On this page

WorkspaceSettings

WorkspaceSettings API reference.

Proto: workspace_settings.proto

Package: admin.gloo.solo.io

WorkspaceSettingsReport

Field	Description
`workspaces`	(`repeated WorkspaceSettingsReport.WorkspacesEntry`)
`workspace`	(`common.gloo.solo.io.ObjectReference`) The workspace that this workspacesettings object configures.
`selectedEastWestGateways`	(`repeated common.gloo.solo.io.ObjectReference`) A list of selected east-west gateways determined by the EastWestGatewaySelector. The GVK of selected_east_west_gateways is DiscoveredGateway.
`federatedServices`	(`repeated common.gloo.solo.io.ObjectReference`) A list of services federated to this workspace, determined by the workspace settings configuration. The GVK of federated_services is core/v1/Service.

WorkspaceSettingsReport.WorkspacesEntry

Field	Description
`key`	(`string`)
`value`	(`common.gloo.solo.io.Report`)

WorkspaceSettingsSpec

WorkspaceSettings define a set of workspace-wide parameters such as importFrom and exportTo for the workspace. These settings are commonly defined by the workspace admin. There are 3 key configurations related to WorkspaceSettings:

importFrom: To import resources from another workspace to your workspace, configure the importFrom field in the WorkspaceSettings resource for your workspace.
exportTo: To export resources in your workspace to other workspaces, configure the exportTo field in the WorkspaceSettings resource for your workspace.
options: Configure service isolation, federation, proxy trimming and other options for the workspace.

You can specify your workspace’s importFrom or exportTo or other workspace configuration options in your WorkspaceSettings resource for your workspace. Only one WorkspaceSettings resource can be defined for each workspace. The resource can be deployed to any of your workspace’s namespaces in your workload cluster(s).

Export: Only the resources below can be exported to other workspaces:

Kubernetes Service
VirtualDestination
ExternalService
RouteTable
ApiDoc
GraphQLResolverMap
GraphQLSchema
GraphQLStitchedSchema

You can use the exportTo field in the WorkspaceSettings resource for the workspace to configure what resources are exported to which other workspaces. For example, the web application developer can export the RouteTable resource from the web workspace to an admin-owned gateway workspace.

The following workspace example defines the backend workspace. The workspace settings example exports the backend workspace to any workspaces that matches the label team: web. In addition, all exported resources from the backend workspace are made available for any workspace that has the label team: web to import.

  apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: backend
  namespace: gloo-mesh
  labels:
    team: backend
spec:
  workloadClusters:
    - namespaces:
      - name: backend*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: backend-namespace
spec:
  exportTo:
    - workspaces:
      - selector:
          team: web

Import: To import exported resources from other workspaces, configure the importFrom field in the WorkspaceSettings resource for your workspace.

For example, by importing the web workspace, the admin-owned gateway workspace can delegate routing for a subset of the gateway traffic to a RouteTable resource in the web workspace.

The following workspace defines the web workspace. The workspace settings example imports the exported resources from the backend workspace into the web workspace. The exported resources from the backend workspace is available to the web workspace for imports because the web workspace has the team:web label.

  apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
  name: web
  namespace: gloo-mesh
  labels:
    team: web
spec:
  workloadClusters:
    - namespaces:
      - name: web*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namespace
spec:
  importFrom:
    - workspaces:
      - name: backend

The following example imports any workspaces that are available for the web workspace to import and has the team: backend label into the web workspace. After this is deployed in the web-namepsace namespace of a given workload cluster that are part of the workspace, all exported resources from the backend workspaces which has the label team: backend are imported into the web workspace and available for use by anything in the web workspace.

  apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
  name: default
  namespace: web-namepsace
spec:
  importFrom:
    - workspaces:
      - selector:
          team: backend

To create global workspace settings that apply to all namespaces in all clusters, you can create a WorkspaceSettings resource named global in the admin namespace, which is typically gloo-mesh. If you have multiple workspaces, you must still create one WorkspaceSettings resource per workspaces. However, global workspace settings override settings defined in individual workspaces.

Field	Description
`importFrom`	(`repeated WorkspaceSettingsSpec.WorkspaceObjectSelector`) Select the workspaces whose objects will be imported into this workspace. Objects must both be exported by the workspace that is being imported and imported into this workspace in order to be shared across workspaces. Imported objects allow the creation of routes and outbound-communication from one workspace to another. Currently the following types of objects can be imported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, and GraphQL resolver maps. You can select workspace using labels, such as setting `importFrom.workspaces.selector` to `team: backend`. Or select workspace name using exact name match, such as setting `importFrom.workspaces.name` to `backend`. Or select workspace using labels and name using simple regex, such as setting `importFrom.workspaces.selector` to `team: backend` and `importFrom.workspaces.name` to `backend*`.
`exportTo`	(`repeated WorkspaceSettingsSpec.WorkspaceObjectSelector`) A workspace can specify resources to export for use by other workspaces. Currently the following types of objects can be exported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, and GraphQL resolver maps. You can select workspace using labels, such as setting `exportTo.workspaces.selector` to `team: backend`. Or select workspace name using exact name match, such as setting `exportTo.workspaces.name` to `backend`. Or exportTo all other workspaces, such as setting `exportTo.workspaces.name` to ``. Or select workspace using labels and name using simple regex, such as setting `exportTo.workspaces.selector` to `team: backend` and `team: backend`. Or select workspace name using labels or select name using simple regex, such as setting `exportTo.workspaces.selector` to `team: backend` and `exportTo.workspaces.name` to `backend`.
`options`	(`WorkspaceSettingsSpec.Options`) Options for configuring the workspace as a whole.

WorkspaceSettingsSpec.Options

Field	Description
`serviceIsolation`	(`WorkspaceSettingsSpec.Options.ServiceIsolation`) If Enabled, serviceIsolation will automatically block communication from non-importing workspaces into this one, enforced using mTLS. Applying AccessPolicies to destinations in this workspace will override the default service isolation behavior.
`federation`	(`WorkspaceSettingsSpec.Options.Federation`) Federation is a feature which allows Kubernetes Services to directly communicate with each other across clusters using generated hostnames. When enabled, federation will generate a hostname for each Service selected, which is reachable by all network clients in the workspace. Federation allows routes to be created in RouteTables which forward traffic across clusters. These routes will otherwise be treated by Gloo Mesh as errors.
`eastWestGateways`	(`repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector`) Selects the eastwest gateways in a workspace. These options are used to select which gateways should be used to route East-West traffic. This traffic can be either passthrough TLS or terminated at the EastWest Gateway. A different port is expected in each case. The `virtual_dest_client_mode` field provides additional information related to this traffic. If no gateways are selected, an attempt will be made to match any service with the label `"istio": "eastwestgateway"` with ports named either “tls” or “https”. The selection will fail with an error if the label exists but neither of the ports are defined.
`virtualDestClientMode`	(`common.gloo.solo.io.ClientMode`) Optional: Virtual destination client mode determines how VirtualDestinations will be translated. If nil, the default value of auto mode will be used. Any configuration here can be overridden on any individual virtual destination. The settings defined here apply to both user-provided VirtualDestinations and those generated internally when federation is enabled.
`trimAllProxyConfig`	(`bool`) When enabled, trim the outbound config from the Istio sidecar proxies of all destinations in the workspace (including imported destinations). Without the outbound destination config, the Istio sidecar proxies cannot talk to other destinations in the workspace by default. This way, you reduce the size of the proxy config to improve performance. You can add destinations back into the sidecar proxy config by enabling the `serviceIsolation.trimProxyConfig` field in the workspace settings or by using a `TrimProxyConfigPolicy`. The preferred way is the `TrimProxyConfigPolicy`, which gives you more fine-grained control over the allowed destinations than the workspace-wide `serviceIsolation.trimProxyConfig` setting. For more information, see the Trim proxy config guide.

WorkspaceSettingsSpec.Options.EastWestGatewaySelector

Field	Description
`selector`	(`common.gloo.solo.io.ObjectSelector`) Evaluated against the discovered Istio gateway services. When this field is blank, gateway services will be matched using the default labels described on the `east_west_gateways` field.
`port`	(`common.gloo.solo.io.PortSelector`) Used to match tls port on gateway service. Traffic on this port will be used for passthrough TLS, as described on the `virtual_dest_client_mode` field. Default matches ports named “tls”. Matching is done by both the port name as well as the port number. A match is required for either `port` or `tls_termination_port`, otherwise an error will be reported.
`tlsTerminationPort`	(`common.gloo.solo.io.PortSelector`) Used to match tls termination port on gateway service. Traffic on this port will be used for TLS-terminated traffic, as described on the `virtual_dest_client_mode` field. Default matches ports named “https”. Matching is done by both the port name as well as the port number. A match is required for either `port` or `tls_termination_port`, otherwise an error will be reported.
`hostInfoOverrides`	(`repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo`) Host information for an east-west gateway. Can be used to specify a set of routable destinations that proxy traffic back to the east-west gateway selected by the selector. Useful when a load balancer external to the mesh is being used. When using this feature, be careful to ensure that the selectors are granular enough to ensure that the correct HostInfo is mapped to the proper gateway.

WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo

Specify Host Info to override discovered routing information for an east-west gateway.

Field	Description
`addr`	(`string`) Address to be used to direct traffic to instead of the default gateway discovered address. Can be an IP address or hostname.
`port`	(`uint32`) Port to be used to direct traffic to instead of the default gateway discovered port.

WorkspaceSettingsSpec.Options.Federation

Field	Description
`enabled`	(`bool`) Enables the federation feature for selected Kubernetes services in the workspace. Default value is disabled.
`hostSuffix`	(`string`) Optional: The suffix used for generated hostnames. Hostnames will be generated for each selected service in the format `{{ service name }}.{{ service namespace }}.{{ service cluster }}.{{ host suffix }}`.
`serviceSelector`	(`repeated common.gloo.solo.io.ObjectSelector`) Selector for the K8s services that will be exposed to cross-cluster traffic within the Workspace. Federated hostnames will be generated for selected imported services.
`ports`	(`repeated common.gloo.solo.io.PortSelector`) if provided, expose only selected ports to cross-cluster traffic.

WorkspaceSettingsSpec.Options.ServiceIsolation

Field	Description
`enabled`	(`bool`) Automatically enables strict mTLS and blocks any access from non-importing workspaces into any destination in the current workspaces. Default value is disabled.
`trimProxyConfig`	(`google.protobuf.BoolValue`) When enabled, trim the outbound config from the Istio sidecar proxies for any destination outside the workspace. The sidecar proxies keep the configuration for all destinations in the workspace (including imported destinations). To trim proxies for specific destinations with the workspace, you can use the `TrimProxyConfigPolicy` instead.
`enforcementLayers`	(`common.gloo.solo.io.EnforcementLayers`) Optional: When NetworkPolicy translation is enabled, by default, all available layers will be used to enforce Service Isolation. You can optionally explicitly define which available layers will enforce Service Isolation. Only the layers set here will be used.

WorkspaceSettingsSpec.WorkspaceObjectSelector

Select a set of resources from a set of workspaces for import or export.

Field	Description
`workspaces`	(`repeated common.gloo.solo.io.WorkspaceSelector`) the workspaces with the resources to export to or import.
`resources`	(`repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector`) the resources (and types of those resources) which will be imported from or exported to the selected workspaces.

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector

selects objects of various types

Field	Description
`kind`	(`WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind`) The type of the resource to import or export. The type must be a valid importable/exportable Kubernetes or Gloo Mesh resource type. Supported types: `ROUTE_TABLE`, `SERVICE`, `VIRTUAL_DESTINATION`, `EXTERNAL_SERVICE`, `API_DOC`, `GRAPHQL_RESOLVER_MAP`, `GRAPHQL_SCHEMA`, `GRAPHQL_STITCHED_SCHEMA`, `EXTERNAL_WORKLOAD`, `ALL` (all types).
`labels`	(`repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry`) labels matching those of the object
`name`	(`string`) Only select objects exactly matching the name. If omitted, Gloo selects matching objects with any name available in the workspace.
`namespace`	(`string`) Only select objects exactly matching the namespace. If omitted, Gloo selects matching objects across all namespaces available in the workspace.
`cluster`	(`string`) Only select objects in the exactly matching cluster. If omitted, Gloo selects matching objects across all clusters available in the workspace.

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry

Field	Description
`key`	(`string`)
`value`	(`string`)

WorkspaceSettingsStatus

Field	Description
`common`	(`common.gloo.solo.io.Status`) The state and workspace conditions of the applied resource.
`workspace`	(`common.gloo.solo.io.ObjectReference`) The workspace that this workspacesettings object configures.
`numSelectedEastWestGateways`	(`uint32`) The number of selected east-west gateways determined by the EastWestGatewaySelector.
`numFederatedServices`	(`uint32`) The number of services federated to this workspace, determined by the workspace settings configuration.

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind

Name	Number	Description
`ALL`	0	Select objects of all types.
`ROUTE_TABLE`	1	Select RouteTable objects.
`SERVICE`	2	Select Service objects.
`VIRTUAL_DESTINATION`	3	Select VirtualDestination objects.
`EXTERNAL_SERVICE`	4	Select ExternalService objects.
`API_DOC`	5	Select ApiDoc objects. Please note that explicit import/export is only necessary for GraphQL ApiDocs that are referenced in graphql routes. ApiDocs that are used only in the context of the portal features (currently only OpenAPI ones) are implicitly imported/exported together with their corresponding destination, i.e. if a destination (e.g. a service) is visible to a RouteTable, the ApiDoc associated with it will be available when the RouteTable is referenced in a Portal.
`GRAPHQL_RESOLVER_MAP`	6	Select GraphQLResolverMap objects.
`GRAPHQL_SCHEMA`	7	Select GraphQLSchema objects.
`GRAPHQL_STITCHED_SCHEMA`	8	Select GraphQLStitchedSchema objects.
`EXTERNAL_WORKLOAD`	9	Select ExternalWorkload objects.

WorkspaceSettings

WorkspaceSettingsReport link

WorkspaceSettingsReport.WorkspacesEntry link

WorkspaceSettingsSpec link

WorkspaceSettingsSpec.Options link

WorkspaceSettingsSpec.Options.EastWestGatewaySelector link

WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo link

WorkspaceSettingsSpec.Options.Federation link

WorkspaceSettingsSpec.Options.ServiceIsolation link

WorkspaceSettingsSpec.WorkspaceObjectSelector link

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector link

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry link

WorkspaceSettingsStatus link

WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind link