Upgrading Wallarm Sidecar¶
These instructions describe the steps to upgrade Wallarm Sidecar 4.x to the new version with Wallarm node 4.8.
Requirements¶
-
Kubernetes platform version 1.19-1.25
-
Helm v3 package manager
-
An application deployed as a Pod in a Kubernetes cluster
-
Access to
https://us1.api.wallarm.com
for working with US Wallarm Cloud or tohttps://api.wallarm.com
for working with EU Wallarm Cloud -
Access to
https://charts.wallarm.com
to add the Wallarm Helm charts -
Access to the Wallarm repositories on Docker Hub
https://hub.docker.com/r/wallarm
-
Access to the IP addresses of Google Cloud Storage listed within the link. When you allowlist, denylist, or graylist entire countries, regions, or data centers instead of individual IP addresses, the Wallarm node retrieves precise IP addresses related to the entries in the IP lists from the aggregated database hosted on Google Storage
-
Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud
Step 1: Update the Wallarm Helm chart repository¶
helm repo update wallarm
Step 2: Check out all coming K8s manifest changes¶
To avoid unexpectedly changed Sidecar behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Sidecar version and of the new one.
To install and run the plugin:
-
Install the plugin:
helm plugin install https://github.com/databus23/helm-diff
-
Run the plugin:
helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-sidecar --version 4.8.1 -f <PATH_TO_VALUES>
<RELEASE_NAME>
: the name of the Helm release with the Sidecar chart<NAMESPACE>
: the namespace the Sidecar is deployed to<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Sidecar 4.8 settings - you can use the one created for running the previous Sidecar version
-
Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.
If stdout is empty, make sure that the
values.yaml
file is valid.
Step 3: Upgrade the Sidecar solution¶
Upgrade the deployed components of the Sidecar solution:
helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-sidecar --version 4.8.1 -f <PATH_TO_VALUES>
-
<RELEASE_NAME>
: the name of the Helm release with the deployed Sidecar chart -
<NAMESPACE>
: the namespace the Sidecar is deployed to -
<PATH_TO_VALUES>
: the path to thevalues.yaml
file defining the Sidecar 4.8 settings - you can use the one created for running the previous Sidecar version
Step 4: Test the upgraded Sidecar solution¶
-
Make sure the version of the Helm chart was upgraded:
helm list -n wallarm-sidecar
Where
wallarm-sidecar
is the namespace the Sidecar is deployed to. You can change this value if the namespace is different.The chart version should correspond to
wallarm-sidecar-1.1.5
. -
Get the Wallarm pod details to check they have been successfully started:
kubectl get pods -n wallarm-sidecar -l app.kubernetes.io/name=wallarm-sidecar
Each pod should display the following: READY: N/N and STATUS: Running, e.g.:
NAME READY STATUS RESTARTS AGE wallarm-sidecar-controller-54cf88b989-gp2vg 1/1 Running 0 91m wallarm-sidecar-postanalytics-86d9d4b6cd-hpd5k 4/4 Running 0 91m
-
Send the test Path Traversal attack to the application cluster address:
curl http://<APPLICATION_CLUSTER_IP>/etc/passwd
The requested application Pod should have the
wallarm-sidecar: enabled
label.Check that the solution of the newer version processes the malicious request as it did in the previous version.