Upgrading Kong Ingress controller with integrated Wallarm modules¶

These instructions describe the steps to upgrade deployed Wallarm Kong-based Ingress Controller 4.x to the new version with Wallarm node 4.6.

Requirements¶

Kubernetes platform version 1.22-1.26
K8s Ingress resources that configure Kong to route API calls to the microservices you want to protect
Compatibility of K8s Ingress resources with Kong 3.1.x
Helm v3 package manager
Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud
Access to https://charts.wallarm.com to add the Wallarm Helm charts
Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm
Access to the IP addresses of Google Cloud Storage listed within the link. When you allowlist, denylist, or graylist entire countries, regions, or data centers instead of individual IP addresses, the Wallarm node retrieves precise IP addresses related to the entries in the IP lists from the aggregated database hosted on Google Storage
Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud

Step 1: Update the Wallarm Helm chart repository¶

helm repo update wallarm

Step 2: Check out all coming K8s manifest changes¶

To avoid unexpectedly changed Ingress controller behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Ingress controller version and of the new one.

To install and run the plugin:

Install the plugin:

helm plugin install https://github.com/databus23/helm-diff

Run the plugin:
```
helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/kong --version 4.6.3 -f <PATH_TO_VALUES>
```
- <RELEASE_NAME>: the name of the Helm release with the Ingress controller chart
- <NAMESPACE>: the namespace the Helm chart with the Ingress controller is deployed to
- <PATH_TO_VALUES>: the path to the values.yaml file defining the Ingress controller 4.6 settings - you can use the one created for running the previous Ingress controller version
Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.

If stdout is empty, make sure that the values.yaml file is valid.

Step 3: Upgrade the Ingress controller¶

Upgrade the deployed Kong Ingress controller:

helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/kong --version 4.6.3 -f <PATH_TO_VALUES>

<RELEASE_NAME>: the name of the Helm release with the Ingress controller chart
<NAMESPACE>: the namespace the Helm chart with the Ingress controller is deployed to
<PATH_TO_VALUES>: the path to the values.yaml file defining the Ingress controller 4.6 settings - you can use the one created for running the previous Ingress controller version

Step 4: Test the upgraded Ingress controller¶

Make sure the version of the Helm chart was upgraded:
```
helm list -n <NAMESPACE>
```
Where <NAMESPACE> is the namespace the Helm chart with the Ingress controller is deployed to.

The chart version should correspond to kong-4.6.3.

Get the Wallarm pod details to check they have been successfully started:

kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=kong

Each pod should display the following: READY: N/N and STATUS: Running, e.g.:

NAME                                                      READY   STATUS    RESTARTS   AGE
wallarm-ingress-kong-54cf88b989-gp2vg                     1/1     Running   0          91m
wallarm-ingress-kong-wallarm-tarantool-86d9d4b6cd-hpd5k   4/4     Running   0          91m

Send the test Path Traversal attacks to the Kong Ingress Controller Service:
```
curl http://<INGRESS_CONTROLLER_IP>/etc/passwd
```
Check that the solution of the newer version processes the malicious request as it did in the previous version.