Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Connectivity Link observability

You can use the Connectivity Link observability features to observe and monitor your gateways, applications, and APIs on OpenShift Container Platform.

1.1. Connectivity Link observability features
Copy link

Connectivity Link uses metrics exposed by Connectivity Link components, Gateway API state metrics, and standard metrics exposed by Envoy to build a set template dashboards and alerts. Envoy is part of OpenShift Service Mesh. In this case, it runs as a gateway deployment.

You can download Kuadrant community-based templates to integrate with Grafana, Prometheus, and Alertmanager deployments, or use those templates as starting points that you can change for your specific needs. Use the secure images available in the Red Hat Catalog at: Red Hat Connectivity Link.

Connectivity Link includes the following observability features:

  • Metrics: Prometheus metrics for monitoring gateway and policy performance
  • Tracing: Distributed tracing with Red Hat build of OpenTelemetry support for request flows
  • Access Logs: Envoy access logs with request correlation and structured logging
  • Dashboards: Pre-built Grafana dashboards for visualization

1.2. Configure your observability monitoring stack
Copy link

You can prepare your monitoring stack to give yourself insight into your gateways, applications, and APIs by setting up dashboards and alerts on your OpenShift Container Platform cluster. You must configure your stack on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

The example dashboards and alerts for observing Connectivity Link functionality use low-level CPU and network metrics from the user monitoring stack in OpenShift Container Platform and resource-state metrics from Gateway API and Connectivity Link resources. The user monitoring stack in OpenShift Container Platform is based on the Prometheus open source project.

Important

The following procedure is an example only and is not intended for production use.

Prerequisites

  • You installed Connectivity Link.
  • You set up metrics, such as prometheus.
  • You installed and configured Grafana on your OpenShift Container Platform cluster.
  • You cloned the Kuadrant Operator GitHub repository.

Procedure

  1. Verify that the user workload monitoring is configured correctly in your OpenShift Container Platform cluster as follows: 

    $ kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload
    Copy to Clipboard Toggle word wrap

    The expected output is enableUserWorkload: true.

  2. Install the Connectivity Link, Gateway, and Grafana component metrics and configuration as follows: 

    $ kubectl apply -k https://github.com/Kuadrant/kuadrant-operator/config/install/configure/observability?ref=v1.2.0
    Copy to Clipboard Toggle word wrap

  3. From the root directory of your Kuadrant Operator repository, configure the OpenShift Container Platform thanos-query instance as a data source in Grafana as follows: 

    TOKEN="Bearer $(oc whoami -t)"
HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')"
echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env
echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env
kubectl apply -k config/observability/openshift/grafana
    Copy to Clipboard Toggle word wrap

  4. Configure the example Grafana dashboards as follows: 

    $ kubectl apply -k https://github.com/Kuadrant/kuadrant-operator/examples/dashboards?ref=v1.3.0
    Copy to Clipboard Toggle word wrap

By enabling observability monitoring, you can view context, historical trends, and alerts based on the metrics you configured. After you have configured your monitoring stack, use this step to expose metrics endpoints, deploy monitoring resources, and configure the Envoy gateway.

When you enable observability monitoring, the following events occur:

  • Connectivity Link creates ServiceMonitor and PodMonitor custom resource definitions (CRDs) for its components in the namespace where Connectivity Link is.
  • A single set of monitors is created in each gateway namespace to scrape metrics from any gateways.
  • Monitors also scrape metrics from the corresponding gateway system namespace, generally the istio-system namespace.

You can delete and re-create monitors as required. Monitors are only ever created or deleted, and not updated or reverted. The following procedure is optional. You can create your own ServiceMonitor or PodMonitor definitions, or configure prometheus metrics directly.

Important

To use Connectivity Link observability dashboards, you must enable observability on each OpenShift Container Platform cluster that Connectivity Link runs on.

Prerequisites

  • You installed Connectivity Link.
  • You have administrator access to your OpenShift Container Platform cluster.
  • You configured observability metrics.

Procedure

  • To enable default observability for Connectivity Link and any gateways, set spec.observability.enable parameter value to true in your Kuadrant custom resource (CR):

    Example Kuadrant CR

    apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec:
  observability:
    enable: true
# ...
    Copy to Clipboard Toggle word wrap

    You can also set the spec.observability.enable to false and create your own ServiceMonitor or PodMonitor definitions, or configure Prometheus directly.

Verification

  • Check the created monitors by running the following command: 

    $ kubectl get servicemonitor,podmonitor -A -l kuadrant.io/observability=true
    Copy to Clipboard Toggle word wrap

Connectivity Link includes starting points for monitoring your Connectivity Link deployment with ready-to-use example dashboards and alerts. You can customize these dashboards and alerts to fit your environment.

Dashboards are organized with different metrics for different use cases.

1.4.1. Platform engineer Grafana dashboard
Copy link

The platform engineer dashboard displays the following details:

  • Policy compliance and governance.
  • Resource consumption
  • Error rates
  • Request latency and throughput
  • Multi-window, multi-burn alert templates for API error rates and latency
  • Multicluster split

1.4.2. Application developer Grafana dashboard
Copy link

The application developer dashboard is less focused on policies than the platform engineer dashboard and is more focused on APIs and applications. For example:

  • Request latency and throughput per API
  • Total requests and error rates by API path

1.4.3. Business user Grafana dashboard
Copy link

The business user dashboard includes the following details:

  • Requests per second per API
  • Increase or decrease in rates of API usage over specified times

1.4.4. Grafana dashboards available to import
Copy link

The Connectivity Link example dashboards are uploaded to the Grafana dashboards website. You can import the following dashboards into your Grafana deployment on OpenShift Container Platform:

Expand
Table 1.1. Connectivity Link example dashboards in Grafana
NameDashboard ID

App Developer dashboard

21538

Platform Engineer dashboard

20982

Business User dashboard

20981

DNS Operator dashboard

22695

1.4.5. Importing dashboards in Grafana
Copy link

As an infrastructure engineer, you can manually select and important dashboards to Grafana to conduct rapid prototyping or emergency troubleshooting, test community dashboards, or perfect a dashboard that you intend to automate for another team.

Important

You must perform these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Prerequisites

  • You configured your monitoring stack and other observability resources as needed.
  • You installed Connectivity Link.
  • You have administrator access to a running OpenShift Container Platform cluster.

Procedure

As an infrastructure engineer, automating the import of observability dashboards can give you more consistency, version control, and operational velocity. Automation gives you the benefits of monitoring-as-code, and helps keep Operators updated, clusters identical, and supports multi-tenancy.

  • You can use a GrafanaDashboard resource to reference a ConfigMap.

    Data sources are configured as template variables, automatically integrating with your existing data sources. The metrics for these dashboards are sourced from Prometheus.

    Important

    For some example dashboard panels to work correctly, HTTPRoutes in Connectivity Link must include a service and deployment label with a value that matches the name of the service and deployment being routed to. For example, service=my-app and deployment=my-app. This allows low-level Istio and Envoy metrics to be joined with Gateway API state metrics.

  • If you do not want to use the GUI, you can automate dashboard provisioning in Grafana by adding JSON files to a ConfigMap object that you must mount at /etc/grafana/provisioning/dashboards.

1.4.7. About configuring Prometheus alerts
Copy link

As an infrastructure engineer, you can configure Prometheus alerts in OpenShift Container Platform is a proactive way to tune alerts so that you can ensure platform stability. For example, you can set alert triggers for automated incident detection, usage, and cluster health.

  • You can integrate the Connectivity Link example alerts into Prometheus as PrometheusRule resources, and then adjust the alert thresholds to suit your specific operational needs.
  • For details on how to configure Prometheus alerts, see Configuring alerts and notifications for user workload monitoring.
  • Service Level Objective (SLO) alerts generated by using the Sloth GitHub project are also included. You can use these alerts to integrate with the SLO Grafana dashboard, which uses generated labels to comprehensively overview your SLOs.

1.5. Tracing in Connectivity Link
Copy link

Connectivity Link supports tracing at both the control plane and data-plane levels. Connectivity Link exports control-plane traces to your OpenTelemetry Collector so that you can observe reconciliation loops and internal operations. This is useful for debugging controller behavior, understanding operator performance, and tracking policy lifecycle events.

Data-plane tracing traces actual user requests through the gateway and policy enforcement components. You can see request flows through Istio, Authorino, Limitador, and the wasm-shim module. Data-plane tracing is useful for debugging request-level issues and policy enforcement.

To use tracing, you must configure both types of tracing. You must configure the kuadrant custom resource (CR) for the data plane. For control plane tracing, you must configure each operating component separately, such as the kuadrant-operator, authorino-operator, and limitador-operator deployments. This configuration sends traces to the same collector, providing a complete view of your Connectivity Link system from policy reconciliation to request processing.

Even though control plane and data plane traces are separate, you can correlate them. For example, create a RateLimitPolicy to understand how traces work together to show all events.

  • Create a RateLimitPolicy at 15:30:00, then view the control plane trace to see the following events:

    • Policy reconciliation completed at 15:30:05.
    • Limitador configuration updated.
    • wasm-shim configuration updated.

  • Next, send a test request at 15:30:10, then view data plane trace to see the following events:

    • Request processed through the wasm-shim module.
    • Rate limit check sent to Limitador.
    • Response returned.

You can use a similar pattern of action for any events that you want to correlate manually. This type of correlation is useful in development environments.

1.5.2. Control-plane tracing environment variables
Copy link

You can enable control tracing in Connectivity Link by setting OpenTelemetry environment variables in the deployment. The method for setting the variables depends on your deployment approach, for example, whether you used the Operator Lifecycle Manager (OLM) or YAML manifests.

Control plane traces appear under the service name kuadrant-operator in the Grafana dashboard.

Expand
Table 1.2. Available OpenTelemetry environment variables
VariableDescriptionDefault

OTEL_EXPORTER_OTLP_ENDPOINT

OTLP collector endpoint URL, for example, rpc://tempo.tempo.svc.cluster.local:4317. The following supported endpoint URL schemes are:

Tracing disabled

OTEL_EXPORTER_OTLP_TRACES_ENDPOINT

Override endpoint specifically for traces

Uses OTEL_EXPORTER_OTLP_ENDPOINT

OTEL_EXPORTER_OTLP_INSECURE

Use insecure connection to collector; set to false when used in production with TLS

true

OTEL_SERVICE_NAME

Service name for traces

kuadrant-operator

OTEL_SERVICE_VERSION

Service version for telemetry data

Empty

Enable data plane tracing in OpenShift Service Mesh with the kuadrant CR. You must perform these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Prerequisites

  • You installed Connectivity Link.
  • You have administrator access to a running OpenShift Container Platform cluster.
  • You have Red Hat OpenShift Distributed Tracing Platform installed and configured to support OpenTelemetry.

Procedure

  1. Enable tracing in OpenShift Service Mesh by configuring your Telemetry custom resource (CR) as follows:

    Example OpenShift Service Mesh Telemetry CR with tracing

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: gateway-system
spec:
  tracing:
  - providers:
    - name: tempo-otlp
    randomSamplingPercentage: 100
# ...
    Copy to Clipboard Toggle word wrap

  2. Apply the configuration by running the following command: 

    $ kubectl apply -f mesh-default.yaml
    Copy to Clipboard Toggle word wrap

  3. Configure a tracing extension provider for OpenShift Service Mesh in your Istio CR by adding a list value to the spec.values.meshConfig.extensionProviders parameter. Ensure that you also add the otel port and service information:

    Example Istio CR with tracing extension provider

    apiVersion: operator.istio.io/v1alpha1
kind: Istio
metadata:
  name: default
spec:
  namespace: gateway-system
  values:
    meshConfig:
      defaultConfig:
        tracing: {}
      enableTracing: true
      extensionProviders:
      - name: tempo-otlp
        opentelemetry:
          port: 4317
          service: tempo.tempo.svc.cluster.local
# ...
    Copy to Clipboard Toggle word wrap

    Important

    If you are setting the controller manually, you must set the OpenTelemetry Collector protocol in the Service CR port name and appProtocol fields. For example, when using gRPC, the port name should begin with grpc- or the appProtocol should be grpc: 

    kind: Service
apiVersion: v1
metadata:
  name: otel-collector
spec:
  ports:
    - name: otlp-grpc
      port: 4317
      targetPort: 4317
      appProtocol: grpc
  selector:
    app: otel-collector
# ...
    Copy to Clipboard Toggle word wrap

  4. Apply the configuration by running the following command: 

    $ kubectl apply -f istio.yaml
    Copy to Clipboard Toggle word wrap

  5. Optional. If you want to collect Authorino and Limitador traces in a different location than your Kaudrant traces, complete the following steps:

    1. Enable request tracing in your Authorino custom resource (CR) and send authentication and authorization traces to the central collector as follows:

      Example Authorino CR with request tracing

      apiVersion: operator.authorino.kuadrant.io/v1beta1
kind: Authorino
metadata:
  name: authorino
spec:
  tracing:
    endpoint: rpc://authorino-collector:4317
    insecure: true
# ...
      Copy to Clipboard Toggle word wrap

      Set insecure to true to skip TLS certificate verification in development environments. Set to false for production environments.

    2. Apply the configuration by running the following command: 

      $ kubectl apply -f authorino.yaml
      Copy to Clipboard Toggle word wrap

    3. Enable request tracing in your Limitador CR and send rate limit traces to the central collector as follows:

      Example Limitador CR with request tracing

      apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
spec:
  tracing:
    endpoint: rpc://limitador-collector:4317
    insecure: true
# ...
      Copy to Clipboard Toggle word wrap

      Set insecure to true to skip TLS certificate verification in development environments. Set to false for production environments.

    4. Apply the configuration by running the following command: 

      $ kubectl apply -f limitador.yaml
      Copy to Clipboard Toggle word wrap
      Important

      Trace IDs do not propagate to WebAssembly modules in OpenShift Service Mesh. This means that requests passed to Limitador do not have the relevant parent trace ID. However, if the trace initiation point is outside OpenShift Service Mesh, the parent trace ID is available to Limitador and included in traces. This impacts correlating traces from Limitador with traces from Authorino, the gateway, and any other components in the request path.

  6. Configure data-plane tracing in the Kuadrant CR by providing the collector endpoint as shown in the following example:

    Example kuadrant CR

    apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
  namespace: kuadrant-system
spec:
  observability:
    dataPlane:
      defaultLevels:
        - debug: "true" # Enable DEBUG level trace filtering
      httpHeaderIdentifier: x-request-id
    tracing:
      defaultEndpoint: rpc://tempo.tempo.svc.cluster.local:4317
      insecure: true
    Copy to Clipboard Toggle word wrap

    where:

    • spec.observability.tracing.defaultEndpoint: The URL of the tracing collector backend. That is, the OpenTelemetry endpoint. The following are supported protocols:

      • rpc:// for gRPC OTLP, port 4317
      • http:// for HTTP OTLP, port 4318

    • `spec.observability.tracing.insecure: Set to true to skip TLS certificate verification in development environments. Set to false for production environments.

      Important

      Point to the collector service, such as the Distributed Tracing Platform, not the query service. The collector receives traces from your applications. The query service is only for viewing traces in the GUI.

  7. Apply the configuration by running the following command: 

    $ kubectl apply -f kuadrant.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the CR applied successfully by listing the objects of that Kind by running the following command: 

    $ kubectl get kuadrant
    Copy to Clipboard Toggle word wrap

1.5.4. Troubleshooting by using traces and logs
Copy link

You can use a tracing user interface such Grafana to search for OpenShift Service Mesh and Connectivity Link trace information by trace ID. You can get the trace ID from logs, or from a header in a sample request that you want to troubleshoot. You can also search for recent traces, filtering by the service that you want to focus on.

If you centrally aggregate logs by using tools such as Grafana Loki and Promtail, you can jump between trace information and the relevant logs for that service.

By using a combination of tracing and logs, you can visualize and troubleshoot request timing issues and narrow down to specific services. This method gives you even more insight a more complete picture of your user traffic when you combine it with Connectivity Link metrics and dashboards.

1.5.5. Viewing rate-limit logging with trace IDs
Copy link

You can enable request logging with trace IDs to get more information about requests when you use the Limitador component of Connectivity Link for rate limiting. To do this, you must increase the log level.

Prerequisites

  • You installed Connectivity Link.
  • You have administrator access to a running OpenShift Container Platform cluster.
  • You configured Grafana dashboards.
  • You have Red Hat OpenShift Distributed Tracing Platform installed and configured to support OpenTelemetry.

Procedure

  • Set the verbosity to 3 or higher in your Limitador custom resource (CR) as follows:

    Example Limitador CR

    apiVersion: limitador.kuadrant.io/v1alpha1
kind: Limitador
metadata:
  name: limitador
spec:
  verbosity: 3
    Copy to Clipboard Toggle word wrap

    Example log entry with the traceparent field holding the trace ID

    "Request received: Request { metadata: MetadataMap { headers: {"te": "trailers", "grpc-timeout": "5000m", "content-type": "application/grpc", "traceparent": "00-4a2a933a23df267aed612f4694b32141-00f067aa0ba902b7-01", "x-envoy-internal": "true", "x-envoy-expected-rq-timeout-ms": "5000"} }, message: RateLimitRequest { domain: "default/toystore", descriptors: [RateLimitDescriptor { entries: [Entry { key: "limit.general_user__f5646550", value: "1" }, Entry { key: "metadata.filter_metadata.envoy\\.filters\\.http\\.ext_authz.identity.userid", value: "alice" }], limit: None }], hits_addend: 1 }, extensions: Extensions }"
    Copy to Clipboard Toggle word wrap

1.6. Configuring access logs
Copy link

You can configure Envoy access logs in OpenShift Service Mesh so that you can to track a single request across multiple services and components by using a unique identifier.

Prerequisites

  • You installed Connectivity Link.
  • You have a running OpenShift Container Platform cluster.
  • You have administrator access to the OpenShift Container Platform cluster.

Procedure

  1. Enable mesh-wide, default-format access logs by using the Istio Telemetry API. Use the following example as a starting point:

    Example Telemetry API config

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: access-logs
  namespace: gateway-system
spec:
  accessLogging:
    - providers:
      - name: envoy
    Copy to Clipboard Toggle word wrap

    You might also use the istio-system as your namespace, depending on your setup.

  2. For better parsing and integration with log aggregation systems, enable JSON-formatted access logs. Only log errors as shown in the following example:

    Example JSON config

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: access-logs-json
  namespace: istio-system
spec:
  accessLogging:
    - providers:
      - name: envoy
    filter:
      expression: "response.code >= 400"
    Copy to Clipboard Toggle word wrap

  3. To enable logging for a specific workload and add filtering, use the following example:

    Example JSON workload config

    apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: selective-logging
  namespace: my-app-ns
spec:
  selector:
    matchLabels:
      app: productpage
  accessLogging:
    - providers:
        - name: access-logs-json
      filter:
        expression: "response.code >= 400"
    Copy to Clipboard Toggle word wrap

    Tip

    The expression field uses Common Expression Language (CEL). You can use CEL-based filters to avoid excessive and meaningless logs.

  4. If you are using the Sail Operator, check which Istio Operator is active in your cluster by running the following command: 

    $ kubectl get istio -A
    Copy to Clipboard Toggle word wrap

    The expected output is a list of your mesh deployments, such as default, prod-mesh and their current status.

  5. Configure the Istio mesh with a custom access log provider to enable JSON encoding: 

    apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  name: default
spec:
  namespace: istio-system
  values:
    meshConfig:
      accessLogFile: /dev/stdout
      accessLogEncoding: JSON
      accessLogFormat: |
        {
          "start_time": "%START_TIME%",
          "method": "%REQ(:METHOD)%",
          "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
          "protocol": "%PROTOCOL%",
          "response_code": "%RESPONSE_CODE%",
          "response_flags": "%RESPONSE_FLAGS%",
          "bytes_received": "%BYTES_RECEIVED%",
          "bytes_sent": "%BYTES_SENT%",
          "duration": "%DURATION%",
          "upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
          "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",
          "user_agent": "%REQ(USER-AGENT)%",
          "request_id": "%REQ(X-REQUEST-ID)%",
          "authority": "%REQ(:AUTHORITY)%",
          "upstream_host": "%UPSTREAM_HOST%",
          "upstream_cluster": "%UPSTREAM_CLUSTER%",
          "route_name": "%ROUTE_NAME%"
        }
    Copy to Clipboard Toggle word wrap

Next steps

  • Filter your access logs to focus on the errors you need to see.
  • Enable request, log, and tracing correlation.

1.6.1. Filtering access logs
Copy link

You can filter your access logs to reduce extra messages and focus on the issues and errors that are relevant to your use case.

Prerequisites

  • You installed Connectivity Link.
  • You have a running OpenShift Container Platform cluster.
  • You have administrator access to the OpenShift Container Platform cluster.
  • You enabled access logs.

Procedure

  1. Configure your Telemetry custom resource (CR) to only log errors by using the following example: 

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: access-logs-errors-only
  namespace: istio-system
spec:
  accessLogging:
    - providers:
      - name: envoy
      filter:
        expression: "response.code >= 400"
    Copy to Clipboard Toggle word wrap

  2. Configure your Telemetry custom resource (CR) to only log specific routes by using the following example: 

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: access-logs-api-only
  namespace: istio-system
spec:
  accessLogging:
    - providers:
      - name: envoy
      filter:
        expression: 'request.url_path.startsWith("/api/")'
    Copy to Clipboard Toggle word wrap

  3. Configure your Telemetry custom resource (CR) to exclude health checks by using the following example: 

    apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: access-logs-no-healthz
  namespace: istio-system
spec:
  accessLogging:
    - providers:
      - name: envoy
      filter:
        expression: '!request.url_path.startsWith("/healthz")'
    Copy to Clipboard Toggle word wrap

1.6.2. Common access log format variables
Copy link

You can quickly set up Envoy logs by using the most common format variables so that you get exactly the data you want.

Example configuration snippet

envoyFileAccessLog:
  path: /dev/stdout
  logFormat:
    text: "[%START_TIME%] %REQ(X-REQUEST-ID)% %RESP(HEADER)% %RESPONSE_FLAGS%\n"
Copy to Clipboard Toggle word wrap

Expand
Table 1.3. Common Envoy access log format variables
VariableDescription

%START_TIME%

Request start time

%REQ(HEADER)%

Request header value, such as %REQ(X-REQUEST-ID)%

%RESP(HEADER)%

Response header value

%PROTOCOL%

Protocol, such as HTTP/1.1, HTTP/2

%RESPONSE_CODE%

HTTP response code

%RESPONSE_FLAGS%

Response flags indicating issues, such as UH, UF

%BYTES_RECEIVED%

Bytes received from client

%BYTES_SENT%

Bytes sent to client

%DURATION%

Total request duration in milliseconds

%UPSTREAM_HOST%

Upstream host address

%UPSTREAM_CLUSTER%

Upstream cluster name

%ROUTE_NAME%

Route name that matched

Access logs give you detailed information about each request processed by the gateway, including timing, response codes, and request identifiers. For example, you can correlate requests across gateways, Authorino, Limitador, and backend services.

You can correlate request information with traces and application logs for a variety of uses. Request correlation uses x-request-id headers. These headers are automatically generated by Envoy for each incoming request. For example:

  • Access logs show the x-request-id.
  • Traces include the x-request-id as a span attribute.
  • Use a dashboard to jump from logs to traces and vice versa.

The following fields are the most important access-log fields for request correlation:

  • request_id (%REQ(X-REQUEST-ID)%): The unique request identifier generated by Envoy.
  • start_time** (%START_TIME%): The request start time for time-based correlation.
  • route_name** (%ROUTE_NAME%): The route that matched the request, which is useful for policy debugging.

You can use access logs and tracing together to correlate requests. When you correlate request IDs, you can search for an ID once and see the entire journey from the initial access through to an event that you are investigating.

You can see the exact timing of a request as it entered and left each service. If you have configured user or organization-based IDs, you can also determine who a problem is effecting so that you can prioritize your response.

The following configuration example tells WASM filters to log the x-request-id header value and enables request correlation across Envoy, Authorino, Limitador, and WASM logs.

Prerequisites

  • You installed Connectivity Link.
  • You have a running OpenShift Container Platform cluster.
  • You have administrator access to the OpenShift Container Platform cluster.
  • You enabled access logs and tracing.

Procedure

  1. To enable request correlation across Connectivity Link components, configure the httpHeaderIdentifier in the Kuadrant CR: 

    apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
  namespace: kuadrant-system
spec:
  observability:
    dataPlane:
      httpHeaderIdentifier: x-request-id
    tracing:
      defaultEndpoint: rpc://tempo.tempo.svc.cluster.local:4317
      insecure: true
    Copy to Clipboard Toggle word wrap

  2. You can correlate logs across all components using the x-request-id, by using the following examples:

    1. View the following Envoy access log entry: 

      {
  "start_time": "2026-01-23T15:45:12.345Z",
  "method": "GET",
  "path": "/api/users",
  "response_code": 200,
  "request_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "route_name": "toystore-route"
}
      Copy to Clipboard Toggle word wrap

    2. Correlate the following Authorino log entry with the Envoy access log: 

      {"level":"info","ts":"2026-01-23T15:45:12.350Z","request_id":"a1b2c3d4-e5f6-7890-abcd-ef1234567890","msg":"auth check succeeded","identity":"alice"}
      Copy to Clipboard Toggle word wrap

    3. Correlate the following Limitador log entry with the Envoy and Authorino logs: 

      Request received: ... "x-request-id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" ...
      Copy to Clipboard Toggle word wrap

  3. When you combine the three logs, the story of this request_id is:

    • At 15:45:12, a user named alice requested the users' API, /api/users. You can also see the request_id of a1b2c3d4-e5f6-7890-abcd-ef1234567890.
    • The request hit the toystore-route in Envoy.
    • Envoy paused the request and checked authentication with Authorino, see level and info.
    • Authorino verified Alice’s identity: auth check succeeded, identity, alice.
    • Simultaneously, Limitador noted the request to ensure that Alice did not exceed her allowed limit.
    • Finally, Envoy allowed the traffic through, resulting in a 200 response code.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top