On this page
WorkspaceSettings
WorkspaceSettings API reference.
Proto: workspace_settings.proto
Package: admin.gloo.solo.io
WorkspaceSettingsReport
| Field | Description |
|---|---|
workspaces | (repeated WorkspaceSettingsReport.WorkspacesEntry) |
workspace | (common.gloo.solo.io.ObjectReference)The workspace that this workspacesettings object configures. |
selectedEastWestGateways | (repeated common.gloo.solo.io.ObjectReference)A list of selected east-west gateways determined by the EastWestGatewaySelector. The GVK of selected_east_west_gateways is DiscoveredGateway. |
federatedServices | (repeated common.gloo.solo.io.ObjectReference)A list of services federated to this workspace, determined by the workspace settings configuration. The GVK of federated_services is core/v1/Service. |
WorkspaceSettingsReport.WorkspacesEntry
| Field | Description |
|---|---|
key | (string) |
value | (common.gloo.solo.io.Report) |
WorkspaceSettingsSpec
WorkspaceSettings define a set of workspace-wide parameters such as importFrom and exportTo for the workspace.
These settings are commonly defined by the workspace admin. There are 3 key configurations related to WorkspaceSettings:
importFrom: To import resources from another workspace to your workspace, configure the
importFromfield in theWorkspaceSettingsresource for your workspace.exportTo: To export resources in your workspace to other workspaces, configure the
exportTofield in theWorkspaceSettingsresource for your workspace.options: Configure service isolation, federation, proxy trimming and other options for the workspace.
You can specify your workspace’s importFrom or exportTo or other workspace configuration options in your
WorkspaceSettings resource for your workspace. Only one WorkspaceSettings resource can be defined for
each workspace. The resource can be deployed to any of your workspace’s namespaces in your workload cluster(s).
Export: Only the resources below can be exported to other workspaces:
- Kubernetes Service
- VirtualDestination
- ExternalService
- RouteTable
- ApiDoc
- GraphQLResolverMap
- GraphQLSchema
- GraphQLStitchedSchema
You can use the exportTo field in the WorkspaceSettings resource for the workspace to configure what resources
are exported to which other workspaces. For example, the web application developer can export the RouteTable resource
from the web workspace to an admin-owned gateway workspace.
The following workspace example defines the backend workspace. The workspace settings example
exports the backend workspace to any workspaces that matches the label team: web.
In addition, all exported resources from the backend workspace are made available
for any workspace that has the label team: web to import.
apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
name: backend
namespace: gloo-mesh
labels:
team: backend
spec:
workloadClusters:
- namespaces:
- name: backend*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
name: default
namespace: backend-namespace
spec:
exportTo:
- workspaces:
- selector:
team: web
Import:
To import exported resources from other workspaces, configure the importFrom field in
the WorkspaceSettings resource for your workspace.
For example, by importing the web workspace, the admin-owned gateway workspace can delegate routing for a subset
of the gateway traffic to a RouteTable resource in the web workspace.
The following workspace defines the web workspace. The workspace settings example imports
the exported resources from the backend workspace into the web workspace. The exported resources from the
backend workspace is available to the web workspace for imports because the web workspace
has the team:web label.
apiVersion: admin.gloo.solo.io/v2
kind: Workspace
metadata:
name: web
namespace: gloo-mesh
labels:
team: web
spec:
workloadClusters:
- namespaces:
- name: web*
---
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
name: default
namespace: web-namespace
spec:
importFrom:
- workspaces:
- name: backend
The following example imports any workspaces that are available for the web workspace to import and
has the team: backend label into the web workspace. After this is deployed
in the web-namepsace namespace of a given workload cluster that are part of the workspace,
all exported resources from the backend workspaces which has the label team: backend
are imported into the web workspace and available for use by anything in the web workspace.
apiVersion: admin.gloo.solo.io/v2
kind: WorkspaceSettings
metadata:
name: default
namespace: web-namepsace
spec:
importFrom:
- workspaces:
- selector:
team: backend
To create global workspace settings that apply to all namespaces in all clusters, you can create a
WorkspaceSettings resource named global in the admin namespace, which is typically gloo-mesh.
If you have multiple workspaces, you must still create one WorkspaceSettings resource per workspaces.
However, global workspace settings override settings defined in individual workspaces.
| Field | Description |
|---|---|
importFrom | (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector)Select the workspaces whose objects will be imported into this workspace. Objects must both be exported by the workspace that is being imported and imported into this workspace in order to be shared across workspaces. Imported objects allow the creation of routes and outbound-communication from one workspace to another. Currently the following types of objects can be imported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, and GraphQL resolver maps. You can select workspace using labels, such as setting importFrom.workspaces.selector to team: backend. Or select workspace name using exact name match, such as setting importFrom.workspaces.name to backend. Or select workspace using labels and name using simple regex, such as setting importFrom.workspaces.selector to team: backend and importFrom.workspaces.name to backend*. |
exportTo | (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector)A workspace can specify resources to export for use by other workspaces. Currently the following types of objects can be exported across workspaces: Kubernetes services, virtual destinations, external destinations, route tables, API schemas, and GraphQL resolver maps. You can select workspace using labels, such as setting exportTo.workspaces.selector to team: backend. Or select workspace name using exact name match, such as setting exportTo.workspaces.name to backend. Or exportTo all other workspaces, such as setting exportTo.workspaces.name to *. Or select workspace using labels and name using simple regex, such as setting exportTo.workspaces.selector to team: backend and team: backend*. Or select workspace name using labels or select name using simple regex, such as setting exportTo.workspaces.selector to team: backend and exportTo.workspaces.name to backend. |
options | (WorkspaceSettingsSpec.Options)Options for configuring the workspace as a whole. |
WorkspaceSettingsSpec.Options
| Field | Description |
|---|---|
serviceIsolation | (WorkspaceSettingsSpec.Options.ServiceIsolation)If Enabled, serviceIsolation will automatically block communication from non-importing workspaces into this one, enforced using mTLS. Applying AccessPolicies to destinations in this workspace will override the default service isolation behavior. |
federation | (WorkspaceSettingsSpec.Options.Federation)Federation is a feature which allows Kubernetes Services to directly communicate with each other across clusters using generated hostnames. When enabled, federation will generate a hostname for each Service selected, which is reachable by all network clients in the workspace. Federation allows routes to be created in RouteTables which forward traffic across clusters. These routes will otherwise be treated by Gloo Mesh as errors. |
eastWestGateways | (repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector)Selects the eastwest gateways in a workspace. These options are used to select which gateways should be used to route East-West traffic. This traffic can be either passthrough TLS or terminated at the EastWest Gateway. A different port is expected in each case. The virtual_dest_client_mode field provides additional information related to this traffic. If no gateways are selected, an attempt will be made to match any service with the label "istio": "eastwestgateway" with ports named either “tls” or “https”. The selection will fail with an error if the label exists but neither of the ports are defined. |
virtualDestClientMode | (common.gloo.solo.io.ClientMode)Optional: Virtual destination client mode determines how VirtualDestinations will be translated. If nil, the default value of auto mode will be used. Any configuration here can be overridden on any individual virtual destination. The settings defined here apply to both user-provided VirtualDestinations and those generated internally when federation is enabled. |
trimAllProxyConfig | (bool)When enabled, trim the outbound config from the Istio sidecar proxies of all destinations in the workspace (including imported destinations). Without the outbound destination config, the Istio sidecar proxies cannot talk to other destinations in the workspace by default. This way, you reduce the size of the proxy config to improve performance. You can add destinations back into the sidecar proxy config by enabling the serviceIsolation.trimProxyConfig field in the workspace settings or by using a TrimProxyConfigPolicy. The preferred way is the TrimProxyConfigPolicy, which gives you more fine-grained control over the allowed destinations than the workspace-wide serviceIsolation.trimProxyConfig setting. You can trim the Istio sidecar proxies for standard Kubernetes workloads, such as Deployments, DaemonSets, and StatefulSets. Proxy trimming is not supported for workloads from other tooling providers’ custom resource definitions (CRDs), such as DeploymentConfigs in OpenShift. For more information, see the Trim proxy config guide. |
WorkspaceSettingsSpec.Options.EastWestGatewaySelector
| Field | Description |
|---|---|
selector | (common.gloo.solo.io.ObjectSelector)Evaluated against the discovered Istio gateway services. When this field is blank, gateway services will be matched using the default labels described on the east_west_gateways field. |
port | (common.gloo.solo.io.PortSelector)Used to match tls port on gateway service. Traffic on this port will be used for passthrough TLS, as described on the virtual_dest_client_mode field. Default matches ports named “tls”. Matching is done by both the port name as well as the port number. A match is required for either port or tls_termination_port, otherwise an error will be reported. |
tlsTerminationPort | (common.gloo.solo.io.PortSelector)Used to match tls termination port on gateway service. Traffic on this port will be used for TLS-terminated traffic, as described on the virtual_dest_client_mode field. Default matches ports named “https”. Matching is done by both the port name as well as the port number. A match is required for either port or tls_termination_port, otherwise an error will be reported. |
hostInfoOverrides | (repeated WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo)Host information for an east-west gateway. Can be used to specify a set of routable destinations that proxy traffic back to the east-west gateway selected by the selector. Useful when a load balancer external to the mesh is being used. When using this feature, be careful to ensure that the selectors are granular enough to ensure that the correct HostInfo is mapped to the proper gateway. |
WorkspaceSettingsSpec.Options.EastWestGatewaySelector.HostInfo
Specify Host Info to override discovered routing information for an east-west gateway.
| Field | Description |
|---|---|
addr | (string)Address to be used to direct traffic to instead of the default gateway discovered address. Can be an IP address or hostname. |
port | (uint32)Port to be used to direct traffic to instead of the default gateway discovered port. |
WorkspaceSettingsSpec.Options.Federation
| Field | Description |
|---|---|
enabled | (bool)Enables the federation feature for selected Kubernetes services in the workspace. Default value is disabled. |
hostSuffix | (string)Optional: The suffix used for generated hostnames. Hostnames will be generated for each selected service in the format {{ service name }}.{{ service namespace }}.{{ service cluster }}.{{ host suffix }}. |
serviceSelector | (repeated common.gloo.solo.io.ObjectSelector)Selector for the K8s services that will be exposed to cross-cluster traffic within the Workspace. Federated hostnames will be generated for selected imported services. |
ports | (repeated common.gloo.solo.io.PortSelector)if provided, expose only selected ports to cross-cluster traffic. |
WorkspaceSettingsSpec.Options.ServiceIsolation
| Field | Description |
|---|---|
enabled | (bool)Automatically enables strict mTLS and blocks any access from non-importing workspaces into any destination in the current workspaces. Default value is disabled. |
trimProxyConfig | (google.protobuf.BoolValue)When enabled, trim the outbound config from the Istio sidecar proxies for any destination outside the workspace. The sidecar proxies keep the configuration for all destinations in the workspace (including imported destinations). To trim proxies for specific destinations with the workspace, you can use the TrimProxyConfigPolicy instead. You can trim the Istio sidecar proxies for standard Kubernetes workloads, such as Deployments, DaemonSets, and StatefulSets. Proxy trimming is not supported for workloads from other tooling providers’ custom resource definitions (CRDs), such as DeploymentConfigs in OpenShift. |
enforcementLayers | (common.gloo.solo.io.EnforcementLayers)Optional: When NetworkPolicy translation is enabled, by default, all available layers will be used to enforce Service Isolation. You can optionally explicitly define which available layers will enforce Service Isolation. Only the layers set here will be used. |
WorkspaceSettingsSpec.WorkspaceObjectSelector
Select a set of resources from a set of workspaces for import or export.
| Field | Description |
|---|---|
workspaces | (repeated common.gloo.solo.io.WorkspaceSelector)the workspaces with the resources to export to or import. |
resources | (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector)the resources (and types of those resources) which will be imported from or exported to the selected workspaces. |
WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector
selects objects of various types
| Field | Description |
|---|---|
kind | (WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind)The type of the resource to import or export. The type must be a valid importable/exportable Kubernetes or Gloo Mesh resource type. Supported types: ROUTE_TABLE, SERVICE, VIRTUAL_DESTINATION, EXTERNAL_SERVICE, API_DOC, GRAPHQL_RESOLVER_MAP, GRAPHQL_SCHEMA, GRAPHQL_STITCHED_SCHEMA, EXTERNAL_WORKLOAD, ALL (all types). |
labels | (repeated WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry)labels matching those of the object |
name | (string)Only select objects exactly matching the name. If omitted, Gloo selects matching objects with any name available in the workspace. |
namespace | (string)Only select objects exactly matching the namespace. If omitted, Gloo selects matching objects across all namespaces available in the workspace. |
cluster | (string)Only select objects in the exactly matching cluster. If omitted, Gloo selects matching objects across all clusters available in the workspace. |
WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.LabelsEntry
| Field | Description |
|---|---|
key | (string) |
value | (string) |
WorkspaceSettingsStatus
| Field | Description |
|---|---|
common | (common.gloo.solo.io.Status)The state and workspace conditions of the applied resource. |
workspace | (common.gloo.solo.io.ObjectReference)The workspace that this workspacesettings object configures. |
numSelectedEastWestGateways | (uint32)The number of selected east-west gateways determined by the EastWestGatewaySelector. |
numFederatedServices | (uint32)The number of services federated to this workspace, determined by the workspace settings configuration. |
WorkspaceSettingsSpec.WorkspaceObjectSelector.TypedObjectSelector.ObjectKind
| Name | Number | Description |
|---|---|---|
ALL | 0 | Select objects of all types. |
ROUTE_TABLE | 1 | Select RouteTable objects. |
SERVICE | 2 | Select Service objects. |
VIRTUAL_DESTINATION | 3 | Select VirtualDestination objects. |
EXTERNAL_SERVICE | 4 | Select ExternalService objects. |
API_DOC | 5 | Select ApiDoc objects. Please note that explicit import/export is only necessary for GraphQL ApiDocs that are referenced in graphql routes. ApiDocs that are used only in the context of the portal features (currently only OpenAPI ones) are implicitly imported/exported together with their corresponding destination, i.e. if a destination (e.g. a service) is visible to a RouteTable, the ApiDoc associated with it will be available when the RouteTable is referenced in a Portal. |
GRAPHQL_RESOLVER_MAP | 6 | Select GraphQLResolverMap objects. |
GRAPHQL_SCHEMA | 7 | Select GraphQLSchema objects. |
GRAPHQL_STITCHED_SCHEMA | 8 | Select GraphQLStitchedSchema objects. |
EXTERNAL_WORKLOAD | 9 | Select ExternalWorkload objects. |