WorkspaceSettings

Proto: workspace_settings.proto

Package: admin.gloo.solo.io

Types:

WorkspaceSettingsSpec

WorkspaceSettings define a set of workspace-wide parameters such as importFrom and exportTo for the workspace. These settings are commonly defined by the workspace admin. There are 3 key configurations related to WorkspaceSettings:

You can specify your workspace's importFrom or exportTo or other workspace configuration options in your WorkspaceSettings resource for your workspace. Only one WorkspaceSettings resource can be defined for each workspace. The resource can be deployed to any of your workspace's namespaces in your workload cluster(s).

Export: Only the resources below can be exported to other workspaces:

You can use the exportTo field in the WorkspaceSettings resource for the workspace to configure what resources are exported to which other workspaces. For example, the web application developer can export the RouteTable resource from the web workspace to an admin-owned gateway workspace.

The following workspace example defines the backend workspace. The workspace settings example exports the backend workspace to any workspace that matches the label team: web. In addition, all exported resources from the backend workspace are made available for any workspace that has the label team: web to import.

apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: backend
  namespace: gloo-mesh
  labels:
    team: backend
spec:
  workloadClusters:
    - namespaces:
      - name: backend*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: backend-namespace
spec:
  exportTo:
    - workspaces:
      - selector:
          team: web

Import: To import exported resources from other workspaces, configure the importFrom field in the WorkspaceSettings resource for your workspace.

For example, by importing the web workspace, the admin-owned gateway workspace can delegate routing for a subset of the gateway traffic to a RouteTable resource in the web workspace.

The following workspace defines the web workspace. The workspace settings example imports the exported resources from the backend workspace into the web workspace. The exported resources from the backend workspace are available to the web workspace for import because the web workspace has the team: web label.

apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: web
  namespace: gloo-mesh
  labels:
    team: web
spec:
  workloadClusters:
    - namespaces:
      - name: web*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
      - name: backend

The following example imports into the web workspace any workspaces that are available for the web workspace to import and that have the team: backend label. After this resource is deployed in the web-namespace namespace of a workload cluster that is part of the workspace, all exported resources from the backend workspaces that have the label team: backend are imported into the web workspace and are available for use by anything in the web workspace.

apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
      - selector:
          team: backend

WorkspaceSettings defined in the admin namespace for Gloo Mesh override the settings defined in individual workspaces. The resource must have the name “global” to be picked up by Gloo Mesh.

Field Description
importFrom (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector)

Select the workspaces whose objects will be imported into this workspace. To be shared across workspaces, an object must be both exported by the workspace that is being imported from and imported into this workspace. Imported objects allow the creation of routes and outbound communication from one workspace to another. Currently the following types of objects can be imported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, GraphQL resolver maps, and CloudProviders. You can select workspaces by label, such as setting importFrom.workspaces.selector to team: backend. Or select a workspace by exact name match, such as setting importFrom.workspaces.name to backend. Or select workspaces by label together with a simple regex on the name, such as setting importFrom.workspaces.selector to team: backend and importFrom.workspaces.name to backend*.
exportTo (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector)

A workspace can specify resources to export for use by other workspaces. Currently the following types of objects can be exported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, GraphQL resolver maps, and CloudProviders. You can select workspaces by label, such as setting exportTo.workspaces.selector to team: backend. Or select a workspace by exact name match, such as setting exportTo.workspaces.name to backend. Or export to all other workspaces, such as setting exportTo.workspaces.name to *. Or select workspaces by label together with a simple regex on the name, such as setting exportTo.workspaces.selector to team: backend and exportTo.workspaces.name to backend*. Or combine a label selector with a name, such as setting exportTo.workspaces.selector to team: backend and exportTo.workspaces.name to backend.
options (WorkspaceSettingsSpec.Options)

Options for configuring the workspace as a whole.

WorkspaceSettingsSpec.Options

Field Description
serviceIsolation (WorkspaceSettingsSpec.Options.ServiceIsolation)

If Enabled, serviceIsolation will automatically block communication from non-importing workspaces into this one, enforced using mTLS. Applying AccessPolicies to destinations in this workspace will override the default service isolation behavior.
federation (WorkspaceSettingsSpec.Options.Federation)

Federation is a feature which allows Kubernetes Services to directly communicate with each other across clusters using generated hostnames. When enabled, federation will generate a hostname for each Service selected, which is reachable by all network clients in the workspace. Federation allows routes to be created in RouteTables which forward traffic across clusters. These routes will otherwise be treated by Gloo Mesh as errors.
eastWestGateways (repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector)

Selects the ingress gateways in a workspace. If no gateways are selected, defaults to attempting to use istio-eastwestgateway.istio-system as the Istio ingress gateway for “east-west” traffic, which is traffic routed across clusters for federation and virtual destinations.
virtualDestClientMode (common.gloo.solo.io.ClientMode)

Optional: Virtual destination client mode determines how VirtualDestinations will be translated. If nil, the default value of auto mode will be used. Any configuration here can be overridden on any individual virtual destination. The settings defined here apply to both user-provided VirtualDestinations and those generated internally when federation is enabled.

WorkspaceSettingsSpec.Options.EastWestGatewaySelector

Field Description
selector (common.gloo.solo.io.ObjectSelector)

Selects the east-west gateway.
port (common.gloo.solo.io.PortSelector)

The port on the Destination which receives traffic. Not required if the Destination only exposes a single port.
hostInfoOverrides (repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo)

Host information for an east-west gateway. Can be used to specify a set of routable destinations that proxy traffic back to the east-west gateway selected by the selector. Useful when a load balancer external to the mesh is being used. When using this feature, be careful to ensure that the selectors are granular enough to ensure that the correct HostInfo is mapped to the proper gateway.

WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo

Specify Host Info to override discovered routing information for an east-west gateway.

Field Description
addr (string)

Address to be used to direct traffic to instead of the default gateway discovered address. Can be an IP address or hostname.
port (uint32)

Port to be used to direct traffic to instead of the default gateway discovered port.

WorkspaceSettingsSpec.Options.Federation

Field Description
enabled (bool)

Enables the federation feature for selected Kubernetes services in the workspace.
hostSuffix (string)

Optional: The suffix used for generated hostnames. Hostnames will be generated for each selected service in the format {{ service name }}.{{ service namespace }}.{{ service cluster }}.{{ host suffix }}.
serviceSelector (repeated common.gloo.solo.io.ObjectSelector)

Selector for the K8s services that will be exposed to cross-cluster traffic within the Workspace. Federated hostnames will be generated for selected imported services.
ports (repeated common.gloo.solo.io.PortSelector)

If provided, expose only selected ports to cross-cluster traffic.
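
The federation and east-west gateway options described above, combined in one WorkspaceSettings resource. This is an added example, not taken from the Gloo Mesh documentation. The namespace and labels keys under serviceSelector and selector are assumed ObjectSelector fields (that type is not described on this page), and the cluster, service, label and address values are constructed.

```yaml
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
      - name: backend
  options:
    federation:
      enabled: true
      # Generated hostnames follow
      #   {{ service name }}.{{ service namespace }}.{{ service cluster }}.{{ host suffix }}
      # so a Service "reviews" in namespace "web-namespace" on cluster
      # "cluster-1" (constructed names) becomes
      #   reviews.web-namespace.cluster-1.mesh.internal
      hostSuffix: mesh.internal
      # Federate only the services that need cross-cluster reachability.
      # namespace/labels are assumed ObjectSelector fields.
      serviceSelector:
        - namespace: web-namespace
          labels:
            federate: "true"        # constructed label
    eastWestGateways:
      # Keep this selector narrow so the HostInfo below maps to the
      # intended gateway only. labels is an assumed ObjectSelector field.
      - selector:
          labels:
            istio: eastwestgateway  # constructed label
        hostInfoOverrides:
          - addr: ew-lb.example.internal  # constructed external load balancer
            port: 15443                   # constructed port
```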

WorkspaceSettingsSpec.Options.ServiceIsolation

Field Description
enabled (bool)

Automatically enables strict mTLS and blocks any access from non-importing workspaces into any destination in the current workspace. Default value is disabled.
trimProxyConfig (google.protobuf.BoolValue)

When enabled, proxy config will be trimmed to eliminate unnecessary config updates. In Istio this will be implemented using the Sidecar resource.

WorkspaceSettingsSpec.WorkspaceObjectSelector

Select a set of resources from a set of workspaces for import or export.

Field Description
workspaces (repeated common.gloo.solo.io.WorkspaceSelector)

The workspaces with the resources to export to or import.
resources (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector)

The resources (and types of those resources) which will be imported from or exported to the selected workspaces.

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector

Selects objects of various types.

Field Description
kind (WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind)

The type of the resource to import or export. The type must be a valid importable/exportable Kubernetes or Gloo Mesh resource type. Supported types: RouteTable, Service, VirtualDestination, ExternalService, ApiDoc, GraphQLResolverMap, CloudProvider, GraphQLSchema, GraphQLStitchedSchema, All (all types).
labels (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry)

Labels matching those of the object.
name (string)

Only select objects exactly matching the name. If the field is omitted, Gloo Mesh will select matching objects with any name available in the workspace.
namespace (string)

Only select objects exactly matching the namespace. If the field is omitted, Gloo Mesh will select matching objects across all namespaces available in the workspace.
cluster (string)

Only select objects in the exactly matching cluster. If the field is omitted, Gloo Mesh will select matching objects across all clusters available in the workspace.
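
A narrowly scoped export next to the broadest one, using the exportTo, resources and serviceIsolation fields described above. This is an added example, not taken from the Gloo Mesh documentation; the service name orders-api is hypothetical. The two documents are alternatives, because only one WorkspaceSettings resource can be defined for each workspace.

```yaml
# Alternative 1 (broad): the backend workspace is exported to all other
# workspaces, with no resources filter and service isolation left at its
# default (disabled).
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: backend-namespace
spec:
  exportTo:
    - workspaces:
      - name: "*"
---
# Alternative 2 (narrow): one importing workspace, one resource kind,
# one named object in one namespace.
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: backend-namespace
spec:
  exportTo:
    - workspaces:
      - name: web                 # exact name match instead of "*"
      resources:
      - kind: SERVICE             # ObjectKind value 2 instead of ALL
        name: orders-api          # hypothetical Service name
        namespace: backend-namespace
  options:
    serviceIsolation:
      # Strict mTLS; access from non-importing workspaces is blocked.
      enabled: true
      # Trim proxy config (implemented in Istio with the Sidecar resource).
      trimProxyConfig: true
```

The web workspace still has to list backend under importFrom before the object is shared, since an object must be both exported and imported.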

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry

Field Description
key (string)

value (string)

WorkspaceSettingsStatus

Reflects the status of the workspace settings.

Field Description
generic (common.gloo.solo.io.GenericContextStatus)

workspace (common.gloo.solo.io.ObjectReference)

The workspace that this WorkspaceSettings object is configuring.
selectedEastWestGateways (repeated common.gloo.solo.io.ObjectReference)

Selected east-west gateways determined by the EastWestGatewaySelector. The GVK of selected_east_west_gateways is DiscoveredGateway.
federatedServices (repeated common.gloo.solo.io.ObjectReference)

Services federated to this workspace because of this WorkspaceSettings configuration. The GVK of federated_services is core/v1/Service.

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind

Name Number Description
ALL 0 Select objects of all types.
ROUTE_TABLE 1 Select RouteTable objects.
SERVICE 2 Select Service objects.
VIRTUAL_DESTINATION 3 Select VirtualDestination objects.
EXTERNAL_SERVICE 4 Select ExternalService objects.
API_DOC 5 Select ApiDoc objects.
GRAPHQL_RESOLVER_MAP 6 Select GraphQLResolverMap objects.
CLOUD_PROVIDER 7 Select CloudProvider objects.
GRAPHQL_SCHEMA 8 Select GraphQLSchema objects.
GRAPHQL_STITCHED_SCHEMA 9 Select GraphQLStitchedSchema objects.