery.md)
 * [Istio](tutorials/istio-progressive-delivery.md)
 * [Linkerd](tutorials/linkerd-progressive-delivery.md)
-* [AWS App Mesh](tutorials/appmesh-progressive-delivery.md)
+* [Kuma](tutorials/kuma-progressive-delivery.md)
 
 **Ingress controller tutorials**
 
@@ -33,10 +44,7 @@ After install Flagger, you can follow one of the tutorials:
 * [NGINX Ingress](tutorials/nginx-progressive-delivery.md)
 * [Skipper Ingress](tutorials/skipper-progressive-delivery.md)
 * [Traefik](tutorials/traefik-progressive-delivery.md)
+* [Apache APISIX](tutorials/apisix-progressive-delivery.md)
 
-**Hands-on GitOps workshops**
-
-* [Istio](https://github.com/stefanprodan/gitops-istio)
-* [Linkerd](https://helm.workshop.flagger.dev)
-* [AWS App Mesh](https://eks.handson.flagger.dev)
-
+The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, 
+please see our [Trademark Usage page](https://www.linuxfoundation.org/legal/trademark-usage).

docs/gitbook/SUMMARY.md

@@ -6,8 +6,7 @@
 ## Install
 
 * [Flagger Install on Kubernetes](install/flagger-install-on-kubernetes.md)
-* [Flagger Install on GKE Istio](install/flagger-install-on-google-cloud.md)
-* [Flagger Install on EKS App Mesh](install/flagger-install-on-eks-appmesh.md)
+* [Flagger Install with Flux](install/flagger-install-with-flux.md)
 
 ## Usage
 
@@ -20,21 +19,22 @@
 
 ## Tutorials
 
+* [Gateway API Canary Deployments](tutorials/gatewayapi-progressive-delivery.md)
 * [Istio Canary Deployments](tutorials/istio-progressive-delivery.md)
 * [Istio A/B Testing](tutorials/istio-ab-testing.md)
 * [Linkerd Canary Deployments](tutorials/linkerd-progressive-delivery.md)
-* [App Mesh Canary Deployments](tutorials/appmesh-progressive-delivery.md)
+* [Kuma Canary Deployments](tutorials/kuma-progressive-delivery.md)
+* [Knative Canary Deployments](tutorials/knative-progressive-delivery.md)
 * [Contour Canary Deployments](tutorials/contour-progressive-delivery.md)
 * [Gloo Canary Deployments](tutorials/gloo-progressive-delivery.md)
 * [NGINX Canary Deployments](tutorials/nginx-progressive-delivery.md)
 * [Skipper Canary Deployments](tutorials/skipper-progressive-delivery.md)
 * [Traefik Canary Deployments](tutorials/traefik-progressive-delivery.md)
+* [Apache APISIX Canary Deployments](tutorials/apisix-progressive-delivery.md)
 * [Blue/Green Deployments](tutorials/kubernetes-blue-green.md)
-* [Crossover Canary Deployments](tutorials/crossover-progressive-delivery.md)
 * [Canary analysis with Prometheus Operator](tutorials/prometheus-operator.md)
-* [Canaries with Helm charts and GitOps](tutorials/canary-helm-gitops.md)
+* [Canary analysis with KEDA ScaledObjects](tutorials/keda-scaledobject.md)
 * [Zero downtime deployments](tutorials/zero-downtime-deployments.md)
-* [Rollout Weights](tutorials/rollout-weights.md)
 
 ## Dev
 

docs/gitbook/dev/dev-guide.md

@@ -8,16 +8,13 @@ Flagger is written in Go and uses Go modules for dependency management.
 
 On your dev machine install the following tools:
 
-* go >= 1.14
-* git >= 2.20
-* bash >= 5.0
-* make >= 3.81
-* kubectl >= 1.16
-* kustomize >= 3.5
-* helm >= 3.0
-* docker >= 19.03
+* go >= 1.25
+* kubectl >= 1.30
+* kustomize >= 5.0
+* helm >= 3.0
 
-You'll also need a Kubernetes cluster for testing Flagger. You can use Minikube, Kind, Docker desktop or any remote cluster \(AKS/EKS/GKE/etc\) Kubernetes version 1.14 or newer.
+You'll also need a Kubernetes cluster for testing Flagger.
+You can use Minikube, Kind, Docker desktop or any remote cluster (AKS/EKS/GKE/etc).
 
 To start contributing to Flagger, fork the [repository](https://github.com/fluxcd/flagger) on GitHub.
 
@@ -99,6 +96,8 @@ make codegen
 Run code formatters:
 
 ```bash
+go install golang.org/x/tools/cmd/goimports@latest
+
 make fmt
 ```
 
@@ -126,7 +125,9 @@ Note that any change to the CRDs must be accompanied by an update to the Open AP
 
 ## Manual testing
 
-Install a service mesh and/or an ingress controller on your cluster and deploy Flagger using one of the install options [listed here](https://docs.flagger.app/install/flagger-install-on-kubernetes).
+Install a service mesh and/or an ingress controller on your cluster
+and deploy Flagger using one of the install options
+[listed here](https://docs.flagger.app/install/flagger-install-on-kubernetes).
 
 If you made changes to the CRDs, apply your local copy with:
 
@@ -190,15 +191,13 @@ docker build -t test/flagger:latest .
 kind load docker-image test/flagger:latest
 ```
 
-
 Run the Istio e2e tests:
 
 ```bash
 ./test/istio/run.sh
 ```
 
-For each service mesh and ingress controller there is a dedicated e2e test suite,
-chose one that matches your changes from this [list](https://github.com/fluxcd/flagger/tree/main/test).
+For each service mesh and ingress controller, there is a dedicated e2e test suite,
+choose one that matches your changes from this [list](https://github.com/fluxcd/flagger/tree/main/test).
 
 When you open a pull request on Flagger repo, the unit and integration tests will be run in CI.
-

docs/gitbook/dev/release-guide.md

@@ -4,13 +4,28 @@ This document describes how to release Flagger.
 
 ## Release
 
-To release a new Flagger version \(e.g. `2.0.0`\) follow these steps:
+### Flagger 
 
-* create a branch `git checkout -b prep-2.0.0`
+To release a new Flagger version (e.g. `2.0.0`) follow these steps:
+
+* create a branch `git checkout -b release-2.0.0`
 * set the version in code and manifests `TAG=2.0.0 make version-set`
 * commit changes and merge PR
-* checkout master `git checkout master && git pull`
-* tag master `make release`
+* checkout main `git checkout main && git pull`
+* tag main `make release`
+
+### Flagger load tester
+
+To release a new Flagger load tester version (e.g. `2.0.0`) follow these steps:
+
+* create a branch `git checkout -b release-ld-2.0.0`
+* set the version in code (`cmd/loadtester/main.go#VERSION`)
+* set the version in the Helm chart (`charts/loadtester/Chart.yaml` and `values.yaml`)
+* set the version in manifests (`kustomize/tester/deployment.yaml`)
+* commit changes and push the branch upstream
+* in GitHub UI, navigate to Actions and run the `push-ld` workflow selecting the release branch
+* after the workflow finishes, open the PR which will run the e2e tests using the new tester version
+* merge the PR if the tests pass
 
 ## CI
 
@@ -18,7 +33,9 @@ After the tag has been pushed to GitHub, the CI release pipeline does the follow
 
 * creates a GitHub release
 * pushes the Flagger binary and change log to GitHub release
-* pushes the Flagger container image to Docker Hub
+* pushes the Flagger container image to GitHub Container Registry
+* pushed the Flagger install manifests to GitHub Container Registry
+* signs all OCI artifacts and release assets with Cosign and GitHub OIDC
 * pushes the Helm chart to github-pages branch
 * GitHub pages publishes the new chart version on the Helm repository
 
@@ -28,8 +45,10 @@ The documentation [website](https://docs.flagger.app) is built from the `docs` b
 
 After a Flagger release, publish the docs with:
 
-* `git checkout master && git pull`
+* `git checkout main && git pull`
 * `git checkout docs`
-* `git rebase master`
+* `git rebase main`
 * `git push origin docs`
 
+Lastly open a PR with all the docs changes on [fluxcd/website](https://github.com/fluxcd/website) to 
+update [fluxcd.io/flagger](https://fluxcd.io/flagger/).

docs/gitbook/faq.md

@@ -2,32 +2,38 @@
 
 ## Deployment Strategies
 
-**Which deployment strategies are supported by Flagger?**
+#### Which deployment strategies are supported by Flagger?
 
 Flagger implements the following deployment strategies:
 
 * [Canary Release](usage/deployment-strategies.md#canary-release)
-* [A/B Testing](usage/deployment-strategies.md#a-b-testing)
-* [Blue/Green](usage/deployment-strategies.md#blue-green-deployments)
-* [Blue/Green Mirroring](usage/deployment-strategies.md#blue-green-with-traffic-mirroring)
+* [A/B Testing](usage/deployment-strategies.md#ab-testing)
+* [Blue/Green](usage/deployment-strategies.md#bluegreen-deployments)
+* [Blue/Green Mirroring](usage/deployment-strategies.md#bluegreen-with-traffic-mirroring)
 
-**When should I use A/B testing instead of progressive traffic shifting?**
+#### When should I use A/B testing instead of progressive traffic shifting?
 
-For frontend applications that require session affinity you should use HTTP headers or cookies match conditions to ensure a set of users will stay on the same version for the whole duration of the canary analysis.
+For frontend applications that require session affinity, you should use HTTP headers or
+cookie match conditions to ensure a set of users will stay on the same version for
+the whole duration of the canary analysis.
 
-**Can I use Flagger to manage applications that live outside of a service mesh?**
+#### Can I use Flagger to manage applications that live outside of a service mesh?
 
-For applications that are not deployed on a service mesh, Flagger can orchestrate Blue/Green style deployments with Kubernetes L4 networking.
+For applications that are not deployed on a service mesh,
+Flagger can orchestrate Blue/Green style deployments with Kubernetes L4 networking.
 
-**When can I use traffic mirroring?**
+#### When can I use traffic mirroring?
 
-Traffic mirroring can be used for Blue/Green deployment strategy or a pre-stage in a Canary release. Traffic mirroring will copy each incoming request, sending one request to the primary and one to the canary service. Mirroring should be used for requests that are **idempotent** or capable of being processed twice \(once by the primary and once by the canary\).
+Traffic mirroring can be used for Blue/Green deployment strategy or a pre-stage in a Canary release.
+Traffic mirroring will copy each incoming request, sending one request to the primary and one to the canary service.
+Mirroring should be used for requests that are **idempotent**
+or capable of being processed twice (once by the primary and once by the canary).
 
-**How to retry a failed release?**
+#### How to retry a failed release?
 
 A canary analysis is triggered by changes in any of the following objects:
 
-* Deployment/DaemonSet PodSpec \(metadata, container image, command, ports, env, resources, etc\)
+* Deployment/DaemonSet PodSpec (metadata, container image, command, ports, env, resources, etc)
 * ConfigMaps mounted as volumes or mapped to environment variables
 * Secrets mounted as volumes or mapped to environment variables
 
@@ -43,11 +49,45 @@ spec:
         timestamp: "2020-03-10T14:24:48+0000"
 ```
 
+#### How to change replicas for a deployment when not using HPA?
+
+To change replicas for a deployment when not using HPA, you have to update the canary deployment with the desired replica count
+and trigger an analysis by annotating the template. After the analysis finishes, Flagger will promote the `spec.replicas` changes to the primary deployment.
+
+Example:
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+spec:
+  replicas: 4  #update replicas
+  template:
+    metadata:
+      annotations:
+        timestamp: "2022-02-10T14:24:48+0000" #add annotation to trigger analysis
+```
+
+#### Why is there a window of downtime during the canary initializing process when analysis is disabled?
+
+A window of downtime is the intended behavior when the analysis is disabled. This allows instant rollback and also mimics the way
+a Kubernetes deployment initialization works. To avoid this, enable the analysis (`skipAnalysis: false`), wait for the initialization
+to finish, and disable it afterward (`skipAnalysis: true`).
+
+#### How to disable cross namespace references?
+
+Flagger by default can access resources across namespaces (`AlertProivder`, `MetricProvider` and Gloo `Upsteream`).
+If you're in a multi-tenant environment and wish to disable this, you can do so through the `no-cross-namespace-refs` flag.
+
+```
+flagger \
+  -no-cross-namespace-refs=true \
+  ...
+```
+
 ## Kubernetes services
 
-**How is an application exposed inside the cluster?**
+#### How is an application exposed inside the cluster?
 
-Assuming the app name is podinfo you can define a canary like:
+Assuming the app name is `podinfo`, you can define a canary like:
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -71,23 +111,26 @@ spec:
     portName: http
 ```
 
-If the `service.name` is not specified, then `targetRef.name` is used for the apex domain and canary/primary services name prefix. You should treat the service name as an immutable field, changing it could result in routing conflicts.
+If the `service.name` is not specified, then `targetRef.name` is used for
+the apex domain and canary/primary services name prefix.
+You should treat the service name as an immutable field; changing its could result in routing conflicts.
 
 Based on the canary spec service, Flagger generates the following Kubernetes ClusterIP service:
 
-* `<service.name>.<namespace>.svc.cluster.local`  
+* `<service.name>.<namespace>.svc.cluster.local`
 
     selector `app=<name>-primary`
 
-* `<service.name>-primary.<namespace>.svc.cluster.local`  
+* `<service.name>-primary.<namespace>.svc.cluster.local`
 
     selector `app=<name>-primary`
 
-* `<service.name>-canary.<namespace>.svc.cluster.local`  
+* `<service.name>-canary.<namespace>.svc.cluster.local`
 
     selector `app=<name>`
 
-This ensures that traffic coming from a namespace outside the mesh to `podinfo.test:9898` will be routed to the latest stable release of your app.
+This ensures that traffic coming from a namespace outside the mesh to `podinfo.test:9898`
+will be routed to the latest stable release of your app.
 
 ```yaml
 apiVersion: v1
@@ -133,13 +176,16 @@ spec:
     targetPort: http
 ```
 
-The `podinfo-canary.test:9898` address is available only during the canary analysis and can be used for conformance testing or load testing.
+The `podinfo-canary.test:9898` address is available only during the canary analysis
+and can be used for conformance testing or load testing.
 
 ## Multiple ports
 
-**My application listens on multiple ports, how can I expose them inside the cluster?**
+#### My application listens on multiple ports. How can I expose them inside the cluster?
 
-If port discovery is enabled, Flagger scans the deployment spec and extracts the containers ports excluding the port specified in the canary service and Envoy sidecar ports. These ports will be used when generating the ClusterIP services.
+If port discovery is enabled, Flagger scans the deployment spec and extracts the containers ports excluding
+the port specified in the canary service and Envoy sidecar ports.
+These ports will be used when generating the ClusterIP services.
 
 For a deployment that exposes two ports:
 
@@ -183,7 +229,7 @@ Both port `8080` and `9090` will be added to the ClusterIP services.
 
 ## Label selectors
 
-**What labels selectors are supported by Flagger?**
+#### What labels selectors are supported by Flagger?
 
 The target deployment must have a single label selector in the format `app: <DEPLOYMENT-NAME>`:
 
@@ -202,13 +248,93 @@ spec:
         app: podinfo
 ```
 
-Besides `app` Flagger supports `name` and `app.kubernetes.io/name` selectors. If you use a different convention you can specify your label with the `-selector-labels` flag.
+Besides `app`, Flagger supports `name` and `app.kubernetes.io/name` selectors.
+If you use a different convention, you can specify your label with the `-selector-labels` flag.
+For example:
 
-**Is pod affinity and anti affinity supported?**
+```
+flagger \
+  -selector-labels=service,name,app.kubernetes.io/name \
+  ...
+```
 
-For pod affinity to work you need to use a different label than the `app`, `name` or `app.kubernetes.io/name`.
+#### Is pod affinity and anti affinity supported?
 
-Anti affinity example:
+Flagger will rewrite the first value in each match expression,
+defined in the target deployment's pod anti-affinity and topology spread constraints,
+satisfying the following two requirements when creating, or updating, the primary deployment:
+
+* The key in the match expression must be one of the labels specified by the parameter selector-labels.
+  The default labels are `app`,`name`,`app.kubernetes.io/name`.
+* The value must match the name of the target deployment.
+
+The rewrite done by Flagger in these cases is to suffix the value with `-primary`.
+This rewrite can be used to spread the pods created by the canary
+and primary deployments across different availability zones.
+
+Example target deployment:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podinfo
+spec:
+  selector:
+    matchLabels:
+      app: podinfo
+  template:
+    metadata:
+      labels:
+        app: podinfo
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                    - podinfo
+              topologyKey: topology.kubernetes.io/zone
+```
+
+Example of generated primary deployment:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: podinfo-primary
+spec:
+  selector:
+    matchLabels:
+      app: podinfo-primary
+  template:
+    metadata:
+      labels:
+        app: podinfo-primary
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                    - podinfo-primary
+              topologyKey: topology.kubernetes.io/zone
+```
+
+It is also possible to use a different label than the `app`, `name` or `app.kubernetes.io/name`.
+
+Anti affinity example(using a different label):
 
 ```yaml
 apiVersion: apps/v1
@@ -234,16 +360,16 @@ spec:
               labelSelector:
                 matchLabels:
                   affinity: podinfo
-              topologyKey: kubernetes.io/hostname
+              topologyKey: topology.kubernetes.io/zone
 ```
 
 ## Metrics
 
-**How does Flagger measures the request success rate and duration?**
+#### How does Flagger measure the request success rate and duration?
 
-Flagger measures the request success rate and duration using Prometheus queries.
+By default, Flagger measures the request success rate and duration using Prometheus queries.
 
-**HTTP requests success rate percentage**
+#### HTTP requests success rate percentage
 
 Spec:
 
@@ -265,69 +391,69 @@ sum(
     rate(
         istio_requests_total{
           reporter="destination",
-          destination_workload_namespace=~"$namespace",
-          destination_workload=~"$workload",
+          destination_workload_namespace=~"{{ namespace }}",
+          destination_workload=~"{{ target }}",
           response_code!~"5.*"
-        }[$interval]
+        }[{{ interval }}]
     )
-) 
-/ 
+)
+/
 sum(
     rate(
         istio_requests_total{
           reporter="destination",
-          destination_workload_namespace=~"$namespace",
-          destination_workload=~"$workload"
-        }[$interval]
+          destination_workload_namespace=~"{{ namespace }}",
+          destination_workload=~"{{ target }}"
+        }[{{ interval }}]
     )
 )
 ```
 
-Envoy query \(App Mesh\):
+Envoy query (App Mesh):
 
 ```javascript
 sum(
     rate(
         envoy_cluster_upstream_rq{
-          kubernetes_namespace="$namespace",
-          kubernetes_pod_name=~"$workload",
+          kubernetes_namespace="{{ namespace }}",
+          kubernetes_pod_name=~"{{ target }}",
           envoy_response_code!~"5.*"
-        }[$interval]
-    )
-) 
-/ 
-sum(
-    rate(
-        envoy_cluster_upstream_rq{
-          kubernetes_namespace="$namespace",
-          kubernetes_pod_name=~"$workload"
-        }[$interval]
-    )
-)
-```
-
-Envoy query \(Contour or Gloo\):
-
-```javascript
-sum(
-    rate(
-        envoy_cluster_upstream_rq{
-            envoy_cluster_name=~"$namespace-$workload",
-            envoy_response_code!~"5.*"
-        }[$interval]
+        }[{{ interval }}]
     )
 )
 /
 sum(
     rate(
         envoy_cluster_upstream_rq{
-            envoy_cluster_name=~"$namespace-$workload",
-        }[$interval]
+          kubernetes_namespace="{{ namespace }}",
+          kubernetes_pod_name=~"{{ target }}"
+        }[{{ interval }}]
     )
 )
 ```
 
-**HTTP requests milliseconds duration P99**
+Envoy query (Contour and Gloo):
+
+```javascript
+sum(
+    rate(
+        envoy_cluster_upstream_rq{
+            envoy_cluster_name=~"{{ namespace }}-{{ target }}",
+            envoy_response_code!~"5.*"
+        }[{{ interval }}]
+    )
+)
+/
+sum(
+    rate(
+        envoy_cluster_upstream_rq{
+            envoy_cluster_name=~"{{ namespace }}-{{ target }}",
+        }[{{ interval }}]
+    )
+)
+```
+
+#### HTTP requests milliseconds duration P99
 
 Spec:
 
@@ -345,29 +471,29 @@ Spec:
 Istio query:
 
 ```javascript
-histogram_quantile(0.99, 
+histogram_quantile(0.99,
   sum(
     irate(
-      istio_request_duration_seconds_bucket{
+      istio_request_duration_milliseconds_bucket{
         reporter="destination",
-        destination_workload=~"$workload",
-        destination_workload_namespace=~"$namespace"
-      }[$interval]
+        destination_workload=~"{{ target }}",
+        destination_workload_namespace=~"{{ namespace }}"
+      }[{{ interval }}]
     )
   ) by (le)
 )
 ```
 
-Envoy query \(App Mesh, Contour or Gloo\):
+Envoy query (App Mesh, Contour and Gloo):
 
 ```javascript
-histogram_quantile(0.99, 
+histogram_quantile(0.99,
   sum(
     irate(
       envoy_cluster_upstream_rq_time_bucket{
-        kubernetes_pod_name=~"$workload",
-        kubernetes_namespace=~"$namespace"
-      }[$interval]
+        kubernetes_pod_name=~"{{ target }}",
+        kubernetes_namespace=~"{{ namespace }}"
+      }[{{ interval }}]
     )
   ) by (le)
 )
@@ -375,17 +501,48 @@ histogram_quantile(0.99,
 
 > **Note** that the metric interval should be lower or equal to the control loop interval.
 
-**Can I use custom metrics?**
+#### Can I use custom metrics?
 
-The analysis can be extended with metrics provided by Prometheus, Datadog and AWS CloudWatch. For more details on how custom metrics can be used please read the [metrics docs](usage/metrics.md).
+The analysis can be extended with metrics provided by Prometheus, Datadog, AWS CloudWatch, New Relic and Graphite.
+For more details on how custom metrics can be used, please read the [metrics docs](usage/metrics.md).
+
+#### Istio Gateway API
+
+If you're using Istio with Gateway API, the Prometheus query needs to include `reporter="source"`. For example, to calculate HTTP requests error percentage, the query would be:
+
+```javascript
+100 - sum(
+    rate(
+        istio_requests_total{
+          reporter="source",
+          destination_workload_namespace=~"{{ namespace }}",
+          destination_workload=~"{{ target }}",
+          response_code!~"5.*"
+        }[{{ interval }}]
+    )
+)
+/
+sum(
+    rate(
+        istio_requests_total{
+          reporter="source",
+          destination_workload_namespace=~"{{ namespace }}",
+          destination_workload=~"{{ target }}"
+        }[{{ interval }}]
+    )
+) * 100
+```
 
 ## Istio routing
 
-**How does Flagger interact with Istio?**
+#### How does Flagger interact with Istio?
 
-Flagger creates an Istio Virtual Service and Destination Rules based on the Canary service spec. The service configuration lets you expose an app inside or outside the mesh. You can also define traffic policies, HTTP match conditions, URI rewrite rules, CORS policies, timeout and retries.
+Flagger creates an Istio Virtual Service and Destination Rules based on the Canary service spec.
+The service configuration lets you expose an app inside or outside the mesh. You can also define traffic policies,
+HTTP match conditions, URI rewrite rules, CORS policies, timeout and retries.
 
-The following spec exposes the `frontend` workload inside the mesh on `frontend.test.svc.cluster.local:9898` and outside the mesh on `frontend.example.com`. You'll have to specify an Istio ingress gateway for external hosts.
+The following spec exposes the `frontend` workload inside the mesh on `frontend.test.svc.cluster.local:9898`
+and outside the mesh on `frontend.example.com`. You'll have to specify an Istio ingress gateway for external hosts.
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -401,7 +558,7 @@ spec:
     portName: http-frontend
     # Istio gateways (optional)
     gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     - mesh
     # Istio virtual service host names (optional)
     hosts:
@@ -443,7 +600,7 @@ spec:
 For the above spec Flagger will generate the following virtual service:
 
 ```yaml
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: frontend
@@ -457,7 +614,7 @@ metadata:
       uid: 3a4a40dd-3875-11e9-8e1d-42010a9c0fd1
 spec:
   gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     - mesh
   hosts:
     - frontend.example.com
@@ -496,7 +653,7 @@ spec:
 For each destination in the virtual service a rule is generated:
 
 ```yaml
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: frontend-primary
@@ -507,7 +664,7 @@ spec:
     tls:
       mode: DISABLE
 ---
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: frontend-canary
@@ -519,9 +676,11 @@ spec:
       mode: DISABLE
 ```
 
-Flagger keeps in sync the virtual service and destination rules with the canary service spec. Any direct modification to the virtual service spec will be overwritten.
+Flagger keeps in sync the virtual service and destination rules with the canary service spec.
+Any direct modification to the virtual service spec will be overwritten.
 
-To expose a workload inside the mesh on `http://backend.test.svc.cluster.local:9898`, the service spec can contain only the container port and the traffic policy:
+To expose a workload inside the mesh on `http://backend.test.svc.cluster.local:9898`,
+the service spec can contain only the container port and the traffic policy:
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -562,9 +721,11 @@ spec:
     app: backend-primary
 ```
 
-Flagger works for user facing apps exposed outside the cluster via an ingress gateway and for backend HTTP APIs that are accessible only from inside the mesh.
+Flagger works for user facing apps exposed outside the cluster via an ingress gateway and for backend HTTP APIs
+that are accessible only from inside the mesh.
 
-If `Delegation` is enabled, Flagger would generate Istio VirtualService without hosts and gateway, making the service compatible with Istio delegation.
+If `Delegation` is enabled, Flagger would generate Istio VirtualService without hosts and gateway,
+making the service compatible with Istio delegation.
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -590,7 +751,7 @@ spec:
 Based on the above spec, Flagger will create the following virtual service:
 
 ```yaml
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: backend
@@ -613,17 +774,17 @@ spec:
       weight: 0
 ```
 
-Therefore, The following virtual service forward the traffic to `/podinfo` by the above delegate VirtualService.
+Therefore, the following virtual service forwards the traffic to `/podinfo` by the above delegate VirtualService.
 
 ```yaml
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: frontend
   namespace: test
 spec:
   gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     - mesh
   hosts:
     - frontend.example.com
@@ -639,13 +800,17 @@ spec:
       namespace: test
 ```
 
-Note that pilot env `PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE` must also be set. \(For the use of Istio Delegation, you can refer to the documentation of [Virtual Service](https://istio.io/latest/docs/reference/config/networking/virtual-service/#Delegate) and [pilot environment variables](https://istio.io/latest/docs/reference/commands/pilot-discovery/#envvars).\)
+Note that pilot env `PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE` must also be set.
+For the use of Istio Delegation, you can refer to the documentation of
+[Virtual Service](https://istio.io/latest/docs/reference/config/networking/virtual-service/#Delegate)
+and [pilot environment variables](https://istio.io/latest/docs/reference/commands/pilot-discovery/#envvars).
 
 ## Istio Ingress Gateway
 
-**How can I expose multiple canaries on the same external domain?**
+#### How can I expose multiple canaries on the same external domain?
 
-Assuming you have two apps, one that servers the main website and one that serves the REST API. For each app you can define a canary object as:
+Assuming you have two apps -- one that serves the main website and one that serves its REST API --
+you can define a canary object for each app as:
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -656,7 +821,7 @@ spec:
   service:
     port: 8080
     gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     hosts:
     - my-site.com
     match:
@@ -673,7 +838,7 @@ spec:
   service:
     port: 8080
     gateways:
-    - public-gateway.istio-system.svc.cluster.local
+    - istio-system/public-gateway
     hosts:
     - my-site.com
     match:
@@ -683,13 +848,17 @@ spec:
       uri: /
 ```
 
-Based on the above configuration, Flagger will create two virtual services bounded to the same ingress gateway and external host. Istio Pilot will [merge](https://istio.io/help/ops/traffic-management/deploy-guidelines/#multiple-virtual-services-and-destination-rules-for-the-same-host) the two services and the website rule will be moved to the end of the list in the merged configuration.
+Based on the above configuration, Flagger will create two virtual services bounded
+to the same ingress gateway and external host.
+Istio Pilot will
+[merge](https://istio.io/help/ops/traffic-management/deploy-guidelines/#multiple-virtual-services-and-destination-rules-for-the-same-host)
+the two services and the website rule will be moved to the end of the list in the merged configuration.
 
-Note that host merging only works if the canaries are bounded to a ingress gateway other than the `mesh` gateway.
+Note that host merging only works if the canaries are bounded to an ingress gateway other than the `mesh` gateway.
 
 ## Istio Mutual TLS
 
-**How can I enable mTLS for a canary?**
+#### How can I enable mTLS for a canary?
 
 When deploying Istio with global mTLS enabled, you have to set the TLS mode to `ISTIO_MUTUAL`:
 
@@ -703,7 +872,7 @@ spec:
         mode: ISTIO_MUTUAL
 ```
 
-If you run Istio in permissive mode you can disable TLS:
+If you run Istio in permissive mode, you can disable TLS:
 
 ```yaml
 apiVersion: flagger.app/v1beta1
@@ -715,12 +884,13 @@ spec:
         mode: DISABLE
 ```
 
-**If Flagger is outside of the mesh, how can it start the load test?**
+#### If Flagger is outside of the mesh, how can it start the load test?
 
-In order for Flagger to be able to call the load tester service from outside the mesh, you need to disable mTLS on port 80:
+In order for Flagger to be able to call the load tester service from outside the mesh,
+you need to disable mTLS:
 
 ```yaml
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
   name: flagger-loadtester
@@ -731,15 +901,54 @@ spec:
     tls:
       mode: DISABLE
 ---
-apiVersion: authentication.istio.io/v1alpha1
-kind: Policy
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
 metadata:
   name: flagger-loadtester
   namespace: test
 spec:
-  targets:
-  - name: flagger-loadtester
-    ports:
-    - number: 80
+  selector:
+    matchLabels:
+      app: flagger-loadtester
+  mtls:
+    mode: DISABLE
 ```
 
+## ExternalDNS
+
+### Can I use annotations?
+
+Flagger propagates annotations (and labels) to all the generated apex,
+primary and canary objects. This allows using external-dns annotations.
+
+You can configure Flagger to set annotations with:
+
+```yaml
+spec:
+  service:
+    apex:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: "mydomain.com"
+    primary:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: "primary.mydomain.com"
+    canary:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: "canary.mydomain.com"
+```
+
+### Multiple sources and Istio
+
+**/!\\** The apex annotations are added to both the generated Kubernetes Services and the generated Istio
+VirtualServices objects. If you have configured external-dns to use both sources,
+this will create conflicts!
+
+```yaml
+    spec:
+      containers:
+        args:
+        - --source=service              # choose only one
+        - --source=istio-virtualservice # of these two
+```
+
+[Checkout ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/istio.md)

docs/gitbook/install/flagger-install-on-eks-appmesh.md

@@ -1,146 +0,0 @@
-# Flagger Install on EKS App Mesh
-
-This guide walks you through setting up Flagger and AWS App Mesh on EKS.
-
-## App Mesh
-
-The App Mesh integration with EKS is made out of the following components:
-
-* Kubernetes custom resources
-  * `mesh.appmesh.k8s.aws` defines a logical boundary for network traffic between the services 
-  * `virtualnode.appmesh.k8s.aws` defines a logical pointer to a Kubernetes workload
-  * `virtualservice.appmesh.k8s.aws` defines the routing rules for a workload inside the mesh
-* CRD controller - keeps the custom resources in sync with the App Mesh control plane
-* Admission controller - injects the Envoy sidecar and assigns Kubernetes pods to App Mesh virtual nodes
-* Telemetry service - Prometheus instance that collects and stores Envoy's metrics
-
-## Create a Kubernetes cluster
-
-In order to create an EKS cluster you can use [eksctl](https://eksctl.io). Eksctl is an open source command-line utility made by Weaveworks in collaboration with Amazon.
-
-On MacOS you can install eksctl with Homebrew:
-
-```bash
-brew tap weaveworks/tap
-brew install weaveworks/tap/eksctl
-```
-
-Create an EKS cluster with:
-
-```bash
-eksctl create cluster --name=appmesh \
---region=us-west-2 \
---nodes 3 \
---node-volume-size=120 \
---appmesh-access
-```
-
-The above command will create a two nodes cluster with App Mesh [IAM policy](https://docs.aws.amazon.com/app-mesh/latest/userguide/MESH_IAM_user_policies.html) attached to the EKS node instance role.
-
-Verify the install with:
-
-```bash
-kubectl get nodes
-```
-
-## Install Helm
-
-Install the [Helm](https://docs.helm.sh/using_helm/#installing-helm) v3 command-line tool:
-
-```text
-brew install helm
-```
-
-Add the EKS repository to Helm:
-
-```bash
-helm repo add eks https://aws.github.io/eks-charts
-```
-
-## Enable horizontal pod auto-scaling
-
-Install the Horizontal Pod Autoscaler \(HPA\) metrics provider:
-
-```bash
-helm upgrade -i metrics-server stable/metrics-server \
---namespace kube-system \
---set args[0]=--kubelet-preferred-address-types=InternalIP
-```
-
-After a minute, the metrics API should report CPU and memory usage for pods. You can very the metrics API with:
-
-```bash
-kubectl -n kube-system top pods
-```
-
-## Install the App Mesh components
-
-Install the App Mesh CRDs:
-
-```bash
-kubectl apply -k github.com/aws/eks-charts/stable/appmesh-controller//crds?ref=master
-```
-
-Create the `appmesh-system` namespace:
-
-```bash
-kubectl create ns appmesh-system
-```
-
-Install the App Mesh controller:
-
-```bash
-helm upgrade -i appmesh-controller eks/appmesh-controller \
---wait --namespace appmesh-system
-```
-
-In order to collect the App Mesh metrics that Flagger needs to run the canary analysis, you'll need to setup a Prometheus instance to scrape the Envoy sidecars.
-
-Install the App Mesh Prometheus:
-
-```bash
-helm upgrade -i appmesh-prometheus eks/appmesh-prometheus \
---wait --namespace appmesh-system
-```
-
-## Install Flagger
-
-Add Flagger Helm repository:
-
-```bash
-helm repo add flagger https://flagger.app
-```
-
-Install Flagger's Canary CRD:
-
-```yaml
-kubectl apply -f https://raw.githubusercontent.com/weaveworks/flagger/master/artifacts/flagger/crd.yaml
-```
-
-Deploy Flagger in the _**appmesh-system**_ namespace:
-
-```bash
-helm upgrade -i flagger flagger/flagger \
---namespace=appmesh-system \
---set crd.create=false \
---set meshProvider=appmesh:v1beta2 \
---set metricsServer=http://appmesh-prometheus:9090
-```
-
-## Install Grafana
-
-Deploy App Mesh Grafana that comes with a dashboard for monitoring Flagger's canary releases:
-
-```bash
-helm upgrade -i appmesh-grafana eks/appmesh-grafana \
---namespace appmesh-system
-```
-
-You can access Grafana using port forwarding:
-
-```bash
-kubectl -n appmesh-system port-forward svc/appmesh-grafana 3000:3000
-```
-
-Now that you have Flagger running, you can try the [App Mesh canary deployments tutorial](https://docs.flagger.app/usage/appmesh-progressive-delivery).
-

docs/gitbook/install/flagger-install-on-google-cloud.md

@@ -1,400 +0,0 @@
-# Flagger Install on GKE Istio
-
-This guide walks you through setting up Flagger and Istio on Google Kubernetes Engine.
-
-![GKE Cluster Overview](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-gke-istio.png)
-
-## Prerequisites
-
-You will be creating a cluster on Google’s Kubernetes Engine \(GKE\), if you don’t have an account you can sign up [here](https://cloud.google.com/free/) for free credits.
-
-Login into Google Cloud, create a project and enable billing for it.
-
-Install the [gcloud](https://cloud.google.com/sdk/) command line utility and configure your project with `gcloud init`.
-
-Set the default project \(replace `PROJECT_ID` with your own project\):
-
-```text
-gcloud config set project PROJECT_ID
-```
-
-Set the default compute region and zone:
-
-```text
-gcloud config set compute/region us-central1
-gcloud config set compute/zone us-central1-a
-```
-
-Enable the Kubernetes and Cloud DNS services for your project:
-
-```text
-gcloud services enable container.googleapis.com
-gcloud services enable dns.googleapis.com
-```
-
-Install the kubectl command-line tool:
-
-```text
-gcloud components install kubectl
-```
-
-## GKE cluster setup
-
-Create a cluster with the Istio add-on:
-
-```bash
-K8S_VERSION=$(gcloud container get-server-config --format=json \
-| jq -r '.validMasterVersions[0]')
-
-gcloud beta container clusters create istio \
---cluster-version=${K8S_VERSION} \
---zone=us-central1-a \
---num-nodes=2 \
---machine-type=n1-highcpu-4 \
---preemptible \
---no-enable-cloud-logging \
---no-enable-cloud-monitoring \
---disk-size=30 \
---enable-autorepair \
---addons=HorizontalPodAutoscaling,Istio \
---istio-config=auth=MTLS_PERMISSIVE
-```
-
-The above command will create a default node pool consisting of two `n1-highcpu-4` \(vCPU: 4, RAM 3.60GB, DISK: 30GB\) preemptible VMs. Preemptible VMs are up to 80% cheaper than regular instances and are terminated and replaced after a maximum of 24 hours.
-
-Set up credentials for `kubectl`:
-
-```bash
-gcloud container clusters get-credentials istio
-```
-
-Create a cluster admin role binding:
-
-```bash
-kubectl create clusterrolebinding "cluster-admin-$(whoami)" \
---clusterrole=cluster-admin \
---user="$(gcloud config get-value core/account)"
-```
-
-Validate your setup with:
-
-```bash
-kubectl -n istio-system get svc
-```
-
-In a couple of seconds GCP should allocate an external IP to the `istio-ingressgateway` service.
-
-## Cloud DNS setup
-
-You will need an internet domain and access to the registrar to change the name servers to Google Cloud DNS.
-
-Create a managed zone named `istio` in Cloud DNS \(replace `example.com` with your domain\):
-
-```bash
-gcloud dns managed-zones create \
---dns-name="example.com." \
---description="Istio zone" "istio"
-```
-
-Look up your zone's name servers:
-
-```bash
-gcloud dns managed-zones describe istio
-```
-
-Update your registrar's name server records with the records returned by the above command.
-
-Wait for the name servers to change \(replace `example.com` with your domain\):
-
-```bash
-watch dig +short NS example.com
-```
-
-Create a static IP address named `istio-gateway` using the Istio ingress IP:
-
-```bash
-export GATEWAY_IP=$(kubectl -n istio-system get svc/istio-ingressgateway -ojson \
-| jq -r .status.loadBalancer.ingress[0].ip)
-
-gcloud compute addresses create istio-gateway --addresses ${GATEWAY_IP} --region us-central1
-```
-
-Create the following DNS records \(replace `example.com` with your domain\):
-
-```bash
-DOMAIN="example.com"
-
-gcloud dns record-sets transaction start --zone=istio
-
-gcloud dns record-sets transaction add --zone=istio \
---name="${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}
-
-gcloud dns record-sets transaction add --zone=istio \
---name="www.${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}
-
-gcloud dns record-sets transaction add --zone=istio \
---name="*.${DOMAIN}" --ttl=300 --type=A ${GATEWAY_IP}
-
-gcloud dns record-sets transaction execute --zone istio
-```
-
-Verify that the wildcard DNS is working \(replace `example.com` with your domain\):
-
-```bash
-watch host test.example.com
-```
-
-## Install Helm
-
-Install the [Helm](https://docs.helm.sh/using_helm/#installing-helm) command-line tool:
-
-```text
-brew install kubernetes-helm
-```
-
-Create a service account and a cluster role binding for Tiller:
-
-```bash
-kubectl -n kube-system create sa tiller
-
-kubectl create clusterrolebinding tiller-cluster-rule \
---clusterrole=cluster-admin \
---serviceaccount=kube-system:tiller
-```
-
-Deploy Tiller in the `kube-system` namespace:
-
-```bash
-helm init --service-account tiller
-```
-
-You should consider using SSL between Helm and Tiller, for more information on securing your Helm installation see [docs.helm.sh](https://docs.helm.sh/using_helm/#securing-your-helm-installation).
-
-## Install cert-manager
-
-Jetstack's [cert-manager](https://github.com/jetstack/cert-manager) is a Kubernetes operator that automatically creates and manages TLS certs issued by Let’s Encrypt.
-
-You'll be using cert-manager to provision a wildcard certificate for the Istio ingress gateway.
-
-Install cert-manager's CRDs:
-
-```bash
-CERT_REPO=https://raw.githubusercontent.com/jetstack/cert-manager
-
-kubectl apply -f ${CERT_REPO}/release-0.10/deploy/manifests/00-crds.yaml
-```
-
-Create the cert-manager namespace and disable resource validation:
-
-```bash
-kubectl create namespace cert-manager
-
-kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
-```
-
-Install cert-manager with Helm:
-
-```bash
-helm repo add jetstack https://charts.jetstack.io && \
-helm repo update && \
-helm upgrade -i cert-manager \
---namespace cert-manager \
---version v0.10.0 \
-jetstack/cert-manager
-```
-
-## Istio Gateway TLS setup
-
-![Istio Let's Encrypt](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/istio-cert-manager-gke.png)
-
-Create a generic Istio Gateway to expose services outside the mesh on HTTPS:
-
-```bash
-REPO=https://raw.githubusercontent.com/weaveworks/flagger/master
-
-kubectl apply -f ${REPO}/artifacts/gke/istio-gateway.yaml
-```
-
-Create a service account with Cloud DNS admin role \(replace `my-gcp-project` with your project ID\):
-
-```bash
-GCP_PROJECT=my-gcp-project
-
-gcloud iam service-accounts create dns-admin \
---display-name=dns-admin \
---project=${GCP_PROJECT}
-
-gcloud iam service-accounts keys create ./gcp-dns-admin.json \
---iam-account=dns-admin@${GCP_PROJECT}.iam.gserviceaccount.com \
---project=${GCP_PROJECT}
-
-gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
---member=serviceAccount:dns-admin@${GCP_PROJECT}.iam.gserviceaccount.com \
---role=roles/dns.admin
-```
-
-Create a Kubernetes secret with the GCP Cloud DNS admin key:
-
-```bash
-kubectl create secret generic cert-manager-credentials \
---from-file=./gcp-dns-admin.json \
---namespace=istio-system
-```
-
-Create a letsencrypt issuer for CloudDNS \(replace `email@example.com` with a valid email address and `my-gcp-project`with your project ID\):
-
-```yaml
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: Issuer
-metadata:
-  name: letsencrypt-prod
-  namespace: istio-system
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: email@example.com
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    dns01:
-      providers:
-      - name: cloud-dns
-        clouddns:
-          serviceAccountSecretRef:
-            name: cert-manager-credentials
-            key: gcp-dns-admin.json
-          project: my-gcp-project
-```
-
-Save the above resource as letsencrypt-issuer.yaml and then apply it:
-
-```text
-kubectl apply -f ./letsencrypt-issuer.yaml
-```
-
-Create a wildcard certificate \(replace `example.com` with your domain\):
-
-```yaml
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: Certificate
-metadata:
-  name: istio-gateway
-  namespace: istio-system
-spec:
-  secretName: istio-ingressgateway-certs
-  issuerRef:
-    name: letsencrypt-prod
-  commonName: "*.example.com"
-  acme:
-    config:
-    - dns01:
-        provider: cloud-dns
-      domains:
-      - "*.example.com"
-      - "example.com"
-```
-
-Save the above resource as istio-gateway-cert.yaml and then apply it:
-
-```text
-kubectl apply -f ./istio-gateway-cert.yaml
-```
-
-In a couple of seconds cert-manager should fetch a wildcard certificate from letsencrypt.org:
-
-```text
-kubectl -n istio-system describe certificate istio-gateway
-
-Events:
-  Type    Reason         Age    From          Message
-  ----    ------         ----   ----          -------
-  Normal  CertIssued     1m52s  cert-manager  Certificate issued successfully
-```
-
-Recreate Istio ingress gateway pods:
-
-```bash
-kubectl -n istio-system get pods -l istio=ingressgateway
-```
-
-Note that Istio gateway doesn't reload the certificates from the TLS secret on cert-manager renewal. Since the GKE cluster is made out of preemptible VMs the gateway pods will be replaced once every 24h, if your not using preemptible nodes then you need to manually delete the gateway pods every two months before the certificate expires.
-
-## Install Prometheus
-
-The GKE Istio add-on does not include a Prometheus instance that scrapes the Istio telemetry service. Because Flagger uses the Istio HTTP metrics to run the canary analysis you have to deploy the following Prometheus configuration that's similar to the one that comes with the official Istio Helm chart.
-
-Find the GKE Istio version with:
-
-```bash
-kubectl -n istio-system get deploy istio-pilot -oyaml | grep image:
-```
-
-Install Prometheus in istio-system namespace:
-
-```bash
-kubectl -n istio-system apply -f \
-https://storage.googleapis.com/gke-release/istio/release/1.0.6-gke.3/patches/install-prometheus.yaml
-```
-
-## Install Flagger and Grafana
-
-Add Flagger Helm repository:
-
-```bash
-helm repo add flagger https://flagger.app
-```
-
-Install Flagger's Canary CRD:
-
-```yaml
-kubectl apply -f https://raw.githubusercontent.com/weaveworks/flagger/master/artifacts/flagger/crd.yaml
-```
-
-Deploy Flagger in the `istio-system` namespace with Slack notifications enabled:
-
-```bash
-helm upgrade -i flagger flagger/flagger \
---namespace=istio-system \
---set crd.create=false \
---set metricsServer=http://prometheus.istio-system:9090 \
---set slack.url=https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK \
---set slack.channel=general \
---set slack.user=flagger
-```
-
-Deploy Grafana in the `istio-system` namespace:
-
-```bash
-helm upgrade -i flagger-grafana flagger/grafana \
---namespace=istio-system \
---set url=http://prometheus.istio-system:9090 \
---set user=admin \
---set password=replace-me
-```
-
-Expose Grafana through the public gateway by creating a virtual service \(replace `example.com` with your domain\):
-
-```yaml
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: grafana
-  namespace: istio-system
-spec:
-  hosts:
-  - "grafana.example.com"
-  gateways:
-  - public-gateway.istio-system.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: flagger-grafana
-```
-
-Save the above resource as grafana-virtual-service.yaml and then apply it:
-
-```bash
-kubectl apply -f ./grafana-virtual-service.yaml
-```
-
-Navigate to `http://grafana.example.com` in your browser and you should be redirected to the HTTPS version.
-

docs/gitbook/install/flagger-install-on-kubernetes.md

@@ -1,10 +1,8 @@
 # Flagger Install on Kubernetes
 
-This guide walks you through setting up Flagger on a Kubernetes cluster with Helm v3 or Kustomize.
+This guide walks you through setting up Flagger on a Kubernetes cluster with Helm or Kubectl.
 
-## Prerequisites
-
-Flagger requires a Kubernetes cluster **v1.14** or newer.
+See the [Flux install guide](flagger-install-with-flux.md) for installing Flagger and keeping it up to date the GitOps way.
 
 ## Install Flagger with Helm
 
@@ -17,7 +15,7 @@ helm repo add flagger https://flagger.app
 Install Flagger's Canary CRD:
 
 ```yaml
-kubectl apply -f https://raw.githubusercontent.com/weaveworks/flagger/master/artifacts/flagger/crd.yaml
+kubectl apply -f https://raw.githubusercontent.com/fluxcd/flagger/main/artifacts/flagger/crd.yaml
 ```
 
 Deploy Flagger for Istio:
@@ -30,9 +28,12 @@ helm upgrade -i flagger flagger/flagger \
 --set metricsServer=http://prometheus:9090
 ```
 
-Note that Flagger depends on Istio telemetry and Prometheus, if you're installing Istio with istioctl then you should be using the [default profile](https://istio.io/docs/setup/additional-setup/config-profiles/).
+Note that Flagger depends on Istio telemetry and Prometheus, if you're installing
+Istio with istioctl then you should be using the
+[default profile](https://istio.io/docs/setup/additional-setup/config-profiles/).
 
-For Istio multi-cluster shared control plane you can install Flagger on each remote cluster and set the Istio control plane host cluster kubeconfig:
+For Istio multi-cluster shared control plane you can install Flagger on each remote cluster and set the
+Istio control plane host cluster kubeconfig:
 
 ```bash
 helm upgrade -i flagger flagger/flagger \
@@ -40,11 +41,13 @@ helm upgrade -i flagger flagger/flagger \
 --set crd.create=false \
 --set meshProvider=istio \
 --set metricsServer=http://istio-cluster-prometheus:9090 \
---set istio.kubeconfig.secretName=istio-kubeconfig \
---set istio.kubeconfig.key=kubeconfig
+--set controlplane.kubeconfig.secretName=istio-kubeconfig \
+--set controlplane.kubeconfig.key=kubeconfig
 ```
 
-Note that the Istio kubeconfig must be stored in a Kubernetes secret with a data key named `kubeconfig`. For more details on how to configure Istio multi-cluster credentials read the [Istio docs](https://istio.io/docs/setup/install/multicluster/shared-vpn/#credentials).
+Note that the Istio kubeconfig must be stored in a Kubernetes secret with a data key named `kubeconfig`.
+For more details on how to configure Istio multi-cluster
+credentials read the [Istio docs](https://istio.io/docs/setup/install/multicluster/shared-vpn/#credentials).
 
 Deploy Flagger for Linkerd:
 
@@ -56,59 +59,25 @@ helm upgrade -i flagger flagger/flagger \
 --set metricsServer=http://linkerd-prometheus:9090
 ```
 
-Deploy Flagger for App Mesh:
+If you need to add labels to the flagger deployment or pods, you can pass the labels as parameters as shown below.
 
-```bash
+```console
 helm upgrade -i flagger flagger/flagger \
---namespace=appmesh-system \
---set crd.create=false \
---set meshProvider=appmesh \
---set metricsServer=http://appmesh-prometheus:9090
+<other parameters> \
+--set podLabels.<labelName>=<labelValue> \
+--set deploymentLabels.<labelName>=<labelValue> 
 ```
 
 You can install Flagger in any namespace as long as it can talk to the Prometheus service on port 9090.
 
-For ingress controllers, the install instructions are:
+For ingress controllers, the installation instructions are:
 
 * [Contour](https://docs.flagger.app/tutorials/contour-progressive-delivery)
 * [Gloo](https://docs.flagger.app/tutorials/gloo-progressive-delivery)
 * [NGINX](https://docs.flagger.app/tutorials/nginx-progressive-delivery)
 * [Skipper](https://docs.flagger.app/tutorials/skipper-progressive-delivery)
 * [Traefik](https://docs.flagger.app/tutorials/traefik-progressive-delivery)
-
-Enable **Slack** notifications:
-
-```bash
-helm upgrade -i flagger flagger/flagger \
---namespace=istio-system \
---set crd.create=false \
---set slack.url=https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK \
---set slack.channel=general \
---set slack.user=flagger
-```
-
-Enable **Microsoft Teams** notifications:
-
-```bash
-helm upgrade -i flagger flagger/flagger \
---namespace=istio-system \
---set crd.create=false \
---set msteams.url=https://outlook.office.com/webhook/YOUR/TEAMS/WEBHOOK
-```
-
-You can use the helm template command and apply the generated yaml with kubectl:
-
-```bash
-# generate
-helm fetch --untar --untardir . flagger/flagger &&
-helm template flagger ./flagger \
---namespace=istio-system \
---set metricsServer=http://prometheus.istio-system:9090 \
-> flagger.yaml
-
-# apply
-kubectl apply -f flagger.yaml
-```
+* [APISIX](https://docs.flagger.app/tutorials/apisix-progressive-delivery)
 
 To uninstall the Flagger release with Helm run:
 
@@ -118,9 +87,10 @@ helm delete flagger
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 
-> **Note** that on uninstall the Canary CRD will not be removed. Deleting the CRD will make Kubernetes remove all the objects owned by Flagger like Istio virtual services, Kubernetes deployments and ClusterIP services.
+> **Note** that on uninstall the Canary CRD will not be removed. Deleting the CRD will make Kubernetes
+> remove all the objects owned by Flagger like Istio virtual services, Kubernetes deployments and ClusterIP services.
 
-If you want to remove all the objects created by Flagger you have delete the Canary CRD with kubectl:
+If you want to remove all the objects created by Flagger you have to delete the Canary CRD with kubectl:
 
 ```text
 kubectl delete crd canaries.flagger.app
@@ -140,84 +110,25 @@ helm upgrade -i flagger-grafana flagger/grafana \
 --set password=change-me
 ```
 
-Or use helm template command and apply the generated yaml with kubectl:
-
-```bash
-# generate
-helm fetch --untar --untardir . flagger/grafana &&
-helm template flagger-grafana ./grafana \
---namespace=istio-system \
-> flagger-grafana.yaml
-
-# apply
-kubectl apply -f flagger-grafana.yaml
-```
-
 You can access Grafana using port forwarding:
 
 ```bash
 kubectl -n istio-system port-forward svc/flagger-grafana 3000:80
 ```
 
-## Install Flagger with Kustomize
+## Install Flagger with Kubectl
 
-As an alternative to Helm, Flagger can be installed with Kustomize **3.5.0** or newer.
-
-**Service mesh specific installers**
-
-Install Flagger for Istio:
+Install Flagger and Prometheus using the Kustomize overlay from the GitHub repository:
 
 ```bash
-kustomize build https://github.com/weaveworks/flagger/kustomize/istio | kubectl apply -f -
+kubectl apply -k https://github.com/fluxcd/flagger/kustomize/kubernetes?ref=main
 ```
 
-Install Flagger for AWS App Mesh:
+This deploys Flagger and Prometheus in the `flagger-system` namespace,
+sets the metrics server URL to `http://flagger-prometheus.flagger-system:9090` and the mesh provider to `kubernetes`.
 
-```bash
-kustomize build https://github.com/weaveworks/flagger/kustomize/appmesh | kubectl apply -f -
-```
-
-This deploys Flagger and sets the metrics server URL to App Mesh's Prometheus instance.
-
-Install Flagger for Linkerd:
-
-```bash
-kustomize build https://github.com/weaveworks/flagger/kustomize/linkerd | kubectl apply -f -
-```
-
-This deploys Flagger in the `linkerd` namespace and sets the metrics server URL to Linkerd's Prometheus instance.
-
-If you want to install a specific Flagger release, add the version number to the URL:
-
-```bash
-kustomize build https://github.com/weaveworks/flagger/kustomize/linkerd?ref=v1.0.0 | kubectl apply -f -
-```
-
-**Generic installer**
-
-Install Flagger and Prometheus for Contour, Gloo, NGINX, Skipper, or Traefik ingress:
-
-```bash
-kustomize build https://github.com/weaveworks/flagger/kustomize/kubernetes | kubectl apply -f -
-```
-
-This deploys Flagger and Prometheus in the `flagger-system` namespace, sets the metrics server URL to `http://flagger-prometheus.flagger-system:9090` and the mesh provider to `kubernetes`.
-
-The Prometheus instance has a two hours data retention and is configured to scrape all pods in your cluster that have the `prometheus.io/scrape: "true"` annotation.
-
-To target a different provider you can specify it in the canary custom resource:
-
-```yaml
-apiVersion: flagger.app/v1beta1
-kind: Canary
-metadata:
-  name: app
-  namespace: test
-spec:
-  # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, gloo, traefik
-  # use the kubernetes provider for Blue/Green style deployments
-  provider: nginx
-```
+The Prometheus instance has a two hours data retention and is configured to scrape all pods in your cluster
+that have the `prometheus.io/scrape: "true"` annotation.
 
 **Customized installer**
 
@@ -227,7 +138,7 @@ Create a kustomization file using Flagger as base and patch the container args:
 cat > kustomization.yaml <<EOF
 namespace: istio-system
 bases:
-  - github.com/weaveworks/flagger/kustomize/base/flagger
+  - https://github.com/fluxcd/flagger/kustomize/kubernetes?ref=main
 patches:
 - target:
     kind: Deployment
@@ -245,17 +156,6 @@ patches:
             args:
               - -mesh-provider=istio
               - -metrics-server=http://prometheus.istio-system:9090
-              - -slack-user=flagger
-              - -slack-channel=alerts
-              - -slack-url=https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK
+              - -include-label-prefix=app.kubernetes.io
 EOF
 ```
-
-Install Flagger for Istio with Slack notifications:
-
-```bash
-kustomize build . | kubectl apply -f -
-```
-
-If you want to use MS Teams instead of Slack, replace `-slack-url` with `-msteams-url` and set the webhook address to `https://outlook.office.com/webhook/YOUR/TEAMS/WEBHOOK`.
-

docs/gitbook/install/flagger-install-with-flux.md

@@ -0,0 +1,153 @@
+# Flagger Install on Kubernetes with Flux
+
+This guide walks you through setting up Flagger on a Kubernetes cluster the GitOps way.
+You'll configure Flux to scan the Flagger OCI artifacts and deploy the
+latest stable version on Kubernetes.
+
+## Flagger OCI artifacts
+
+Flagger OCI artifacts (container images, Helm charts, Kustomize overlays) are published to
+GitHub Container Registry, and they are signed with Cosign at every release.
+
+OCI artifacts
+
+- `ghcr.io/fluxcd/flagger:<version>` multi-arch container images
+- `ghcr.io/fluxcd/flagger-manifest:<version>` Kubernetes manifests
+- `ghcr.io/fluxcd/charts/flagger:<version>` Helm charts
+
+## Prerequisites
+
+To follow this guide you’ll need a Kubernetes cluster with Flux installed on it.
+Please see the Flux [get started guide](https://fluxcd.io/flux/get-started/)
+or the Flux [installation guide](https://fluxcd.io/flux/installation/).
+
+## Deploy Flagger with Flux
+
+First define the namespace where Flagger will be installed:
+
+```yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flagger-system
+  labels:
+    toolkit.fluxcd.io/tenant: sre-team
+```
+
+Define a Flux `OCIRepository` that points to where the Flagger Helm charts are stored:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: flagger
+  namespace: flagger-system
+spec:
+  interval: 1h
+  url: oci://ghcr.io/fluxcd/charts/flagger
+  layerSelector:
+    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+    operation: copy
+  ref:
+    semver: "1.x" # update to the latest version
+```
+
+Define a Flux `HelmRelease` that verifies and installs Flagger's latest version on the cluster:
+
+```yaml
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: flagger
+  namespace: flagger-system
+spec:
+  interval: 12h
+  releaseName: flagger
+  install: # override existing Flagger CRDs
+    crds: CreateReplace
+  upgrade: # update Flagger CRDs
+    crds: CreateReplace
+  chartRef:
+    kind: OCIRepository
+    name: flagger
+  values:
+    nodeSelector:
+      kubernetes.io/os: linux
+```
+
+Copy the above manifests into a file called `flagger.yaml`, place the YAML file
+in the Git repository bootstrapped with Flux, then commit and push it to upstream.
+
+After Flux reconciles the changes on your cluster, you can check if Flagger got deployed with:
+
+```console
+$ helm list -n flagger-system 
+NAME    NAMESPACE       REVISION        STATUS          CHART           APP VERSION
+flagger flagger-system  1               deployed        flagger-1.42.0  1.42.0  
+```
+
+To uninstall Flagger, delete the `flagger.yaml` from your repository, then Flux will uninstall
+the Helm release and will remove the namespace from your cluster.
+
+## Deploy Flagger load tester with Flux
+
+Flagger comes with a load testing service that generates traffic during analysis when configured as a webhook.
+
+The load tester container images and deployment manifests are published to GitHub Container Registry.
+The container images and the manifests are signed with Cosign and GitHub Actions OIDC.
+
+Assuming the applications managed by Flagger are in the `apps` namespace, you can configure Flux to
+deploy the load tester there.
+
+Define a Flux `OCIRepository` that points to where the Flagger Kustomize overlays are stored:
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: flagger-loadtester
+  namespace: apps
+spec:
+  interval: 6h # scan for new versions every six hours
+  url: oci://ghcr.io/fluxcd/flagger-manifests
+  ref:
+    semver: "*" # update to the latest version
+```
+
+Define a Flux `Kustomization` that deploys the Flagger load tester to the `apps` namespace:
+
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flagger-loadtester
+  namespace: apps
+spec:
+  targetNamespace: apps
+  interval: 6h
+  wait: true
+  timeout: 5m
+  prune: true
+  sourceRef:
+    kind: OCIRepository
+    name: flagger-loadtester
+  path: ./tester
+```
+
+Copy the above manifests into a file called `flagger-loadtester.yaml`, place the YAML file
+in the Git repository bootstrapped with Flux, then commit and push it to upstream.
+
+After Flux reconciles the changes on your cluster, you can check if the load tester got deployed with:
+
+```console
+$ flux -n apps get kustomization flagger-loadtester 
+NAME              	READY	MESSAGE                                                                                    
+flagger-loadtester	True 	Applied revision: v1.23.0/a80af71e001
+```
+
+To uninstall the load tester, delete the `flagger-loadtester.yaml` from your repository, 
+and Flux will delete the load tester deployment from the cluster.

docs/gitbook/tutorials/apisix-progressive-delivery.md

@@ -0,0 +1,351 @@
+# Apache APISIX Canary Deployments
+
+This guide shows you how to use the [Apache APISIX](https://apisix.apache.org/) and Flagger to automate canary deployments.
+
+![Flagger Apache APISIX Overview](https://raw.githubusercontent.com/fluxcd/flagger/main/docs/diagrams/flagger-apisix-overview.png)
+
+## Prerequisites
+
+Flagger requires a Kubernetes cluster **v1.19** or newer and Apache APISIX **v2.15** or newer and Apache APISIX Ingress Controller **v1.5.0** or newer.
+
+Install Apache APISIX and Apache APISIX Ingress Controller with Helm v3:
+
+```bash
+helm repo add apisix https://charts.apiseven.com
+kubectl create ns apisix
+
+helm upgrade -i apisix apisix/apisix --version=0.11.3 \
+--namespace apisix \
+--set apisix.podAnnotations."prometheus\.io/scrape"=true \
+--set apisix.podAnnotations."prometheus\.io/port"=9091 \
+--set apisix.podAnnotations."prometheus\.io/path"=/apisix/prometheus/metrics \
+--set pluginAttrs.prometheus.export_addr.ip=0.0.0.0 \
+--set pluginAttrs.prometheus.export_addr.port=9091 \
+--set pluginAttrs.prometheus.export_uri=/apisix/prometheus/metrics \
+--set pluginAttrs.prometheus.metric_prefix=apisix_ \
+--set ingress-controller.enabled=true \
+--set ingress-controller.config.apisix.serviceNamespace=apisix
+```
+
+Install Flagger and the Prometheus add-on in the same namespace as Apache APISIX:
+
+```bash
+helm repo add flagger https://flagger.app
+
+helm upgrade -i flagger flagger/flagger \
+--namespace apisix \
+--set prometheus.install=true \
+--set meshProvider=apisix
+```
+
+## Bootstrap
+
+Flagger takes a Kubernetes deployment and optionally a horizontal pod autoscaler \(HPA\), then creates a series of objects \(Kubernetes deployments, ClusterIP services and an ApisixRoute\). These objects expose the application outside the cluster and drive the canary analysis and promotion.
+
+Create a test namespace:
+
+```bash
+kubectl create ns test
+```
+
+Create a deployment and a horizontal pod autoscaler:
+
+```bash
+kubectl apply -k https://github.com/fluxcd/flagger//kustomize/podinfo?ref=main
+```
+
+Deploy the load testing service to generate traffic during the canary analysis:
+
+```bash
+helm upgrade -i flagger-loadtester flagger/loadtester \
+--namespace=test
+```
+
+Create an Apache APISIX `ApisixRoute`, Flagger will reference and generate the canary Apache APISIX `ApisixRoute` \(replace `app.example.com` with your own domain\):
+
+```yaml
+apiVersion: apisix.apache.org/v2
+kind: ApisixRoute
+metadata:
+  name: podinfo
+  namespace: test
+spec:
+  http:
+    - backends:
+        - serviceName: podinfo
+          servicePort: 80
+      match:
+        hosts:
+          - app.example.com
+        methods:
+          - GET
+        paths:
+          - /*
+      name: method
+      plugins:
+        - name: prometheus
+          enable: true
+          config:
+            disable: false
+            prefer_name: true
+```
+
+Save the above resource as podinfo-apisixroute.yaml and then apply it:
+
+```bash
+kubectl apply -f ./podinfo-apisixroute.yaml
+```
+
+Create a canary custom resource \(replace `app.example.com` with your own domain\):
+
+```yaml
+apiVersion: flagger.app/v1beta1
+kind: Canary
+metadata:
+  name: podinfo
+  namespace: test
+spec:
+  provider: apisix
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: podinfo
+  # apisix route reference
+  routeRef:
+    apiVersion: apisix.apache.org/v2
+    kind: ApisixRoute
+    name: podinfo
+  # the maximum time in seconds for the canary deployment
+  # to make progress before it is rollback (default 600s)
+  progressDeadlineSeconds: 60
+  service:
+    # ClusterIP port number
+    port: 80
+    # container port number or name
+    targetPort: 9898
+  analysis:
+    # schedule interval (default 60s)
+    interval: 10s
+    # max number of failed metric checks before rollback
+    threshold: 10
+    # max traffic percentage routed to canary
+    # percentage (0-100)
+    maxWeight: 50
+    # canary increment step
+    # percentage (0-100)
+    stepWeight: 10
+    # APISIX Prometheus checks
+    metrics:
+      - name: request-success-rate
+        # minimum req success rate (non 5xx responses)
+        # percentage (0-100)
+        thresholdRange:
+          min: 99
+        interval: 1m
+      - name: request-duration
+        # builtin Prometheus check
+        # maximum req duration P99
+        # milliseconds
+        thresholdRange:
+          max: 500
+        interval: 30s
+    webhooks:
+      - name: load-test
+        url: http://flagger-loadtester.test/
+        timeout: 5s
+        type: rollout
+        metadata:
+          cmd: |-
+            hey -z 1m -q 10 -c 2 -h2 -host app.example.com http://apisix-gateway.apisix/api/info
+```
+
+Save the above resource as podinfo-canary.yaml and then apply it:
+
+```bash
+kubectl apply -f ./podinfo-canary.yaml
+```
+
+After a couple of seconds Flagger will create the canary objects:
+
+```bash
+# applied 
+deployment.apps/podinfo
+horizontalpodautoscaler.autoscaling/podinfo
+apisixroute/podinfo
+canary.flagger.app/podinfo
+
+# generated 
+deployment.apps/podinfo-primary
+horizontalpodautoscaler.autoscaling/podinfo-primary
+service/podinfo
+service/podinfo-canary
+service/podinfo-primary
+apisixroute/podinfo-podinfo-canary
+```
+
+## Automated canary promotion
+
+Flagger implements a control loop that gradually shifts traffic to the canary while measuring key performance indicators like HTTP requests success rate, requests average duration and pod health. Based on analysis of the KPIs a canary is promoted or aborted, and the analysis result is published to Slack or MS Teams.
+
+![Flagger Canary Stages](https://raw.githubusercontent.com/fluxcd/flagger/main/docs/diagrams/flagger-canary-steps.png)
+
+Trigger a canary deployment by updating the container image:
+
+```bash
+kubectl -n test set image deployment/podinfo \
+podinfod=stefanprodan/podinfo:6.0.1
+```
+
+Flagger detects that the deployment revision changed and starts a new rollout:
+
+```text
+kubectl -n test describe canary/podinfo
+
+Status:
+  Canary Weight:  0
+  Conditions:
+    Message:               Canary analysis completed successfully, promotion finished.
+    Reason:                Succeeded
+    Status:                True
+    Type:                  Promoted
+  Failed Checks:           1
+  Iterations:              0
+  Phase:                   Succeeded
+
+Events:
+  Type     Reason  Age                    From     Message
+  ----     ------  ----                   ----     -------
+  Warning  Synced  2m59s                  flagger  podinfo-primary.test not ready: waiting for rollout to finish: observed deployment generation less than desired generation
+  Warning  Synced  2m50s                  flagger  podinfo-primary.test not ready: waiting for rollout to finish: 0 of 1 (readyThreshold 100%) updated replicas are available
+  Normal   Synced  2m40s (x3 over 2m59s)  flagger  all the metrics providers are available!
+  Normal   Synced  2m39s                  flagger  Initialization done! podinfo.test
+  Normal   Synced  2m20s                  flagger  New revision detected! Scaling up podinfo.test
+  Warning  Synced  2m (x2 over 2m10s)     flagger  canary deployment podinfo.test not ready: waiting for rollout to finish: 0 of 1 (readyThreshold 100%) updated replicas are available
+  Normal   Synced  110s                   flagger  Starting canary analysis for podinfo.test
+  Normal   Synced  109s                   flagger  Advance podinfo.test canary weight 10
+  Warning  Synced  100s                   flagger  Halt advancement no values found for apisix metric request-success-rate probably podinfo.test is not receiving traffic: running query failed: no values found
+  Normal   Synced  90s                    flagger  Advance podinfo.test canary weight 20
+  Normal   Synced  80s                    flagger  Advance podinfo.test canary weight 30
+  Normal   Synced  69s                    flagger  Advance podinfo.test canary weight 40
+  Normal   Synced  59s                    flagger  Advance podinfo.test canary weight 50
+  Warning  Synced  30s (x2 over 40s)      flagger  podinfo-primary.test not ready: waiting for rollout to finish: 1 old replicas are pending termination
+  Normal   Synced  9s (x3 over 50s)       flagger  (combined from similar events): Promotion completed! Scaling down podinfo.test
+```
+
+**Note** that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
+
+You can monitor all canaries with:
+
+```bash
+watch kubectl get canaries --all-namespaces
+
+NAMESPACE   NAME      STATUS      WEIGHT   LASTTRANSITIONTIME
+test        podinfo-2   Progressing   10       2022-11-23T05:00:54Z
+test        podinfo     Succeeded     0        2022-11-23T06:00:54Z
+```
+
+## Automated rollback
+
+During the canary analysis you can generate HTTP 500 errors to test if Flagger pauses and rolls back the faulted version.
+
+Trigger another canary deployment:
+
+```bash
+kubectl -n test set image deployment/podinfo \
+podinfod=stefanprodan/podinfo:6.0.2
+```
+
+Exec into the load tester pod with:
+
+```bash
+kubectl -n test exec -it deploy/flagger-loadtester bash
+```
+
+Generate HTTP 500 errors:
+
+```bash
+hey -z 1m -c 5 -q 5 -host app.example.com http://apisix-gateway.apisix/status/500
+```
+
+Generate latency:
+
+```bash
+watch -n 1 curl -H \"host: app.example.com\" http://apisix-gateway.apisix/delay/1
+```
+
+When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary, the canary is scaled to zero and the rollout is marked as failed.
+
+```text
+kubectl -n apisix logs deploy/flagger -f | jq .msg
+
+"New revision detected! Scaling up podinfo.test"
+"canary deployment podinfo.test not ready: waiting for rollout to finish: 0 of 1 (readyThreshold 100%) updated replicas are available"
+"Starting canary analysis for podinfo.test"
+"Advance podinfo.test canary weight 10"
+"Halt podinfo.test advancement success rate 0.00% < 99%"
+"Halt podinfo.test advancement success rate 26.76% < 99%"
+"Halt podinfo.test advancement success rate 34.19% < 99%"
+"Halt podinfo.test advancement success rate 37.32% < 99%"
+"Halt podinfo.test advancement success rate 39.04% < 99%"
+"Halt podinfo.test advancement success rate 40.13% < 99%"
+"Halt podinfo.test advancement success rate 48.28% < 99%"
+"Halt podinfo.test advancement success rate 50.35% < 99%"
+"Halt podinfo.test advancement success rate 56.92% < 99%"
+"Halt podinfo.test advancement success rate 67.70% < 99%"
+"Rolling back podinfo.test failed checks threshold reached 10"
+"Canary failed! Scaling down podinfo.test"
+```
+
+## Custom metrics
+
+The canary analysis can be extended with Prometheus queries.
+
+Create a metric template and apply it on the cluster:
+
+```yaml
+apiVersion: flagger.app/v1beta1
+kind: MetricTemplate
+metadata:
+  name: not-found-percentage
+  namespace: test
+spec:
+  provider:
+    type: prometheus
+    address: http://flagger-prometheus.apisix:9090
+  query: |
+    sum(
+      rate(
+        apisix_http_status{
+          route=~"{{ namespace }}_{{ route }}-{{ target }}-canary_.+",
+          code!~"4.."
+        }[{{ interval }}]
+      )
+    )
+    /
+    sum(
+      rate(
+        apisix_http_status{
+          route=~"{{ namespace }}_{{ route }}-{{ target }}-canary_.+"
+        }[{{ interval }}]
+      )
+    ) * 100
+```
+
+Edit the canary analysis and add the not found error rate check:
+
+```yaml
+  analysis:
+    metrics:
+      - name: "404s percentage"
+        templateRef:
+          name: not-found-percentage
+        thresholdRange:
+          max: 5
+        interval: 1m
+```
+
+The above configuration validates the canary by checking if the HTTP 404 req/sec percentage is below 5 percent of the total traffic. If the 404s rate reaches the 5% threshold, then the canary fails.
+
+
+The above procedures can be extended with more [custom metrics](../usage/metrics.md) checks, [webhooks](../usage/webhooks.md), [manual promotion](../usage/webhooks.md#manual-gating) approval and [Slack or MS Teams](../usage/alerting.md) notifications.
+

docs/gitbook/tutorials/appmesh-progressive-delivery.md

@@ -1,412 +0,0 @@
-# App Mesh Canary Deployments
-
-This guide shows you how to use App Mesh and Flagger to automate canary deployments. You'll need an EKS cluster configured with App Mesh, you can find the installion guide [here](https://docs.flagger.app/install/flagger-install-on-eks-appmesh).
-
-## Bootstrap
-
-Flagger takes a Kubernetes deployment and optionally a horizontal pod autoscaler \(HPA\), then creates a series of objects \(Kubernetes deployments, ClusterIP services, App Mesh virtual nodes and services\). These objects expose the application on the mesh and drive the canary analysis and promotion. The only App Mesh object you need to create by yourself is the mesh resource.
-
-Create a mesh called `global`:
-
-```bash
-cat << EOF | kubectl apply -f -
-apiVersion: appmesh.k8s.aws/v1beta2
-kind: Mesh
-metadata:
-  name: global
-spec:
-  namespaceSelector:
-    matchLabels:
-      appmesh.k8s.aws/sidecarInjectorWebhook: enabled
-EOF
-```
-
-Create a test namespace with App Mesh sidecar injection enabled:
-
-```bash
-cat << EOF | kubectl apply -f -
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: test
-  labels:
-    appmesh.k8s.aws/sidecarInjectorWebhook: enabled
-EOF
-```
-
-Create a deployment and a horizontal pod autoscaler:
-
-```bash
-kubectl apply -k github.com/weaveworks/flagger//kustomize/podinfo
-```
-
-Deploy the load testing service to generate traffic during the canary analysis:
-
-```bash
-helm upgrade -i flagger-loadtester flagger/loadtester \
---namespace=test \
---set appmesh.enabled=true \
---set "appmesh.backends[0]=podinfo" \
---set "appmesh.backends[1]=podinfo-canary"
-```
-
-Create a canary definition:
-
-```yaml
-apiVersion: flagger.app/v1beta1
-kind: Canary
-metadata:
-  name: podinfo
-  namespace: test
-spec:
-  # App Mesh API reference
-  provider: appmesh:v1beta2
-  # deployment reference
-  targetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: podinfo
-  # the maximum time in seconds for the canary deployment
-  # to make progress before it is rollback (default 600s)
-  progressDeadlineSeconds: 60
-  # HPA reference (optional)
-  autoscalerRef:
-    apiVersion: autoscaling/v2beta2
-    kind: HorizontalPodAutoscaler
-    name: podinfo
-  service:
-    # container port
-    port: 9898
-    # App Mesh ingress timeout (optional)
-    timeout: 15s
-    # App Mesh retry policy (optional)
-    retries:
-      attempts: 3
-      perTryTimeout: 5s
-      retryOn: "gateway-error,client-error,stream-error"
-    # App Mesh URI settings
-    match:
-      - uri:
-          prefix: /
-    rewrite:
-      uri: /
-  # define the canary analysis timing and KPIs
-  analysis:
-    # schedule interval (default 60s)
-    interval: 1m
-    # max number of failed metric checks before rollback
-    threshold: 5
-    # max traffic percentage routed to canary
-    # percentage (0-100)
-    maxWeight: 50
-    # canary increment step
-    # percentage (0-100)
-    stepWeight: 5
-    # App Mesh Prometheus checks
-    metrics:
-    - name: request-success-rate
-      # minimum req success rate (non 5xx responses)
-      # percentage (0-100)
-      thresholdRange:
-        min: 99
-      interval: 1m
-    - name: request-duration
-      # maximum req duration P99
-      # milliseconds
-      thresholdRange:
-        max: 500
-      interval: 30s
-    # testing (optional)
-    webhooks:
-    - name: acceptance-test
-      type: pre-rollout
-      url: http://flagger-loadtester.test/
-      timeout: 30s
-      metadata:
-        type: bash
-        cmd: "curl -sd 'test' http://podinfo-canary.test:9898/token | grep token"
-    - name: load-test
-      url: http://flagger-loadtester.test/
-      timeout: 5s
-      metadata:
-        cmd: "hey -z 1m -q 10 -c 2 http://podinfo-canary.test:9898/"
-```
-
-Save the above resource as podinfo-canary.yaml and then apply it:
-
-```bash
-kubectl apply -f ./podinfo-canary.yaml
-```
-
-After a couple of seconds Flagger will create the canary objects:
-
-```bash
-# applied 
-deployment.apps/podinfo
-horizontalpodautoscaler.autoscaling/podinfo
-canary.flagger.app/podinfo
-
-# generated Kubernetes objects
-deployment.apps/podinfo-primary
-horizontalpodautoscaler.autoscaling/podinfo-primary
-service/podinfo
-service/podinfo-canary
-service/podinfo-primary
-
-# generated App Mesh objects
-virtualnode.appmesh.k8s.aws/podinfo-canary
-virtualnode.appmesh.k8s.aws/podinfo-primary
-virtualrouter.appmesh.k8s.aws/podinfo
-virtualrouter.appmesh.k8s.aws/podinfo-canary
-virtualservice.appmesh.k8s.aws/podinfo
-virtualservice.appmesh.k8s.aws/podinfo-canary
-```
-
-After the boostrap, the podinfo deployment will be scaled to zero and the traffic to `podinfo.test` will be routed to the primary pods. During the canary analysis, the `podinfo-canary.test` address can be used to target directly the canary pods.
-
-App Mesh blocks all egress traffic by default. If your application needs to call another service, you have to create an App Mesh virtual service for it and add the virtual service name to the backend list.
-
-```yaml
-  service:
-    port: 9898
-    backends:
-      - backend1
-      - arn:aws:appmesh:eu-west-1:12345678910:mesh/my-mesh/virtualService/backend2
-```
-
-## Setup App Mesh Gateway \(optional\)
-
-In order to expose the podinfo app outside the mesh you can use the App Mesh Gateway.
-
-Deploy the App Mesh Gateway behind an AWS NLB:
-
-```bash
-helm upgrade -i appmesh-gateway eks/appmesh-gateway \
---namespace test
-```
-
-Find the gateway public address:
-
-```bash
-export URL="http://$(kubectl -n test get svc/appmesh-gateway -ojson | jq -r ".status.loadBalancer.ingress[].hostname")"
-echo $URL
-```
-
-Wait for the NLB to become active:
-
-```bash
- watch curl -sS $URL
-```
-
-Create a gateway route that points to the podinfo virtual service:
-
-```yaml
-cat << EOF | kubectl apply -f -
-apiVersion: appmesh.k8s.aws/v1beta2
-kind: GatewayRoute
-metadata:
-  name: podinfo
-  namespace: test
-spec:
-  httpRoute:
-    match:
-      prefix: "/"
-    action:
-      target:
-        virtualService:
-          virtualServiceRef:
-            name: podinfo
-EOF
-```
-
-Open your browser and navigate to the ingress address to access podinfo UI.
-
-## Automated canary promotion
-
-A canary deployment is triggered by changes in any of the following objects:
-
-* Deployment PodSpec \(container image, command, ports, env, resources, etc\)
-* ConfigMaps and Secrets mounted as volumes or mapped to environment variables
-
-Trigger a canary deployment by updating the container image:
-
-```bash
-kubectl -n test set image deployment/podinfo \
-podinfod=stefanprodan/podinfo:3.1.1
-```
-
-Flagger detects that the deployment revision changed and starts a new rollout:
-
-```text
-kubectl -n test describe canary/podinfo
-
-Status:
-  Canary Weight:         0
-  Failed Checks:         0
-  Phase:                 Succeeded
-Events:
- New revision detected! Scaling up podinfo.test
- Waiting for podinfo.test rollout to finish: 0 of 1 updated replicas are available
- Pre-rollout check acceptance-test passed
- Advance podinfo.test canary weight 5
- Advance podinfo.test canary weight 10
- Advance podinfo.test canary weight 15
- Advance podinfo.test canary weight 20
- Advance podinfo.test canary weight 25
- Advance podinfo.test canary weight 30
- Advance podinfo.test canary weight 35
- Advance podinfo.test canary weight 40
- Advance podinfo.test canary weight 45
- Advance podinfo.test canary weight 50
- Copying podinfo.test template spec to podinfo-primary.test
- Waiting for podinfo-primary.test rollout to finish: 1 of 2 updated replicas are available
- Routing all traffic to primary
- Promotion completed! Scaling down podinfo.test
-```
-
-When the canary analysis starts, Flagger will call the pre-rollout webhooks before routing traffic to the canary.
-
-**Note** that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
-
-During the analysis the canary’s progress can be monitored with Grafana. The App Mesh dashboard URL is [http://localhost:3000/d/flagger-appmesh/appmesh-canary?refresh=10s&orgId=1&var-namespace=test&var-primary=podinfo-primary&var-canary=podinfo](http://localhost:3000/d/flagger-appmesh/appmesh-canary?refresh=10s&orgId=1&var-namespace=test&var-primary=podinfo-primary&var-canary=podinfo).
-
-![App Mesh Canary Dashboard](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/screens/flagger-grafana-appmesh.png)
-
-You can monitor all canaries with:
-
-```bash
-watch kubectl get canaries --all-namespaces
-
-NAMESPACE   NAME      STATUS        WEIGHT
-test        podinfo   Progressing   15
-prod        frontend  Succeeded     0
-prod        backend   Failed        0
-```
-
-If you’ve enabled the Slack notifications, you should receive the following messages:
-
-![Flagger Slack Notifications](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/screens/slack-canary-notifications.png)
-
-## Automated rollback
-
-During the canary analysis you can generate HTTP 500 errors or high latency to test if Flagger pauses the rollout.
-
-Trigger a canary deployment:
-
-```bash
-kubectl -n test set image deployment/podinfo \
-podinfod=stefanprodan/podinfo:3.1.2
-```
-
-Exec into the load tester pod with:
-
-```bash
-kubectl -n test exec -it deploy/flagger-loadtester bash
-```
-
-Generate HTTP 500 errors:
-
-```bash
-hey -z 1m -c 5 -q 5 http://podinfo-canary.test:9898/status/500
-```
-
-Generate latency:
-
-```bash
-watch -n 1 curl http://podinfo-canary.test:9898/delay/1
-```
-
-When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary, the canary is scaled to zero and the rollout is marked as failed.
-
-```text
-kubectl -n appmesh-system logs deploy/flagger -f | jq .msg
-
-New revision detected! progressing canary analysis for podinfo.test
-Pre-rollout check acceptance-test passed
-Advance podinfo.test canary weight 5
-Advance podinfo.test canary weight 10
-Advance podinfo.test canary weight 15
-Halt podinfo.test advancement success rate 69.17% < 99%
-Halt podinfo.test advancement success rate 61.39% < 99%
-Halt podinfo.test advancement success rate 55.06% < 99%
-Halt podinfo.test advancement request duration 1.20s > 0.5s
-Halt podinfo.test advancement request duration 1.45s > 0.5s
-Rolling back podinfo.test failed checks threshold reached 5
-Canary failed! Scaling down podinfo.test
-```
-
-If you’ve enabled the Slack notifications, you’ll receive a message if the progress deadline is exceeded, or if the analysis reached the maximum number of failed checks:
-
-![Flagger Slack Notifications](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/screens/slack-canary-failed.png)
-
-## A/B Testing
-
-Besides weighted routing, Flagger can be configured to route traffic to the canary based on HTTP match conditions. In an A/B testing scenario, you'll be using HTTP headers or cookies to target a certain segment of your users. This is particularly useful for frontend applications that require session affinity.
-
-![Flagger A/B Testing Stages](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-abtest-steps.png)
-
-Edit the canary analysis, remove the max/step weight and add the match conditions and iterations:
-
-```yaml
-  analysis:
-    interval: 1m
-    threshold: 5
-    iterations: 10
-    match:
-    - headers:
-        x-canary:
-          exact: "insider"
-    webhooks:
-    - name: load-test
-      url: http://flagger-loadtester.test/
-      metadata:
-        cmd: "hey -z 1m -q 10 -c 2 -H 'X-Canary: insider' http://podinfo.test:9898/"
-```
-
-The above configuration will run an analysis for ten minutes targeting users that have a `X-Canary: insider` header.
-
-You can also use a HTTP cookie, to target all users with a `canary` cookie set to `insider` the match condition should be:
-
-```yaml
-match:
-- headers:
-    cookie:
-      regex: "^(.*?;)?(canary=insider)(;.*)?$"
-webhooks:
-- name: load-test
-  url: http://flagger-loadtester.test/
-  metadata:
-    cmd: "hey -z 1m -q 10 -c 2 -H 'Cookie: canary=insider' http://podinfo.test:9898/"
-```
-
-Trigger a canary deployment by updating the container image:
-
-```bash
-kubectl -n test set image deployment/podinfo \
-podinfod=stefanprodan/podinfo:3.1.3
-```
-
-Flagger detects that the deployment revision changed and starts the A/B test:
-
-```text
-kubectl -n appmesh-system logs deploy/flagger -f | jq .msg
-
-New revision detected! progressing canary analysis for podinfo.test
-Advance podinfo.test canary iteration 1/10
-Advance podinfo.test canary iteration 2/10
-Advance podinfo.test canary iteration 3/10
-Advance podinfo.test canary iteration 4/10
-Advance podinfo.test canary iteration 5/10
-Advance podinfo.test canary iteration 6/10
-Advance podinfo.test canary iteration 7/10
-Advance podinfo.test canary iteration 8/10
-Advance podinfo.test canary iteration 9/10
-Advance podinfo.test canary iteration 10/10
-Copying podinfo.test template spec to podinfo-primary.test
-Waiting for podinfo-primary.test rollout to finish: 1 of 2 updated replicas are available
-Routing all traffic to primary
-Promotion completed! Scaling down podinfo.test
-```
-
-For an in-depth look at the analysis process read the [usage docs](../usage/how-it-works.md).
-