Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
1.5.x
  • Home icon
  • Kong Gateway Operator
  • Guides
  • Upgrade
  • Data Plane
  • Blue/Green Upgrades
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • unreleased
  • 1.6.x (latest)
  • 1.5.x
  • 1.4.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
  • Introduction
    • Overview
    • Deployment Topologies
      • Hybrid Mode
      • DB-less Mode
    • Key Concepts
      • Gateway API
      • Gateway Configuration
      • Managed Gateways
    • Changelog
    • Version Support Policy
    • FAQ
  • Get Started
    • Konnect
      • Install Gateway Operator
      • Create a KonnectExtension
      • Deploy a Data Plane
      • Create a Route
    • Kong Ingress Controller
      • Install Gateway Operator
      • Create a Gateway
      • Create a Route
  • Production Deployment
    • Overview
    • Install
    • Enterprise License
    • Monitoring
      • Metrics
      • Status fields
        • Overview
        • DataPlane
        • ControlPlane
        • Gateway
    • Upgrade Gateway Operator
    • Certificates
      • Using custom CA for signing operator certificates
  • Guides
    • AI Gateway
    • Customization
      • Set data plane image
      • Deploying Sidecars
      • Customizing PodTemplateSpec
      • Defining PodDisruptionBudget for DataPlane
    • Autoscaling Kong Gateway
    • Autoscaling Workloads
      • Overview
      • Prometheus
      • Datadog
    • Upgrading Data Planes
      • Rolling Deployment
      • Blue / Green Deployment
    • Kong Custom Plugin Distribution
    • Managing Konnect entities
      • Architecture overview
      • Gateway Control Plane
      • Service and Route
      • Consumer, Credentials and Consumer Groups
      • Key and Key Set
      • Upstream and Targets
      • Certificate and CA Certificate
      • Vault
      • Data Plane Client Certificate
      • Tagging and Labeling
      • Managing Plugin Bindings by CRD
      • Cloud Gateways - Networks
      • Cloud Gateways - Data Plane Group Configuration
      • FAQ
    • Migration
      • Migrate Konnect DataPlanes from KGO v1.4.x to v1.5.x
  • Reference
    • Custom Resources
      • Overview
      • GatewayConfiguration
      • ControlPlane
      • DataPlane
      • KongPluginInstallation
    • Understanding KonnectExtension
    • Configuration Options
    • License
    • Version Compatibility
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Using DataPlane
You are browsing documentation for an older version. See the latest documentation here.

Blue/Green Upgrades

Using DataPlane

Blue/Green upgrades can be accomplished when working with the DataPlane resource directly.

  1. To enable blue/green deployments set the spec.deployment.rollout.strategy on your DataPlane resource:

     apiVersion: gateway-operator.konghq.com/v1beta1
     kind: DataPlane
     metadata:
       name: dataplane-example
     spec:
       deployment:
         rollout:
           strategy:
             blueGreen:
               promotion:
                 strategy: BreakBeforePromotion
         podTemplateSpec:
           spec:
             containers:
             - name: proxy
               image: kong/kong-gateway:3.10.0.1
               env:
               - name: KONG_LOG_LEVEL
                 value: debug
    

    NOTE: Currently only BreakBeforePromotion is available as promotion strategy.

    When applied like this, Kong Gateway Operator will deploy new Services through which you’ll be able to access new Pods once they are available.

    By default no Pods will be deployed immediately, instead Kong Gateway Operator will observe the DataPlane resource for spec changes and when any configuration drift is detected it will spawn a new “preview” Deployment which will contain the changes applied to the DataPlane resource.

  2. Wait for DataPlane to be ready to accept changes

     kubectl wait dataplane dataplane-example --for=jsonpath='{.status.rollout.conditions[*].reason}'=AwaitingPromotion
    
  3. Test it out by patching the DataPlane with a new image:

     kubectl patch dataplane dataplane-example --type='json' -p='[{"op": "replace", "path": "/spec/deployment/podTemplateSpec/spec/containers/0/image", "value":"kong:3.3.1"}]'
    

    The output should look like this:

     dataplane.gateway-operator.konghq.com/dataplane-example patched
    

    After this patch gets applied you’ll be able to access the new Kong Gateway Pods via the “preview” ingress Service.

  4. To find the “preview” Service you can look up DataPlane status, and more specifically its rollout field:

     kubectl get dataplane dataplane-example -o jsonpath-as-json='{.status.rollout}'
    

    The output should look like this:

     [
         {
             "conditions": [
                 {
                     "lastTransitionTime": "2023-09-21T11:40:25Z",
                     "message": "",
                     "observedGeneration": 2,
                     "reason": "AwaitingPromotion",
                     "status": "False",
                     "type": "RolledOut"
                 }
             ],
             "deployment": {
                 "selector": "6cf0d993-2319-43d5-bfdc-e2cadd6bd7e3"
             },
             "services": {
                 "adminAPI": {
                     "addresses": [
                         {
                             "sourceType": "PrivateIP",
                             "type": "IPAddress",
                             "value": "None"
                         }
                     ],
                     "name": "dataplane-admin-dataplane-example-cx6nq"
                 },
                 "ingress": {
                     "addresses": [
                         {
                             "sourceType": "PrivateLoadBalancer",
                             "type": "IPAddress",
                             "value": "172.18.0.101"
                         },
                         {
                             "sourceType": "PrivateIP",
                             "type": "IPAddress",
                             "value": "10.96.28.2"
                         }
                     ],
                     "name": "dataplane-ingress-dataplane-example-2249g"
                 }
             }
         }
     ]
    

    Here you can see the ingress Service name that was created for you to validate the new set of Pods.

    Its addresses (together with their types and sourceTypes) are stored status.rollout.services[].ingress.

    Notice that status.rollout.conditions[] contains a condition with Type RolledOut and Reason set to AwaitingPromotion. This means that everything is ready to promote the DataPlane with staged changes. Before we do so, let’s test it.

  5. You can access the spawned “preview” Service by using its LB address (taken from the status.rollout.services[].ingress.addresses[].value field):

     $ curl -s -D - -o /dev/null 172.18.0.101
     HTTP/1.1 404 Not Found
     Date: Thu, 21 Sep 2023 11:40:26 GMT
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     Content-Length: 52
     X-Kong-Response-Latency: 0
     Server: kong/3.3.1
    

    This way we can see that new Kong Gateway Pods have been deployed and are reachable through the “preview” ingress Service using the updated image.

  6. Verify the old Pods are still available and are still serving the traffic. You can verify that by accessing its “live” ingress Service

    We can get its addresses with:

     kubectl get dataplane dataplane-example -o jsonpath-as-json='{.status.addresses}'
    

    The output should look like this:

     [
       [
         {
             "sourceType": "PrivateLoadBalancer",
             "type": "IPAddress",
             "value": "172.18.0.100"
         },
         {
             "sourceType": "PrivateIP",
             "type": "IPAddress",
             "value": "10.96.11.156"
         }
       ],
     ]
    

    Knowing the LoadBalancer IP address is 172.18.0.100, you can issue a request:

     $ curl -s -D - -o /dev/null 172.18.0.100
     HTTP/1.1 404 Not Found
     Date: Thu, 21 Sep 2023 11:40:26 GMT
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     Content-Length: 52
     X-Kong-Response-Latency: 0
     Server: kong/3.9.0
    

    As you can see, the live Service is still serving traffic using 3.9.0.

  7. Now you can perform additional validation steps by inspecting the deployed resources.

  8. Once you’ve validated the newly created resources, run kubectl annotate dataplanes.gateway-operator.konghq.com dataplane-example gateway-operator.konghq.com/promote-when-ready=true to allow Kong Gateway Operator to switch the traffic to the new Pods.

    This annotation will automatically be cleared by Kong Gateway Operator once the new Pods are promoted to be live.

  9. Once the promotion concludes, the updated Pods start serving traffic and the old Pods and their Deployment will be deleted to conserve the resources.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025