Chapter 1. Installing on OpenShift Container Platform


As a platform engineer, you can install Connectivity Link on OpenShift Container Platform clusters.

1.1. Getting ready to install Connectivity Link

As you plan your Connectivity Link install, ensure that you have access to the required platforms in your environment with the correct user permissions. You can also decide whether to use optional supported components, such as rate limiting and Observability.

1.1.1. Required platforms and components

The following platforms and components are required to install Connectivity Link successfully:

Red Hat account
You have a Red Hat account with subscriptions for Connectivity Link and OpenShift Container Platform.
OpenShift Container Platform

OpenShift Container Platform 4.19 or later is installed, or you have access to a supported OpenShift Container Platform cloud service. See OpenShift Container Platform installation documentation.

Important

When using the Gateway API custom resource definitions (CRDs) provided in OpenShift Container Platform 4.19 or newer, you must create a GatewayClass named openshift-default and specify a controllerName of openshift.io/gateway-controller/v1. For more details, see the Getting started with Gateway API for the Ingress Operator (OpenShift Container Platform documentation).

OpenShift Service Mesh
A separate OpenShift Service Mesh installation is not required with Connectivity Link 1.3. If you use OpenShift Service Mesh, ensure that you are using 3.2 to stay in a supported configuration.
cert-manager Operator for Red Hat OpenShift

You installed cert-manager Operator for Red Hat OpenShift 1.18 to manage the TLS certificates for your gateways. See the cert-manager Operator for Red Hat OpenShift documentation.

Important

Before using a Connectivity Link TLSPolicy custom resource (CR), you must set up a certificate issuer for your cloud provider platform. See the OpenShift documentation on configuring an ACME issuer.

1.1.2. Optional components

The following components are optional with Connectivity Link. You can decide what you want to use and plan for those configurations before beginning your installation.

DNSPolicy

For a DNSPolicy CR, you must have an account for one of the supported cloud DNS providers and have set up a hosted zone for Connectivity Link. For more details, see your cloud DNS provider documentation.

RateLimitPolicy

For RateLimitPolicy CRs, you must have a shared accessible Redis-based datastore for rate-limit counters in a multicluster environment. For details on how to install and configure a secure and highly available datastore, see the documentation for your Redis-compatible datastore.

AuthPolicy
For an AuthPolicy CR, you can install Red Hat build of Keycloak if required in your environment. For more details, see the Red Hat build of Keycloak documentation.
Observability
For Observability, you must configure OpenShift Container Platform user workload monitoring to remote-write to a central storage system.

Connectivity Link must run on a supported combination of OpenShift Container Platform and use the cert-manager Operator for Red Hat OpenShift. To configure observability, use Red Hat OpenShift Service Mesh. Red Hat provides both production and development support for supported configurations and tested integrations according to your subscription agreement.

Important

If you use a configuration that includes OpenShift Container Platform 4.18 or older, you must also use Red Hat OpenShift Service Mesh as the Gateway API provider.

| Red Hat Connectivity Link | Red Hat OpenShift Container Platform | Red Hat OpenShift Dedicated | Red Hat OpenShift Service on AWS | Microsoft Azure Red Hat OpenShift |
| --- | --- | --- | --- | --- |
| Version 1.3 | 4.21, 4.20, 4.19 | 4.21, 4.20, 4.19 | 4.21, 4.20, 4.19 | 4.19 |
| Version 1.2 | 4.20, 4.19, 4.18 | 4.20, 4.19, 4.18 | 4.20, 4.19, 4.18 | 4.17 |
| Version 1.1 | 4.19, 4.18, 4.17 | 4.19, 4.18, 4.17 | 4.19, 4.18, 4.17 | 4.17 |

For Microsoft Azure, see the Support lifecycle for Azure Red Hat OpenShift 4.

1.1.3.2. Supported Operators

| Red Hat Connectivity Link | Red Hat OpenShift Service Mesh | cert-manager Operator for Red Hat OpenShift |
| --- | --- | --- |
| Version 1.3 | 3.2 | 1.18 |
| Version 1.2 | 3.1 | 1.17 |
| Version 1.1 | 3.0 | 1.15 |

1.1.3.3. Supported cloud providers

All versions of Connectivity Link support the following platforms as backing cloud providers for OpenShift Container Platform:

  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure

For more information, see the documentation for your chosen cloud provider.

1.1.3.4. Supported cloud DNS providers

For DNS policies, all versions of Connectivity Link support the following cloud DNS providers:

  • Amazon Route 53
  • Google Cloud Platform DNS
  • Microsoft Azure DNS

For more information, see the documentation for your chosen cloud DNS provider.

1.1.3.5. Supported on-premise DNS providers

You can use CoreDNS to configure an on-cluster DNS zone.

For more information, see About using on-premise DNS with CoreDNS.

1.1.3.6. Supported data stores for rate limiting

For rate limiting policies, Connectivity Link supports the following Redis-based data stores for rate limit counters in multicluster environments:

| Red Hat Connectivity Link | Redis Enterprise or Cloud | Amazon Elasticache | Dragonfly Community or Cloud |
| --- | --- | --- | --- |
| Version 1.3 | latest | latest | latest |
| Version 1.2 | latest | latest | latest |
| Version 1.1 | latest | latest | latest |

For more information, see the documentation for your chosen Redis-based datastore.

1.1.3.7. Supported identity access management

For authentication policies, Connectivity Link supports API keys and the following products:

| Red Hat Connectivity Link Version | Red Hat build of Keycloak |
| --- | --- |
| Version 1.3 | Version 26.4 |
| Version 1.2 | Version 26.4 |
| Version 1.1 | Version 26.2 |

For more information, see Supported Configurations for Red Hat build of Keycloak.

You can use the OpenShift Container Platform web console to install the Red Hat Connectivity Link Operator. You must perform these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

The OpenShift Container Platform Cluster Ingress Operator is the default gateway controller for Connectivity Link.

An OperatorGroup custom resource (CR) is created automatically when you use the web console. For more information, see Operator Groups.

Warning

Connectivity Link requires kuadrant.io/* labels to search and filter resources on the cluster. Do not remove labels with this prefix. Removal might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are logged into the OpenShift Container Platform web console with cluster-admin privileges.

Procedure

  1. In the left navigation menu, click Ecosystem > Software Catalog.
  2. In the Filter by keyword text box, enter Connectivity to find the Red Hat Connectivity Link Operator.
  3. Read the information about the Operator, and click Install to display the Operator subscription page.
  4. Select your subscription settings as follows:

    • Update Channel: stable
    • Version: 1.3.0
    • Installation mode: All namespaces on the cluster (default).
    • Installed namespace: Select the namespace where you want to install the Operator, for example, kuadrant-system. If the namespace does not already exist, click this field and select Create Project to create the namespace.
    • Approval Strategy: Select Automatic or Manual.
  5. Click Install, and wait a few moments until the Operator is installed and ready for use.
  6. Click Ecosystem > Installed Operators > Red Hat Connectivity Link.
  7. Click the Kuadrant tab, and click Create Kuadrant to create a Kuadrant custom resource (CR).
  8. In the Configure via field, click YAML view to edit the definition, for example, the Kuadrant CR name.
  9. Click Create and wait for the deployment to be displayed in the list.

    Note

    If you are using OpenShift Service Mesh, no additional configuration is required. Connectivity Link automatically detects and uses OpenShift Service Mesh as your Gateway object controller.

Verification

After you have installed the Operator, click Ecosystem > Installed Operators to verify that the Red Hat Connectivity Link Operator and the following component Operators are installed in your namespace:

  • Authorino Operator: Enables authentication and authorization for gateways and applications in a Gateway API network.
  • DNS Operator: Configures how north-south traffic from outside the network is balanced and reaches gateways.
  • Limitador Operator: Enables rate limiting for gateways and applications in a Gateway API network.

Next step

  • Update your Subscription CR to use the OpenShift Container Platform Cluster Ingress Operator.

You can install Connectivity Link with OpenShift CLI (oc) using the OpenShift Container Platform Cluster Ingress Operator as the default Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Warning

Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing any labels with this prefix might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You installed the OpenShift CLI (oc).

Procedure

  1. Create the namespace where you want to install Connectivity Link by running the following command:

    $ oc create ns <kuadrant_system>

    You can replace the default <kuadrant_system> with the namespace you want to use.

  2. Install Connectivity Link by creating and applying Subscription and OperatorGroup custom resources (CRs) by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: rhcl-operator
      namespace: <kuadrant_system>
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: rhcl-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
    ---
    kind: OperatorGroup
    apiVersion: operators.coreos.com/v1
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    spec:
      upgradeStrategy: Default
    EOF

    Replace <kuadrant_system> with the namespace you used.

  3. Confirm that the Connectivity Link installation has finished by running one of the following commands:

    $ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s
    $ ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})
    $ oc wait --for=condition=Installed installplan ${ip} --timeout=60s

    When Connectivity Link is ready, the command reports the status of installplan.operators.coreos.com/install-<suffix>. The name of the install plan has a random suffix, for example, 4rql7.

  4. Create your Connectivity Link custom resource (CR) by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: kuadrant.io/v1beta1
    kind: Kuadrant
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    EOF

    Replace <kuadrant_system> with the namespace you used.

Verification

  • Check the status of the Connectivity Link CR generation by running the following command:

    $ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant_system> --timeout=300s

    Replace <kuadrant_system> with the namespace you used.

    Example output

    kuadrant.kuadrant.io/kuadrant Ready

If you are using OpenShift Service Mesh, you can install Connectivity Link with OpenShift CLI (oc) using Istio as your Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Warning

Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing any labels with this prefix might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You installed the OpenShift CLI (oc).
  • You installed and configured OpenShift Service Mesh.

Procedure

  1. Create the namespace where you want to install Connectivity Link by running the following command:

    $ oc create ns <kuadrant-system>

    You can replace the default <kuadrant-system> with the namespace you want to use.

  2. Install Connectivity Link by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: rhcl-operator
      namespace: <kuadrant-system>
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: rhcl-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      config:
        env:
        - name: ISTIO_GATEWAY_CONTROLLER_NAMES
          value: istio.io/gateway-controller
    ---
    kind: OperatorGroup
    apiVersion: operators.coreos.com/v1
    metadata:
      name: kuadrant
      namespace: <kuadrant-system>
    spec:
      upgradeStrategy: Default
    EOF

    Replace <kuadrant-system> with the namespace you used.

  3. Confirm that the Connectivity Link installation has finished by running one of the following commands:

    $ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s
    $ ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})
    $ oc wait --for=condition=Installed installplan ${ip} --timeout=60s

    When Connectivity Link is ready, the command reports the status of installplan.operators.coreos.com/install-<suffix>. The name of the install plan has a random suffix, for example, 4rql7.

  4. Create your Connectivity Link custom resource (CR) by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: kuadrant.io/v1beta1
    kind: Kuadrant
    metadata:
      name: kuadrant
      namespace: <kuadrant-system>
    EOF

    Replace <kuadrant-system> with the namespace you used.

Verification

  • Check the status of the Connectivity Link CR generation by running the following command:

    $ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant-system> --timeout=300s

    Replace <kuadrant-system> with the namespace you used.

    Example output

    kuadrant.kuadrant.io/kuadrant Ready

1.5. Configuring DNS provider credentials for AWS

If you want to configure AWS DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Optional: Set up your environment variables as follows:

    1. Assign AWS_ACCESS_KEY_ID, which is the key ID from AWS with Route 53 access:

      $ export AWS_ACCESS_KEY_ID=xxxxxxx
    2. Assign AWS_SECRET_ACCESS_KEY, which is the key from AWS with Route 53 access:

      $ export AWS_SECRET_ACCESS_KEY=xxxxxxx
    3. Assign AWS_REGION, which is your AWS region, for example, us-east-2 or eu-west-1.

      $ export AWS_REGION=your-aws-region
  2. Create a Secret resource for your credentials as follows:

    $ oc create secret generic aws-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/aws \
      --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
      --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
      --from-literal=AWS_REGION=$AWS_REGION

    Important

    You must configure the secret in the same namespace as your gateway.
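An added example, not part of the Red Hat documentation: the same secret created with --from-env-file from a mode 0600 temporary file, so the access key never appears in the oc argument list, followed by a check that the secret has the provider type and shares a namespace with a Gateway. The function names write_env_file, create_aws_dns_secret and verify_dns_secret are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Function names are
# this example's own; the secret name, type and keys are the ones used above.

# Write NAME=value lines for the named shell variables to a private temp
# file (mktemp creates it with mode 0600) and print the file's path.
# Fails, leaving no file behind, if any variable is unset or empty.
write_env_file() {
    envf=$(mktemp) || return 1
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "missing value for $name" >&2
            rm -f "$envf"
            return 1
        fi
        printf '%s=%s\n' "$name" "$val" >> "$envf"
    done
    printf '%s\n' "$envf"
}

# Create the AWS DNS provider secret in the gateway namespace ($1) without
# putting the key material on the oc command line, where other local users
# could read it from the process list.
create_aws_dns_secret() {
    ns=$1
    f=$(write_env_file AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION) || return 1
    rc=0
    oc create secret generic aws-credentials \
        --namespace="$ns" \
        --type=kuadrant.io/aws \
        --from-env-file="$f" || rc=$?
    rm -f "$f"                      # do not leave the key on disk
    return "$rc"
}

# Confirm the secret ($2) in namespace ($1) has the expected type ($3) and
# that the namespace holds at least one Gateway, as the Important note requires.
verify_dns_secret() {
    ns=$1 name=$2 want=$3
    got=$(oc get secret "$name" -n "$ns" -o jsonpath='{.type}') || return 1
    [ "$got" = "$want" ] || { echo "secret type is '$got', want '$want'" >&2; return 1; }
    gws=$(oc get gateways.gateway.networking.k8s.io -n "$ns" -o name) || return 1
    [ -n "$gws" ] || { echo "no Gateway in namespace $ns" >&2; return 1; }
}
```

For example, run `create_aws_dns_secret api-gateway` and then `verify_dns_secret api-gateway aws-credentials kuadrant.io/aws`.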

1.6. Configuring Google DNS provider credentials

If you want to configure DNS policies in Connectivity Link using Google Cloud, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Optional: Specify your GOOGLE environment variable by running the following commands:

    $ export GOOGLE=xxxxxxx

    where:

    • GOOGLE: The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which has the following credentials:

      {"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}
  2. Optional: Specify your PROJECT_ID environment variable by running the following commands:

    $ export PROJECT_ID=xxxxxxx

    PROJECT_ID: Google project ID.

  3. Create a Secret resource for your credentials by running the following command:

    $ oc create secret generic test-gcp-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/gcp \
      --from-literal=PROJECT_ID=$PROJECT_ID \
      --from-file=GOOGLE=$GOOGLE

    Important

    You must configure the secret in the same namespace as your gateway.

1.7. Configuring Azure DNS provider credentials

If you want to configure Microsoft Azure DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Create a new Azure service principal for managing DNS by setting the following environment variables:

    $ DNS_NEW_SP_NAME=kuadrantDnsPrincipal \
      DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME) \
      DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId') \
      DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

    For more details on service principals, see the Microsoft Azure documentation.

  2. Set the resource group environment variable by running the following command:

    $ DNS_RESOURCE_GROUP="ExampleDNSResourceGroup"

    Replace "ExampleDNSResourceGroup" with the DNS resource group that you want to use.

  3. To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:

    1. Fetch the DNS ID used to grant access to the service principal as follows:

      $ DNS_ID=$(az network dns zone show --name example.com \
       --resource-group $DNS_RESOURCE_GROUP --query "id" --output tsv)
    2. Get your resource group ID by running the following command:

      $ RESOURCE_GROUP_ID=$(az group show --resource-group $DNS_RESOURCE_GROUP | jq ".id" -r)
    3. Give reader access to the resource group as follows:

      $ az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID
    4. Give contributor access to the DNS zone as follows:

      $ az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID
  4. Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access:

    1. Create the role assignment for the traffic manager contributor by running the following command:

      $ az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
    2. Create the role assignment for the DNS zone contributor by running the following command:

      $ az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
    3. Configure the DNS zone access by running the following command:

      $ cat <<-EOF > /local/path/to/azure.json
      {
        "tenantId": "$(az account show --query tenantId -o tsv)",
        "subscriptionId": "$(az account show --query id -o tsv)",
        "resourceGroup": "$DNS_RESOURCE_GROUP",
        "aadClientId": "$DNS_SP_APP_ID",
        "aadClientSecret": "$DNS_SP_PASSWORD"
      }
      EOF
  5. Create a Secret resource for your credentials by running the following command:

    $ oc create secret generic test-azure-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/azure \
      --from-file=azure.json=/local/path/to/azure.json

    Important

    You must configure the secret in the same namespace as your gateway.

1.8. Configuring Redis storage for rate limiting

To configure persistence for rate limit counters in a multicluster environment, you must configure the connection details for your shared Redis-based datastore. This datastore is used to persist shared rate limit counters for the Limitador component of Connectivity Link.

Important

You must configure connection details for your shared Redis-based datastore on each OpenShift Container Platform cluster that you want to use Connectivity Link for rate limiting.

Prerequisites

  • You installed Connectivity Link on one or more clusters.
  • You have a shared Redis-based datastore.
  • You installed the OpenShift CLI (oc).
  • You have write access to the OpenShift Container Platform namespaces you need to work with.
  • You have access to external or on-premise DNS.
  • You created a gateway.
  • You configured your gateway policies and HTTP routes.

Procedure

  1. Set the following environment variable to your shared Redis-based instance URL:

    $ export REDIS_URL=rediss://user:xxxxxx@some-redis.com:10340

    Include the appropriate URI scheme for your environment:

    • Secure Redis: rediss://
    • Standard Redis: redis://
  2. Create a Secret resource for your Redis URL as follows:

    $ oc -n kuadrant-system create secret generic redis-config \
      --from-literal=URL=$REDIS_URL
  3. Update your Limitador custom resource to use the secret that you created as follows:

    $ oc patch limitador limitador --type=merge -n kuadrant-system -p '
    spec:
      storage:
        redis:
          configSecretRef:
            name: redis-config
    '
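An added example, not part of the Red Hat documentation: POSIX shell functions that check REDIS_URL from step 1 before it is stored in the redis-config secret. They reject malformed URLs, flag the plaintext redis:// scheme and a missing password, and print a password-redacted form for logs. The function names and return codes are assumptions of this example, and IPv6 literal hosts are not handled.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Function names and
# return codes are this example's own conventions.

# Split a Redis URL into SCHEME, USERINFO and HOSTPORT (shell globals).
# Returns 1 when the URL is malformed. Assumes the password is
# percent-encoded and the host is a name or IPv4 address.
split_redis_url() {
    case $1 in
        rediss://*) SCHEME=rediss ;;
        redis://*)  SCHEME=redis ;;
        *) return 1 ;;
    esac
    authority=${1#*://}
    authority=${authority%%/*}              # drop any /<db> path
    case $authority in
        # Split at the last '@' so a stray '@' in the password stays in USERINFO.
        *@*) USERINFO=${authority%@*}; HOSTPORT=${authority##*@} ;;
        *)   USERINFO=; HOSTPORT=$authority ;;
    esac
    case $HOSTPORT in
        *:*) host=${HOSTPORT%:*}; port=${HOSTPORT##*:}
             case $port in ''|*[!0-9]*) return 1 ;; esac ;;
        *)   host=$HOSTPORT ;;
    esac
    [ -n "$host" ] || return 1
}

# Return 0 for a rediss:// URL that carries a password, 1 for a malformed
# URL, 2 for plaintext redis://, 3 for a URL without a password.
check_redis_url() {
    split_redis_url "$1" || { echo "malformed Redis URL" >&2; return 1; }
    if [ "$SCHEME" != rediss ]; then
        echo "redis:// sends the password and counters unencrypted" >&2
        return 2
    fi
    case $USERINFO in
        *:?*) ;;                            # user:password or :password
        *) echo "no password in Redis URL" >&2; return 3 ;;
    esac
    return 0
}

# Print the URL with the password masked (any path is dropped), for logs.
redact_redis_url() {
    split_redis_url "$1" || return 1
    case $USERINFO in
        *:*) printf '%s://%s:***@%s\n' "$SCHEME" "${USERINFO%%:*}" "$HOSTPORT" ;;
        '')  printf '%s://%s\n' "$SCHEME" "$HOSTPORT" ;;
        *)   printf '%s://%s@%s\n' "$SCHEME" "$USERINFO" "$HOSTPORT" ;;
    esac
}
```

Run `check_redis_url "$REDIS_URL"` before creating the secret, and write only the output of `redact_redis_url "$REDIS_URL"` to logs or tickets.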

You can use the Connectivity Link dynamic plugin to view and manage your gateways and policies in the OpenShift Container Platform web console. You must perform these steps on each OpenShift Container Platform cluster.

Prerequisites

  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are logged into the OpenShift Container Platform web console with administrator access.

Procedure

  1. In the left navigation menu, select the Administrator perspective.
  2. Click Home > Overview.
  3. In the Status panel, click Dynamic Plugins > View all.
  4. On the Console plugins tab, find the kuadrant-console-plugin entry in the table, which should be listed but disabled.
  5. In the kuadrant-console-plugin row, click Disabled.
  6. Select the Enable option, and click Save.
  7. Wait for the plugin status to change to Loaded.

Verification

  1. Refresh the OpenShift Container Platform web console. A new Connectivity Link menu item is displayed in the navigation sidebar.

    1. You can click Connectivity Link > Overview to explore the available resources and to get started with creating a Gateway and configuring policies in the OpenShift Container Platform web console.

Next steps

  • Create a gateway.
  • Create policies.

1.10. Using your Red Hat subscription

Red Hat Connectivity Link is provided through a software subscription. To manage your subscriptions, access your account at the Red Hat Customer Portal.

  1. Go to access.redhat.com.
  2. If you do not already have an account, create one.
  3. Log in to your account.
  4. In the menu bar, click Subscriptions to view and manage your subscriptions.