Chapter 4. Connectivity Link policy APIs and observability
This section describes the Connectivity Link core policy APIs and observability features that you can use to secure, protect, connect, and observe your cloud applications and APIs.
4.1. Connectivity Link policy APIs
- Secure your applications with TLSPolicy
  - Lightweight wrapper API to manage TLS for targeted Gateways.
  - Automatically provision TLS certificates based on the Gateway listener hosts by using integration with cert-manager and ACME providers such as Let’s Encrypt.
  - Configure secrets so that the Gateway automatically retrieves them when ready.
- Protect your applications with AuthPolicy
  - Apply authentication and authorization across all or specific listeners in a Gateway, or at the HTTPRoute or HTTPRouteRule level.
  - Use the hierarchical and role-based concept of defaults and overrides to improve collaboration and ensure compliance.
  - Leverage dedicated authentication providers such as Red Hat build of Keycloak.
  - Apply fine-grained authorization requirements based on request and metadata attributes.
- Protect your applications with RateLimitPolicy
  - Apply rate limiting rules across all listeners in a Gateway or at the HTTPRoute or HTTPRouteRule level.
  - Use the role-based and hierarchical concept of defaults and overrides to improve collaboration and ensure compliance.
  - Configure limits conditionally based on metadata and request data.
  - Share counters by using a backend store in multicluster environments.
- Connect your applications with DNSPolicy
  - Full API that is not based on custom annotations.
  - Automatically populate DNS records based on listener hosts and addresses expressed by Gateway API resources.
  - Configure multicluster connectivity and routing options such as geographic and weighted responses.
  - Leverage common cloud DNS providers: AWS Route 53, Microsoft Azure DNS, and Google DNS (CoreDNS also planned).
  - Configure health checks to enable DNS failover.
4.2. Connectivity Link observability
Connectivity Link uses Kuadrant-maintained Gateway API state metrics, metrics exposed by Connectivity Link components, and standard metrics exposed by Envoy to build a set of template alerts and dashboards. You can download and use these Kuadrant community templates to integrate with Grafana, Prometheus, and Alertmanager deployments, or use them as starting points to modify for your specific needs.
Figure 4.1. Platform engineer Grafana dashboard
The platform engineer dashboard displays details such as the following:
- Policy compliance and governance.
- Resource consumption.
- Error rates.
- Request latency and throughput.
- Multi-window, multi-burn-rate alert templates for API error rates and latency.
- Multicluster split.
Figure 4.2. Application developer Grafana dashboard
The application developer dashboard is less focused on policies than the platform engineer dashboard and is more focused on APIs and applications. For example, this includes details such as request latency and throughput per API, and total requests and error rates by API path.
Figure 4.3. Business user Grafana dashboard
The business user dashboard includes details such as the following:
- Requests per second per API.
- Increase or decrease in rates of API usage over specified times.