Red Hat Connectivity Link 1.4

Single cluster and multicluster deployments

Red Hat OpenShift Documentation Team

Abstract

This guide describes how to install Connectivity Link components on OpenShift in single-cluster and multicluster environments.

Chapter 1. Installing on OpenShift Container Platform

As a platform engineer, you can install Connectivity Link on OpenShift Container Platform clusters.

Warning

Red Hat Connectivity Link 1.4.0 is deprecated. OpenShift Container Platform clusters running Connectivity Link 1.4.0 might experience authentication failures, API key management errors, gateway instability, or gateway pod memory pressure because of integration changes that are not fully compatible on all supported OpenShift Container Platform and OpenShift Service Mesh combinations.

Until a patch is released, take one of the two actions, depending on your scenario:

  • If you are a new customer, do not install Red Hat Connectivity Link 1.4.0.
  • If you are an upgrade customer, pin Connectivity Link and its dependent Operators to the latest Red Hat Connectivity Link 1.3.z release. Prevent upgrades to Connectivity Link 1.4.0.

1.1. Getting ready to install Connectivity Link

As you plan your Connectivity Link install, ensure that you have access to the required platforms in your environment with the correct user permissions. You can also decide whether to use optional supported components, such as rate limiting and Observability.

1.1.1. Required platforms and components

The following platforms and components are required to install Connectivity Link successfully:

Red Hat account
You have a Red Hat account with subscriptions for Connectivity Link and OpenShift Container Platform.
OpenShift Container Platform

OpenShift Container Platform 4.18 or later is installed, or you have access to a supported OpenShift Container Platform cloud service. See OpenShift Container Platform installation documentation.

Important

When using the Gateway API custom resource definitions (CRDs) provided in OpenShift Container Platform 4.19 or newer, you must create a GatewayClass named openshift-default and specify a controllerName of openshift.io/gateway-controller/v1. For more details, see the Getting started with Gateway API for the Ingress Operator (OpenShift Container Platform documentation).

OpenShift Service Mesh
A separate OpenShift Service Mesh installation is not required with Connectivity Link 1.3. If you use OpenShift Service Mesh, ensure that you are using 3.2 to stay in a supported configuration.
cert-manager Operator for Red Hat OpenShift

You installed cert-manager Operator for Red Hat OpenShift 1.18 to manage the TLS certificates for your gateways. See the cert-manager Operator for Red Hat OpenShift documentation.

Important

Before using a Connectivity Link TLSPolicy custom resource (CR), you must set up a certificate issuer for your cloud provider platform. See the OpenShift documentation on configuring an ACME issuer.

1.1.2. Optional components

The following components are optional with Connectivity Link. You can decide what you want to use and plan for those configurations before beginning your installation.

DNSPolicy

For a DNSPolicy CR, you must have an account for one of the supported cloud DNS providers and have set up a hosted zone for Connectivity Link. For more details, see your cloud DNS provider documentation:

RateLimitPolicy

For RateLimitPolicy CRs, you must have a shared accessible Redis-based datastore for rate-limit counters in a multicluster environment. For details on how to install and configure a secure and highly available datastore, see the documentation for your Redis-compatible datastore:

AuthPolicy
For an AuthPolicy CR, you can install Red Hat build of Keycloak if required in your environment. For more details, see the This content is not included.Red Hat build of Keycloak documentation.
Observability
For Observability, you must configure OpenShift Container Platform user workload monitoring to remote-write to a central storage system.

1.1.3. Supported configurations with Connectivity Link

Connectivity Link must run on a supported combination of OpenShift Container Platform and use the cert-manager Operator for Red Hat OpenShift. To configure observability, use Red Hat OpenShift Service Mesh. Red Hat provides both production and development support for supported configurations and tested integrations according to your subscription agreement.

Important

If you use a configuration that includes OpenShift Container Platform 4.18 or older, you must also use Red Hat OpenShift Service Mesh as the Gateway API provider.

1.1.3.1. Supported OpenShift Container Platform version configurations

Red Hat Connectivity LinkRed Hat OpenShift Container PlatformRed Hat OpenShift DedicatedRed Hat OpenShift Service on AWSMicrosoft Azure Red Hat OpenShift

Version 1.4

4.21, 4.20, 4.19, 4.18

4.21, 4.20, 4.19, 4.18

4.21, 4.20, 4.19, 4.18

4.19

Version 1.3

4.21, 4.20, 4.19, 4.18

4.21, 4.20, 4.19, 4.18

4.21, 4.20, 4.19, 4.18

4.19

Version 1.2

4.20, 4.19, 4.18

4.20, 4.19, 4.18

4.20, 4.19, 4.18

4.17

For Microsoft Azure, see the Content from learn.microsoft.com is not included.Support lifecycle for Azure Red Hat OpenShift 4.

1.1.3.2. Supported Operators

Red Hat Connectivity LinkRed Hat OpenShift Service Meshcert-manager Operator for Red Hat OpenShift

Version 1.4

3.2

1.18

Version 1.3

3.2

1.18

Version 1.2

3.1

1.17

1.1.3.3. Supported cloud providers

All versions of Connectivity Link support the following platforms as backing cloud providers for OpenShift Container Platform:

  • Amazon Web Services
  • Google Cloud Platform
  • Microsoft Azure

For more information, see the documentation for your chosen cloud provider.

1.1.3.4. Supported cloud DNS providers

For DNS policies, all versions of Connectivity Link support the following cloud DNS providers:

  • Amazon Route 53
  • Google Cloud Platform DNS
  • Microsoft Azure DNS

For more information, see the documentation for your chosen cloud DNS provider.

1.1.3.5. Supported on-premise DNS providers

You can use CoreDNS can to configure an on-cluster DNS zone. For more information, see This content is not included.Using on-premise DNS with CoreDNS.

1.1.3.6. Supported data stores for rate limiting

For rate limiting policies, Connectivity Link supports the following Redis-based data stores for rate limit counters in multicluster environments:

Red Hat Connectivity LinkRedis Enterprise or CloudAmazon ElasticacheDragonfly Community or Cloud

Version 1.4

latest

latest

latest

Version 1.3

latest

latest

latest

Version 1.2

latest

latest

latest

For more information, see the documentation for your chosen Redis-based datastore.

1.1.3.7. Supported identity access management

For authentication policies, Connectivity Link supports API keys and the following products:

Red Hat Connectivity Link VersionRed Hat build of Keycloak

Version 1.4

Version 26.4

Version 1.3

Version 26.4

Version 1.2

Version 26.4

For more information, see Supported Configurations for Red Hat build of Keycloak.

1.2. Installing Connectivity Link with the OpenShift Container Platform web console

You can use the OpenShift Container Platform web console to install the Red Hat Connectivity Link Operator. You must perform these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

The OpenShift Container Platform Cluster Ingress Operator is the default gateway controller for Connectivity Link.

An OperatorGroup custom resource (CR) is created automatically when you use the web console. For more information, see Operator Groups.

Warning

Connectivity Link requires kuadrant.io/* labels to search and filter resources on the cluster. Do not remove labels with this prefix. Removal might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are logged into the OpenShift Container Platform web console with cluster-admin privileges.

Procedure

  1. In the navigation menu, click Ecosystem > Software Catalog.
  2. In the Filter by keyword text box, enter Connectivity to find the Red Hat Connectivity Link Operator.
  3. Read the information about the Operator, and click Install to display the Operator subscription page.
  4. Select your subscription settings as follows:

    • Update Channel: stable
    • Version: 1.4.0
    • Installation mode: All namespaces on the cluster (default).
    • Installed namespace: Select the namespace where you want to install the Operator, for example, kuadrant-system. If the namespace does not already exist, click this field and select Create Project to create the namespace.
    • Approval Strategy: Select Automatic or Manual.
  5. Click Install, and wait a few moments until the Operator is installed and ready for use.
  6. Click Ecosystem > Installed Operators > Red Hat Connectivity Link.
  7. Click the Kuadrant tab, and click Create Kuadrant to create a Kuadrant custom resource (CR).
  8. In the Configure via field, click YAML view to edit the definition, for example, the Kuadrant CR name.
  9. Click Create and wait for the deployment to be displayed in the list.

    Note

    If you are using OpenShift Service Mesh, no additional configuration is required. Connectivity Link automatically detects and uses OpenShift Service Mesh as your Gateway object controller.

Verification

After you have installed the Operator, click Ecosystem > Installed Operators to verify that the Red Hat Connectivity Link Operator and the following component Operators are installed in your namespace:

  • Authorino Operator: Enables authentication and authorization for gateways and applications in a Gateway API network.
  • DNS Operator: Configures how north-south traffic from outside the network is balanced and reaches gateways.
  • Limitador Operator: Enables rate limiting for gateways and applications in a Gateway API network.

Next step

  • Update your Subscription CR to use the OpenShift Container Platform Cluster Ingress Operator.

1.3. Installing Connectivity Link on OpenShift Container Platform from the command line

You can install Connectivity Link with OpenShift CLI (oc) using the OpenShift Container Platform Cluster Ingress Operator as the default Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Warning

Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You installed the OpenShift CLI (oc).

Procedure

  1. Create the namespace where you want to install Connectivity Link by running the following command:

    $ oc create ns <kuadrant_system>

    You can replace the default <kuadrant_system> with the namespace you want to use.

  2. Create the Subscription custom resource (CR) by using the following example:

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: rhcl-operator
      namespace: <kuadrant_system>
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: rhcl-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
    • Replace <kuadrant_system> with the name of the namespace where you want to deploy Connectivity Link.

      Important

      For disconnected installations, you must replace the spec.source parameter value of the Subscription object with the name of the CatalogSource object created by oc-mirror. You can find the catalog source name by running the following command:

      $ oc get catalogsource -n openshift-marketplace
  3. Apply the Subscription CR by running the following command:

    $ oc apply -f subscription.yaml
  4. Create the OperatorGroup custom resource (CR) by using the following example:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    spec:
      upgradeStrategy: Default
    • Replace <kuadrant_system> with the namespace you used.
  5. Apply the OperatorGroup CR by running the following command:

    $ oc apply -f operatorgroup.yaml
  6. Confirm that the Connectivity Link installation has finished by running one of the following commands:

    $ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s
    ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})
    $ oc wait --for=condition=Installed installplan ${ip} --timeout=60s

    Expect the status of installplan.operators.coreos.com/install-<suffix> when Connectivity Link is ready. The name of the install plan has a random suffix, for example, 4rql7.

  7. Create your Connectivity Link custom resource (CR) by using the following example:

    apiVersion: kuadrant.io/v1beta1
    kind: Kuadrant
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    spec: {}

    Replace <kuadrant_system> with the namespace you used.

  8. Apply the Connectivity Link CR by running the following command:

    $ oc apply -f kuadrant.yaml

Verification

  1. Check the status of the Connectivity Link CR generation by running the following command:

    $ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant_system> --timeout=300s

    Replace <kuadrant_system> with the namespace you used.

    Example output

    kuadrant.kuadrant.io/kuadrant Ready

  2. Verify that all component Operator pods are running by entering the following command:

    $ oc get pods -n <kuadrant_system>
    • Replace <kuadrant_system> with the namespace you used.

      Example output

      NAME                                                READY   STATUS    RESTARTS   AGE
      authorino-operator-controller-manager-<hash>        2/2     Running   0          5m
      dns-operator-controller-manager-<hash>              2/2     Running   0          5m
      kuadrant-operator-controller-manager-<hash>         2/2     Running   0          7m
      limitador-operator-controller-manager-<hash>        2/2     Running   0          5m

  3. For a disconnected installation, verify that there are no image pull errors by running the following command:

    $ oc get events -n <kuadrant_system> --field-selector reason=Failed
    • Replace <kuadrant_system> with the namespace you used.

      The output should show no image pull failures.

      Note

      Pod specifications still show original image references, for example, registry.redhat.io/redhat/…​, even when images are pulled from your mirror registry. The redirection happens transparently at the CRI-O level through ImageDigestMirrorSet or ImageTagMirrorSet configuration objects.

1.4. Installing Connectivity Link on OpenShift Container Platform from the CLI with Istio as Gateway controller

If you are using OpenShift Service Mesh, you can install Connectivity Link with OpenShift CLI (oc) using Istio as your Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Warning

Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You installed the OpenShift CLI (oc).
  • You installed and configured OpenShift Service Mesh.

Procedure

  1. Create the namespace where you want to install Connectivity Link by running the following command:

    $ oc create ns <kuadrant-system>

    You can replace the default <kuadrant-system> with the namespace you want to use.

  2. Install Connectivity Link by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: rhcl-operator
      namespace: kuadrant-system
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: rhcl-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      config:
        env:
        - name: ISTIO_GATEWAY_CONTROLLER_NAMES
          value: istio.io/gateway-controller
    ---
    kind: OperatorGroup
    apiVersion: operators.coreos.com/v1
    metadata:
      name: kuadrant
      namespace: kuadrant-system
    spec:
      upgradeStrategy: Default
    EOF

    Replace <kuadrant-system> with the namespace you used.

  3. Confirm that the Connectivity Link installation has finished by running one of the following commands:

    $ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s
    ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})
    $ oc wait --for=condition=Installed installplan ${ip} --timeout=60s

    Expect the status of installplan.operators.coreos.com/install-<suffix> when Connectivity Link is ready. The name of the install plan has a random suffix, for example, 4rql7.

  4. Create your Connectivity Link custom resource (CR) by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: kuadrant.io/v1beta1
    kind: Kuadrant
    metadata:
      name: kuadrant
      namespace: <kuadrant-system>
    EOF

    Replace <kuadrant-system> with the namespace you used.

Verification

  • Check the status of the Connectivity Link CR generation by running the following command:

    $ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant-system> --timeout=300s

    Replace <kuadrant-system> with the namespace you used.

    Example output

    kuadrant.kuadrant.io/kuadrant Ready

1.5. Configuring DNS provider credentials for AWS

If you want to configure AWS DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Optional: Set up your environment variables as follows:

    1. Assign AWS_ACCESS_KEY_ID, which is the key ID from AWS with Route 53 access:

      $ export AWS_ACCESS_KEY_ID=xxxxxxx
    2. Assign AWS_SECRET_ACCESS_KEY`, which is the key from AWS with Route 53 access.

      $ export AWS_SECRET_ACCESS_KEY=xxxxxxx
    3. Assign AWS_REGION, which is your AWS region, for example, us-east-2 or eu-west-1.

      $ export AWS_REGION=your-aws-region
  2. Create a Secret resource for your credentials as follows:

    $ oc create secret generic aws-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/aws \
      --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
      --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
      --from-literal=AWS_REGION=$AWS_REGION
    Important

    You must configure the secret in the same namespace as your gateway.

1.6. Configuring Google DNS provider credentials

If you want to configure DNS policies in Connectivity Link using Google Cloud, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Optional: Specify your GOOGLE environment variable by running the following commands:

    $ export GOOGLE=xxxxxxx

    where:

    • GOOGLE: The GOOGLE variable specifies the JSON credentials generated by the gcloud CLI or by the service account. For example, $HOME/.config/gcloud/application_default_credentials.json, which has the following credentials:

      {"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}
  2. Optional: Specify your PROJECT_ID environment variable by running the following commands:

    $ export PROJECT_ID=xxxxxxx

    PROJECT_ID: Google project ID.

  3. Create a Secret resource for your credentials by running the following command:

    $ oc create secret generic test-gcp-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/gcp \
      --from-literal=PROJECT_ID=$PROJECT_ID \
      --from-file=GOOGLE=$GOOGLE
    Important

    You must configure the secret in the same namespace as your gateway.

1.7. Configuring Azure DNS provider credentials

If you want to configure Microsoft Azure DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.

Prerequisites

  • You installed Connectivity Link on an OpenShift Container Platform cluster.
  • You have access to the namespace of your gateway, for example, api-gateway.

    Note

    If you already know your environment variable values, you can create the required YAML files as required for your use case.

Procedure

  1. Create a new Azure service principal for managing DNS by setting the following environment variables:

    $ DNS_NEW_SP_NAME=kuadrantDnsPrincipal \
      DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME) \
      DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId') \
      DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

    For more details on service principals, see the Content from learn.microsoft.com is not included.Microsoft Azure documentation.

  2. Set the resource group environment variable by running the following command:

    $ DNS_RESOURCE_GROUP="ExampleDNSResourceGroup"

    Replace "ExampleDNSResourceGroup" with the DNS resource group that you want to use.

  3. To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:

    1. Fetch the DNS ID used to grant access to the service principal as follows:

      $ DNS_ID=$(az network dns zone show --name example.com \
       --resource-group $DNS_RESOURCE_GROUP --query "id" --output tsv)
    2. Get your resource group ID by running the following command:

      $ RESOURCE_GROUP_ID=$(az group show --resource-group $DNS_RESOURCE_GROUP | jq ".id" -r)
    3. Give reader access to the resource group as follows:

      $ az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID
    4. Give contributor access to the DNS zone as follows:

      $ az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID
  4. Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access:

    1. Create the role assignment for the traffic manager contributor by running the following command:

      $ az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
    2. Create the role assignment for the DNA zone contributor by running the following command:

      $ az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
    3. Configure the DNS zone access by running the following command:

      $ cat <<-EOF > /local/path/to/azure.json
      {
        "tenantId": "$(az account show --query tenantId -o tsv)",
        "subscriptionId": "$(az account show --query id -o tsv)",
        "resourceGroup": "$DNS_RESOURCE_GROUP",
        "aadClientId": "$DNS_SP_APP_ID",
        "aadClientSecret": "$DNS_SP_PASSWORD"
      }
      EOF
  5. Create a Secret resource for your credentials by running the following command:

    $ oc create secret generic test-azure-credentials \
      --namespace=api-gateway \
      --type=kuadrant.io/azure \
      --from-file=azure.json=/local/path/to/azure.json
    Important

    You must configure the secret in the same namespace as your gateway.

1.8. Configuring Redis storage for rate limiting

To configure persistence for rate limit counters in a multicluster environment, you must configure the connection details for your shared Redis-based datastore. This datastore is used to persist shared rate limit counters for the Limitador component of Connectivity Link.

Important

You must configure connection details for your shared Redis-based datastore on each OpenShift Container Platform cluster that you want to use Connectivity Link for rate limiting.

Prerequisites

  • You installed Connectivity Link on one or more clusters.
  • You have a shared Redis-based datastore.
  • You installed the OpenShift CLI (oc).
  • You have write access to the OpenShift Container Platform namespaces you need to work with.
  • You have access to external or on-premise DNS.
  • You created a gateway.
  • You configured your gateway policies and HTTP routes.

Procedure

  1. Set the following environment variable to your shared Redis-based instance URL:

    $ export REDIS_URL=rediss://user:xxxxxx@some-redis.com:10340

    Include the appropriate URI scheme for your environment:

    • Secure Redis: rediss://
    • Standard Redis: redis://
  2. Create a Secret resource for your Redis URL as follows:

    $ oc -n kuadrant-system create secret generic redis-config \
      --from-literal=URL=$REDIS_URL
  3. Update your Limitador custom resource to use the secret that you created as follows:

    $ oc patch limitador limitador --type=merge -n kuadrant-system -p '
    spec:
      storage:
        redis:
          configSecretRef:
            name: redis-config
    '

1.9. Enabling the Connectivity Link dynamic plugin for OpenShift Container Platform web console

You can use the Connectivity Link dynamic plugin to view and manage your gateways and policies in the OpenShift Container Platform web console. You must perform these steps on each OpenShift Container Platform cluster.

Prerequisites

  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are logged into the OpenShift Container Platform web console with administrator access.

Procedure

  1. In the navigation menu, select the Administrator perspective.
  2. Click Home > Overview.
  3. In the Status panel, click Dynamic Plugins > View all.
  4. On the Console plugins tab, find the kuadrant-console-plugin entry in the table, which should be listed but disabled.
  5. In the kuadrant-console-plugin row, click Disabled.
  6. Select the Enable option, and click Save.
  7. Wait for the plugin status to change to Loaded.

Verification

  1. Refresh the OpenShift Container Platform web console. A new Connectivity Link menu item is displayed in the navigation sidebar.

    1. You can click Connectivity Link > Overview to explore the available resources and to get started with creating a Gateway and configuring policies in the OpenShift Container Platform web console.

Next steps

  • Create a gateway.
  • Create policies.

1.10. Using your Red Hat subscription

Red Hat Connectivity Link is provided through a software subscription. To manage your subscriptions, access your account at the Red Hat Customer Portal.

  1. Go to access.redhat.com.
  2. If you do not already have an account, create one.
  3. Log in to your account.
  4. In the menu bar, click Subscriptions to view and manage your subscriptions.

1.11. Additional resources

Chapter 2. Installing Connectivity Link in a disconnected environment

You can use Connectivity Link in a disconnected environment to apply the speed and automation of cloud-like traffic management within your private, secure network.

Warning

Red Hat Connectivity Link 1.4.0 is deprecated. OpenShift Container Platform clusters running Connectivity Link 1.4.0 might experience authentication failures, API key management errors, gateway instability, or gateway pod memory pressure because of integration changes that are not fully compatible on all supported OpenShift Container Platform and OpenShift Service Mesh combinations.

Until a patch is released, take one of the two actions, depending on your scenario:

  • If you are a new customer, do not install Red Hat Connectivity Link 1.4.0.
  • If you are an upgrade customer, pin Connectivity Link and its dependent Operators to the latest Red Hat Connectivity Link 1.3.z release. Prevent upgrades to Connectivity Link 1.4.0.
Important

Disconnected installation is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

2.1. About installing Connectivity Link in disconnected environments

By using Connectivity Link as a disconnected gateway, you can securely route traffic, enforce rate limits, and perform automated failover between your isolated clusters. You can also automate internal TLS certificate management and manage all internal networking and security policies.

You install Connectivity Link Operators in disconnected OpenShift Container Platform environments by mirroring the Operator catalog and images to your internal registry. Use the oc-mirror tool to perform the following actions, in order:

  1. Mirror the Red Hat Operator catalog containing the Connectivity Link Operator package to your local registry.
  2. Configure your OpenShift Container Platform cluster to use the mirrored catalog.
  3. Install the Connectivity Link Operator using Operator Lifecycle Manager (OLM).

The Connectivity Link Operator automatically installs the following Operators:

  • The Authorino Operator for authentication and authorization
  • The Limitador Operator for rate limiting
  • The DNS Operator for DNS management

All required images are included when you mirror the rhcl-operator package from the Red Hat catalog.

2.2. Mirroring the Connectivity Link Operator catalog

To begin your disconnected Connectivity Link installation, you must mirror the Red Hat Operator catalog to your disconnected environment. By mirroring, you are making a complete local copy of Connectivity Link on a private container registry that your isolated cluster can reach.

Applying ImageDigestMirrorSet or ImageTagMirrorSet objects triggers MachineConfig object updates and restarts cluster nodes.

Important

Connectivity Link on OpenShift Container Platform 4.19 and newer uses a dedicated Istio plugin to manage gateway traffic and does not require installation of OpenShift Service Mesh. However, the underlying Istio container images remain a hard dependency. In a disconnected environment, ensure that these images are mirrored alongside your cluster image set configuration. They are not included in the Connectivity Link Operator catalog.

Prerequisites

  • You have a supported-version, disconnected OpenShift Container Platform cluster.
  • You configured a mirror registry.
  • You have access to registry.redhat.io on an internet-connected workstation.
  • You have credentials for your mirror registry configured in ${HOME}/.docker/config.json.
  • You have either an ImageDigestMirrorSet or ImageTagMirrorSet object configured for platform images.
  • You installed the oc-mirror CLI tool for mirroring operator catalogs.

Procedure

  1. On your internet-connected workstation, create an ImageSetConfiguration file named rhcl-imageset-config.yaml by using the following example:

    Example ImageSetConfiguration YAML

    apiVersion: mirror.openshift.io/v2alpha1
    kind: ImageSetConfiguration
    mirror:
      operators:
      - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.22
        packages:
        - name: rhcl-operator
      additionalImages:
      - name: registry.redhat.io/rhcl-1/coredns-rhel9:vX.Y.Z

    • In the mirror.operators.catalog parameter, specify the Red Hat Operator catalog version matching your OpenShift Container Platform cluster version.
    • The value of the mirror.operators.packages parameter is the Connectivity Link Operator group. Authorino, Limitador, and DNS Operators are included automatically.
    • Optional. The value of the mirror.additionalImages.name parameter is the dns-operator Operator version. Set this value if you want to use the Core DNS Operator. Replace vX.Y.Z with the version matching the Connectivity Link Operator release.
  2. Mirror the catalog to a local directory by running the following command:

    $ oc mirror --v2 --config rhcl-imageset-config.yaml file://./rhcl-mirror

    This command downloads the catalog and Operator images to the rhcl-mirror directory.

  3. Transfer the rhcl-mirror directory to your disconnected environment using removable media.
  4. On a host in the disconnected environment that has access to your mirror registry, push the images to the registry by running the following command:

    $ oc mirror --v2 --config rhcl-imageset-config.yaml \
      --from file://./rhcl-mirror \
      docker://<mirror_registry:port>

    Replace <mirror_registry:port> with the path and port to your mirror registry.

  5. Apply either or both the ImageDigestMirrorSet and ImageTagMirrorSet files to configure the cluster to use the mirrored images by running the following commands:

    1. Apply the ImageDigestMirrorSet by running the following command:

      $ oc apply -f results-*/cluster-resources/idms-oc-mirror.yaml
    2. Apply the ImageTagMirrorSet by running the following command:

      $ oc apply -f results-*/cluster-resources/itms-oc-mirror.yaml
      Note

      The oc-mirror tool generates these manifests based on how you reference your images in the mirrored Operators.

  6. Wait for the MachineConfigPool object to update by running the following command:

    $ oc wait mcp --all --for=condition=Updated --timeout=30m

    Example output

    machineconfigpool.machineconfiguration.openshift.io/master condition met
    machineconfigpool.machineconfiguration.openshift.io/worker condition met

  7. From your disconnected cluster, apply the generated CatalogSource manifest by running the following command:

    $ oc apply -f cluster-resources/cs-redhat-operator-index-v4-21.yaml
  8. Wait for the Operator catalog to be ready by running the following command:

    $ oc wait catalogsource -n openshift-marketplace --all --for=condition=Ready --timeout=5m

    Example output

    catalogsource.operators.coreos.com/cs-redhat-operator-index-v4-21 condition met

2.3. Installing Connectivity Link on OpenShift Container Platform from the command line

You can install Connectivity Link with OpenShift CLI (oc) using the OpenShift Container Platform Cluster Ingress Operator as the default Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.

Warning

Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.

Prerequisites

  • You are logged into OpenShift Container Platform as a cluster administrator.
  • You are using a supported configuration of OpenShift Container Platform and required components.
  • You installed the OpenShift CLI (oc).

Procedure

  1. Create the namespace where you want to install Connectivity Link by running the following command:

    $ oc create ns <kuadrant_system>

    You can replace the default <kuadrant_system> with the namespace you want to use.

  2. Create the Subscription custom resource (CR) by using the following example:

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: rhcl-operator
      namespace: <kuadrant_system>
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: rhcl-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
    • Replace <kuadrant_system> with the name of the namespace where you want to deploy Connectivity Link.

      Important

      For disconnected installations, you must replace the spec.source parameter value of the Subscription object with the name of the CatalogSource object created by oc-mirror. You can find the catalog source name by running the following command:

      $ oc get catalogsource -n openshift-marketplace
  3. Apply the Subscription CR by running the following command:

    $ oc apply -f subscription.yaml
  4. Create the OperatorGroup custom resource (CR) by using the following example:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    spec:
      upgradeStrategy: Default
    • Replace <kuadrant_system> with the namespace you used.
  5. Apply the OperatorGroup CR by running the following command:

    $ oc apply -f operatorgroup.yaml
  6. Confirm that the Connectivity Link installation has finished by running one of the following commands:

    $ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s
    ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})
    $ oc wait --for=condition=Installed installplan ${ip} --timeout=60s

    Expect the status of installplan.operators.coreos.com/install-<suffix> when Connectivity Link is ready. The name of the install plan has a random suffix, for example, 4rql7.

  7. Create your Connectivity Link custom resource (CR) by using the following example:

    apiVersion: kuadrant.io/v1beta1
    kind: Kuadrant
    metadata:
      name: kuadrant
      namespace: <kuadrant_system>
    spec: {}

    Replace <kuadrant_system> with the namespace you used.

  8. Apply the Connectivity Link CR by running the following command:

    $ oc apply -f kuadrant.yaml

Verification

  1. Check the status of the Connectivity Link CR generation by running the following command:

    $ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant_system> --timeout=300s

    Replace <kuadrant_system> with the namespace you used.

    Example output

    kuadrant.kuadrant.io/kuadrant Ready

  2. Verify that all component Operator pods are running by entering the following command:

    $ oc get pods -n <kuadrant_system>
    • Replace <kuadrant_system> with the namespace you used.

      Example output

      NAME                                                READY   STATUS    RESTARTS   AGE
      authorino-operator-controller-manager-<hash>        2/2     Running   0          5m
      dns-operator-controller-manager-<hash>              2/2     Running   0          5m
      kuadrant-operator-controller-manager-<hash>         2/2     Running   0          7m
      limitador-operator-controller-manager-<hash>        2/2     Running   0          5m

  3. For a disconnected installation, verify that there are no image pull errors by running the following command:

    $ oc get events -n <kuadrant_system> --field-selector reason=Failed
    • Replace <kuadrant_system> with the namespace you used.

      The output should show no image pull failures.

      Note

      Pod specifications still show original image references, for example, registry.redhat.io/redhat/…​, even when images are pulled from your mirror registry. The redirection happens transparently at the CRI-O level through ImageDigestMirrorSet or ImageTagMirrorSet configuration objects.

2.4. Troubleshooting a catalog image not accessible

If your CatalogSource object shows a READY=False status, the catalog image is not accessible from your mirror registry. You can check pod logs and check that the catalog image exists to troubleshoot this situation.

Prerequisites

  • You completed a disconnected installation of Connectivity Link.

Procedure

  1. Check the catalog pod logs by running the following command:

    $ oc logs -n openshift-marketplace -l olm.catalogSource=cs-redhat-operator-index-v{ocp-latest-version}

    Make sure you use the information that was created by the oc mirror tool to run this command.

  2. Verify that the catalog image exists in the mirror registry by running the following command:

    $ oc image info <mirror_registry>/redhat/redhat-operator-index:v{ocp-latest-version}

    Replace <mirror_registry> with the path to your mirror registry.

2.5. Checking for dependent Operators that are not installed

If you only see the Connectivity Link Operator ClusterServiceVersion, but the Authorino, Limitador, or DNS Operators are missing, the catalog might be missing digest references or the dependencies are not declared. You can track the source of the problem by checking a couple of resources.

Prerequisites

  • You completed a disconnected installation of Connectivity Link.

Procedure

  1. Verify that all four Operators are available as PackageManifest resources by running the following command:

    $ oc get packagemanifest -n openshift-marketplace | grep -E '(rhcl|authorino|limitador|dns)-operator'
  2. If any packages are missing, the catalog was not mirrored or applied correctly. Check that the catalog is ready and running with no errors and that the ImageSetConfiguration was created correctly.
  3. Check that the InstallPlan shows all dependencies by running the following command:

    $ oc get installplan -n <kuadrant_system> -o yaml

    Replace <kuadrant_system> with the namespace in which you installed Connectivity Link.

    Look for all four Operators in the InstallPlan specification output.

  4. If an Operator is missing, check the InstallPlan for errors or re-mirror the catalog.

2.6. Troubleshooting stuck pods in a disconnected installation

If your pods are stuck with an ImagePullBackOff status, this might mean that the image is either not in the mirror registry or that the ImageDigestMirrorSet object not applied correctly.

Prerequisites

  • You completed a disconnected installation of Connectivity Link.

Procedure

  1. Verify that ImageDigestMirrorSet exists by running the following command:

    $ oc get imagedigestmirrorset
  2. Check whether the specific image was mirrored by running the following command:

    $ oc image info <mirror_registry>/rhcl-1/rhcl-operator@sha256:_<digest>_
    • Replace <mirror_registry> with the path to your mirror registry.
    • Replace <digest> with the complete digest value.
  3. Check pod events by running the following command:

    $ oc describe pod <pod_name> -n <kuadrant_system>
    • Replace <pod_name> with the name of the stuck pod.
    • Replace <kuadrant_system> with the namespace in which you installed Connectivity Link.

2.7. Additional resources

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.