Red Hat SummitChapter 1. Secure, protect, and connect APIs on OpenShift with Connectivity Link
This guide shows how you can use Connectivity Link on OpenShift to secure, protect, and connect an API exposed by a Gateway that uses Kubernetes Gateway API. This guide applies to the platform engineer and application developer user roles in Connectivity Link.
In multicluster environments, you must perform the following steps in each cluster individually, unless specifically excluded.
This guide includes the following sections:
- Chapter 2, Check your Connectivity Link installation and permissions
- Chapter 3, Set up your environment
- Chapter 4, Set up a DNS provider secret
- Chapter 5, Add a TLS certificate issuer
- Chapter 6, Create your Gateway instance
- Chapter 7, Configure your Gateway policies and HTTP route
- Chapter 8, Override your Gateway policies for auth and rate limiting
The steps in chapters 2 to 7 are typically performed by the platform engineer user role. The steps in chapter 8 are typically performed by the application developer user role.
1.1. Connectivity Link capabilities in multicluster environments
You can leverage Connectivity Link capabilities in single or multiple OpenShift clusters. The following features are designed to work across multiple clusters as well as in a single-cluster environment:
-
Multicluster ingress: Connectivity Link provides multicluster ingress connectivity using DNS to bring traffic to your Gateways by using a strategy defined in a
DNSPolicy. -
Global rate limiting: Connectivity Link can enable global rate limiting use cases when configured to use a shared Redis-based store for counters based on limits defined by a
RateLimitPolicy. -
Global auth: You can configure a Connectivity Link
AuthPolicyto leverage external auth providers to ensure that different clusters exposing the same API can authenticate and authorize in the same way. -
Automatic TLS certificate generation: You can configure a
TLSPolicyto automatically provision TLS certificates based on Gateway listener hosts by using integration with cert-manager and ACME providers such as Let’s Encrypt. - Integration with federated metrics stores: Connectivity Link has example dashboards and metrics for visualizing your Gateways and observing traffic hitting those Gateways across multiple clusters.
1.2. Connectivity Link user role workflows
Platform engineer: This guide shows how platform engineers can deploy Gateways that provide secure communication and are protected and ready for use by application development teams to deploy APIs.
Platform engineers can use Connectivity Link in clusters in different geographic regions to bring specific traffic to geo-located Gateways. This approach reduces latency, distributes load, and protects and secures with global rate limiting and auth policies.
- Application developer: This guide shows how application developers can override the Gateway-level global auth and rate limiting policies to configure application-level auth and rate limiting requirements for specific users.
1.3. Deployment management tooling
The examples in this guide use kubectl commands for simplicity. However, working with multiple clusters is complex, and it is best to use a tool such as OpenShift GitOps, based on Argo CD, to manage the deployment of resources to multiple clusters.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}