See Get the CLI for instructions.
- CLI (Mac): https://storage.googleapis.com/kore-releases/v0.8.1/kore-cli-darwin-amd64
- CLI (Linux): https://storage.googleapis.com/kore-releases/v0.8.1/kore-cli-linux-amd64
- CLI (Windows): https://storage.googleapis.com/kore-releases/v0.8.1/kore-cli-windows-amd64.exe
- Azure Spot Instance support:
- You can now specify to use Azure spot instances on an additional node pool for Azure AKS clusters. This gives potential cost savings where your workloads can tolerate disruptions.
- Cost estimations for Azure when using spot instances show you the current spot price.
- Accessing clusters from the CLI has been simplified with the new command
wf assumeno longer updates your kubectl config context.
Upgrading to v0.8
Important notes when upgrading to v0.8:
- You must remove
basicauth, if present, before upgrading.
- Remove the value
api.auth_pluginsin your Helm values before upgrading.
- "Basic Auth" authentication is not supported and Wayfinder will fail to start with error log
- Local users still work—JWT tokens are used after initial login.
- Remove the value
- The way allocations of cloud accounts are represented internally has changed. Existing resources
will be automatically migrated by Wayfinder, and if you use the CLI and UI to manage your cloud
accounts, no action is required. If you are managing CloudAccount and Allocation objects using
CRDs in YAML (e.g. via
wf apply), you will need to add the allocation field to the CloudAccount spec and drop the Allocation CR.
- When building a cluster using
wf create clusteryou must specify the name of a cloud account instead of the name of an allocation. Workspace members can use
wf get cloudaccounts -w WORKSPACEIDto list the accounts allocated to the workspace. See Create a cluster.
- The docker images for Wayfinder have moved from
quay.io/wayfinder/<image>. If you are overriding any images (for example the auth proxy) in the helm values, please ensure you adjust the location of the images.
- [KO-2475] Assigned Policies to robot account should be deleted when robot removed
- [KO-2473] Improve messaging on authentication proxy access errors
- [KO-2459] UI - make final changes for creating of robots to be inline with wireframes
- [KO-2451] Add warning to UI, that Crossplane is not ready for production use
- [KO-2399] Update Kubernetes Controller to create robot account
- [KO-2398] The UI needs to use the same login flow as the CLI
- [KO-2388] Deploy service catalog in clusters using an immutable Docker image
- [KO-2377] Move Client Token Refreshing into the pkg/client package
- [KO-2376] Remove Legacy OpenID Providers
- [KO-2352] Fix Robot Account Caching Issue on token regeneration
- [KO-2335] Clean up aws IAM roles with new option wf setup --remove for roles
- [KO-2334] Clean up aws IAM user with new option wf setup --remove for cloudidentity
- [KO-2328] by categories relevant to a robot
- [KO-2326] We need to validate the certificate authority provided to Wayfinder
- [KO-2320] Allow users to use customer managed keys in their RDS & S3
- [KO-2306] Upgrade Crossplane and provider-aws to latest stable version
- [KO-2289] Allow 'Uptime SLA' to be turned off for AKS
- [KO-2287] Remove the kubeconfig step in the "Configure access" on UI
- [KO-2286] Secure processes for production artifacts, ensure integrity of production artifacts in our applications
- [KO-2257] Remove allocations, replace with field on CloudAccount CRD
- [KO-2247] Allow for creation of robot tokens in the UI
- [KO-2218] Warn user if cloud account allocated to workspaces but Provisioning feature not enabled
- [KO-2184] API Rate Limiting
- [KO-2134] wf setup cloudidentity for Azure
- [KO-2132] Create Azure Cloud Identity on startup
- [KO-1940] Support minor versions in AKS plans
- [KO-1939] UI to guide user to use 'wf setup cloudidentity' for creating cloud credentials
- [KO-1938] Enable a single AWS Cloud Credential for AWS Access
- [KO-1838] Add trigger and automation for version upgrade / check in E2E
- [KO-1019] Allow to edit/delete resources on the UI while in pending/deleting/etc state
- [KO-2480] Cannot edit cluster from v0.7 on v0.8 due to deprecated fields
- [KO-2467] Network Enforcement Policy Broken
- [KO-2430] wf assume/access doesn't create a new session, if the session exists but it's expired
- [KO-2429] AKS node pool Kubernetes version is used as underlying VM image
- [KO-2413] wf login should error if used with -a but no profile name
- [KO-2402] Adding UI Hostname to the list of whitelisted oauth callback urls
- [KO-2396] Enforcement policies applied before the service is available
- [KO-2391] No RBAC for crossplanedeployment
- [KO-2390] When creating a robot account for a build on the UI, WAYFINDER_TOKEN is shown base64 encoded
- [KO-2389] Robot accounts UI improvement: it's easy to copy only part of the robot token by mistake
- [KO-2381] Fix the example text in the configmap command
- [KO-2378] Add a non-interactive flag to the create namespace command
- [KO-2325] 0.6.2 to 0.7.0 - UI/CLI shows intermittent "A technical problem occurred, please try again later."
- [KO-2322] As a user I can't enable container registry management for a shared AWS cloud account
- [KO-2276] When hitting control-c during
wf assign policyan incomplete plan can be created
- [KO-2255] Do not allow to delete a cloud account if there is a DNS zone configured for it
- [KO-2241] UI: When editing an existing Azure CostImport, the value of Import Scope is empty
- [KO-2226] UI: on the domain view drawer the value of "Cloud Account / Project" is constantly changing to the loading icon and back
- [KO-2217] Don't allow more than one cloud account to point to the same actual cloud account
- [KO-2141] Assume should only work for a single cluster
- [KO-1941] EKS cluster status goes back to 'Success' on deletion
See Get the CLI for instructions.
- CLI (Mac): https://storage.googleapis.com/kore-releases/v0.7.2/kore-cli-darwin-amd64
- CLI (Linux): https://storage.googleapis.com/kore-releases/v0.7.2/kore-cli-linux-amd64
- CLI (Windows): https://storage.googleapis.com/kore-releases/v0.7.2/kore-cli-windows-amd64.exe
This release of Wayfinder delivers the following major features:
- Wayfinder now provides ingress controllers in your clusters, providing your workspace members with out-of-the-box support for exposing workloads.
- The UI can generate example manifests to use this functionality.
- Role-Based Access Control (RBAC)
- Wayfinder now includes a detailed policy engine which controls access to Wayfinder itself and to all clusters that it manages.
- Ensure you review the upgrade notes below if upgrading from an older release of Wayfinder.
- Cloud Account features
- As part of delivering least privilege access to your cloud accounts, Wayfinder now exposes a set of 'Features' for each cloud account you add to it.
- Allows you to express how you wish Wayfinder to use a given cloud account.
- Scopes Wayfinder's privileges against those cloud accounts to a set of concrete permissions required for that feature to work.
- A new wf setup roles command manages those permissions for you in AWS (GCP and Azure support will follow in future releases).
Upgrading to v0.7.2
Important steps you must take when upgrading to v0.7.2:
If Wayfinder was installed into a namespace other than
wf: This release contains several fixes for this case. Contact Wayfinder Support for help with the upgrade process.
Organization and Shared Cloud Accounts: These now specify which Wayfinder features you want to use them for. Organization accounts will have the Account Automation feature enabled by default.
For all other features, you must edit each cloud account and enable the features you want to use that cloud account for. Wayfinder Administrators can do this in the Wayfinder Admin UI.
If you have an Azure Organization configured: This now has a separate subscription ID and tenant ID. If you have an Azure Organization configured, you must edit this after upgrading and specify a valid subscription ID, which is available within your tenant. Without this, attempting to use DNS Zone Management, Cost Imports or Cost Estimates with the Azure Organization will not work as expected.
If you have local users or static admin token authentication: Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add
admintokento api.auth_plugins in your Helm values before upgrading.
Ensure the kubernetes authentication plugin is enabled. This is enabled by default in the helm chart, but if you are overridding the values for
kubernetesto the list. This allows the Wayfinder UI to successfully authenticate to the API.
Important changes in behaviour
- The new Role-Based Access Control (RBAC) system introduces changes in the way users access their
clusters. Review the RBAC documentation and ensure your users understand the changes
before deploying the release. The most important change is that users must use
wf assumebefore performing non-read operations against their clusters using
- This change also removes the Cluster Users configuration from cluster plans. Access to clusters is now controlled by RBAC.
- Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or
static admin token authentication in your environment, you must add
admintokento api.auth_plugins in your Helm values before upgrading.
- Namespaces now have a default deny network policy for inbound / ingress traffic. If you are running applications in Wayfinder managed namespaces, ensure that you explictly allow the inbound network traffic required for your application to be accessed.
- SSO Login is now the default on both CLI and UI even if you have local authentication enabled as
well. To use a local user, you must now use
wf login --localon the CLI or browse to https://your-wayfinder-ui-url/login-local on the UI, otherwise SSO will always be used.
- [KO-1807] Support dns01 certificate issuer in Azure
- [KO-1895] Kubernetes 1.18 Update
- [KO-1915] Check API version when using the CLI
- [KO-1956] Promote wf alpha local to wf local
- [KO-1980] Use new resource list actions layout on all resource lists
- [KO-1996] Stop using the admin token in Wayfinder Portal
- [KO-2004] Remove Local Login when not required
- [KO-2010] Upgrade controller-runtime to 0.7
- [KO-2028] Install Calico Network Policies by default into EKS
- [KO-2058] Separate API endpoint and CLI command to generate robot tokens
- [KO-2059] Support the eu-west-2 region for AWS Control Tower
- [KO-2074] Prefix GCP resource with workspace name
- [KO-2096] Do not allow clusters to be prefixed with workspace name
- [KO-2098] Show the default workspace in
wf profile show
- [KO-2099] Unmanage member account when we delete an AWS managed account
- [KO-2109] Removal of Legacy DEX
- [KO-2114] Increase minimum node count to two in the eks-development plan
- [KO-2119] Allow to define complex label selectors on a Helm Application
- [KO-2127] Use non-interactive flag in
- [KO-2128] Stop using the admin token for cost imports
- [KO-2145] Consistent labeling for Wayfinder-managed namespaces
- [KO-2148] Assume an IAM role or use an IAM service account role for cloudinfo
- [KO-2147] Added Fish auto-completion to Wayfinder CLI
- [KO-2150] Promote
wf alpha patchcommand to
- [KO-2154] Make Wayfinder namespace commands consistent
- [KO-2159] Clarify instructions on the UI when registering a root domain
- [KO-2169] Remove creation of container build secrets from the UI
- [KO-2171] Always install certificate issuers, make email optional, fix issuer names
- [KO-2175] Rework auto-refreshing resources in the UI
- [KO-2211] Fix OpenSSL CVE 3.13.2
- [KO-2220] Support assuming an IAM role in AWS for cloudinfo
- [KO-976] Prefix AWS resources with workspace name
- [KO-1000] UI is bombarding API with queries when trying to refresh the status but the resource was deleted
- [KO-1869] Deleting a cloud account (UI or CLI) does not delete its allocations
- [KO-1876] Handle a cloud being disabled in the Cloud Metadata Service correctly
- [KO-1932] Ensure the UI / API will not allow deletion of any implicit cloudcredentials
- [KO-1978] Cloud identity support for costs requires CostManager role but no way to set this for AWS
- [KO-1983] Unable to delete a namespace with the same name as any workspace
- [KO-2009] Wayfinder UI should redirect from cluster page once cluster delete completes
- [KO-2012] Duplicate CloudAccount and AWSAccounts generated
- [KO-2019] Scheduling Anti-Affinity
- [KO-2023] AWS Org setup says to use 'create audit user' script instead of wf setup cloudidentity
- [KO-2024] Cloud account automation naming clash across providers
- [KO-2026] Unable to choose eu-west-2 as a Control Tower region
- [KO-2036] CloudIdentity auto-configured on AWS even when role not configured
- [KO-2037] First-time startup of Wayfinder on AWS fails due to wf-admin namespace not existing
- [KO-2039] Do not set an invalid owner reference on services created by the object controller
- [KO-2049] Cert-man / External DNS Azure workload identity name validation fails with multiple clusters in a workspace
- [KO-2050] Azure estimated costs / cloud metadata does not work with Azure org account
- [KO-2057] wf assume returns before policy is applied
- [KO-2062] Wayfinder login with a local user was showing the current user's username in the prompt
- [KO-2064] CloudAccount api should validate any roles set
- [KO-2067] Getting "Object 'Kind' is missing" error when applying a Secret object from file
- [KO-2076] AWS service catalog unable to create multiple AWS accounts at the same time
- [KO-2101] Remove the eks.privileged cluster role binding in EKS cluster
- [KO-2105] Fix XSS vulnerability on the UI
- [KO-2107] Secure session cookies, regenerate session after authentication
- [KO-2113] Unable to create policy assume constrained to days of week
- [KO-2149] When you create a new workspace, the workspace selector is loading forever on the page
- [KO-2151] Font sizes for costs are inconsistent with the rest of the UI
- [KO-2153] Wayfinder CLI Select & Prompt UI Issue on Windows
- [KO-2161] Costs UI does not work with Wayfinder installed in custom namespace
- [KO-2173] AWS account creation or update has a stackset status of OUTDATED
- [KO-2195] Cloud credential deletion will delete ANY referenced secret, not just Wayfinder-created ones
- [KO-2197] Error: GCP account has no associated GCP IAM service account email
- [KO-2215] Help text for Wayfinder completion on ZSH incorrect
- [KO-2256] Allocations should not be looked up by an expected name
- [KO-2380] Fix the namespace.admin role in 0.7 release
- [KO-2384] EKS PSP ClusterRoleBinding