Configuring Native Node with the Helm Chart¶
When deploying the self-hosted Wallarm Native Node using the Helm chart, configuration is specified in the values.yaml
file or through the CLI. This document outlines the available configuration parameters.
To modify settings after deployment, use the following command with the parameters you wish to change:
helm upgrade --set config.api.token=<VALUE> <WALLARM_RELEASE_NAME> wallarm/wallarm-node-native -n wallarm-node
Basic settings¶
The Wallarm-specific part of the default values.yaml that you are most likely to need to change looks like the following:
config:
  api:
    token: ""
    host: api.wallarm.com
    nodeGroup: "defaultNodeNextGroup"
  connector:
    certificate:
      enabled: true
      certManager:
        enabled: false
        # issuerRef:
        #   name: letsencrypt-prod
        #   kind: ClusterIssuer
      existingSecret:
        enabled: false
        # name: my-secret-name
      customSecret:
        enabled: false
        # ca: LS0...
        # crt: LS0...
        # key: LS0...
    allowed_hosts: []
    mode: block
    route_config: {}
      # wallarm_application: -1
      # routes:
      #   - route: "/api/v1"
      #     wallarm_application: 1
      #   - route: "/extra_api"
      #     wallarm_application: 2
      #   - route: "/testing"
      #     wallarm_mode: monitoring
      #   - host: "example.com"
      #     route: /api
      #     wallarm_application: 3
    log_level: debug
processing:
  service:
    type: LoadBalancer
    port: 5000
config.api.token (required)¶
An API token for connecting the node to the Wallarm Cloud.
To generate an API token:
- Go to Wallarm Console → Settings → API tokens in either the US Cloud or EU Cloud.
- Create an API token with the Deploy source role.
config.api.host¶
Wallarm API endpoint. The value depends on the Wallarm Cloud (US or EU) your account is in.
Default value: api.wallarm.com
config.api.nodeGroup¶
This specifies the name of the group of filtering nodes you want to add newly deployed nodes to.
Default value: defaultNodeNextGroup
config.connector.certificate.enabled (required)¶
Controls whether the Wallarm Load Balancer uses an SSL/TLS certificate for secure communication. It must be set to true, and a trusted certificate must be issued for the communication.
To manage the SSL/TLS certificate, use one of the certManager, existingSecret or customSecret approaches described below.
certManager¶
If you use cert-manager in your cluster and prefer it for generating the SSL/TLS certificate, specify the corresponding configuration in this section.
Example configuration:
config:
  connector:
    certificate:
      enabled: true
      certManager:
        enabled: true
        issuerRef:
          # The name of the cert-manager Issuer or ClusterIssuer
          name: letsencrypt-prod
          # Whether it is an Issuer (namespace-scoped) or a ClusterIssuer (cluster-wide)
          kind: ClusterIssuer
existingSecret¶
You can use this configuration block to pull an SSL/TLS certificate from an existing Kubernetes secret in the same namespace.
Example configuration:
config:
  connector:
    certificate:
      enabled: true
      existingSecret:
        enabled: true
        # The name of the Kubernetes secret containing the certificate and private key
        name: my-secret-name
customSecret¶
The customSecret configuration allows you to define a certificate directly within the configuration file, without relying on external sources like Kubernetes secrets or cert-manager.
The certificate, private key, and optionally a CA should be specified as base64-encoded values.
Example configuration:
config:
  connector:
    certificate:
      enabled: true
      customSecret:
        enabled: true
        ca: LS0...
        crt: LS0...
        key: LS0...
config.connector.allowed_hosts¶
A list of allowed hostnames.
Default value: [] (all hosts are allowed).
This parameter supports wildcard matching:
- * matches any sequence of non-separator characters
- ? matches any single non-separator character
- '[' [ '^' ] { character-range } ']' matches a character class
Wildcard matching syntax details:
  The pattern syntax is:

  pattern:
      { term }
  term:
      '*'         matches any sequence of non-Separator characters
      '?'         matches any single non-Separator character
      '[' [ '^' ] { character-range } ']'
                  character class (must be non-empty)
      c           matches character c (c != '*', '?', '\\', '[')
      '\\' c      matches character c

  character-range:
      c           matches character c (c != '\\', '-', ']')
      '\\' c      matches character c
      lo '-' hi   matches character c for lo <= c <= hi

  Match requires pattern to match all of name, not just a substring.
config.connector.mode¶
General traffic filtration mode: block, safe_blocking, monitoring or off. In OOB mode, traffic blocking is not supported.
Default: block.
The mode can be overridden for specific routes.
config.connector.route_config¶
Configuration section where you specify settings for specific routes.
config.connector.route_config.wallarm_application¶
Wallarm application ID. This value can be overridden for specific routes.
Default: -1.
config.connector.route_config.routes¶
Sets route-specific Wallarm configuration. Includes Wallarm mode and application IDs. Example configuration:
config:
  connector:
    route_config:
      wallarm_application: 10
      routes:
        - host: example.com
          wallarm_application: 1
          routes:
            - route: /app2
              wallarm_application: 2
        - host: api.example.com
          route: /api
          wallarm_application: 100
        - route: /testing
          wallarm_mode: off
Note that YAML 1.1 parsers, including the one Helm uses to read values, treat an unquoted off (like on, yes and no) as a boolean rather than a string; quote the value ("off") to be sure it is passed as the mode name.
host¶
Specifies the route host. This parameter supports the same wildcard matching as the config.connector.allowed_hosts parameter.
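As an added example (not code from the Wallarm documentation or the chart), the following Go program checks hostnames against an allowed_hosts list and validates the patterns before deployment. It assumes the node applies the wildcard syntax quoted in the allowed_hosts section literally; that syntax is the grammar of Go's path.Match, which the program therefore uses. The same function covers the host field of a route entry, which uses the same wildcard syntax. The host list and sample hostnames are constructed.

```go
package main

import (
	"fmt"
	"path"
)

// HostAllowed reports whether host passes an allowed_hosts list. An empty list
// allows every host (the chart default). Each entry is matched with Go's
// path.Match, whose grammar is the one quoted in the syntax details, so
// '*' and '?' stop only at '/' and therefore span the dots in a hostname.
// A malformed pattern is reported instead of silently matching nothing.
func HostAllowed(allowedHosts []string, host string) (bool, error) {
	if len(allowedHosts) == 0 {
		return true, nil
	}
	for _, pattern := range allowedHosts {
		ok, err := path.Match(pattern, host)
		if err != nil {
			return false, fmt.Errorf("allowed_hosts pattern %q: %w", pattern, err)
		}
		if ok {
			return true, nil
		}
	}
	return false, nil
}

// ValidateAllowedHosts checks every pattern once, so a typo such as an
// unterminated '[' is caught before helm upgrade rather than when traffic
// arrives (path.Match validates the whole pattern since Go 1.16).
func ValidateAllowedHosts(allowedHosts []string) error {
	for _, pattern := range allowedHosts {
		if _, err := path.Match(pattern, ""); err != nil {
			return fmt.Errorf("allowed_hosts pattern %q: %w", pattern, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample list; not a value from the page.
	allowed := []string{"*.example.com", "api-v?.example.org", "[^t]*.internal"}
	hosts := []string{"shop.example.com", "a.b.example.com", "example.com",
		"api-v2.example.org", "test.internal", "db.internal"}
	for _, h := range hosts {
		ok, err := HostAllowed(allowed, h)
		fmt.Printf("%-20s allowed=%-5v err=%v\n", h, ok, err)
	}
	fmt.Println("bad pattern:", ValidateAllowedHosts([]string{"[abc"}))
}
```

Note that *.example.com matches a.b.example.com (dots are not separators) but not the apex example.com, which needs its own entry.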
routes.route or route¶
Defines specific routes. Routes can be configured with NGINX-like prefixes:
- route: [ = | ~ | ~* | ^~ | ]/location
  #        |   |   |    |   ^ prefix (lower priority than regexes)
  #        |   |   |    ^ prefix (higher priority than regexes)
  #        |   |   ^ re case insensitive
  #        |   ^ re case sensitive
  #        ^ exact match
For example, = /location matches only the exact route, while ~ /location (case-sensitive) or ~* /location (case-insensitive) matches routes with a regular expression.
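As an added example, not code from the page or the project, this Go function resolves a request path against a list of route values written with the prefixes above and returns the entry that applies. The page says only that the prefixes are NGINX-like, so the evaluation order is assumed to be NGINX's own location-selection order; the route values and paths are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SelectRoute returns the index of the routes entry handling path p, or -1 if none does.
// Order (an assumption: the page says only "NGINX-like"): "=" exact match wins; the longest
// prefix wins outright when marked "^~"; else the first matching regex; else longest prefix.
func SelectRoute(routes []string, p string) (int, error) {
	best, bestLen, bestStops, firstRe := -1, -1, false, -1
	for i, route := range routes {
		mod, loc := "", strings.TrimSpace(route)
		for _, m := range []string{"=", "^~", "~*", "~"} { // split the modifier; "~*" before "~"
			if strings.HasPrefix(loc, m) {
				mod, loc = m, strings.TrimSpace(loc[len(m):])
				break
			}
		}
		switch mod {
		case "=":
			if p == loc {
				return i, nil // an exact match ends the search
			}
		case "~", "~*": // "~*" is case-insensitive; a malformed regex is a config error
			re, err := regexp.Compile(map[string]string{"~*": "(?i)"}[mod] + loc)
			if err != nil {
				return -1, fmt.Errorf("route %q: %w", route, err)
			}
			if firstRe < 0 && re.MatchString(p) {
				firstRe = i // regexes are tried in list order; the first hit counts
			}
		default: // "" or "^~": prefix match, keep the longest
			if strings.HasPrefix(p, loc) && len(loc) > bestLen {
				best, bestLen, bestStops = i, len(loc), mod == "^~"
			}
		}
	}
	if bestStops || firstRe < 0 { // "^~" beats regexes; without a regex hit the prefix applies
		return best, nil
	}
	return firstRe, nil
}

func main() { // constructed routes; "^~ /static" must win over the image regex
	routes := []string{"/", "/api", "= /api/health", "^~ /static", `~* \.(png|jpg)$`, "~ ^/api/v[0-9]+"}
	fmt.Println(SelectRoute(routes, "/static/a.png")) // 3 <nil>
}
```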
wallarm_application¶
Sets the Wallarm application ID. Overrides the route_config.wallarm_application for specific endpoints.
wallarm_mode¶
Host-specific traffic filtration mode: block, safe_blocking, monitoring or off. In OOB mode, traffic blocking is not supported.
Default: monitoring.
config.connector.log_level¶
Log level, can be debug, info, warn, error or fatal.
Default: debug.
processing.service.type¶
Wallarm service type. Can be:
- LoadBalancer for running the service as a load balancer with a public IP for easy traffic routing. This is suitable for MuleSoft, Cloudflare or Amazon CloudFront connectors.
- ClusterIP for internal traffic, without exposing a public IP. This is suitable for Kong API Gateway or Istio connectors.
Default: ClusterIP.
processing.service.port¶
Wallarm service port.
Default: 5000.
Advanced settings¶
The Wallarm-specific part of the default values.yaml that you might additionally need to change looks like the following:
config:
  connector:
    http_inspector:
      workers: auto
      api_firewall_enabled: true
      wallarm_dir: /opt/wallarm/etc/wallarm
processing:
  metrics:
    enabled: true
    port: 9090
config.connector.http_inspector.workers¶
Wallarm worker number.
Default: auto, which means the number of workers is set to the number of CPU cores.
config.connector.http_inspector.api_firewall_enabled¶
Controls whether API Specification Enforcement is enabled. Please note that activating this feature does not substitute for the required subscription and configuration through the Wallarm Console UI.
Default: true.
config.connector.http_inspector.wallarm_dir¶
Specifies the directory path for node configuration files. Typically, you do not need to modify this parameter. If you need assistance, please contact the Wallarm support team.
Default: /opt/wallarm/etc/wallarm.
processing.metrics.enabled¶
Controls whether Prometheus metrics are enabled. This parameter must be set to true, as the Wallarm node does not function properly without it.
Default: true.
processing.metrics.port¶
Sets the address and port where Prometheus metrics are exposed. To access these metrics, use the /metrics endpoint.
Default: :9000 (all network interfaces on port 9000).