Skip to main content
Version: 1.2

Release Notes

Supported versions​

This page provides release notes for supported versions of Wayfinder. Find older release notes in the Archive page.

For information on Wayfinder release cadence and support lifecycle, see:

Release v1.2.1​

See Get the CLI for instructions.

Bug Fixes​

  • [WF-978] Increase memory limit for cert-manager to address issues on AWS EKS clusters
  • [WF-833] Switch user's profile when running wf login
  • [WF-905] UI: Fix 'Upgrade' button on GCP GKE clusters

Release v1.2.0​

See Get the CLI for instructions.

New features and notable changes​

Multi-tenant clusters​

The introduction of multi-tenancy in Wayfinder means multiple workspaces can now share a single cluster as tenants. Tenants can manage their own namespaces in the shared cluster, but cannot access cluster-wide resources.

Wayfinder comes pre-configured with RBAC and policies that model common ways of working with multi-tenant clusters, and provides tools to let you set up guardrails for what tenants can do in your cluster. You can manage access, security, and fair allocation of cluster resources.

For detailed information, see Managing Multi-tenant Clusters.

Minor improvements​

  • [WF-925] Usability improvements for CLI docker image - you can now immediately issue wf commands if you bind WAYFINDER_SERVER and WAYFINDER_TOKEN environment variables into the container, e.g. docker run -e WAYFINDER_SERVER -e WAYFINDER_WORKSPACE -e WAYFINDER_TOKEN quay.io/appvia-wayfinder/cli:v1.2.0 wf get clusters -w test
  • [WF-838] Multi-tenancy policy - prevent host path access using existing PVs
  • [WF-837] Multi-tenancy policy - prevent privileged PSP access with RoleBinding to ClusterRoles
  • [WF-835] Multi-tenancy policy - prevent privileged PSP access with namespaced Role
  • [WF-420] Multi-tenancy policy - prevent most cluster wide RBAC access in multi-tenant cluster

Bug fixes​

  • [WF-866] Improve certificate management in the install flow
  • [WF-918] Retry if concurrent GCP project policy updates call failures in wf setup roles
  • [WF-823] Correct ingress namespace on 'Expose application via ingress'
  • [WF-822] wf get clusters should default to showing both shared (MT) and owned clusters
  • [WF-801] Prevent patch commands from circumventing in-cluster policy
  • [WF-777] wf setup roles --remove on GCP does not remove project/org policy assignments for service accounts
  • [WF-715] Validate OpenID Discovery URL when not configured
  • [WF-697] Improve terminology around min/max network ranges in NetworkFabric API
  • [WF-691] Member count in tab is not updated when adding members to a workspace

Release v1.1.2​

See Get the CLI for instructions.

Bug Fixes​

  • [WF-592] 'error generating link' instead of invite link after creating new workspace for members
  • [WF-643] wf create stage fails with operation not permitted on the resource
  • [WF-454] Improve cluster expiration support - now a TTL instead of a date/time.
  • [WF-642] Estimated and actual cost improvements/fixes
  • [WF-723] Workspace deletion timing issue
  • [WF-725] Limit cluster name to 10 characters to prevent issues with long-named cloud resources
  • [WF-779] Improve the 'Disable IDP' flow in the installer

Release v1.1.1​


See Get the CLI for instructions.

Bug Fixes​

  • [WF-689] An upstream issue with GCP where the master control plane was failing on 'regular' channel due to an unsupported version.

Release v1.1.0​


See Get the CLI for instructions.

New features and notable changes​

Private Cluster Support​

Wayfinder supports provisioning private clusters in all three cloud vendors, automatically managing the network connectivity required to place workloads off public networks. With the use of peering rules administrators can define how they wish their networks to be connected.

For detailed information, see:

Bug fixes​

  • [WF-615] Directly attached domains not propagating to the in-cluster services (cert-manager / external-dns)
  • [WF-527] Installer for Azure prompting for availability zones even when non-interactive was set
  • [WF-651] Rendering of the workspace members and roles displaying 'unknown' on the CLI
  • [WF-654] UI incorrectly showing the admin workspace
  • [WF-646] Installer for Azure throws an error when trying to install into a region with only one availability zone (i.e., ukwest)

Release v1.0.3​


See Get the CLI for instructions.

Bug fixes​

  • [WF-480] Issue with the vnet id used in Azure
  • [WF-480] The IDP client id supplied is not passing validation checks
  • [WF-606] Fixes an issues when multiple instances of Wayfinder is installed in the same account and roles clash
  • [WF-617] Fixed an issue where user roles in th wf access cluster were showing up twice
  • [WF-618] Adding dependency checks on the components during the install
  • [WF-621] Bumped the version of ExternalDNS to chart v6.1.1

Release v1.0.2​


See Get the CLI for instructions.

Bug fixes​

  • [WF-462] Caching issue in the deletion of nodepools via UI
  • [WF-444] Installer failed to remove error condition when issue resolved
  • [WF-437] A finalizer is not correctly added
  • [WF-435] Issue with pod security policy and CoreDNS
  • [WF-434] Under certain conditions an issue can cause a memory violation
  • [WF-414] Cluster plans do not correctly show when a references object does not exist
  • [WF-410] Issue with behaviour when more than one DNSZone allocated to a cluster
  • [WF-399] Console/UI does not work without oauth provider configured
  • [WF-387] Encrypt emails in keygen for trial accounts
  • [WF-360] A ctrl-d during wf access cluster can cause EOF error

Release v1.0.1​


See Get the CLI for instructions.

Bug fixes​

The following bugs were fixed:

  • [WF-360] Bug in the CLI when hitting ctrl-c early in wf access cluster
  • [WF-399] When users bypass configuration of oauth on wf install, UI now checks for authentication methods available
  • [WF-410] Issue caused by multiple domains attached to the same cluster
  • [WF-411] Using incorrect resourcegroup name on Azure managed accounts
  • [WF-414] Association between cluster plans and naming rules error
  • [WF-434] Bug associated to OIDC deletion in EKS cluster
  • [WF-435] Pod security policy fix added for EKS clusters on management plane
  • [WF-437] Bug in the patching on Helm releases which caused unnecessary reconciliations
  • [WF-438] When using Helm packages the URL was not passed into the HelmRelease, so users weren't able to use repositories within wf-manager namespace

Release v1.0.0​


CLI​

See Get the CLI for instructions.

New features and notable changes​

Installation and upgrades​

  • With this release automated installation and upgrades come out of the box.
  • The automated install is available in all three cloud vendors and is opinionated to ensure the management plane is securely configured.
  • Going forward this will be the official upgrade path - enabling customers to ensure rigor around upgrades and migrations.

Clusters​

  • Automated cluster upgrades:
    • Removing the hassle of keeping the cluster up to date, this feature introduces a toggle and configurable maintainance window. This allows customers to have a policy for upgrading clusters at the plan or workspace level. When a new release is published by the cloud vendor, Wayfinder will automatically upgrade the controlplane and all nodepools during the maintenance window.
  • Clusters plans:
    • The templates for clusters have all been revamped into a concrete type.
    • Where previous installations used an embedded schema per cloud vendor, we have normalized the commonality between cloud vendors so fields are deduplicated, and where not available, introduced providerDetails field in both nodepools and clusters for cloud specific options. The change keeps the cluster plans, compact, easy to read and removes much of the cloud complexity by harmonizing on the feature rather than options.
    • Cluster policy has been placed inline with the cluster plan, this fits neatly with the ability to 'allocate' plans to workspaces.

Policy, roles, and permissions​

  • Introduction of development stages:
    • Wayfinder has introduced stages to provide the platform information on the intended use for resources, for example for production, development, CI, etc. This allows customers and us to make intelligent decisions around how those resources should be managed. You can use stages to:
      • Target policy/compliance at specific stages (prod, nonprod).
      • Provide context to assumption policies, i.e, allowing those policies to 'know' if permissions are going to affect a production resource.
  • Role assumption policies:
    • The feature still allows for a colllection of constraints around when, how and why a user is permitted to escalate permissions, but the policies themselves have had a makeover, and have been made readable.
  • Cloud Managed Roles (AWS only):
    • While using the account automation feature, Wayfinder platform administrators may create and deliver roles to managed cloudaccounts (such as Readonly, Support Requests).
    • Using the same mechanics of role assumption, workspace members (and Wayfinder admins) can assume these roles via wf access cloudaccount or wf access cloudaccount --portal.
    • The feature can also be used for short-term CLI access to cloud accounts (aws cli, terraform for example).
  • Dynamic permission profiling:
    • With dynamic profiling robot accounts can now learn their permissions and ensure that those permission granted are only those required and nothing more.
    • While the permissions can be profiled, they cannot conflict with security policy-any permissions learned must still comply with cluster policies.
    • Boundary roles also exist that allow customers to control what can and can't be learned during the profiling time frame.
  • Policy now supports match and expressions selectors:
    • Allows for finer grain controls over how policies are distributed to clusters.
    • Permits customers to make those distribution decisions based on context (which stage, environment, provider, etc.).
  • Following on from the above, the namespace selectors on policies have been upgraded to use label selector. This allows quick tweaks to influence policy across the namespaces easily.

Other​

  • Packages and applications deployment:
    • Beyond using the resource type for our own installations, customers can now levarage the Package CRD and its global counterpart to install Helm charts across the estate.
    • These can be targeted by labels at one or more clusters (based on provider, stages or custom labels for example).
  • Managed DNS Domains and automated child domains:
    • This is the ability to provide globally managed DNS domains, allocate these domains to workspaces, and automate the the creation of subdomains to clusters.
    • It means that out of the box we can start serving traffic.
    • Workspaces can self-serve their own domains.
  • Revamped GUI:
    • We've redesigned Wayfinder's user interface.
    • We've also surfaced more of the resources available in the CLI into the UI.
  • Trial licencing:
    • Prompted during the automated install, customers coming to Wayfinder can obtain a time-limited licence to run the platform.
    • Note that after the licence expires all infrastructure will stay in place, no features are dropped, but the platform loses the ability to create new resources.
  • Workspaces have replaced teams. Previous installations of Wayfinder placed the team as the logical container for clusters.

Deprecated features​

  • Container builds and registry management has been removed as a feature of Wayfinder.

Release v0.10.0​


CLI​

See Get the CLI for instructions.

New features and notable changes​

  • Provide native cloud access to Wayfinder-managed cloud accounts for Wayfinder workspace members (availble now for AWS). See User Access to Wayfinder-managed Cloud Accounts, and wf setup access cloudaccount.
    • Simple setup for Wayfinder admins to define Cloud access roles and delegate to workspace(s)
    • Workspace admins can permit usage of cloud access roles to workspace members.
  • Cloud Accounts Automation Updates
    • Allow workspace members to request managed cloud accounts without creating a cluster. See wf create cloudaccountclaims.
    • Remove managed accounts from Wayfinder without deleting/unmanaging from cloud (e.g. for support or restore) - see the --orphan flag on wf delete cloudaccount.
    • Reduce privilege of the Wayfinder server when managing AWS accounts
      • Wayfinder Server no longer needs permission to define stacksets in order to manage cloud accounts.
      • Admins interactively create the organisational access using the Wayfinder CLI which orchestrates the correct setup in AWS, defining the required stacksets.
      • See wf setup roles --feature AccountManagement

Bug fixes​

  • [KO-2720] wf setup access --remove fails when a Wayfinder managed aws account has been deleted
  • [KO-2688] Audit log entry displays incorrect time
  • [KO-2611] Actual cost import status update fails due to logs being too large
  • [KO-2583] wf setup roles fails with incorrect error message if run with a workspace other than admin
  • [KO-2499] Fix Wayfinder builds error message invalid repo is deadline exceeded
  • [KO-1020] wf profile set and wf use workspace don't work if profile name contains '.' characters

Release v0.9.1​


See Get the CLI for instructions.

Bug fixes​

  • Fixes a bug on UI around policy assignments to robots.

Release v0.9.0​


CLI​

See Get the CLI for instructions.

New features and notable changes​

  • New workflow to help user understand next steps when logging in to the UI - taking new users through creating their first workspace, cluster and namespace so they can get up and running faster.
  • Secrets encryption supports Azure Key Vault (complementing existing support for AWS KMS).
    • Supported when running with Wayfinder with Cloud Identity on Azure
    • Allows the secrets used directly by Wayfinder to be encrypted using an Azure Key Vault key. This ensures that these secrets cannot be retrieved, even with access to the underlying cluster hosting Wayfinder.
  • CLI workflow improvements:
  • Wayfinder uses HTTPS by default for all internal trafficβ€”see important note below when upgrading.
  • Update default Pod Security Policy to prevent containers running as rootβ€”see important note when upgrading (below).
  • New assignable role (wf.provision) added to allow robots to build infrastructure using Wayfinder
  • PREVIEW: Learning mode for robot permissions, automating least-privilege role creation for your robot-based deployments. As this is in preview you must enable a feature flag to opt-in to this functionality.

Upgrading to v0.9​

Important notes when upgrading to v0.9:

  • The default Pod Security Policy applied to clusters managed by Wayfinder has changed to disallow running containers as root. Review any workloads you are deploying to Wayfinder managed clusters to ensure they are not running any containers as root before upgrading.
  • TLS is now enabled by default for internal traffic between the components of Wayfinder. This may require changes in your Helm values when upgrading:
    • If you've enabled ingress with api.ingress.enabled=true and ui.ingress.enabled=true, you may have to set the relevant annotations to enable HTTPS backend traffic using api.ingress.annotations and ui.ingress.annotations. For example, when using the ingress-nginx ingress controller, you must use the nginx.ingress.kubernetes.io/backend-protocol=HTTPS annotation.
    • If you've defined your own Ingress objects outside Wayfinder's Helm install, you may have to add these annotations manually.
    • If api.ingress.tls_secret or ui.ingress.tls_secret is set in your Wayfinder Helm configuration, you must also set api.ingress.tls_enabled or ui.ingress.tls_enabled for these to take effect.

Bug fixes​

  • [KO-2580] Azure cost imports can fail due to Azure billing API returning invalid UUIDs
  • [KO-2570] Policy controller sometimes creates multiple policies
  • [KO-2558] Change default Pod Security Policy to deny running as root
  • [KO-2557] Generating external resource ID for services in controller can lead to creation of multiple resources
  • [KO-2494] cert-manager can cache the wrong zone indefinitely as it doesn't find the SOA record on the target zone
  • [KO-2386] AWS autoscaler can get stuck when close to the node pod limits
  • [KO-2194] AWS SSO authentication does not work with wf setup cloudidentity and wf setup roles
  • [KO-2627] GCP no longer supports setting PrivateClusterConfig on non-private clusters