Skip to main content
Version: 1.6


This topic contains troubleshooting steps for various Wayfinder user types:

  • Wayfinder administrator
  • Workspace administrator
  • Workspace member

Unless otherwise noted, any user type can do these steps.

Installing Wayfinder​

[Wayfinder administrator]

Google Cloud authentication error​

If you encounter the following during an installation on GCP:

β—‰ Verifying you have correct permissions to Google Cloud
βœ” Successfully verified permissions to Google Cloud API
Error: unable to create cluster provider - Get "": oauth2: cannot fetch token: 400 Bad Request
Response: {
"error": "invalid_grant",
"error_description": "Bad Request"

Ensure you have logged in using $ gcloud auth application-default login. This ensures the credentials created via the web flow are stored in Application Default Credentials (ADC) and facilitates using the CLI to use the SDK with those stored credentials.

Certificates and cert-manager​

If you are not using the installation options --api-tls-private-key-pem and --ui-tls-private-key-pem, Wayfinder installs and uses cert-manager to provision certificates. Occasionally, cert-manager can fail while requesting a certificate from LetsEncrypt and falls into an exponential backoff:

β—‰ Waiting for Cert Manager to successfully retrieve a certificate for API
Error: operation has been cancelled
β—‰ Waiting for Cert Manager to successfully retrieve a certificate for UI
Error: operation has been cancelled

If you encounter this issue:

  1. Check the status of the certificate resource in the wayfinder namespace:

    kubectl -n wayfinder get certificate

  2. Try deleting the certificate request, and then re-run the non-interactive install:

    • kubectl -n wayfinder delete certificate NAME
    • wf install --non-interactive

    You can access the management cluster to perform the above via:

    # Google Cloud
    # Name: is the name of the management cluster we gave in the install
    # Region: is the region we created the management cluster in
    $ gcloud container clusters get-credentials NAME --zone REGION

    # Amazon AWS
    # Name: is the name of the management cluster we gave in the install
    $ aws eks update-kubeconfig --name NAME

    # Azure
    # Name: is the name of the management cluster we gave in the install
    # Region: is the location we placed the management cluster. The resource group created following the format wf-NAME-REGION
    $ az aks get-credentials --admin --name NAME --resource-group wf-NAME-REGION

Creating or accessing a cluster​

No available account when creating a cluster​

[Wayfinder administrator]

To see an available account when creating a cluster, check that both of the following are true:

  • There is at least one organization or shared account created in Wayfinder for this cloud provider.
  • The above account(s) have a Stage selected in the account naming rules.

Access forbidden​

If you see this message in the UI or CLI while accessing a cluster, any of the following may be the cause:

  • If this is a multi-tenant cluster where you are a tenant, you can administer your namespace, but you will not be able to access cluster resources.

  • Make sure you have run the command wf access cluster to establish an assumed role as a user on this cluster. You only have to run this once.

  • Check that a live session has been successfully established for your user ID:

    wf sessions

Cluster is in an error state​

Check the health of your cluster by examining the detailed status of the resource:

wf get cluster –w WORKSPACE-NAME CLUSTER-NAME -o yaml

App deployment​

Can't create an ingress resource​

If while following the ingress resource generator instructions you don't find the expected tab or link to the generator:

  1. In the UI, navigate to Resources > Clusters, click the name of your cluster, and then click the Capabilities tab to ensure you have nginx-ingress enabled.

    Ingress addon enabled

Where do I find deployment details for my Kubernetes manifest?​

See Deploy an app into a namespace.


Can't assign a robot token to a namespace​

Wayfinder only has visibility into the infrastructure it manages. Your namespace may exist in Kubernetes but not in Wayfinder.

If that’s the case, manually create the namespace in Wayfinder to associate it with the cluster. This does not affect the existing namespace, but makes it visible to Wayfinder.


Don't see actual or estimated cost​

[Wayfinder administrator]

Actual costs: To see actual costs of infrastructure for a specific cloud vendor, both of the following must be true:

  • There is at least one account with Cost audit enabled for this cloud vendor.
  • Actual costs are enabled for this cloud vendor in the UI: Wayfinder settings > Costs > Actual

Estimated costs: To see estimated costs when creating clusters or cluster plans, this must be true:

  • There is at least one account with Estimated costs enabled for this cloud vendor.

See account configuration for organization or shared accounts for your cloud vendor.