Import and export resources across workspaces

What if you want to share services across workspaces? For example, maybe you want your gateway in Team A's workspace to route traffic to a frontend service in Team B's workspace, but not to Team C's backend services.

You can share resources across workspaces by configuring the workspace settings and the selectors on your services. You have to configure the settings for both workspaces, which help to make sure that you don't export resources by mistake.

Export to and import from settings

Make sure that your importing and exporting settings match across your workspaces.

You can select your workspaces by using labels and names.

Labels: Use Kubernetes labels to select workspaces for importing or exporting. Each workspace must have the matching label. For example, you might use labels such as team: frontend, app: bookinfo, or env: prod. By using labels, any workspaces that are subsequently added are also selected.

Names: If you want more fine-grained control, you can select workspaces by name. The following types of matching are supported.

Labels and names together: For more fine-grained control, you can combine labels and names together.

Select resources to share across workspaces

After setting up the workspaces to import from and export to, you can narrow sharing to a particular resource. Four kinds of resources are supported:

You can select resources by label, name, namespace, or cluster. For more information, see the API docs.

After importing a resource, Gloo generates subsequent resources like Istio translations in each namespace of the workspace. This way, you can use the imported resources just as other resources in your workspace.

Federated resources

Gloo Platform federates Gloo and Kubernetes resources so that services can communicate with each other across clusters within the workspace. For example, you might have a frontend service in cluster 1 that needs to get data from a backend service in cluster 2. You can use Gloo to enable communication via federation with a virtual destination resource. Then, Gloo duplicates the service and translates any needed Istio resources so that the services communicate with each other via the Istio east-west gateway.

You can configure federation with several Gloo custom resources. If you export the resource to another workspace, the resource is also federated within that workspace.

Gloo virtual destinations are the preferred way to set up multicluster routing. When you create a virtual destination, Gloo automatically federates the resource in each namespace within the workspace, even across clusters. This way, you get intelligent, locality-aware multicluster routing for the services that the virtual destination selects. You can also attach Gloo policies to virtual destinations, such as to secure and shift traffic.

Federation is automatically enabled when you create this resource or import the resource into your workspace.

For more information, see Multi-cluster routing with virtual destinations.

External services are similar to virtual destinations, except that the backing services are external to your Gloo Platform environment. When you create an external service, Gloo automatically federates the resource in each namespace within the workspace, even across clusters. This way, you get intelligent, locality-aware multicluster routing for the services or external endpoints that the external service selects. You can also attach Gloo policies to external services, such as to secure and shift traffic.

Federation is automatically enabled when you create this resource or import the resource into your workspace.

For more information, see Routing to external services.

With route tables, you can group several routes together so that you can more easily control routing behavior. When you create a route table, Gloo automatically federates the resource in each namespace within the workspace, even across clusters. This way, you get consistent ingress control for the routes that the route table selects. You can also attach Gloo policies to the routes in the route table, such as to secure and shift traffic.

Federation is automatically enabled when you create this resource or import the resource into your workspace.

For more information, see Intra-mesh routing.

Example scenarios for importing and exporting

For more information about how importing and exporting work, review the following figure, tabbed description, and example configuration file.

Figure of importing and exporting resources across workspaces.
The Ops team's workspace selects the ingress gateway and Gloo Platform add-on resources like rate limiting and external auth. Their workspace settings resource is configured as follows:

  • Exports the Gloo Platform add-on services and virtual destinations for rate limiting and external auth to any workspace. This way, any future workspaces can also use these Gloo Platform features.
  • Imports the Web team's frontend app resources so that the ingress gateway can route to the frontend.
  • Does not import the Backend API team because the ingress gateway does not need to route to those backend apps.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Enables service isolation so that resources are secured without additional policy configuration.
The Web team's workspace has the frontend apps that run the website. Their workspace settings resource is configured as follows:

  • Imports the Backend API team's backend apps. This way, the frontend website can use the backend services.
  • Imports the Ops team's add-on apps, as well as the gateway.
  • Exports to the Ops team so that the gateway can route to the frontend app.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Enables service isolation so that resources are secured without additional policy configuration.
The Backend API team's workspace has the backend apps that the frontend website needs. Their workspace settings resource is configured as follows:

  • Imports the Ops team's add-on apps so that the backend services can use Gloo features such as rate limiting.
  • Does not import the Ops team's gateway app because the backend services do no need to be exposed via ingress.
  • Exports to the Web team so that the frontend app can use the backend APIs.
  • Disables federation, because Gloo virtual destinations are the preferred way to enable multicluster routing, if needed.
  • Disables service isolation. Instead, the Backend API team uses Gloo access policies for more fine-grained access control.

Example YAML configuration

The following GitHub Gist example configures the settings for three workspaces. You create workspace settings resources in the workload cluster of your choice, as long as that cluster is part of the workspace. For more information, see the API docs.