Pegasystems Inc.
GB
Last activity: 30 Jun 2025 5:33 EDT
Post-Webinar Q&A: Canary Deployments with Pega Deployment Manager
Webinar Overview
Our recent webinar explored how canary deployment strategies can minimize risk and improve application quality using Pega Deployment Manager. The session demonstrated how to configure trial user groups, roll out a new version of an application to trial users to assess the quality of its features, and then make educated decisions before full-scale rollouts.
🎥 Watch the Recording: Canary Deployments with Pega Deployment Manager
Key Takeaways
- Controlled Rollouts: Canary deployments enable controlled introduction of new application versions to trial users first
- Risk Mitigation: Test with real users before general availability to reduce impact of potential issues
- Access Group Management: The entire orchestration is managed through trial and general access groups
- Validate and Roll Out Task: Post-deployment task handles the mapping of users to different application versions
- Flexible Rollback: Easy rollback capabilities when issues are detected during trial phase
Comprehensive Q&A Session
🔧 Versioning and Pipeline Strategy
Q: Do we need separate pipelines for hotfixes versus major/minor upgrades when using canary deployments?
A: We recommend using Canary for feature releases (minor/major) and having separate pipelines for emergency patches and feature releases. This solution is not built for managing the testing of emergency patches in production.
Q: How does versioning work if we trigger the same pipeline multiple times for the same application version?
A: It will update the same version without any issues. The system handles multiple deployments of the same version gracefully.
Q: Can trial users be on version 01.04 while general users remain on 01.02 until rollout?
A: The rollback strategy is based on the pipeline application version. We capture the current version from pipeline configuration and the old version from existing access group data instances. When updating to the current version, we capture the old version for potential rollback scenarios.
🔐 Data Management and Rollback
Q: How are data instances handled during rollout and rollback scenarios?
A: During canary rollback, we only roll back the application version pointing to the access group - data instances remain unchanged. We don't touch the rule layer during canary rollback. For complete rollback including data instances, you would use the pipeline rollback option. Data instances associated with rule sets that have history enabled can be rolled back through the deployment manager's rollback action.
Q: What happens to in-flight cases if we reject a canary deployment and perform rollback?
A: In-flight cases are retained as-is during canary deployments. Development teams need to plan for backward compatibility - either implementing case migration back to the older version or adopting a "fix forward" strategy. Fix forward strategies are generally recommended to maintain momentum and avoid extensive retesting.
Q: Can we revert back if approval was granted by mistake?
A: Once approved in deployment manager, the action cannot be reversed within the tool. You would need to manually update the environment back to the older version.
👥 Access Group Configuration
Q: Can we use multiple access groups for trial users, and do they need specific naming conventions?
A: Yes, you can specify multiple access groups for both trial users and general users. The naming is completely flexible - you can choose names that suit your needs. We use "trial users" in examples to differentiate business users who review and approve functionalities, but there are no system limitations on naming.
Q: How do we configure multiple access groups in the deployment manager?
A: In the validate and roll out task configuration, you can specify multiple access groups using comma-separated entries for both trial and general access groups. These are the two significant input parameters for the task.
Q: When and how are access groups created and mapped?
A: Access groups should be created and mapped to appropriate application versions before starting deployment of the new version. Initially, they're mapped to the older version (e.g., 01.01). The validate and roll out task then handles updating trial access groups to the latest version first, and based on approval decisions, updates general users or rolls back trial users.
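The trial, approve and rollback flow described in the answers above, as an added plain-Python model (not Pega or Deployment Manager code; it calls no Pega API). The class, method and access group names are hypothetical, and the check that a group is not listed as both trial and general is an assumption of this example.

```python
def parse_groups(csv):
    """Split a comma-separated access group parameter into a clean list."""
    return [g.strip() for g in csv.split(",") if g.strip()]


class CanaryRollout:
    """Hypothetical model of the validate and roll out task's behaviour."""

    def __init__(self, access_groups, pipeline_version, trial_csv, general_csv):
        self.groups = access_groups        # access group name -> application version
        self.new = pipeline_version        # current version, from pipeline configuration
        self.trial = parse_groups(trial_csv)
        self.general = parse_groups(general_csv)
        self.old = {}                      # old versions captured for rollback
        self.state = "configured"

    def preflight(self):
        """Return problems to fix before deployment starts (empty list = ready)."""
        problems = [f"{g}: access group does not exist"
                    for g in self.trial + self.general if g not in self.groups]
        # Assumption of this example: one group must not be both trial and general.
        problems += [f"{g}: listed as both trial and general"
                     for g in sorted(set(self.trial) & set(self.general))]
        return problems

    def start_trial(self):
        if self.preflight():
            raise ValueError("preflight failed: " + "; ".join(self.preflight()))
        for g in self.trial:
            self.old[g] = self.groups[g]   # capture the old version before updating
            self.groups[g] = self.new
        self.state = "trial"

    def decide(self, approve):
        # A decision is only possible once, mirroring "cannot be reversed within the tool".
        if self.state != "trial":
            raise RuntimeError(f"no decision possible in state {self.state!r}")
        if approve:
            for g in self.general:
                self.groups[g] = self.new
        else:
            for g in self.trial:
                self.groups[g] = self.old[g]   # only the version pointer moves back
        self.state = "approved" if approve else "rolled back"
```
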
🏢 Enterprise and Security Considerations
Q: Do business users directly interact with deployment manager for approvals?
A: No, we don't expect business users to access deployment manager directly. In enterprise pipelines, the release manager coordinates with business users for feedback and then takes action in deployment manager to approve or reject the rollout.
Q: Can we control who has permission to approve canary rollouts in production?
A: Currently, users with account admin or application admin roles in deployment manager can take actions on the validate and roll out task. It's typically the same user who approved the production deployment initially. There's no separate role-based approval specifically for this task.
Q: How does Rule Security Analyzer integrate with canary deployments?
A: Rule Security Analyzer is available and can be integrated into deployment pipelines, though it's not part of the default process. We also have plans for RAP tampering validation to address situations where packages are changed after staging but before production.
🌐 Environment and Multi-tenancy
Q: Can we add the validate and roll out task to pre-production or other stages?
A: Yes, there's flexibility to add multiple stages, even post-production. For initial testing, we recommend adding it to staging first to test the process, then removing it from staging and adding it to production for ongoing use. You can treat additional environments as production environments and use the same canary approach.
Q: How does canary deployment work in multi-tenant environments?
A: The current feature is built for non-multi-tenant environments. However, if access group updates happen at the tenant level, it should work similarly. This feature hasn't been specifically tested for multi-tenant scenarios.
Q: What about localization rule sets that are outside the application definition?
A: Translation rule sets outside the application definition don't impact canary deployments if you're only changing access groups. If changes are applicable to the latest application version and associated with a specific application version, they will be handled appropriately during rollback.
🔄 Pipeline Flexibility and Integration
Q: Can we have one pipeline that supports both normal deployments and canary deployments?
A: We don't recommend this approach. Our guidance is to use separate pipelines for patch releases/production fixes versus new feature development with canary deployments, as they deal with different versions (N-1 for patches vs. new versions for canary deployments).
Q: Can we use custom stages with the validate and roll out task?
A: Yes, it's possible to move the validate and roll out task to custom stages, but it requires more manual touchpoints and slows down the deployment process.
Q: How do we handle reference data deployments with separate pipelines?
A: For reference data or configuration data, you can use the same pipeline if there are just a few manual instances. For more independence from standard releases, separate configuration pipelines pointing to separate product rules provide more flexibility and control, especially when managed by CoE or enablement teams.
☁️ Cloud and On-Premises Support
Q: When will canary deployments be supported on-premises?
A: Currently, we're not planning to support this feature on Deployment Manager version 5. We're evaluating strategies for on-premises clients and the future of deployment manager services for them, but no specific timeline is available for version 5 support.
Q: What about Pega Cloud for Government migration from version 5.x?
A: Pega Cloud for Government will be supported on Cloud 3 later this year, which will include deployment manager service support. This feature won't be available on version 5.6.5, but will be available as government clients move to newer versions.
Additional Resources
- Documentation: Configuring the validate and rollout task
- Recording Link: https://community.pega.com/event/canary-deployments-pega-deployment-manager
- Expert Circle Community: Join our Pega as-a-Service Expert Circle for ongoing discussions and support