Release Notes
Supported versions
This page provides release notes for supported versions of Wayfinder.
For information on Wayfinder release cadence and support lifecycle, see:
Install Wayfinder
You can install Wayfinder via the provided Terraform Modules.
Wayfinder is free to use for 30 days (you will only incur cloud provider hosting costs). After this period, the trial licence will expire and your testing period ends. Please get in touch at hello@appvia.io to request a trial extension or commercial licence.
Release v2.6.4
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.6.4/wayfinder.sha256sums
Private DNS support
This release introduces full support for Private DNS zones on AWS, Azure and GCP. This allows you to extend Wayfinder's auto-provisioning of DNS zones for your clusters and apps to fully-private DNS within your cloud environment.
With this change, a new version of the GlobalDNSZone and DNSZone resources has been introduced (v2beta2) and the existing version (v2beta1) is now deprecated and will be removed in v2.7. Please update any stored GlobalDNSZone or DNSZone resources in your repositories to the new API version after upgrading.
- [WFP-3897] ✨ Introduce DNSZone and GlobalDNSZone v2beta2 API versions with full support for private DNS zones
- [WFP-3843] ✨ Implement private DNS support for Azure Private DNS
- [WFP-3844] ✨ Implement private DNS support for AWS Route53 private zones
- [WFP-3846] ✨ Implement private DNS support for GCP Cloud DNS private zones
- [WFP-3860] ✨ Add secondary external DNS package for Azure to support Azure Private DNS
- [WFP-3900] ✨ UI - New DNS configuration form
- [WFP-3847] ✨ UI - Support private DNS configuration for all providers on new DNS form
- [WFP-3971] ✨ UI - New DNS zone list with more information
- [WFP-4081] ✨ Validate DNS domains are unique - prevent creation of multiple DNS zones with the same provider using the same domain
- [WFP-4013] ✨ Tighten reconciliation criteria on package releases / updates w.r.t. DNS zones
- [WFP-4054] 🐛 Ensure DNS zones fail validation where cloud access config required but not supplied
- [WFP-4053] 🐛 UI - Perform cascading delete of DNS zones when child zones exist
- [WFP-3862] ✨ Support Custom DNS resolvers for Azure vNets
- [WFP-3839, WFP-3978] ✨ Add route / next hop support for Azure cluster network plans
- [WFP-4005] ✨ Support privatelink DNS zone vNet links in AKS cluster plan (required only when using private clusters with custom DNS resolution)
`wf apply` / `wf diff` improvements
The validation performed by Wayfinder has been improved to return warnings for missing dependencies, allowing `wf apply` and `wf diff` to intelligently re-order multiple resources as required so they apply successfully.
- [WFP-3986] ✨ Return 'dependency missing' warnings instead of validation errors on missing dependencies for:
  - Apps: AppEnv to CloudAccessConfig, AppEnv to Application, AppComponent to Application, AppComponent to other AppComponents
  - Cloud Access: CloudAccessConfig to Stage, CloudAccessConfig to CloudIdentity
  - Clusters / Networks: Cluster to CloudAccessConfig, ClusterPlan to ClusterNetworkPlan, ClusterNetwork to CloudAccessConfig, ClusterNetworkPlan to AssignableNetwork
  - DNS: DNSZone / GlobalDNSZone to CloudAccessConfig
- [WFP-3966] ✨ Handle warnings in `wf apply` and `wf diff`:
  - Use returned warnings to re-order resources being applied, allowing (e.g.) an application and its components to be configured in the same pass
  - Apply workspaces (and wait for ready) before workspace-dependent resources, allowing configuration of a workspace and its (e.g.) CloudAccessConfigs in the same pass
- These improvements resolve:
  - [WFP-3962] 🐛 Dry run and apply of full application (with appenv and app component) may not work due to ordering
  - [WFP-3497] 🐛 `wf diff` does not work with resource dependencies (such as ClusterNetworkPlan to AssignableNetwork) when both are being created
  - [WFP-3536] 🐛 Dry run and apply of container app components that depend on cloud resource app components may not work due to ordering
App environment variables
This release introduces variables on application environments. This allows container and cloud app components to use variables which vary across your environments.
- [WFP-4149] ✨ Support variables on App environments to use as inputs for cloud resource components and as container environment variables
- [WFP-4152] ✨ Add API support for AppEnv variables
- [WFP-4153] ✨ Add support for setting AppComponent container environment variables from AppEnv variables
- [WFP-4154] ✨ Add support for setting AppComponent cloud resource inputs from AppEnv variables
- [WFP-4160] ✨ Add validation error if variable required by AppComponent is not set on AppEnv when using `wf deploy`
- [WFP-4156] ✨ UI - Add support for setting variables on create/edit of AppEnv
- [WFP-4158] ✨ UI - Add support for "Add from App Env" on container and cloud resource component definition
- [WFP-4155] ✨ CLI - Add `--var` flag to `wf create appenv` to specify variables at AppEnv creation time
- [WFP-4177] ✨ Add all user-defined appenv variables to wf-environment config map for OwnManifest components
`wf access` and `wf kubeconfig` improvements:
- [WFP-3974] ✨ `wf access namespace` / `wf create token` improvements
  - Adds `--timeout` flag to `wf assume` and `wf access cluster|namespace|env` to control amount of time to wait for the access binding to be ready
  - Adds validation to `wf access cluster|namespace|env` to error if a role is requested when authenticated as an access token (access tokens are not able to assume roles)
- [WFP-3981] ✨ CLI - Re-use existing session if present (unless explicit `--expire` or `--force-new` requested) in `wf access cluster|namespace|env`
- [WFP-3981] ✨ CLI - Make default expiry time 1hr in `wf access cluster|namespace|env`
- [WFP-3975] ✨ UI - Add example command to set kubeconfig in cluster access instructions
- [WFP-3981] 🐛 Fix `--no-context-change` in `wf access cluster|namespace|env`
- [WFP-3047] 🐛 CLI - Don't prevent `wf access` if not a member of the workspace locally in CLI - defer to the access policy
Peering improvements
Validation and required fields have been improved on peering rules, and the error handling on the resulting peerings has been improved to better identify issues with peering set-up.
- [WFP-3987] ✨ Improve validation of peering rules, tidy required fields per provider
- ✨ Add clearer error reporting to Peering status on Azure
- [WFP-4082] 🐛 Ensure peering rules have a status so `wf apply --wait-for-ready` works with peering rules
- [WFP-3979] 🐛 UI - Improve Peering rule form
- [WFP-3998] 🐛 UI - Prevent Peering Rule form from refreshing on edit
Other enhancements and new features
- [WFP-4096] ✨ Support Azure Virtual Network Service Endpoints in networks/plans
- [WFP-3966] ✨ Ensure CloudAccessConfig dependencies are checked on delete:
  - Clusters
  - ClusterNetworks
  - AppEnvs
  - DNSZones / GlobalDNSZones
  - PeeringRules
- [WFP-4003] ✨ Add unique reqID to troubleshooting logs for each reconcile & API/webhook request
- [WFP-4032] ✨ Update Kyverno policy to support internal-ingress network policy objects for cert-manager challenges
- [WFP-3959] ✨ CLI - Add error if attempting to delete non-existent member with `wf delete member`
- [WFP-4151] ✨ UI - Add table refresh button for our common tables
  - Refresh button now available on most tables in UI
  - Improved efficiency on refreshing to load table instead of individual rows when rows are in progress
- ✨ Update default Terranetes version to v0.7.8
Bug Fixes
- [WFP-4055] 🐛 Validate that spec.key is set equal to metadata.name on a workspace
- [WFP-4001] 🐛 Fail early for app with name 'wf-' so it doesn't break at deployment time
- [WFP-3956] 🐛 Fix user invites (to workspaces) and invite generation
- [WFP-4054] 🐛 Don't create appdns zones if no cloud access config available
- [WFP-3960] 🐛 CLI - Make `wf get members` work correctly for non-admins
- [WFP-4065] 🐛 CLI - Improve `wf create cloudaccessconfig` output formatting; fix `--role-name`
- [WFP-4019] 🐛 UI - Fix users link on workspace overview page
- [WFP-4002] 🐛 UI - Prevent 'Access' item in 'Cloud access' section from losing highlight when 'Cloud Identities' tab selected
- [WFP-3958] 🐛 UI - Render correct fields in Cloud Access configuration permissions step when authentication type is changed for existing cloud access
- [WFP-4090] 🐛 UI - Update doc URLs on access token usage modal
- [WFP-4145] 🐛 UI - Fix redirect on creating or saving a Cloud Resource Plan
Release v2.5.1
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.5.1/wayfinder.sha256sums
New UI navigation structure
This release introduces new, clearer navigation to the UI. Clusters can now be found in both workspace and administrative sections, allowing workspace members to see their own clusters.
Other enhancements and new features
- [WF-3838] ✨ Support for 'user defined routing' outbound type on Azure AKS clusters
- [WF-3929] ✨ Add estimated cost for control plane cost for Azure 'paid' SKU clusters
- [WF-3855 / WF-3856] ✨ Provide a set of environment variables to deployed apps describing the runtime environment provided by Wayfinder
- [WF-3890] ✨ Allow AppEnvs to specify a reference to a CloudAccessConfig (needed where more than one cloud access configuration is provided to a workspace for a given stage)
- [WF-3540] ✨ Narrow the permissions required for GCP roles
- [WF-3947] ✨ Remove support for legacy auth proxy (this was replaced by our new kube proxy component in v2.4)
- [WF-3896] ✨ Add validation to Peering resources if directly applied
- [WF-3970] ✨ Improve validation of cloudaccessconfig types
Bug Fixes
- [WF-3943] 🐛 UI - Show dependency errors consistently on delete
- [WF-3945] 🐛 Ensure app components are successfully deleted if their owning app is deleted
- [WF-3949] 🐛 Ensure workspace owners can delete their own workspaces
Release v2.4.6
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.4.6/wayfinder.sha256sums
Enhancements / New features
- [WF-3792] ✨ CLI - Add `wf logs` command to follow and view Wayfinder logs
- [WF-3969] ✨ UI - Remove the downloaded wf.tgz in the CLI download tip
- [WF-3944] ✨ Restrict cloud access configuration in workspaces to Wayfinder admins
Bug Fixes
- [WF-3990] 🐛 Fix AKS node pool OS type handling
- [WF-3977] 🐛 UI - Fix incorrect cluster in access cluster modal
- [WF-3968] 🐛 UI - Show correct value for number of clusters using a clusternetworkplan
- [WF-3950] 🐛 Allow non-admins to perform cost estimates and retrieve metadata for building clusters
- [WF-3926] 🐛 Enforce correctly against deployments when preventing use of cert-manager labels
Release v2.4.5
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.4.5/wayfinder.sha256sums
Enhancements / New features
- [WF-3928] ✨ Update terranetes (to v0.7.5) to support Azure Workload Identity auth
- [WF-3926] ✨ Add default policy to allow cert-manager to perform HTTP01 challenges
- [WF-3888] ✨ Add Azure AKS services network range to cluster spec
  - We recommend updating your existing AKS cluster plans to specify a fixed range to use to assign Kubernetes service IP addresses from.
  - It is safe to use the same range on all your clusters, thus specifying an allocated IP range of type 'Services' is now deprecated on Azure and will be removed in a future release.
- [WF-3925] ✨ Stop reserving half of the allocated IP range on AKS
  - Previously, the subnet created for an AKS cluster was half the size of the allocated network, with the rest reserved for future use.
  - This is no longer the case, so any new AKS clusters will use the whole allocated range for their subnet.
  - This will not affect any existing clusters.
Bug Fixes
- 🐛 UI - Address "All" cluster list tab not showing resources on initial navigation
- [WF-3822 fixup] 🐛 Use workspace list API on users page, fixes invalid context error
Release v2.4.4
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.4.4/wayfinder.sha256sums
Enhancements / New features
- [WF-3915] ✨ Add support for configuring AWS Transit Gateway routing when peering
- [WF-3751] ✨ Add PeeringAcceptor permission to cloud access configuration for all clouds
- [WF-3882] ✨ Ensure cached kubeproxy connections are expired before they time out (prevents occasional 401 errors accessing clusters)
- [WF-3921] ✨ CLI - Make CLI HTTP client timeout overridable via `WAYFINDER_HTTP_CLIENT_TIMEOUT` environment variable (set to e.g. 30s)
Bug Fixes
- [WF-3895] 🐛 Correct handling of 'Not Found' errors in Azure peering provider
- [WF-3920] 🐛 CLI - Handle resources with a 'nil' common status in `wf apply --wait-for-ready`
- [WF-3803] 🐛 Fix over-zealous validation for overlapping peering address ranges
- [WF-3822] 🐌 Improve performance of workspace overview APIs used by the UI
Release v2.4.3
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.4.3/wayfinder.sha256sums
Cross-cloud Web Identity support
- With credential-free access to AWS, Azure and GCP, you can now use Wayfinder's web identity to authenticate Wayfinder into your entire cloud estate, regardless of the cloud in which Wayfinder is hosted (installed)
- Benefits of credential-free access:
- When hosted in AWS use an AWS IAM role for Service Account (IRSA) identity to give Wayfinder access to AWS accounts, Azure subscriptions and GCP projects
- When hosted in Azure use Entra (formerly Azure AD) Workload Identity to give Wayfinder access to Azure subscriptions, AWS accounts and GCP projects
- When hosted in GCP use GCP Workload Identity to give Wayfinder access to GCP projects, AWS accounts and Azure subscriptions
- Reference public Terraform modules to install Wayfinder with the above identities configured on each cloud (AWS, Azure, GCP)
- Reference public Terraform modules to provision the required access for Wayfinder to each AWS account, Azure subscription or GCP project
- Complete overhaul of UI to guide and validate the configuration of cloud access and generate the YAML for your CI process
- New, simplified version of the CloudIdentity and CloudAccessConfig resources to make the configuration clearer and more readable
Includes the following new features and improvements:
- [WF-3552] ✨ Add CloudAccessCheck resource to perform a validation flow for cloud identities and permissions
- [WF-3685] ✨ Validate AWS permissions using SimulatePolicyPrincipal API
- [WF-3687] ✨ Validate Azure permissions by parsing applied policies
- [WF-3826] ✨ List missing permissions when permission checks fail on all three clouds
- [WF-3901] ✨ Ignore AWS organisation 'Service Control Policy' permission failures when assessing role validity on AWS
- [WF-3769] ✨ Auto-cleanup of old CloudAccessCheck resources once the check is complete
- Remove dependency on specific naming conventions for:
  - [WF-3783] ✨ CloudAccessConfig resource names
  - [WF-2491] ✨ CloudAccessConfig permission AWS role names
  - ✨ CloudIdentity resource names
- [WF-3840] ✨ Improved validation of all cloud access properties
- [WF-3834] ✨ Don't block reconciliation of clusters, networks, DNS zones if cloud access permissions out of date, only if inaccessible
- [WF-3737] ✨ Add cloud permissions API
  - [WF-3724] ✨ CLI - Add `wf describe cloudpermission`
- ✨ Provide reference cloud access Terraform modules that can set up the required access for Wayfinder in your AWS/GCP/Azure accounts:
  - [WF-3714] ✨ Terraform to set up cloudaccess on AWS
  - [WF-3715] ✨ Terraform to set up cloudaccess on Azure
  - [WF-3716] ✨ Terraform to set up cloudaccess on GCP
- [WF-3828, WF-3832] ✨ Add API to produce values to use for cloud access Terraform inputs
- [WF-3818] ✨ UI - Display terraform inputs when preparing or amending cloud access configuration
- ✨ CLI - Add `wf describe cloudaccess` command to describe the required inputs for cloud access Terraform, with `-o tfvars` to output directly for use with Terraform
- [WF-3746] ✨ CLI - Implement improved `wf create cloudidentity` and `wf create cloudaccessconfig` commands
  - ✨ CLI - Add `--for-workload-identity` flag to `wf create cloudidentity` to create a cloud identity for the workload identity provided to Wayfinder at install
- Migrate from deprecated Azure AD Pod Identity to supported Entra (formerly Azure AD) Workload Identity:
  - [WF-3659] ✨ Migrate AKS cluster provider to use new Azure SDK with Azure AD Workload Identity support
  - [WF-3703] ✨ Migrate Azure authentication to use new Azure SDK with Azure AD Workload Identity support
  - [WF-3662] ✨ Migrate Azure DNS provider to use new Azure SDK with Azure AD Workload Identity support
  - [WF-3663] ✨ Migrate WorkloadIdentity controller to provision Entra / Azure AD Workload Identities instead of AzureAD Pod Identities
  - ✨ Migrate Azure network provider to use the new Azure SDK
  - [WF-3664] ✨ Remove AAD Pod Identity package from default packages and install
- [WF-3674] Removed cloud organisation / cloud account factory support
- [WF-3550] Removed `wf setup cloudaccessconfig` and `wf setup cloudidentity` commands (replaced by the reference Terraform modules and `wf create cloudaccessconfig` / `wf create cloudidentity`)
New Kubernetes API proxy for managed clusters
- Provides a consistent API to access clusters managed by Wayfinder without needing direct network connectivity
- Allows full access to API of managed clusters via UI, subject to your configured access policies:
  - UI now uses same RBAC as `wf access cluster` - request access to clusters as you need them right from UI, subject to the same policies that govern all cluster access
  - Much improved pod log support with dynamic filtering and following
  - Shell support to exec into pods for debugging, provided user has an access policy permitting this
- [WF-3721] ✨ Full TLS verification when accessing clusters via `kubectl`
- Removes need for an authentication load balancer for each cluster, reducing cluster costs
- Provides same IP address filtering as existing auth proxy
- As all access is made via Wayfinder's API, cluster access is audited as per all other Wayfinder operations
- Existing auth proxy deprecated and disabled by default in new installs, support for it for existing installs will be removed in an upcoming release
New troubleshooting section
- Provides access to Wayfinder's own controller, API, kube proxy and webhook logs from UI
- Tail and filter logs to debug issues with your configuration
Improvements and other new features
- [WF-3901] ✨ Ignore regions which are denied by AWS service control policies in metadata
- ✨ Add Azure DevOps-compatible WF toolbox image - quay.io/appvia-wayfinder/wftoolboxazdo:v2.4.3
- [WF-3869] ✨ Allow additional node pools to be specified with zero minimum size
- [WF-3881] ✨ Support `--ca-file` on `wf login`, improve API client logging when used with `--verbose`
- [WF-3848] UI - Show message when no IP ranges exist in network range table
- ✨ Remove persistence of asset identifiers into database (was no longer used/required)
- [WF-3719] ✨ Support Azure AKS node image security update option
- [WF-3284] ✨ Remove unused windowduration property from cluster plan
- [WF-3749] ✨ Show clusters using a given ClusterNetworkPlan in UI
- [WF-3427] ✨ Allow binding of the same role multiple times to an access token, introduce new assume/assign/kubesessions subresources for consistent web interface and CLI behaviour
- ✨ CLI - Use new 'assume' subresource in `wf access cluster`
- [WF-3793] ✨ Helm chart improvements:
  - Option to generate a single cert
  - Add default CA if secret not provided
  - Remove some unused options
- [WF-3720] ✨ Allow local logins to be completely disabled
- [WF-2912, WF-2891] ✨ Use secure, HTTPS-only cookies instead of bearer tokens for UI authentication - allows opening new tabs without re-authenticating and improves security
- [WF-3717] ✨ Respect upstream IDP refresh tokens if provided - ensures users removed from IDP are blocked as soon as their upstream token indicates expiry
- ✨ Replace hard-coded default deny network policy with kyverno policy doing the same
Bug Fixes
- [WF-3904] 🐛 Ensure we only trigger reconciliation of cloudmeta when relevant condition of cloud access changes, not on any update
- [WF-3612] 🐛 Validate name of environment variables on app components are populated
- [WF-3493] 🐛 Fix issue handling empty Linux/Windows profile on AKS cluster build (prevented copying default AKS cluster plans)
- 🐛 Prevent package releases showing 'Success' when required DNS zone dependencies are unmet
- [WF-3734] 🐛 Ensure cluster exists before pre-cluster deletion logic
- [WF-3642] 🐛 Cannot edit ClusterPlan if ClusterNetworkPlan disabled
- [WF-3892] 🐛 CLI - Fix `wf create member` for usernames containing '@' characters
- [WF-2560] 🐛 CLI - Set namespace correctly when using `wf access namespace`
- 🐛 CLI - Don't refresh tokens if there's no refresh tokens (prevents edge case where lack of refresh token blocks CLI indefinitely)
- [WF-3564] 🐛 UI - Highlight validation error by navigating to correct pane or scrolling to issue
- [WF-3680] 🐛 UI - Fix app component list occasionally showing components from other app
Release v2.3.3
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.3.3/wayfinder.sha256sums
Enhancements / New features
- [WF-3690] ✨ Add namespaceType label to all namespaces managed by Wayfinder in child clusters
Bug Fixes
- [WF-3691] 🐛 Fix EKS KMS key alias deletion when alias not created
- [WF-3689] 🐛 Check if assignablenetwork spec has changed when checking for dependencies
Release v2.3.2
Downloads
See Get the CLI for instructions.
- CLI (Mac - AMD64): Binary | Compressed (.tar.gz)
- CLI (Mac - M1/M2): Binary | Compressed (.tar.gz)
- CLI (Linux): Binary | Compressed (.tar.gz)
- CLI (Windows): Binary | Compressed (.tar.gz)
- CLI Checksums: https://storage.googleapis.com/wayfinder-releases/v2.3.2/wayfinder.sha256sums
Bug Fixes
- [WF-3682] 🐛 Allow access token network manager roles to manage ClusterNetworks and ClusterNetworkPlans