Upgrading NGINX Ingress controller with integrated Wallarm modules¶
These instructions describe the steps to upgrade deployed Wallarm NGINX-based Ingress Controller 4.x to the new version with Wallarm node 4.6.
To upgrade the end‑of‑life node (3.6 or lower), please use the different instructions.
Requirements¶
-
Kubernetes platform version 1.24-1.26
-
Helm package manager
-
Compatibility of your services with the Community Ingress NGINX Controller version 1.7.1
-
Access to the account with the Administrator role in Wallarm Console for the US Cloud or EU Cloud
-
Access to
https://us1.api.wallarm.comfor working with US Wallarm Cloud or tohttps://api.wallarm.comfor working with EU Wallarm Cloud -
Access to
https://charts.wallarm.comto add the Wallarm Helm charts. Ensure the access is not blocked by a firewall -
Access to the Wallarm repositories on Docker Hub
https://hub.docker.com/r/wallarm. Make sure the access is not blocked by a firewall -
Access to GCP storage addresses to download an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers
Step 1: Update the Wallarm Helm chart repository¶
helm repo update wallarm
Step 2: Check out all coming K8s manifest changes¶
To avoid unexpectedly changed Ingress controller behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Ingress controller version and of the new one.
To install and run the plugin:
-
Install the plugin:
helm plugin install https://github.com/databus23/helm-diff -
Run the plugin:
helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 4.6.3 -f <PATH_TO_VALUES><RELEASE_NAME>: the name of the Helm release with the Ingress controller chart<NAMESPACE>: the namespace the Ingress controller is deployed to<PATH_TO_VALUES>: the path to thevalues.yamlfile defining the Ingress controller 4.6 settings - you can use the one created for running the previous Ingress controller version
-
Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.
If stdout is empty, make sure that the
values.yamlfile is valid.
Step 3: Upgrade the Ingress controller¶
Upgrade the deployed NGINX Ingress controller:
helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-ingress --version 4.6.3 -f <PATH_TO_VALUES>
-
<RELEASE_NAME>: the name of the Helm release with the Ingress controller chart -
<NAMESPACE>: the namespace the Ingress controller is deployed to -
<PATH_TO_VALUES>: the path to thevalues.yamlfile defining the Ingress controller 4.6 settings - you can use the one created for running the previous Ingress controller version
Step 4: Test the upgraded Ingress controller¶
-
Make sure the version of the Helm chart was upgraded:
helm list -n <NAMESPACE>Where
<NAMESPACE>is the namespace the Helm chart with the Ingress controller is deployed to.The chart version should correspond to
wallarm-ingress-4.6.3. -
Get the list of pods:
kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=wallarm-ingressEach pod status should be STATUS: Running or READY: N/N. For example:
NAME READY STATUS RESTARTS AGE ingress-controller-nginx-ingress-controller-675c68d46d-cfck8 4/4 Running 0 5m ingress-controller-nginx-ingress-controller-wallarm-tarantljj8g 4/4 Running 0 5m -
Send the request with the test Path Traversal attack to the Wallarm Ingress controller address:
curl http://<INGRESS_CONTROLLER_IP>/etc/passwdCheck that the solution of the newer version processes the malicious request as it did in the previous version.
Step 5: Update the Wallarm blocking page¶
If the page &/usr/share/nginx/html/wallarm_blocked.html configured via Ingress annotations is returned to blocked requests, adjust its configuration to the released changes.
In new node versions, the Wallarm blocking page has the updated UI with no logo and support email specified by default.