Upgrading Wallarm Sidecar¶

These instructions describe the steps to upgrade Wallarm Sidecar solution.

Requirements¶

• Kubernetes platform version 1.19-1.29

• Helm v3 package manager

• An application deployed as a Pod in a Kubernetes cluster

• Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud

• Access to https://charts.wallarm.com to add the Wallarm Helm charts

• Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

• Access to the IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

  US CloudEU Cloud

  34.96.64.17
  34.110.183.149
  

  34.160.38.183
  34.144.227.90
  

• Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud

Step 1: Update the Wallarm Helm chart repository¶

helm repo update wallarm

Step 2: Check out all coming K8s manifest changes¶

To avoid unexpectedly changed Sidecar behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Sidecar version and of the new one.

To install and run the plugin:

1. Install the plugin:

   helm plugin install https://github.com/databus23/helm-diff
   

2. Run the plugin:

   helm diff upgrade <RELEASE_NAME> -n wallarm-sidecar wallarm/wallarm-sidecar --version 4.10.10 -f <PATH_TO_VALUES>
   

   • <RELEASE_NAME> is the name of the Wallarm Sidecar Helm release.
   • wallarm-sidecar is the namespace where the Wallarm Sidecar solution has been deployed. According to our deployment guide, it is most likely set to wallarm-sidecar.
   • <PATH_TO_VALUES>: the path to the values.yaml file defining the Sidecar settings - you can use the one created for running the previous Sidecar version.

3. Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.

   If stdout is empty, make sure that the values.yaml file is valid.

Upgrading from version 4.10.6 or lower¶

The release 4.10.7 introduces breaking changes, requiring a reinstallation of the solution. The default method for generating the admission webhook certificate has been replaced with the certgen process. During the upgrade, certificates will be automatically generated using the new certgen process.

Additionally, this release allows you to use cert-manager for admission webhook certificate provisioning or specify certificates manually.

Step 3: Uninstall the previous version of the solution¶

helm uninstall <RELEASE_NAME> -n wallarm-sidecar

Step 4: Remove previous certificate artifacts¶

kubectl delete MutatingWebhookConfiguration <RELEASE_NAME>-wallarm-sidecar
kubectl delete secret <RELEASE_NAME>-wallarm-sidecar-admission-tls -n wallarm-sidecar

Step 5: Deploy the new solution version¶

helm install --version 4.10.10 <RELEASE_NAME> wallarm/wallarm-sidecar --wait -n wallarm-sidecar -f <PATH_TO_VALUES>

• <RELEASE_NAME> is the name for the Helm release. It is recommended to re-use the same name you used for the initial deployment of the solution.

• wallarm-sidecar is the namespace to deploy the Helm release. It is recommended to re-use the same namespace you used for the initial deployment of the solution.

• <PATH_TO_VALUES> is the path to the values.yaml file. You can re-use the one generated during the initial deployment, no changes are required for upgrading.

Upgrading from version 4.10.7 or above¶

Step 3: Upgrade the Sidecar solution¶

Upgrade the deployed components of the Sidecar solution:

helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-sidecar --version 4.10.10 -f <PATH_TO_VALUES>

• <RELEASE_NAME>: the name of the Helm release with the deployed Sidecar chart

• <NAMESPACE>: the namespace the Sidecar is deployed to

• <PATH_TO_VALUES>: the path to the values.yaml file defining the Sidecar 4.8 settings - you can use the one created for running the previous Sidecar version

Test the upgraded Sidecar solution¶

1. Make sure the version of the Helm chart was upgraded:

   helm list -n wallarm-sidecar
   

   Where wallarm-sidecar is the namespace the Sidecar is deployed to. You can change this value if the namespace is different.

   The chart version should correspond to wallarm-sidecar-4.10.10.

2. Get the Wallarm control plane details to check it has been successfully started:

   kubectl get pods -n wallarm-sidecar -l app.kubernetes.io/name=wallarm-sidecar
   

   Each pod should display the following: READY: N/N and STATUS: Running, e.g.:

   NAME                                              READY   STATUS    RESTARTS   AGE
   wallarm-sidecar-controller-54cf88b989-gp2vg      1/1     Running   0          91m
   wallarm-sidecar-postanalytics-86d9d4b6cd-hpd5k   4/4     Running   0          91m
   

3. Send the test Path Traversal attack to the application cluster address:

   curl http://<APPLICATION_CLUSTER_IP>/etc/passwd
   

   The requested application Pod should have the wallarm-sidecar: enabled label.

   Check that the solution of the newer version processes the malicious request as it did in the previous version.

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send