
Wallarm-Specific Values of the Sidecar Proxy Helm Chart

This document describes Wallarm-specific Helm chart values you can change during Wallarm Sidecar deployment or upgrade. The Wallarm-specific and other chart values are for global configuration of the Sidecar proxy Helm chart.

Priorities of global and per-pod settings

Per-pod annotations take precedence over Helm chart values.

The Wallarm-specific part of the default values.yaml looks like the following:

config:
  wallarm:
    api:
      token: ""
      host: api.wallarm.com
      port: 443
      useSSL: true
      caVerify: true
      existingSecret:
        enabled: false
        secretKey: token
        secretName: wallarm-api-token
    fallback: "on"
    mode: monitoring
    modeAllowOverride: "on"
    enableLibDetection: "on"
    parseResponse: "on"
    parseWebsocket: "off"
    unpackResponse: "on"
    ...
postanalytics:
  external:
    enabled: false
    host: ""
    port: 3313
  ...

config.wallarm.api.token

The Wallarm node token created in Wallarm Console in the US or EU Cloud. It is required to access Wallarm API.

The parameter is ignored if config.wallarm.api.existingSecret.enabled: true.

config.wallarm.api.host

Wallarm API endpoint. Can be:

  • us1.api.wallarm.com for the US cloud

  • api.wallarm.com for the EU cloud (default)

config.wallarm.api.existingSecret

Starting from the Helm chart version 4.4.4, you can use this configuration block to pull a Wallarm node token value from Kubernetes secrets. It is useful for environments with separate secret management (e.g. you use an external secrets operator).

To store the node token in K8s secrets and pull it to the Helm chart:

  1. Create a Kubernetes secret with the Wallarm node token:

    kubectl -n <KUBERNETES_NAMESPACE> create secret generic wallarm-api-token --from-literal=token=<WALLARM_NODE_TOKEN>
    
    • <KUBERNETES_NAMESPACE> is the Kubernetes namespace you have created for the Helm release with Wallarm Sidecar controller
    • wallarm-api-token is the Kubernetes secret name
    • <WALLARM_NODE_TOKEN> is the Wallarm node token value copied from the Wallarm Console UI

    If using some external secret operator, follow appropriate documentation to create a secret.

  2. Set the following configuration in values.yaml:

    config:
      wallarm:
        api:
          token: ""
          existingSecret:
            enabled: true
            secretKey: token
            secretName: wallarm-api-token
    

Default value: existingSecret.enabled: false, which makes the Helm chart read the Wallarm node token from config.wallarm.api.token.

config.wallarm.fallback

With the value set to on (default), NGINX services can enter an emergency mode: if proton.db or the custom ruleset cannot be downloaded because the Wallarm Cloud is unavailable, this setting disables the Wallarm module and keeps NGINX functioning.

Pod's annotation: sidecar.wallarm.io/wallarm-fallback.

config.wallarm.mode

Global traffic filtration mode. Possible values:

  • monitoring (default)

  • safe_blocking

  • block

  • off

Pod's annotation: sidecar.wallarm.io/wallarm-mode.

config.wallarm.modeAllowOverride

Manages the ability to override the wallarm_mode values via settings in the Cloud. Possible values:

  • on (default)

  • off

  • strict

Pod's annotation: sidecar.wallarm.io/wallarm-mode-allow-override.

config.wallarm.enableLibDetection

Whether to additionally validate the SQL Injection attacks using the libdetection library. Possible values:

  • on (default)

  • off

Pod's annotation: sidecar.wallarm.io/wallarm-enable-libdetection.

config.wallarm.parseResponse

Whether to analyze the application responses for attacks. Possible values:

  • on (default)

  • off

Response analysis is required for vulnerability detection during passive detection and active threat verification.

Pod's annotation: sidecar.wallarm.io/wallarm-parse-response.

config.wallarm.parseWebsocket

Wallarm has full WebSockets support. By default, WebSocket messages are not analyzed for attacks. To enable the feature, activate the API Security subscription plan and use this setting.

Possible values:

  • on

  • off (default)

Pod's annotation: sidecar.wallarm.io/wallarm-parse-websocket.

config.wallarm.unpackResponse

Whether to decompress compressed data returned in the application response:

  • on (default)

  • off

Pod's annotation: sidecar.wallarm.io/wallarm-unpack-response.
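The settings above each have a global chart value and a per-pod annotation, and the annotation wins. The following script is an added example, not part of the Wallarm documentation or the Sidecar chart: it computes the settings a pod actually runs with and lists where a pod's annotations relax the global configuration (a less restrictive filtration mode, or a piece of traffic analysis switched off), which is what you want to audit when the chart says block but a workload says otherwise. The annotation names and value sets are the ones listed on this page; the chart values and pod annotations in the script are constructed.

```python
# Added example, not part of the Wallarm documentation or the Sidecar chart:
# compute the settings a pod actually runs with, given the chart's global
# values and the pod's annotations, and list where the annotations relax the
# global configuration. Annotation names and value sets are those listed in
# this document; the chart values and pod annotations below are constructed.

ANNOTATION_TO_VALUE = {
    "sidecar.wallarm.io/wallarm-fallback": "fallback",
    "sidecar.wallarm.io/wallarm-mode": "mode",
    "sidecar.wallarm.io/wallarm-mode-allow-override": "modeAllowOverride",
    "sidecar.wallarm.io/wallarm-enable-libdetection": "enableLibDetection",
    "sidecar.wallarm.io/wallarm-parse-response": "parseResponse",
    "sidecar.wallarm.io/wallarm-parse-websocket": "parseWebsocket",
    "sidecar.wallarm.io/wallarm-unpack-response": "unpackResponse",
}

ON_OFF = {"on", "off"}
ALLOWED = {
    "fallback": ON_OFF,
    "mode": {"monitoring", "safe_blocking", "block", "off"},
    "modeAllowOverride": {"on", "off", "strict"},
    "enableLibDetection": ON_OFF,
    "parseResponse": ON_OFF,
    "parseWebsocket": ON_OFF,
    "unpackResponse": ON_OFF,
}

# Filtration modes from least to most restrictive; a per-pod mode that sits
# further left than the chart's mode weakens protection for that pod.
MODE_STRENGTH = ["off", "monitoring", "safe_blocking", "block"]
# Switches whose "off" value turns a piece of traffic analysis off.
ANALYSIS_SWITCHES = {"enableLibDetection", "parseResponse", "parseWebsocket", "unpackResponse"}

# Constructed chart values (the config.wallarm block of values.yaml).
CHART_VALUES = {"config": {"wallarm": {
    "fallback": "on", "mode": "block", "modeAllowOverride": "on",
    "enableLibDetection": "on", "parseResponse": "on",
    "parseWebsocket": "off", "unpackResponse": "on",
}}}

# Constructed pod annotations: one relaxes the mode, one disables response
# parsing, one belongs to another controller and is ignored.
POD_ANNOTATIONS = {
    "sidecar.wallarm.io/wallarm-mode": "monitoring",
    "sidecar.wallarm.io/wallarm-parse-response": "off",
    "prometheus.io/scrape": "true",
}


def annotation_errors(pod_annotations):
    """Wallarm annotations whose value is outside the documented set."""
    errors = []
    for annotation, value in pod_annotations.items():
        name = ANNOTATION_TO_VALUE.get(annotation)
        if name is not None and value not in ALLOWED[name]:
            errors.append(f"{annotation}={value!r}: expected one of {sorted(ALLOWED[name])}")
    return errors


def effective_settings(chart_values, pod_annotations):
    """Map each setting to (value, source); annotations override chart values."""
    base = chart_values["config"]["wallarm"]
    result = {name: (base[name], "chart") for name in ALLOWED}
    for annotation, value in pod_annotations.items():
        name = ANNOTATION_TO_VALUE.get(annotation)
        if name is None:
            continue  # not a Wallarm sidecar annotation
        if value not in ALLOWED[name]:
            raise ValueError(f"{annotation}={value!r} is not a documented value")
        result[name] = (value, "annotation")
    return result


def weakened_settings(chart_values, pod_annotations):
    """Settings that the pod's annotations make less strict than the chart."""
    base = chart_values["config"]["wallarm"]
    weakened = []
    for name, (value, source) in effective_settings(chart_values, pod_annotations).items():
        if source != "annotation" or value == base[name]:
            continue
        if name == "mode" and MODE_STRENGTH.index(value) < MODE_STRENGTH.index(base[name]):
            weakened.append(name)
        elif name in ANALYSIS_SWITCHES and value == "off":
            weakened.append(name)
    return weakened


if __name__ == "__main__":
    for name, (value, source) in effective_settings(CHART_VALUES, POD_ANNOTATIONS).items():
        print(f"{name:20} {value:15} ({source})")
    print("weakened by annotations:", weakened_settings(CHART_VALUES, POD_ANNOTATIONS))
```

Feed it the annotations from `kubectl get pod ... -o jsonpath='{.metadata.annotations}'` and the config.wallarm block of your values.yaml to see, per workload, which pods run weaker than the global configuration. fallback and modeAllowOverride are reported but not classified, since their direction is a deployment decision rather than a simple on/off of analysis.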

postanalytics.external.enabled

Determines whether to use the Wallarm postanalytics (Tarantool) module installed on an external host or the one installed during the Sidecar solution deployment.

This feature is supported starting from Helm release 4.6.4.

Possible values:

  • false (default): use the postanalytics module deployed by the Sidecar solution.

  • true: use an external postanalytics module; provide its address in the postanalytics.external.host and postanalytics.external.port values.

If set to true, the Sidecar solution does not run the postanalytics module, but expects to reach it at the specified postanalytics.external.host and postanalytics.external.port.

postanalytics.external.host

The domain or IP address of the separately installed postanalytics module. This field is required if postanalytics.external.enabled is set to true.

This feature is supported starting from Helm release 4.6.4.

Example values: tarantool.domain.external or 10.10.0.100.

The specified host must be accessible from the Kubernetes cluster where the Sidecar Helm chart is deployed.

postanalytics.external.port

The TCP port on which the Wallarm postanalytics module listens. The default is 3313, the port on which the Sidecar solution deploys the module.

If postanalytics.external.enabled is set to true, specify the port on which the module is running on the specified external host.
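The following script is an added example, not part of the Wallarm documentation or the Sidecar chart. It ties together the existingSecret procedure above, the documented value sets, and the postanalytics.external.* requirements: it reads the Wallarm section of a values.yaml with a minimal parser for the nested-map subset that section uses (so it runs without PyYAML) and reports inconsistencies before helm install: a node token that is set but ignored, or missing, an existingSecret block without a secret name or key, caVerify switched off, values outside the documented sets, and an external postanalytics module enabled without a host or valid port. The sample values.yaml is constructed; the field names are the ones on this page.

```python
# Added example, not part of the Wallarm documentation or the Sidecar chart:
# a pre-deployment consistency check for the Wallarm section of values.yaml.
# The parser below handles only the nested-map subset that section uses.

# Constructed sample: token pulled from a secret, external postanalytics
# enabled but with an empty host (one problem the check must report).
SAMPLE_VALUES = """\
config:
  wallarm:
    api:
      token: ""
      host: api.wallarm.com
      port: 443
      useSSL: true
      caVerify: true
      existingSecret:
        enabled: true
        secretKey: token
        secretName: wallarm-api-token
    fallback: "on"
    mode: block
    modeAllowOverride: "on"
    enableLibDetection: "on"
    parseResponse: "on"
    parseWebsocket: "off"
    unpackResponse: "on"
postanalytics:
  external:
    enabled: true
    host: ""
    port: 3313
"""


def _scalar(raw):
    """Quoted text stays a string; unquoted on/off/yes/no become booleans,
    as YAML 1.1 parsers such as PyYAML treat them."""
    if raw[:1] in ('"', "'") and raw[-1:] == raw[:1]:
        return raw[1:-1]
    low = raw.lower()
    if low in ("true", "yes", "on"):
        return True
    if low in ("false", "no", "off"):
        return False
    return int(raw) if raw.isdigit() else raw


def parse_values(text):
    """Parse nested maps with scalar leaves; comments and '...' lines are skipped."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        body = line.strip()
        if not body or body.startswith("#") or body == "...":
            continue
        indent = len(line) - len(line.lstrip(" "))
        while indent <= stack[-1][0]:
            stack.pop()
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            stack[-1][1][key] = _scalar(value)
        else:
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root


ON_OFF = {"on", "off"}
EXPECTED = {
    "fallback": ON_OFF, "mode": {"monitoring", "safe_blocking", "block", "off"},
    "modeAllowOverride": {"on", "off", "strict"}, "enableLibDetection": ON_OFF,
    "parseResponse": ON_OFF, "parseWebsocket": ON_OFF, "unpackResponse": ON_OFF,
}


def validate_values(values):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    wallarm = values.get("config", {}).get("wallarm", {})
    api = wallarm.get("api", {})
    secret = api.get("existingSecret", {})
    if secret.get("enabled") is True:
        for field in ("secretName", "secretKey"):
            if not secret.get(field):
                problems.append(f"existingSecret.enabled is true but {field} is empty")
        if api.get("token"):
            problems.append("config.wallarm.api.token is set but ignored while existingSecret.enabled is true")
    elif not api.get("token"):
        problems.append("config.wallarm.api.token is empty and existingSecret is disabled: no node token")
    if api.get("caVerify") is False:
        problems.append("config.wallarm.api.caVerify is false: the Wallarm API certificate is not verified")
    for name, allowed in EXPECTED.items():
        if name not in wallarm:
            continue  # chart default applies
        value = wallarm[name]
        if isinstance(value, bool):
            problems.append(f"config.wallarm.{name} parsed as a boolean; quote the value as the chart defaults do")
        elif value not in allowed:
            problems.append(f"config.wallarm.{name}={value!r} is not one of {sorted(allowed)}")
    ext = values.get("postanalytics", {}).get("external", {})
    if ext.get("enabled") is True:
        if not ext.get("host"):
            problems.append("postanalytics.external.enabled is true but postanalytics.external.host is empty")
        port = ext.get("port")
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"postanalytics.external.port={port!r} is not a valid TCP port")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VALUES
    for problem in validate_values(parse_values(text)):
        print(problem)
```

Run it as `python check_values.py values.yaml` before `helm install` or `helm upgrade`. The boolean check exists because YAML 1.1 parsers read an unquoted on or off as true or false, which is presumably why the chart's own defaults quote these values; an unquoted `mode: off` therefore does not arrive at the chart as the string the documentation lists.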