Upgrading NGINX Ingress controller with integrated Wallarm modules¶
These instructions describe the steps to upgrade deployed Wallarm Ingress Controller 3.4 or 3.2 to the new version with Wallarm node 3.6.
New version of Community Ingress NGINX Controller
The version of Community Ingress NGINX Controller the Wallarm Ingress controller is based on has been upgraded from 0.26.2 to 1.1.3.
Since the operation of Community Ingress NGINX Controller 1.1.3 has been significantly changed, its configuration has to be adjusted to these changes during the Wallarm Ingress controller upgrade.
These instructions contain the list of Community Ingress NGINX Controller settings you probably have to change. Nevertheless, please draw up and individual plan for the configuration migration based on the Community Ingress NGINX Controller release notes.
To upgrade the node 2.18 or lower, please use the different instructions.
Step 1: Update the repository containing Wallarm Helm charts¶
Add the Wallarm Helm repository containing all chart versions by using the command below. Please use the Helm repository for further work with the Wallarm Ingress controller.
Step 2: Update the values.yaml
configuration¶
To migrate to Wallarm Ingress controller 3.6, update the following configuration specified in the values.yaml
file:
-
Standard configuration of Community Ingress NGINX Controller
-
Wallarm module configuration
Standard configuration of Community Ingress NGINX Controller¶
-
Check out the release notes on Community Ingress NGINX Controller 0.27.0 and higher and define the settings to be changed in the
values.yaml
file. -
Update the defined settings in the
values.yaml
file.
There are the following setting probably to be changed:
-
Proper reporting of end user public IP address if requests are passed through a load balancer before being sent to the Wallarm Ingress controller.
-
IngressClasses configuration. The version of used Kubernetes API has been upgraded in the new Ingress controller that requires IngressClasses to be configured via the
.controller.ingressClass
,.controller.ingressClassResource
and.controller.watchIngressWithoutClass
parameters. -
Validation of Ingress syntax via "admission webhook" is now enabled by default.
Disabling the Ingress syntax validation
It is recommended to disable the Ingress syntax validation only if it destabilizes the operation of Ingress objects.
-
Label format. If the
values.yaml
file sets pod affinity rules, change the label format in these rules, e.g.:controller: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - - key: app + - key: app.kubernetes.io/name operator: In values: - waf-ingress - - key: component + - key: app.kubernetes.io/component operator: In values: - - waf-ingress + - controller - - key: release + - key: app.kubernetes.io/instance operator: In values: - waf-ingress-ingress topologyKey: kubernetes.io/hostname weight: 100
Wallarm module configuration¶
Change the Wallarm module configuration set in the values.yaml
file as follows:
-
Get rid of the explicit monitoring service configuration. In the new Wallarm Ingress controller version, the monitoring service is enabled by default and does not require any additional configuration.
-
If the page
&/usr/share/nginx/html/wallarm_blocked.html
configured via ConfigMap is returned to blocked requests, adjust its configuration to the released changes.In new node version, the Wallarm sample blocking page has the updated UI with no logo and support email specified by default.
-
If you have customized the
overlimit_res
attack detection via thewallarm_process_time_limit
andwallarm_process_time_limit_block
NGINX directives, please transfer this settings to the rule and delete from thevalues.yaml
file.
Step 3: Transfer the overlimit_res
attack detection configuration from directives to the rule¶
Starting from the version 3.6, you can fine-tune the overlimit_res
attack detection using the rule in Wallarm Console.
Earlier, the wallarm_process_time_limit
and wallarm_process_time_limit_block
NGINX directives have been used. The listed directives are considered to be deprecated with the new rule release and will be deleted in future releases.
If the overlimit_res
attack detection settings are customized via the listed directives, it is recommended to transfer them to the rule as follows:
-
Open Wallarm Console → Rules and proceed to the Fine-tune the overlimit_res attack detection rule setup.
-
Configure the rule as done via the NGINX directives:
- The rule condition should match the NGINX configuration block with the
wallarm_process_time_limit
andwallarm_process_time_limit_block
directives specified. - The time limit for the node to process a single request (milliseconds): the value of
wallarm_process_time_limit
. -
Request processing: the Stop processing option is recommended.
Risk of running out of system memory
The high time limit and/or continuation of request processing after the limit is exceeded can trigger memory exhaustion or out-of-time request processing.
-
Register the overlimit_res attack: the Register and display in the events option is recommended.
If the
wallarm_process_time_limit_block
orprocess_time_limit_block
value isoff
, choose the Do not create attack event option. -
The rule does not have the explicit equivalent option for the
wallarm_process_time_limit_block
directive. If the rule sets Register and display in the events, the node will either block or pass theoverlimit_res
attack depending on the node filtration mode:- In the monitoring mode, the node forwards the original request to the application address. The application has the risk to be exploited by the attacks included in both processed and unprocessed request parts.
- In the safe blocking mode, the node blocks the request if it is originated from the graylisted IP address. Otherwise, the node forwards the original request to the application address. The application has the risk to be exploited by the attacks included in both processed and unprocessed request parts.
- In the block mode, the node blocks the request.
- The rule condition should match the NGINX configuration block with the
-
Delete the
wallarm_process_time_limit
andwallarm_process_time_limit_block
NGINX directives from thevalues.yaml
configuration file.If the
overlimit_res
attack detection is fine-tuned using both the directives and the rule, the node will process requests as the rule sets.
Step 4: Check out all coming K8s manifest changes¶
To avoid unexpectedly changed Ingress controller behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Ingress controller version and of the new one.
To install and run the plugin:
-
Install the plugin:
-
Run the plugin:
helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 3.6.9 -f <PATH_TO_VALUES>
<RELEASE_NAME>
: the name of the release with the deployed Ingress controller<NAMESPACE>
: the namespace the Ingress controller is deployed to<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Ingress controller 3.6 settings
-
Make sure no changes can affect the stability of the running services and carefully examine the errors from stdout.
If stdout is empty, ensure the
values.yaml
file is valid.
Please note the changes of the following configuration:
-
Immutable field, e.g. the Deployment and/or StatefulSet selectors.
-
Pod labels. The changes can lead to the NetworkPolicy operation termination, e.g.:
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy spec: egress: - to: - namespaceSelector: matchExpressions: - key: name operator: In values: - kube-system # ${NAMESPACE} podSelector: matchLabels: # RELEASE_NAME=waf-ingress - app: waf-ingress + app.kubernetes.io/component: "controller" + app.kubernetes.io/instance: "waf-ingress" + app.kubernetes.io/name: "waf-ingress" - component: waf-ingress
-
Configuration of Prometheus with new labels, e.g.:
- job_name: 'kubernetes-ingress' kubernetes_sd_configs: - role: pod namespaces: names: - kube-system # ${NAMESPACE} relabel_configs: # RELEASE_NAME=waf-ingress # Selectors - - source_labels: [__meta_kubernetes_pod_label_app] + - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name] action: keep regex: waf-ingress - - source_labels: [__meta_kubernetes_pod_label_release] + - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance] action: keep regex: waf-ingress - - source_labels: [__meta_kubernetes_pod_label_component] + - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_component] action: keep - regex: waf-ingress + regex: controller - source_labels: [__meta_kubernetes_pod_container_port_number] action: keep regex: "10254|18080" # Replacers - action: replace target_label: __metrics_path__ regex: /metrics - action: labelmap regex: __meta_kubernetes_pod_label_(.+) - source_labels: [__meta_kubernetes_namespace] action: replace target_label: kubernetes_namespace - source_labels: [__meta_kubernetes_pod_name] action: replace target_label: kubernetes_pod_name - source_labels: [__meta_kubernetes_pod_name] regex: (.*) action: replace target_label: instance replacement: "$1"
-
Analyze all other changes.
Step 5: Upgrade the Ingress controller¶
There are three ways of upgrading the Wallarm Ingress controller. Depending on whether there is a load balancer deployed to your environment, select the upgrade method:
-
Deployment of the temporary Ingress controller
-
Regular re‑creation of the Ingress controller release
-
Ingress controller release re‑creation without affecting the load balancer
Using the staging environment or minikube
If the Wallarm Ingress controller is deployed to your staging environment, it is recommended to upgrade it first. With all services operating correctly in the staging environment, you can proceed to the upgrade procedure in the production environment.
Unless it is recommended to deploy the Wallarm Ingress controller 3.6 with the updated configuration using minikube or another service first. Ensure all services operates as expected and then upgrade the Ingress controller in the production environment.
This approach helps to avoid downtime of the services in the production environment.
Method 1: Deployment of the temporary Ingress controller¶
By using this method, you can deploy Ingress Controller 3.6 as an additional entity in your environment and switch the traffic to it gradually. It helps to avoid even temporary downtime of services and ensures safe migration.
-
Copy the IngressClass configuration from the
values.yaml
file of the previous version to thevalues.yaml
file for the Ingress controller 3.6.With this configuration, the Ingress controller will identify the Ingress objects but will not process their traffic.
-
Deploy the Ingress controller 3.6:
helm install <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 3.6.9 -f <PATH_TO_VALUES>
<RELEASE_NAME>
: the name for the Ingress controller release<NAMESPACE>
: the namespace to deploy the Ingress controller to<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Ingress controller 3.6 settings
-
Ensure all services operate correctly.
-
Switch the load to the new Ingress controller gradually.
Method 2: Regular re‑creation of the Ingress controller release¶
If the load balancer and Ingress controller are NOT described in the same Helm chart, you can just re‑create the Helm release. It will take several minutes and the Ingress controller will be unavailable for this time.
If Helm chart sets the configuration of a load balancer
If Helm chart sets the configuration of a load balancer along with the Ingress controller, release re‑creation can lead to a long load balancer downtime (depends on the cloud provider). The load balancer IP address can be changed after the upgrade if the constant address was not assigned.
Please analyze all possible risks if using this method.
To re‑create the Ingress controller release:
-
Delete the previous release:
-
<RELEASE_NAME>
: the name of the release with the deployed Ingress controller -
<NAMESPACE>
: the namespace the Ingress controller is deployed to
Please do not use the
--wait
option when executing the command since it can increase the upgrade time. -
-
Create a new release with Ingress controller 3.6:
helm install <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 3.6.9 -f <PATH_TO_VALUES>
-
<RELEASE_NAME>
: the name for the Ingress controller release -
<NAMESPACE>
: the namespace to deploy the Ingress controller to -
<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Ingress controller 3.6 settings
-
-
Set the
wait = false
option in the Terraform configuration to decrease the upgrade time: -
Delete the previous release:
-
Create the new release with the Ingress controller 3.6:
Method 3: Ingress controller release re‑creation without affecting the load balancer¶
When using the load balancer configured by the cloud provider, it is recommended to upgrade the Ingress controller with this method because it does not affect the load balancer.
Release re‑creation will take several minutes and the Ingress controller will be unavailable for this time.
-
Get objects to be deleted (except for the load balancer):
helm get manifest <RELEASE_NAME> -n <NAMESPACE> | yq -r '. | select(.spec.type != "LoadBalancer") | .kind + "/" + .metadata.name' | tr 'A-Z' 'a-z' > objects-to-remove.txt
To install the utility
yq
, please use the instructions.Objects to be deleted will be output to the
objects-to-remove.txt
file. -
Delete listed objects and re‑create the relese:
cat objects-to-remove.txt | xargs kubectl delete --wait=false -n <NAMESPACE> && \ helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 3.6.9 -f `<PATH_TO_VALUES>`
To decrease service downtime, it is NOT recommended to execute commands separately.
-
Ensure all objects are created:
The output should say that all objects already exist.
There are the following parameters passed in the commands:
-
<RELEASE_NAME>
: the name of the release with the deployed Ingress controller -
<NAMESPACE>
: the namespace the Ingress controller is deployed to -
<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Ingress controller 3.6 settings
Step 6: Test the upgraded Ingress controller¶
-
Check that the version of the Helm chart was updated:
The chart version should correspond to
wallarm-ingress-3.6.9
. -
Get the list of pods specifying the name of the Wallarm Ingress controller in
<INGRESS_CONTROLLER_NAME>
:Each pod status should be STATUS: Running or READY: N/N. For example:
-
Send the request with test SQLI and XSS attacks to the Wallarm Ingress controller address:
If the filtering node is working in the
block
mode, the code403 Forbidden
will be returned in the response to the request and attacks will be displayed in Wallarm Console → Events.
Step 7: Adjust the Ingress annotations to released changes¶
Adjust the following Ingress annotations to the changes released in Ingress controller 3.6:
-
If the Ingress is annotated with
nginx.ingress.kubernetes.io/wallarm-instance
, rename this annotation tonginx.ingress.kubernetes.io/wallarm-application
.Only the annotation name has changed, its logic remains the same. The annotation with the former name will be deprecated soon, so you are recommended to rename it before.
-
If the page
&/usr/share/nginx/html/wallarm_blocked.html
configured via Ingress annotations is returned to blocked requests, adjust its configuration to the released changes.In new node versions, the Wallarm blocking page has the updated UI with no logo and support email specified by default.