Workspace Setting
Tetrate Service Express (TSE) uses many of the same components as the Tetrate Service Bridge (TSB) product but has several distinctions. Go to Comparing TSE and TSB for more details.
Workspace Setting allows configuring the default traffic, security and east-west gateway settings for all the workloads in the namespaces owned by the workspace. Any namespace in the workspace that is not part of a traffic or security group with specific settings will use these default settings.
The following example sets the default security policy to accept either mutual TLS or plaintext traffic, and only accept connections at a proxy workload from services within the same namespace. The default traffic policy allows unknown traffic from a proxy workload to be forwarded via an egress gateway `tsb-egress` in the `perimeter` namespace in the same cluster.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: tse
  organization: tse
spec:
  defaultSecuritySetting:
    authenticationSettings:
      trafficMode: REQUIRED
  defaultTrafficSetting:
    egress:
      host: bookinfo-perimeter/tsb-egress
```
This other example sets the defaults for east-west traffic, configuring gateways for two different app groups. The first setting configures the gateway in the namespace `platinum` to manage the traffic for all workloads with the labels `tier: platinum` and `critical: true`. The second one configures the gateway in the namespace `internal` to manage the traffic for all workloads with the labels `app: eshop` or `internal-critical: true`. Setting up multiple east-west gateways also allows isolating cross-cluster traffic.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: tse
  organization: tse
spec:
  defaultEastWestGatewaySettings:
  - workloadSelector:
      namespace: platinum
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        tier: platinum
        critical: "true"
  - workloadSelector:
      namespace: internal
      labels:
        app: eastwest-gw
    exposedServices:
    - serviceLabels:
        app: eshop
    - serviceLabels:
        internal-critical: "true"
```
This example configures the workspace settings for different workspaces with a list of gateway hosts that they can reach. The first setting configures the hostname `echo-1.tetrate.io`, which is reachable from workspace w1. The second setting configures the hostnames `echo-1.tetrate.io` and `echo-2.tetrate.io`, which are reachable from workspace w2. The third setting configures nothing. The fourth setting configures an empty hostname list.
```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w1-settings
  workspace: w1
  tenant: tse
  organization: tse
spec:
  hostsReachability:
    hostnames:
    - exact: echo-1.tetrate.io
```

```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w2-settings
  workspace: w2
  tenant: tse
  organization: tse
spec:
  hostsReachability:
    hostnames:
    - exact: echo-1.tetrate.io
    - exact: echo-2.tetrate.io
```

```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w3-settings
  workspace: w3
  tenant: tse
  organization: tse
spec:
```

```yaml
apiVersion: api.tsb.tetrate.io/v2
kind: WorkspaceSetting
metadata:
  name: w4-settings
  workspace: w4
  tenant: tse
  organization: tse
spec:
  hostsReachability:
    hostnames: []
```
From the above settings, here is a summary of the host reachability:

- `echo-1.tetrate.io` is reachable from namespaces configured in w1, w2 and w3.
- `echo-2.tetrate.io` is reachable from namespaces configured in w2 and w3.
- All hosts are reachable from namespaces configured in workspace w3.
- Workspace w4 has no access to any hosts.
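The reachability rules summarised above, as an added example that is not part of the Tetrate documentation or product: a small Python model of the `hostsReachability` semantics, with the four settings constructed inline as dicts that mirror the YAML documents above, plus a lint that flags workspaces whose omitted setting silently means "every host reachable". It assumes that a `hostsReachability` block without a `hostnames` key behaves like an omitted block, and it handles only the `exact` matcher shown on this page.

```python
# Added example (not Tetrate code): models the hostsReachability semantics
# described on this page and lints for workspaces left unrestricted.

# Constructed input: dict form of the four WorkspaceSetting specs above.
WORKSPACE_SETTINGS = {
    "w1": {"hostsReachability": {"hostnames": [{"exact": "echo-1.tetrate.io"}]}},
    "w2": {"hostsReachability": {"hostnames": [{"exact": "echo-1.tetrate.io"},
                                               {"exact": "echo-2.tetrate.io"}]}},
    "w3": {},                                        # spec configures nothing
    "w4": {"hostsReachability": {"hostnames": []}},  # explicit empty list
}


def allowed_hosts(spec):
    """Return the set of exact hostnames allowed by a spec, or None when the
    spec places no restriction (hostsReachability omitted).

    Assumption: a hostsReachability block without a hostnames key is treated
    like an omitted block. Only the `exact` matcher shown on the page is
    handled; entries of any other matcher kind are ignored here.
    """
    reach = spec.get("hostsReachability")
    if reach is None or reach.get("hostnames") is None:
        return None
    return {h["exact"] for h in reach["hostnames"] if "exact" in h}


def host_reachable(spec, host):
    """True if `host` is reachable from a workspace with this spec.
    An empty hostnames list yields an empty set, so nothing is reachable."""
    allowed = allowed_hosts(spec)
    return True if allowed is None else host in allowed


def reachable_workspaces(settings, host):
    """Workspaces (sorted) from which `host` is reachable."""
    return sorted(ws for ws, spec in settings.items() if host_reachable(spec, host))


def unrestricted_workspaces(settings):
    """Lint: workspaces with no hostsReachability restriction at all. The YAML
    looks like 'nothing configured' but means 'every host reachable', which is
    the opposite of the explicit empty list used for w4."""
    return sorted(ws for ws, spec in settings.items() if allowed_hosts(spec) is None)


if __name__ == "__main__":
    for host in ("echo-1.tetrate.io", "echo-2.tetrate.io"):
        print(host, "reachable from", reachable_workspaces(WORKSPACE_SETTINGS, host))
    print("unrestricted:", unrestricted_workspaces(WORKSPACE_SETTINGS))
```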
WorkspaceSetting
Default security and traffic settings for all proxy workloads in the workspace.
Field | Description | Validation Rule |
---|---|---|
defaultSecuritySetting | tetrateio.api.tsb.security.v2.SecuritySetting | – |
defaultTrafficSetting | tetrateio.api.tsb.traffic.v2.TrafficSetting | – |
regionalFailover | List of tetrateio.api.tsb.types.v2.RegionalFailover. Explicitly specify the region traffic will land on when endpoints in the local region become unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection is specified, this will not take effect. | – |
defaultEastWestGatewaySettings | List of tetrateio.api.tsb.gateway.v2.EastWestGateway | – |
hostsReachability | tetrateio.api.tsb.gateway.v2.HostsReachability | – |