Installing Connectivity Link on OpenShift
Single cluster and multicluster deployments
Abstract
Preface
Providing feedback on Red Hat documentation
Red Hat appreciates your feedback on product documentation.
To propose improvements, open a Jira issue and describe your suggested changes. Provide as much detail as possible to help the documentation team to address your request quickly.
Prerequisite
- You have a Red Hat Customer Portal account. This account enables you to log in to the Red Hat Jira Software instance. If you do not have an account, you will be prompted to create one.
Procedure
- Click the following link: Create issue.
- In the Summary text box, enter a brief description of the issue.
- In the Description text box, provide the following information:
  - The URL of the page where you found the issue.
  - A detailed description of the issue. You can leave the information in other fields at their default values.
- In the Reporter field, enter your Jira user name.
- Click Create to submit the Jira issue to the documentation team.
Thank you for taking the time to provide feedback.
Chapter 1. Connectivity Link prerequisites and permissions
Before you install Connectivity Link, you must ensure that you have access to the required platforms in your environment with the correct user permissions.
1.1. Required platforms and components
- Red Hat account
- You have a Red Hat account with subscriptions for Connectivity Link and OpenShift.
- OpenShift
- OpenShift Container Platform 4.16 or later is installed, or you have access to a supported OpenShift cloud service.
- You are logged into an OpenShift cluster with the cluster-admin role.
- You have the kubectl or oc command installed.
- OpenShift Service Mesh
- Red Hat OpenShift Service Mesh 3.0 is installed on OpenShift as your Gateway API provider. For more details, see the OpenShift Service Mesh installation documentation.
- You have enabled the Gateway API feature in OpenShift Service Mesh 3.0. For more details, see the OpenShift Service Mesh documentation on enabling Gateway API.
- cert-manager Operator for Red Hat OpenShift
- cert-manager Operator for Red Hat OpenShift 1.14 is installed to manage the TLS certificates for your Gateways. For more details, see the cert-manager Operator for Red Hat OpenShift documentation.
Note: Before using a Connectivity Link TLSPolicy, you must set up a certificate issuer for your cloud provider platform. For more details, see the OpenShift documentation on configuring an ACME issuer.
1.2. Optional platforms and components
- DNSPolicy
For DNSPolicy, you have an account for one of the supported cloud DNS providers and have set up a hosted zone for Connectivity Link. For more details, see your cloud DNS provider documentation:
- RateLimitPolicy
For rate limiting policies, you have a shared accessible Redis-based datastore for rate limit counters in a multicluster environment. For details on how to install and configure a secure and highly available datastore, see the documentation for your Redis-compatible datastore:
- AuthPolicy
- For AuthPolicy, you can install Red Hat build of Keycloak if this is required in your environment. For more details, see the Red Hat build of Keycloak documentation.
- Observability
- For Observability, OpenShift user workload monitoring must be configured to remote write to a central storage system such as Thanos. For more details, see the Connectivity Link Observability Guide.
Additional resources
- For more details, see Supported Configurations for Red Hat Connectivity Link.
Chapter 2. Installing Connectivity Link in the OpenShift web console
You can use the OpenShift Container Platform web console to install the Red Hat Connectivity Link Operator.
You must perform these steps on each OpenShift cluster that you want to use Connectivity Link on.
Prerequisites
- See Chapter 1, Connectivity Link prerequisites and permissions.
- You have access to the OpenShift Container Platform web console.
Procedure
- In the OpenShift Container Platform web console, log in with cluster-admin privileges.
- In the left navigation menu, click Operators > OperatorHub.
- In the Filter by keyword text box, enter Connectivity to find the Red Hat Connectivity Link Operator.
- Read the information about the Operator, and click Install to display the Operator subscription page.
- Select your subscription settings as follows:
  - Update Channel: stable
  - Version: 1.0.2
  - Installation mode: All namespaces on the cluster (default).
  - Installed namespace: Select the namespace where you want to install the Operator, for example, kuadrant-system. If the namespace does not already exist, click this field and select Create Project to create the namespace.
  - Approval Strategy: Select Automatic or Manual.
- Click Install, and wait a few moments until the Operator is installed and ready for use.
- Click Operators > Installed Operators > Red Hat Connectivity Link.
- Click the Kuadrant tab, and click Create Kuadrant to create a deployment.
- In the Configure via field, click YAML view to edit the definition, for example, the deployment name.
- Click Create and wait for the deployment to be displayed in the list.
Verification
After you have installed the Operator, click Operators > Installed Operators to verify that the Red Hat Connectivity Link Operator and the following component Operators are installed in your namespace:
- Red Hat - Authorino Operator: Enables authentication and authorization for Gateways and applications in a Gateway API network.
- Red Hat - DNS Operator: Configures how north-south traffic from outside the network is balanced and reaches Gateways.
- Red Hat - Limitador Operator: Enables rate limiting for Gateways and applications in a Gateway API network.
Additional resources
Chapter 3. Installing Connectivity Link on OpenShift from the command line
You must perform these steps on each OpenShift cluster that you want to use Connectivity Link on.
Prerequisites
Procedure
- Create the namespace where you want to install the Operator as follows, for example, kuadrant-system:
  kubectl create ns kuadrant-system
- To install the Connectivity Link Operator, enter the following command:
- Wait for the Connectivity Link Operators to be installed as follows:
  kubectl get installplan -n kuadrant-system -o=jsonpath='{.items[0].status.phase}'
  After some time, this command will return Complete when ready.
- To create your Connectivity Link deployment, enter the following command:
- Wait for Kuadrant to be ready as follows:
  kubectl wait kuadrant/kuadrant --for="condition=Ready=true" -n kuadrant-system --timeout=300s
  This command will return Complete when ready.
Additional resources
Chapter 4. Authenticating to registry.redhat.io for Wasm plug-in access
For RateLimitPolicy and AuthPolicy only, you must authenticate to registry.redhat.io to access the Wasm plug-in image used with OpenShift Service Mesh as the Gateway API provider.
Prerequisites
- You have credentials to access registry.redhat.io. If you do not have access, see Creating Registry Service Accounts.
Procedure
- Create the namespace for your Gateway, for example:
  oc create ns api-gateway
- Create the following secret in your Gateway namespace:
  oc create secret docker-registry wasm-plugin-pull-secret -n api-gateway \
    --docker-server=registry.redhat.io \
    --docker-username=your-registry-service-account-username \
    --docker-password=your-registry-service-account-password
- Repeat this step in each Gateway namespace in which you deploy a RateLimitPolicy or AuthPolicy.
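One way to create the pull secret from the procedure above without putting the registry password on a command line, where it would be recorded in shell history and visible in the process list. This is an added example, not taken from the Red Hat documentation; the function names are assumptions, and it uses the --from-file=.dockerconfigjson form of oc create secret docker-registry instead of the --docker-* options.

```shell
# Added example. make_dockerconfigjson and create_wasm_pull_secret are
# names assumed here, not part of the product.

# Prints a .dockerconfigjson document for registry $1, user $2, password $3.
# Only the base64 "auth" field is written, so the credentials need no JSON
# escaping. printf is a shell builtin, so nothing appears in the process list.
make_dockerconfigjson() {
  _auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$_auth"
}

# Prompts for the registry service account credentials and creates the pull
# secret in namespace $1 (default api-gateway) from a temporary file.
create_wasm_pull_secret() {
  printf 'Registry service account username: ' >&2
  IFS= read -r _user || return 1
  printf 'Password or token: ' >&2
  stty -echo 2>/dev/null || true          # hide typing when on a terminal
  IFS= read -r _pass || { stty echo 2>/dev/null; return 1; }
  stty echo 2>/dev/null || true
  echo >&2
  _cfg=$(mktemp) || return 1              # created with mode 0600
  make_dockerconfigjson registry.redhat.io "$_user" "$_pass" > "$_cfg"
  unset _pass
  _rc=0
  oc create secret docker-registry wasm-plugin-pull-secret \
    -n "${1:-api-gateway}" --from-file=.dockerconfigjson="$_cfg" || _rc=$?
  rm -f "$_cfg"
  return "$_rc"
}
```

Call create_wasm_pull_secret once for each Gateway namespace, passing the namespace name as the first argument.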
Chapter 5. Configuring DNS provider credentials
If you want to configure DNS policies in Connectivity Link, you must configure credentials for at least one of the following supported cloud-based DNS providers:
- Amazon Route 53
- Google Cloud DNS
- Microsoft Azure DNS
Note: You must perform the steps for your chosen DNS provider on each OpenShift cluster that you want to use Connectivity Link on. You must configure the secret for the DNS provider in the same namespace that will include your Gateway.
Prerequisites
- See Chapter 1, Connectivity Link prerequisites and permissions.
- You have access to the namespace in which your Gateway will be created, for example, api-gateway.
Note: This guide uses environment variables for convenience only. If you know the environment variable values, you can set up the required .yaml files in a way that suits your needs.
5.1. Configuring Amazon DNS provider credentials
Procedure
- Set up your environment variables as follows:
  export AWS_ACCESS_KEY_ID=xxxxxxx
  export AWS_SECRET_ACCESS_KEY=xxxxxxx
  export AWS_REGION=your-aws-region
  These variable values are described as follows:
  - AWS_ACCESS_KEY_ID: Key ID from AWS with Route 53 access.
  - AWS_SECRET_ACCESS_KEY: Key from AWS with Route 53 access.
  - AWS_REGION: Your AWS region, for example, us-east-2 or eu-west-1.
- Create a Secret resource for your credentials as follows:
  In this case, you must set the secret type to aws.
Additional resources
5.2. Configuring Google DNS provider credentials
Procedure
- Set up your environment variables as follows:
  export GOOGLE=xxxxxxx
  export PROJECT_ID=xxxxxxx
  These variable values are described as follows:
  - GOOGLE: Google credentials JSON file.
  - PROJECT_ID: Google project ID.
  The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which contains the following:
  {"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}
- Create a Secret resource for your credentials as follows:
  kubectl create secret generic test-gcp-credentials \
    --namespace=api-gateway \
    --type=kuadrant.io/gcp \
    --from-literal=PROJECT_ID=$PROJECT_ID \
    --from-file=GOOGLE=$GOOGLE
  In this case, you must set the secret type to gcp.
Additional resources
5.3. Configuring Azure DNS provider credentials
Procedure
- Create a new Azure service principal for managing DNS as follows:
  DNS_NEW_SP_NAME=kuadrantDnsPrincipal
  DNS_SP=$(az ad sp create-for-rbac --name "$DNS_NEW_SP_NAME")
  DNS_SP_APP_ID=$(echo "$DNS_SP" | jq -r '.appId')
  DNS_SP_PASSWORD=$(echo "$DNS_SP" | jq -r '.password')
  For more details on service principals, see the Microsoft Azure documentation.
- To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:
  - Fetch the DNS ID used to grant access to the service principal as follows:
    DNS_ID=$(az network dns zone show --name example.com \
      --resource-group ExampleDNSResourceGroup --query "id" --output tsv)
    # Get your resource group ID
    RESOURCE_GROUP_ID=$(az group show --resource-group ExampleDNSResourceGroup | jq ".id" -r)
  - Provide reader access to the resource group as follows:
    az role assignment create --role "Reader" --assignee "$DNS_SP_APP_ID" --scope "$RESOURCE_GROUP_ID"
  - Provide contributor access to the DNS zone as follows:
    az role assignment create --role "Contributor" --assignee "$DNS_SP_APP_ID" --scope "$DNS_ID"
- Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access as follows:
- Create a Secret resource for your credentials as follows:
  kubectl create secret generic test-azure-credentials \
    --namespace=api-gateway \
    --type=kuadrant.io/azure \
    --from-file=azure.json=/local/path/to/azure.json
  In this case, you must set the secret type to azure.
Additional resources
Chapter 6. Configuring Redis storage for rate limiting
To configure persistence for rate limit counters in a multicluster environment, you must configure the connection details for your shared Redis-based datastore. This datastore is used to persist shared rate limit counters for the Limitador component of Connectivity Link.
You must configure connection details for your shared Redis-based datastore on each OpenShift cluster that you want to use Connectivity Link for rate limiting.
Prerequisites
Procedure
- Set the following environment variable to your shared Redis-based instance URL:
  export REDIS_URL=rediss://user:xxxxxx@some-redis.com:10340
  Ensure that you include the appropriate URI scheme for your environment:
  - Secure Redis: rediss://
  - Standard Redis: redis://
- Create a Secret resource for your Redis URL as follows:
  kubectl -n kuadrant-system create secret generic redis-config \
    --from-literal=URL=$REDIS_URL
- Update your Limitador custom resource to use the secret that you created as follows:
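A pre-flight check for the REDIS_URL and Secret steps above, as an added example that is not part of the Red Hat documentation: it rejects malformed URLs, refuses plaintext redis:// unless that is explicitly allowed, and creates the Secret from a temporary file rather than with --from-literal. The function names and the ALLOW_PLAINTEXT_REDIS variable are assumptions of this example, and it assumes that any "/" in the password is percent-encoded.

```shell
# Added example. check_redis_url, create_redis_secret and
# ALLOW_PLAINTEXT_REDIS are names assumed here, not part of the product.

# Returns 0 if the URL is usable, 1 if malformed, 2 if it is plaintext
# redis:// and ALLOW_PLAINTEXT_REDIS=1 has not been set.
check_redis_url() {
  case $1 in
    rediss://*) _scheme=rediss ;;
    redis://*)  _scheme=redis ;;
    *) echo "expected a rediss:// or redis:// URL" >&2; return 1 ;;
  esac
  _rest=${1#*://}
  _authority=${_rest%%/*}        # drop an optional /db suffix
  _hostport=${_authority##*@}    # text after the last @ (or all of it)
  case $_hostport in
    ?*:?*) ;;
    *) echo "missing host or port" >&2; return 1 ;;
  esac
  _port=${_hostport##*:}
  case $_port in
    *[!0-9]*|??????*) echo "invalid port" >&2; return 1 ;;
  esac
  if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
    echo "invalid port" >&2; return 1
  fi
  if [ "$_scheme" = redis ] && [ "${ALLOW_PLAINTEXT_REDIS:-0}" != 1 ]; then
    echo "redis:// is unencrypted; use rediss://" >&2
    return 2
  fi
  return 0
}

# Validates the URL, then creates the Secret from a temporary file so the
# embedded password is not passed as a kubectl argument.
create_redis_secret() {
  check_redis_url "$1" || return $?
  _tmp=$(mktemp) || return 1     # mktemp creates the file with mode 0600
  printf '%s' "$1" > "$_tmp"     # no trailing newline in the stored value
  _rc=0
  kubectl -n "${2:-kuadrant-system}" create secret generic redis-config \
    --from-file=URL="$_tmp" || _rc=$?
  rm -f "$_tmp"
  return "$_rc"
}
```

Run create_redis_secret "$REDIS_URL" on each cluster; the namespace defaults to kuadrant-system and can be given as a second argument.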
Additional resources
For details on how to set up your shared Redis-based datastore, see your Redis-compatible product documentation:
Chapter 7. Enabling the Connectivity Link dynamic plug-in in OpenShift
The Connectivity Link Operator automatically installs and configures the Connectivity Link dynamic plug-in for the OpenShift web console. You can use the Connectivity Link dynamic plug-in to view and manage your Gateways and policies in the OpenShift web console.
You must perform these steps on each OpenShift cluster that you want to use the Connectivity Link dynamic plug-in.
Prerequisites
- See Chapter 1, Connectivity Link prerequisites and permissions.
- You have access to the OpenShift Container Platform web console.
Procedure
- In the OpenShift Container Platform web console, log in with cluster-admin privileges.
- In the left navigation menu, select the Administrator perspective.
- Click Home > Overview.
- In the Status panel, click Dynamic Plugins > View all.
- On the Console plugins tab, find the kuadrant-console-plugin entry in the table, which should be listed but disabled.
- In the kuadrant-console-plugin row, click Disabled.
- Select the Enable option, and click Save.
- Wait for the plug-in status to change to Loaded.
Verification
When the plug-in is enabled, refresh the console. You will see a new Connectivity Link menu item in the navigation sidebar.
You can click Connectivity Link > Overview to explore the available resources and to get started with creating a Gateway and configuring policies in the OpenShift web console.
Next steps
- For examples of Gateway and policy configuration, see Configuring and deploying Gateway policies with Connectivity Link.
Appendix A. Using your Red Hat subscription
Red Hat Connectivity Link is provided through a software subscription. To manage your subscriptions, access your account at the Red Hat Customer Portal.
Managing your subscriptions
- Go to access.redhat.com.
- If you do not already have an account, create one.
- Log in to your account.
- In the menu bar, click Subscriptions to view and manage your subscriptions.
Revised on 2025-05-14 11:02:20 UTC