This topic provides a high-level overview of Wayfinder's architecture.
Wayfinder is hosted by the customer, and can run on Kubernetes in AWS, GCP, and Azure public clouds. At a high level, Wayfinder consists of three elements:
The API server sits in front of Kubernetes, and handles API access to Wayfinder functionality, as well as single-sign-on (SSO).
Wayfinder is deployed into a Kubernetes cluster. We use Kubernetes to deploy and run Wayfinder, and we extend the Kubernetes APIs with Custom Resource Definitions (CRDs). Wayfinder makes use of several open source Kubernetes projects, including controller-runtime, cert-manager, flux, ingress-nginx, external-dns, kaniko, gatekeeper, fluentd, and elgo-oidc.
MySQL or Postgres database
The database stores information about users and teams, security events, and audit and cost information.
The following diagram shows the high-level Wayfinder stack.
Once configured, the Wayfinder platform handles:
- Cloud account management
- Kubernetes cluster creation
- Cluster Security and resilience
- Container builds
- DNS and HTTPS
- Cost tracking
Wayfinder automation allows a single admin to support many teams. Behind the scenes, the platform:
- Creates isolated cloud accounts following least privilege best practices
- Sets up role-based access control (RBAC) for both Wayfinder itself and the Kubernetes clusters created using Wayfinder
- Turns off insecure options when creating Kubernetes clusters, adds network and pod security policies, and turns on auto-scaling, using Appvia's best practices. This ensures that the public cloud Kubernetes services are configured correctly for enterprise security needs.
The following diagram shows a more detailed view of how Wayfinder components interact with each other and with Kubernetes.
Wayfinder is deployed into a Kubernetes cluster. The installation creates Wayfinder's Management Cluster, shown on the left side of this diagram. This cluster uses a MySQL or Postgres database to store data such as Wayfinder users, teams, events, etc.
The Management Cluster acts as the control plane, and interacts with the Kubernetes (k8s) clusters created by your development teams using Wayfinder, shown on the right side of the diagram.
Wayfinder is organized around development teams, the cloud infrastructure available to them, and the access policies and permissions they have. So in addition to other components, Wayfinder's Management Cluster has a namespace for each team created in Wayfinder, as shown in the bottom centre of the diagram.
You can use Wayfinder on multiple clouds. For example, you can install Wayfinder/Management Cluster on one public cloud, and have teams provision their Kubernetes clusters in a different public cloud.
Regardless of this choice, we recommend the following cloud configuration:
- Use a dedicated cluster to host Wayfinder because it creates and manages namespaces as teams are created.
- Install Wayfinder into a cluster that is not running other workloads.
- Install only a single instance of Wayfinder into a cluster.
- Set up Wayfinder to run using credentials managed entirely by AWS on EKS.
For more information, see the installation prerequisites.
Wayfinder has an API, a CLI, and a UI that serve two primary personas: the platform administrator and the developer.
Using the administrator interface, the Wayfinder administrator:
- Sets up cloud credentials and cloud account automation so that teams can have isolated development environments, following least privilege best practices for security
- Sets up default cluster plans that comply with enterprise policy, and specifies which cluster parameters are allowed to be changed by development teams
- Makes DNS available to development team clusters so that they have default domains for their apps
- Configures cost integrations with the cloud provider, so that estimated and actual cloud running costs can be viewed in the Wayfinder UI
For more information, see Get Started as a Wayfinder Administrator.
With the infrastructure and cluster plans put in place by the Wayfinder administrator, development teams can easily provision Kubernetes clusters using a self-service model.
Using the developer interface, the development team:
- Provisions Kubernetes clusters and namespaces, choosing from the available cloud providers and cluster plans
- Uses default domains set up by the Wayfinder administrator, or sets up custom domains for their workloads
- Configures container builds. This lets their existing CI pipeline request Wayfinder to build their software as a container image from their git repository, and make it available in their cluster.
- Configures robots (service accounts) to run builds or deployments manually or using CI
- Views actual and projected cloud running costs
- Manages team members and roles, and views audit log of actions taken by team members
- Is able to have direct access to the Kubernetes cluster using the Kubernetes CLI,
kubectl, to deploy their apps manually, or have a Wayfinder robot deploy them, to the infrastructure managed by Wayfinder
For more information, see Get Started Using Wayfinder.