This topic provides a high-level overview of Wayfinder's architecture.
Wayfinder is hosted by the customer, and can run on Kubernetes in AWS, GCP, and Azure public clouds. At a high level, Wayfinder consists of three elements:
The API server sits in front of Kubernetes, and handles API access to Wayfinder functionality, as well as single-sign-on (SSO).
Wayfinder is deployed into a Kubernetes cluster. We use Kubernetes to deploy and run Wayfinder, and we extend the Kubernetes APIs with Custom Resource Definitions (CRDs). Wayfinder makes use of several open source Kubernetes projects, including controller-runtime, cert-manager, flux, ingress-nginx, external-dns, kaniko, gatekeeper, fluentd, and elgo-oidc.
MySQL or Postgres database
The database stores information about users and workspaces, security events, and audit and cost information.
The following diagram shows the high-level Wayfinder stack.
Once configured, the Wayfinder platform handles:
- Cloud account management
- Kubernetes cluster creation
- Cluster Security and resilience
- Container builds
- DNS and HTTPS
- Cost tracking
Wayfinder automation allows a single admin to support many teams/workspaces. Behind the scenes, the platform:
- Creates isolated cloud accounts following least privilege best practices
- Sets up role-based access control (RBAC) for both Wayfinder itself and the Kubernetes clusters created using Wayfinder
- Turns off insecure options when creating Kubernetes clusters, adds network and pod security policies, and turns on auto-scaling, using Appvia's best practices. This ensures that the public cloud Kubernetes services are configured correctly for enterprise security needs.
The following diagram shows a more detailed view of how Wayfinder components interact with each other and with Kubernetes.
Wayfinder is deployed into a Kubernetes cluster. The installation creates Wayfinder's Management Cluster, shown on the left side of this diagram. This cluster uses a MySQL or Postgres database to store data such as Wayfinder users, workspaces, events, etc.
The Management Cluster acts as the control plane, and interacts with the Kubernetes (k8s) clusters created by your developers using Wayfinder, shown on the right side of the diagram.
Wayfinder is organized around developer workspaces, the cloud infrastructure available to them, and the access policies and permissions they have. So in addition to other components, Wayfinder's Management Cluster has a namespace for each workspace created in Wayfinder, as shown in the bottom centre of the diagram.
Recommended cloud configuration
You can use Wayfinder on multiple clouds. For example, you can install Wayfinder/Management Cluster on one public cloud, and have workspace members provision their Kubernetes clusters in a different public cloud.
Regardless of this choice, we recommend the following cloud configuration:
- Use a dedicated cluster to host Wayfinder because it creates and manages namespaces as workspaces are created.
- Install Wayfinder into a cluster that is not running other workloads.
- Install only a single instance of Wayfinder into a cluster.
- Set up Wayfinder to run using credentials managed entirely by AWS on EKS.
For more information, see the installation prerequisites.
Wayfinder has an API, a CLI, and a UI that serve two primary personas: the platform administrator and the developer.
The platform administrator interface
Using the administrator interface, the Wayfinder administrator:
- Sets up cloud credentials and cloud account automation so that workspace members can have isolated development environments, following least privilege best practices for security
- Sets up default cluster plans that comply with enterprise policy, and specifies which cluster parameters are allowed to be changed by workspace members.
- Makes DNS available to workspace clusters so that they have default domains for their apps
- Configures cost integrations with the cloud provider, so that estimated and actual cloud running costs can be viewed in the Wayfinder UI
For more information, see Get Started as a Wayfinder Administrator.
The developer interface
With the infrastructure and cluster plans put in place by the Wayfinder administrator, workspace members can easily provision Kubernetes clusters using a self-service model.
Using the developer interface, workspace members:
- Provisions Kubernetes clusters and namespaces, choosing from the available cloud providers and cluster plans
- Uses default domains set up by the Wayfinder administrator, or sets up custom domains for their workloads
- Configures container builds. This lets their existing CI pipeline request Wayfinder to build their software as a container image from their git repository, and make it available in their cluster.
- Configures robots (service accounts) to run builds or deployments manually or using CI
- Views actual and projected cloud running costs
- Manages workspace members and roles, and views audit log of actions taken by workspace members
- Is able to have direct access to the Kubernetes cluster using the Kubernetes CLI,
kubectl, to deploy their apps manually, or have a Wayfinder robot deploy them, to the infrastructure managed by Wayfinder
For more information, see Get Started Using Wayfinder.