Workspaces as service discovery boundaries
You can use Gloo workspaces to determine which namespaces can access discovered Istio service mesh resources.
After installation, Gloo Mesh automatically discovers Istio service mesh resources in your cluster. When you create Gloo Mesh resources, Gloo Mesh also generates Istio resources automatically for you. These discovered, generated resources are represented in the management cluster for observability and configuration purposes. For example, when you update a Gloo Mesh resource, Gloo Mesh also updates the generated Istio resources for you. You can also view all of your service mesh resources from the Gloo Mesh UI. For more information about translating Gloo Mesh to Istio resources, see Custom resource translation.
To control which objects Gloo Mesh discovers, you can use Istio discoverySelectors on the Kubernetes namespaces. If you do not configure discovery selectors for any namespaces, all objects are discovered by default. For more information about discovery selectors, see this Istio blog.
Workspaces affect service discovery in that the discovered resources are available to other namespaces within the workspace. You can also set up exporting and importing across workspaces for discovery, just like for Gloo Mesh resources. For more information, flip through the following figures.
In the first workspace’s cluster, you don’t bother setting Istio discoverySelectors for any namespaces. By default, Gloo Mesh discovers everything. You create a Products app, which consists of a Kubernetes deployment and service. Gloo Mesh discovers the app and creates related Istio resources such as WorkloadEntry and ServiceEntry for you.
In another workspace, you do use Istio discovery selectors for the namespace. You might have a Gloo Mesh resource, such as a route table, in that namespace. Gloo Mesh generates related Istio resources for the route table, such as VirtualService, ServiceEntry, and DestinationRule. Because you created the route table in a workspace, the route table is available to other namespaces in the same workspace, too.
If you set up your workspace to import and export, Gloo Mesh exports the route table for you. The generated Gloo Mesh and related Istio resources are also discovered in the other workspace.
In the third cluster, you set up Istio discovery selectors for some namespaces. The Reviews app is not discovered because it is not in a discovered namespace. However, you can still access the app from other namespaces that are within the same workspace. For example, you might make a Gloo Mesh virtual destination that is backed by the Kubernetes service of the Reviews app.
