Skip to content

Upgrading Wallarm Sidecar proxy

These instructions describe the steps to upgrade Wallarm Sidecar proxy 4.x to the new version with Wallarm node 4.4.

Requirements

  • Kubernetes platform version 1.19-1.25

  • Helm v3 package manager

  • An application deployed as a Pod in a Kubernetes cluster

  • Access to https://us1.api.wallarm.com for working with US Wallarm Cloud or to https://api.wallarm.com for working with EU Wallarm Cloud

  • Access to https://charts.wallarm.com to add the Wallarm Helm charts

  • Access to the Wallarm repositories on Docker Hub https://hub.docker.com/r/wallarm

  • Access to GCP storage addresses to download an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers

  • Access to the account with the Administrator role in Wallarm Console for the US Cloud or the EU Cloud

Step 1: Update the Wallarm Helm chart repository

helm repo update wallarm

Step 2: Check out all coming K8s manifest changes

To avoid unexpectedly changed Sidecar proxy behavior, check out all coming K8s manifest changes using Helm Diff Plugin. This plugin outputs the difference between the K8s manifests of the deployed Sidecar proxy version and of the new one.

To install and run the plugin:

  1. Install the plugin:

    helm plugin install https://github.com/databus23/helm-diff
    
  2. Run the plugin:

    helm diff upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-sidecar --version 4.4.1 -f <PATH_TO_VALUES>
    
    • <RELEASE_NAME>: the name of the Helm release with the Sidecar proxy chart
    • <NAMESPACE>: the namespace the Sidecar proxy is deployed to
    • <PATH_TO_VALUES>: the path to the values.yaml file defining the Sidecar proxy 4.4 settings - you can use the one created for running the previous Sidecar proxy version
  3. Make sure that no changes can affect the stability of the running services and carefully examine the errors from stdout.

    If stdout is empty, make sure that the values.yaml file is valid.

Step 3: Upgrade the Sidecar proxy solution

Upgrade the deployed components of the Sidecar proxy solution:

helm upgrade <RELEASE_NAME> -n <NAMESPACE> wallarm/wallarm-sidecar --version 4.4.1 -f <PATH_TO_VALUES>
  • <RELEASE_NAME>: the name of the Helm release with the deployed Sidecar proxy chart

  • <NAMESPACE>: the namespace the Sidecar proxy is deployed to

  • <PATH_TO_VALUES>: the path to the values.yaml file defining the Sidecar proxy 4.4 settings - you can use the one created for running the previous Sidecar proxy version

Step 4: Test the upgraded Sidecar solution

  1. Make sure the version of the Helm chart was upgraded:

    helm list -n <NAMESPACE>
    

    Where <NAMESPACE> is the namespace the Sidecar proxy is deployed to.

    The chart version should correspond to wallarm-sidecar-1.1.5.

  2. Get the Wallarm pod details to check they have been successfully started:

    kubectl get pods -n <NAMESPACE> -l app.kubernetes.io/name=wallarm-sidecar
    

    Each pod should display the following: READY: N/N and STATUS: Running, e.g.:

    NAME                                              READY   STATUS    RESTARTS   AGE
    wallarm-sidecar-controller-54cf88b989-f7jtb      1/1     Running   0          91m
    wallarm-sidecar-controller-54cf88b989-gp2vg      1/1     Running   0          91m
    wallarm-sidecar-postanalytics-86d9d4b6cd-hpd5k   4/4     Running   0          91m
    
  3. Send the test Path Traversal attack to the application cluster address:

    curl http://<APPLICATION_CLUSTER_IP>/etc/passwd
    

    The requested application Pod should have the wallarm-sidecar: enabled label.

    Check that the solution of the newer version processes the malicious request as it did in the previous version.