How to use Waypoint without giving k8s admin access to the whole team?

Hello all,

I am trying to grasp the concepts of Waypoint and while I think I modestly understand the various principles in the official documentation or tutorials, I am still failing to see how I could introduce Waypoint into my team (10 people).

  1. We are using a local Kubernetes with its configuration stored in one repo containing the YAML files of each service. This configuration is deployed automatically by GitHub Actions on “PR merge on master” (after checks and peer approval).
  2. Each service has its own Git repository, and it is up to each repo to build its artifacts (binary and Docker image) itself and push them to our own (local) Docker registry (of course using GH Actions).

We like that the k8s repo is the only source of truth (for auditability) and that nobody has direct access to the k8s cluster (except some break-glass and the CI/CD accounts).

The major pain is when we need to bump the version of one service: we need to wait for the Docker image to be built, find the new Docker image ID, copy/paste it into one of the YAML files of the k8s repo and wait for the deployment.

I am sure there are a lot of anti-patterns here (I welcome any feedback on the best practices btw).

Is it possible to use Waypoint without giving the team administrative access to k8s directly?

My only idea would be to have one unique waypoint repo composed of git submodules pointing to each service and a CI/CD script calling waypoint in each separate folder. I guess that would work, but I would rather stay far away from git submodules if possible.

Would you have any other idea please?

Thank you very much.

PS: I am only talking about k8s here, but we also have exactly the same problem with our AWS configuration (backed by Terraform).
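As an added example (not part of the post above and not Waypoint code), here is the manual "find the image ID, paste it into the k8s YAML" step from the post turned into a small script a service repo's CI job could run against a checkout of the k8s repo, so that the k8s repo stays the only source of truth and no service pipeline ever needs cluster credentials. It assumes the registry reports image digests as `sha256:<64 hex chars>`, that image values in the manifests are unquoted, and that the k8s repo's own deploy job (the one that already holds the cluster access) applies whatever gets merged. The manifest, repository name and digest below are constructed for the example.

```python
import re

# Constructed sample manifest for the example: a Deployment whose main
# container is referenced by a mutable tag, plus an unrelated sidecar that
# must be left untouched.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: billing
spec:
  template:
    spec:
      containers:
        - name: billing
          image: registry.internal/billing:1.4.2   # bumped by CI
        - name: sidecar
          image: registry.internal/log-shipper:0.9.0
"""

# Assumption: digests come from the registry as sha256:<64 lowercase hex>.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def bump_image(manifest, repo, digest):
    """Point every `image:` line for `repo` at `repo@digest`.

    Returns (new_manifest, replacements). Raises ValueError if the digest is
    malformed or nothing matched, so a CI job fails loudly rather than
    opening a no-op PR or pinning a garbage reference.
    """
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest!r}")

    # Match `image: repo`, `image: repo:tag` or `image: repo@sha256:...`,
    # keeping indentation and any trailing comment. re.escape() handles the
    # dots and slashes in the repository name; requiring whitespace, a
    # comment or end-of-line after the reference stops `billing` from
    # matching `billing-sidecar`. Quoted image values are not handled
    # (assumption stated above).
    pattern = re.compile(
        r"^(?P<indent>[ \t]*)image:[ \t]*"
        + re.escape(repo)
        + r"(?:[:@][^\s#]+)?(?P<rest>[ \t]*(?:#.*)?)$",
        re.MULTILINE,
    )
    new_manifest, n = pattern.subn(
        lambda m: f"{m.group('indent')}image: {repo}@{digest}{m.group('rest')}",
        manifest,
    )
    if n == 0:
        raise ValueError(f"no image reference for {repo!r} found in manifest")
    return new_manifest, n


def bump_file(path, repo, digest):
    """Rewrite a manifest file in place; returns the number of lines changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, n = bump_image(original, repo, digest)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return n


if __name__ == "__main__":
    # Constructed digest for the demo run.
    demo_digest = "sha256:" + "ab" * 32
    updated, n = bump_image(SAMPLE_MANIFEST, "registry.internal/billing", demo_digest)
    print(f"{n} image reference(s) updated")
    print(updated)
```

In the service repo's workflow the build job would capture the digest the registry returned for the pushed image, check out the k8s repo, run `bump_file()` on the service's manifest, commit, and open a pull request (for example with `gh pr create`); the k8s repo's existing checks and peer approval then gate the deployment exactly as they do today. Pinning by digest rather than by tag also means the reviewer sees precisely which image bytes will run, and a later re-push of the same tag to the registry cannot silently change what the cluster pulls.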