Skip to main content
Version: 1.5

Older releases

Release v0.10.0​


See Get the CLI for instructions.

New features and notable changes​

  • Provide native cloud access to Wayfinder-managed cloud accounts for Wayfinder workspace members (availble now for AWS).
    • Simple setup for Wayfinder admins to define Cloud access roles and delegate to workspace(s)
    • Workspace admins can permit usage of cloud access roles to workspace members.
  • Cloud Accounts Automation Updates
    • Allow workspace members to request managed cloud accounts without creating a cluster.
    • Remove managed accounts from Wayfinder without deleting/unmanaging from cloud (e.g. for support or restore) - see the --orphan flag on wf delete cloudaccount.
    • Reduce privilege of the Wayfinder server when managing AWS accounts
      • Wayfinder Server no longer needs permission to define stacksets in order to manage cloud accounts.
      • Admins interactively create the organisational access using the Wayfinder CLI which orchestrates the correct setup in AWS, defining the required stacksets.
      • See wf setup roles --feature AccountManagement

Bug fixes​

  • [KO-2720] wf setup access --remove fails when a Wayfinder managed aws account has been deleted
  • [KO-2688] Audit log entry displays incorrect time
  • [KO-2611] Actual cost import status update fails due to logs being too large
  • [KO-2583] wf setup roles fails with incorrect error message if run with a workspace other than admin
  • [KO-2499] Fix Wayfinder builds error message invalid repo is deadline exceeded
  • [KO-1020] wf profile set and wf use workspace don't work if profile name contains '.' characters

Release v0.9.1​

See Get the CLI for instructions.

Bug fixes​

  • Fixes a bug on UI around policy assignments to robots.

Release v0.9.0​


See Get the CLI for instructions.

New features and notable changes​

  • New workflow to help user understand next steps when logging in to the UI - taking new users through creating their first workspace, cluster and namespace so they can get up and running faster.
  • Secrets encryption supports Azure Key Vault (complementing existing support for AWS KMS).
    • Supported when running with Wayfinder with Cloud Identity on Azure
    • Allows the secrets used directly by Wayfinder to be encrypted using an Azure Key Vault key. This ensures that these secrets cannot be retrieved, even with access to the underlying cluster hosting Wayfinder.
  • CLI workflow improvements:
    • Switch workspace easily using wf use workspace.
    • wf access cluster sets the current namespace on your kubectl context if a namespace is selected.
  • Wayfinder uses HTTPS by default for all internal trafficβ€”see important note below when upgrading.
  • Update default Pod Security Policy to prevent containers running as rootβ€”see important note when upgrading (below).
  • New assignable role (wf.provision) added to allow robots to build infrastructure using Wayfinder
  • PREVIEW: Learning mode for robot permissions, automating least-privilege role creation for your robot-based deployments. As this is in preview you must enable a feature flag to opt-in to this functionality.

Upgrading to v0.9​

Important notes when upgrading to v0.9:

  • The default Pod Security Policy applied to clusters managed by Wayfinder has changed to disallow running containers as root. Review any workloads you are deploying to Wayfinder managed clusters to ensure they are not running any containers as root before upgrading.
  • TLS is now enabled by default for internal traffic between the components of Wayfinder. This may require changes in your Helm values when upgrading:
    • If you've enabled ingress with api.ingress.enabled=true and ui.ingress.enabled=true, you may have to set the relevant annotations to enable HTTPS backend traffic using api.ingress.annotations and ui.ingress.annotations. For example, when using the ingress-nginx ingress controller, you must use the annotation.
    • If you've defined your own Ingress objects outside Wayfinder's Helm install, you may have to add these annotations manually.
    • If api.ingress.tls_secret or ui.ingress.tls_secret is set in your Wayfinder Helm configuration, you must also set api.ingress.tls_enabled or ui.ingress.tls_enabled for these to take effect.

Bug fixes​

  • [KO-2580] Azure cost imports can fail due to Azure billing API returning invalid UUIDs
  • [KO-2570] Policy controller sometimes creates multiple policies
  • [KO-2558] Change default Pod Security Policy to deny running as root
  • [KO-2557] Generating external resource ID for services in controller can lead to creation of multiple resources
  • [KO-2494] cert-manager can cache the wrong zone indefinitely as it doesn't find the SOA record on the target zone
  • [KO-2386] AWS autoscaler can get stuck when close to the node pod limits
  • [KO-2194] AWS SSO authentication does not work with wf setup cloudidentity and wf setup roles
  • [KO-2627] GCP no longer supports setting PrivateClusterConfig on non-private clusters

Release v0.8.1​


See Get the CLI for instructions.

New Features​

  • Azure Spot Instance support:
    • You can now specify to use Azure spot instances on an additional node pool for Azure AKS clusters. This gives potential cost savings where your workloads can tolerate disruptions.
    • Cost estimations for Azure when using spot instances show you the current spot price.
  • Accessing clusters from the CLI has been simplified with the new command wf access.
    • wf assume no longer updates your kubectl config context.

Upgrading to v0.8​

Important notes when upgrading to v0.8:

  • You must remove basicauth, if present, before upgrading.
    • Remove the value basicauth from api.auth_plugins in your Helm values before upgrading.
    • "Basic Auth" authentication is not supported and Wayfinder will fail to start with error log unknown plugin.
    • Local users still workβ€”JWT tokens are used after initial login.
  • The way allocations of cloud accounts are represented internally has changed. Existing resources will be automatically migrated by Wayfinder, and if you use the CLI and UI to manage your cloud accounts, no action is required. If you are managing CloudAccount and Allocation objects using CRDs in YAML (e.g. via wf apply), you will need to add the allocation field to the CloudAccount spec and drop the Allocation CR.
  • When building a cluster using wf create cluster you must specify the name of a cloud account instead of the name of an allocation. Workspace members can use wf get cloudaccounts -w WORKSPACEID to list the accounts allocated to the workspace. See Create a cluster.
  • The docker images for Wayfinder have moved from<image> to<image>. If you are overriding any images (for example the auth proxy) in the helm values, please ensure you adjust the location of the images.

Minor Changes​

  • [KO-2475] Assigned Policies to robot account should be deleted when robot removed
  • [KO-2473] Improve messaging on authentication proxy access errors
  • [KO-2459] UI - make final changes for creating of robots to be inline with wireframes
  • [KO-2451] Add warning to UI, that Crossplane is not ready for production use
  • [KO-2399] Update Kubernetes Controller to create robot account
  • [KO-2398] The UI needs to use the same login flow as the CLI
  • [KO-2388] Deploy service catalog in clusters using an immutable Docker image
  • [KO-2377] Move Client Token Refreshing into the pkg/client package
  • [KO-2376] Remove Legacy OpenID Providers
  • [KO-2352] Fix Robot Account Caching Issue on token regeneration
  • [KO-2335] Clean up aws IAM roles with new option wf setup --remove for roles
  • [KO-2334] Clean up aws IAM user with new option wf setup --remove for cloudidentity
  • [KO-2328] by categories relevant to a robot
  • [KO-2326] We need to validate the certificate authority provided to Wayfinder
  • [KO-2320] Allow users to use customer managed keys in their RDS & S3
  • [KO-2306] Upgrade Crossplane and provider-aws to latest stable version
  • [KO-2289] Allow 'Uptime SLA' to be turned off for AKS
  • [KO-2287] Remove the kubeconfig step in the "Configure access" on UI
  • [KO-2286] Secure processes for production artifacts, ensure integrity of production artifacts in our applications
  • [KO-2257] Remove allocations, replace with field on CloudAccount CRD
  • [KO-2247] Allow for creation of robot tokens in the UI
  • [KO-2218] Warn user if cloud account allocated to workspaces but Provisioning feature not enabled
  • [KO-2184] API Rate Limiting
  • [KO-2134] wf setup cloudidentity for Azure
  • [KO-2132] Create Azure Cloud Identity on startup
  • [KO-1940] Support minor versions in AKS plans
  • [KO-1939] UI to guide user to use 'wf setup cloudidentity' for creating cloud credentials
  • [KO-1938] Enable a single AWS Cloud Credential for AWS Access
  • [KO-1838] Add trigger and automation for version upgrade / check in E2E
  • [KO-1019] Allow to edit/delete resources on the UI while in pending/deleting/etc state

Bug Fixes​

  • [KO-2480] Cannot edit cluster from v0.7 on v0.8 due to deprecated fields
  • [KO-2467] Network Enforcement Policy Broken
  • [KO-2430] wf assume/access doesn't create a new session, if the session exists but it's expired
  • [KO-2429] AKS node pool Kubernetes version is used as underlying VM image
  • [KO-2413] wf login should error if used with -a but no profile name
  • [KO-2402] Adding UI Hostname to the list of whitelisted oauth callback urls
  • [KO-2396] Enforcement policies applied before the service is available
  • [KO-2391] No RBAC for crossplanedeployment
  • [KO-2390] When creating a robot account for a build on the UI, WAYFINDER_TOKEN is shown base64 encoded
  • [KO-2389] Robot accounts UI improvement: it's easy to copy only part of the robot token by mistake
  • [KO-2381] Fix the example text in the configmap command
  • [KO-2378] Add a non-interactive flag to the create namespace command
  • [KO-2325] 0.6.2 to 0.7.0 - UI/CLI shows intermittent "A technical problem occurred, please try again later."
  • [KO-2322] As a user I can't enable container registry management for a shared AWS cloud account
  • [KO-2276] When hitting control-c during wf assign policy an incomplete plan can be created
  • [KO-2255] Do not allow to delete a cloud account if there is a DNS zone configured for it
  • [KO-2241] UI: When editing an existing Azure CostImport, the value of Import Scope is empty
  • [KO-2226] UI: on the domain view drawer the value of "Cloud Account / Project" is constantly changing to the loading icon and back
  • [KO-2217] Don't allow more than one cloud account to point to the same actual cloud account
  • [KO-2141] Assume should only work for a single cluster
  • [KO-1941] EKS cluster status goes back to 'Success' on deletion

Release v0.7.2​


See Get the CLI for instructions.

New features​

This release of Wayfinder delivers the following major features:

  • Ingress
    • Wayfinder now provides ingress controllers in your clusters, providing your workspace members with out-of-the-box support for exposing workloads.
    • The UI can generate example manifests to use this functionality.
  • Role-Based Access Control (RBAC)
    • Wayfinder now includes a detailed policy engine which controls access to Wayfinder itself and to all clusters that it manages.
    • Ensure you review the upgrade notes below if upgrading from an older release of Wayfinder.
  • Cloud Account features
    • As part of delivering least privilege access to your cloud accounts, Wayfinder now exposes a set of 'Features' for each cloud account you add to it.
    • Allows you to express how you wish Wayfinder to use a given cloud account.
    • Scopes Wayfinder's privileges against those cloud accounts to a set of concrete permissions required for that feature to work.
    • A new wf setup roles command manages those permissions for you in AWS (GCP and Azure support will follow in future releases).

Upgrading to v0.7.2​

Important steps you must take when upgrading to v0.7.2:

  • If Wayfinder was installed into a namespace other than wf: This release contains several fixes for this case. Contact Wayfinder Support for help with the upgrade process.

  • Organization and Shared Cloud Accounts: These now specify which Wayfinder features you want to use them for. Organization accounts will have the Account Automation feature enabled by default.

    For all other features, you must edit each cloud account and enable the features you want to use that cloud account for. Wayfinder Administrators can do this in the Wayfinder Admin UI.

  • If you have an Azure Organization configured: This now has a separate subscription ID and tenant ID. If you have an Azure Organization configured, you must edit this after upgrading and specify a valid subscription ID, which is available within your tenant. Without this, attempting to use DNS Zone Management, Cost Imports or Cost Estimates with the Azure Organization will not work as expected.

  • If you have local users or static admin token authentication: Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.

  • Ensure the kubernetes authentication plugin is enabled. This is enabled by default in the helm chart, but if you are overridding the values for api.auth_plugins, append kubernetes to the list. This allows the Wayfinder UI to successfully authenticate to the API.

Important changes in behaviour​

  • The new Role-Based Access Control (RBAC) system introduces changes in the way users access their clusters. Review the RBAC documentation and ensure your users understand the changes before deploying the release. The most important change is that users must use wf assume before performing non-read operations against their clusters using kubectl.
  • This change also removes the Cluster Users configuration from cluster plans. Access to clusters is now controlled by RBAC.
  • Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.
  • Namespaces now have a default deny network policy for inbound / ingress traffic. If you are running applications in Wayfinder managed namespaces, ensure that you explictly allow the inbound network traffic required for your application to be accessed.
  • SSO Login is now the default on both CLI and UI even if you have local authentication enabled as well. To use a local user, you must now use wf login --local on the CLI or browse to https://your-wayfinder-ui-url/login-local on the UI, otherwise SSO will always be used.

Minor changes​

  • [KO-1807] Support dns01 certificate issuer in Azure
  • [KO-1895] Kubernetes 1.18 Update
  • [KO-1915] Check API version when using the CLI
  • [KO-1956] Promote wf alpha local to wf local
  • [KO-1980] Use new resource list actions layout on all resource lists
  • [KO-1996] Stop using the admin token in Wayfinder Portal
  • [KO-2004] Remove Local Login when not required
  • [KO-2010] Upgrade controller-runtime to 0.7
  • [KO-2028] Install Calico Network Policies by default into EKS
  • [KO-2058] Separate API endpoint and CLI command to generate robot tokens
  • [KO-2059] Support the eu-west-2 region for AWS Control Tower
  • [KO-2074] Prefix GCP resource with workspace name
  • [KO-2096] Do not allow clusters to be prefixed with workspace name
  • [KO-2098] Show the default workspace in wf profile show
  • [KO-2099] Unmanage member account when we delete an AWS managed account
  • [KO-2109] Removal of Legacy DEX
  • [KO-2114] Increase minimum node count to two in the eks-development plan
  • [KO-2119] Allow to define complex label selectors on a Helm Application
  • [KO-2127] Use non-interactive flag in wf kubeconfig command
  • [KO-2128] Stop using the admin token for cost imports
  • [KO-2145] Consistent labeling for Wayfinder-managed namespaces
  • [KO-2148] Assume an IAM role or use an IAM service account role for cloudinfo
  • [KO-2147] Added Fish auto-completion to Wayfinder CLI
  • [KO-2150] Promote wf alpha patch command to wf patch
  • [KO-2154] Make Wayfinder namespace commands consistent
  • [KO-2159] Clarify instructions on the UI when registering a root domain
  • [KO-2169] Remove creation of container build secrets from the UI
  • [KO-2171] Always install certificate issuers, make email optional, fix issuer names
  • [KO-2175] Rework auto-refreshing resources in the UI
  • [KO-2211] Fix OpenSSL CVE 3.13.2
  • [KO-2220] Support assuming an IAM role in AWS for cloudinfo

Bug fixes​

  • [KO-976] Prefix AWS resources with workspace name
  • [KO-1000] UI is bombarding API with queries when trying to refresh the status but the resource was deleted
  • [KO-1869] Deleting a cloud account (UI or CLI) does not delete its allocations
  • [KO-1876] Handle a cloud being disabled in the Cloud Metadata Service correctly
  • [KO-1932] Ensure the UI / API will not allow deletion of any implicit cloudcredentials
  • [KO-1978] Cloud identity support for costs requires CostManager role but no way to set this for AWS
  • [KO-1983] Unable to delete a namespace with the same name as any workspace
  • [KO-2009] Wayfinder UI should redirect from cluster page once cluster delete completes
  • [KO-2012] Duplicate CloudAccount and AWSAccounts generated
  • [KO-2019] Scheduling Anti-Affinity
  • [KO-2023] AWS Org setup says to use 'create audit user' script instead of wf setup cloudidentity
  • [KO-2024] Cloud account automation naming clash across providers
  • [KO-2026] Unable to choose eu-west-2 as a Control Tower region
  • [KO-2036] CloudIdentity auto-configured on AWS even when role not configured
  • [KO-2037] First-time startup of Wayfinder on AWS fails due to wf-admin namespace not existing
  • [KO-2039] Do not set an invalid owner reference on services created by the object controller
  • [KO-2049] Cert-man / External DNS Azure workload identity name validation fails with multiple clusters in a workspace
  • [KO-2050] Azure estimated costs / cloud metadata does not work with Azure org account
  • [KO-2057] wf assume returns before policy is applied
  • [KO-2062] Wayfinder login with a local user was showing the current user's username in the prompt
  • [KO-2064] CloudAccount api should validate any roles set
  • [KO-2067] Getting "Object 'Kind' is missing" error when applying a Secret object from file
  • [KO-2076] AWS service catalog unable to create multiple AWS accounts at the same time
  • [KO-2101] Remove the eks.privileged cluster role binding in EKS cluster
  • [KO-2105] Fix XSS vulnerability on the UI
  • [KO-2107] Secure session cookies, regenerate session after authentication
  • [KO-2113] Unable to create policy assume constrained to days of week
  • [KO-2149] When you create a new workspace, the workspace selector is loading forever on the page
  • [KO-2151] Font sizes for costs are inconsistent with the rest of the UI
  • [KO-2153] Wayfinder CLI Select & Prompt UI Issue on Windows
  • [KO-2161] Costs UI does not work with Wayfinder installed in custom namespace
  • [KO-2173] AWS account creation or update has a stackset status of OUTDATED
  • [KO-2195] Cloud credential deletion will delete ANY referenced secret, not just Wayfinder-created ones
  • [KO-2197] Error: GCP account has no associated GCP IAM service account email
  • [KO-2215] Help text for Wayfinder completion on ZSH incorrect
  • [KO-2256] Allocations should not be looked up by an expected name
  • [KO-2380] Fix the namespace.admin role in 0.7 release
  • [KO-2384] EKS PSP ClusterRoleBinding