Upgrading NGINX Ingress controller with integrated Wallarm modules¶

These instructions describe the steps to upgrade deployed Wallarm NGINX-based Ingress Controller to the latest 6.x.

To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.

Requirements¶

Kubernetes platform version 1.26-1.30
Helm package manager
Compatibility of your services with the Community Ingress NGINX Controller version 1.11.5
Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud
Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud
Access to https://charts.wallarm.com to add the Wallarm Helm charts. Ensure the access is not blocked by a firewall
Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm. Make sure the access is not blocked by a firewall
Access to the IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers
US CloudEU Cloud
34.96.64.17 34.110.183.149 35.235.66.155 34.102.90.100 34.94.156.115 35.235.115.105
34.160.38.183 34.144.227.90 34.90.110.226

Step 1: Update the Wallarm Helm chart repository¶

helm repo update wallarm

Step 2: Check out all coming K8s manifest changes¶

To avoid unexpectedly changed Ingress controller behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Ingress controller version and of the new one.

To install and run the plugin:

Install the plugin:

helm plugin install https://github.com/databus23/helm-diff

Run the plugin:
```
helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 6.0.2 -f <PATH_TO_VALUES>
```
- <RELEASE_NAME>: the name of the Helm release with the Ingress controller chart.
- <NAMESPACE>: the namespace the Ingress controller is deployed to.
- <PATH_TO_VALUES>: the path to the values.yaml file with Ingress Controller 6.x settings. You can reuse the previous version's file, updating it for the Tarantool-to-wstore transition.
  
  Helm values renamed: controller.wallarm.tarantool → controller.wallarm.postanalytics. Apply this change in values.yaml if postanalytics memory is explicitly allocated.
Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.

If stdout is empty, make sure that the values.yaml file is valid.

Step 3: Upgrade the Ingress controller¶

It is recommended to first upgrade the NGINX Ingress Controller in a staging Kubernetes environment to validate the changes before deploying to production.

Upgrade the deployed NGINX Ingress controller:

helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 6.0.2 -f <PATH_TO_VALUES>

<RELEASE_NAME>: the name of the Helm release with the Ingress controller chart
<NAMESPACE>: the namespace the Ingress controller is deployed to
<PATH_TO_VALUES>: the path to the values.yaml file with Ingress Controller 6.x settings. You can reuse the previous version's file, updating it for the Tarantool-to-wstore transition:

Helm values renamed: controller.wallarm.tarantool → controller.wallarm.postanalytics. Apply this change in values.yaml if postanalytics memory is explicitly allocated.

Step 4: Test the upgraded Ingress controller¶

Make sure the version of the Helm chart was upgraded:
```
helm list -n <NAMESPACE>
```
Where <NAMESPACE> is the namespace the Helm chart with the Ingress controller is deployed to.

The chart version should correspond to wallarm-ingress-6.0.2.

Get the Wallarm pod:

kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=wallarm-ingress

The pod status should be STATUS: Running and READY: N/N:

NAME                                                              READY     STATUS    RESTARTS   AGE
ingress-controller-wallarm-ingress-controller-675c68d46d-cfck8      1/1       Running   0          5m

If upgrading from the version 5.x or lower, you will notice that there is no separate Tarantool pod anymore, wstore runs within the main <CHART_NAME>-wallarm-ingress-controller-xxx pod.

Send the request with the test Path Traversal attack to the Wallarm Ingress controller address:
```
curl http://<INGRESS_CONTROLLER_IP>/etc/passwd
```
Check that the solution of the newer version processes the malicious request as it did in the previous version.

Once the upgrade is successfully validated in the staging environment, proceed with upgrading the production environment.