Installing Connectivity Link
Single cluster and multicluster deployments
Abstract
Chapter 1. Installing on OpenShift Container Platform
As a platform engineer, you can install Connectivity Link on OpenShift Container Platform clusters.
Red Hat Connectivity Link 1.4.0 is deprecated. OpenShift Container Platform clusters running Connectivity Link 1.4.0 might experience authentication failures, API key management errors, gateway instability, or gateway pod memory pressure because of integration changes that are not fully compatible on all supported OpenShift Container Platform and OpenShift Service Mesh combinations.
Until a patch is released, take one of the two actions, depending on your scenario:
- If you are a new customer, do not install Red Hat Connectivity Link 1.4.0.
- If you are an upgrade customer, pin Connectivity Link and its dependent Operators to the latest Red Hat Connectivity Link 1.3.z release. Prevent upgrades to Connectivity Link 1.4.0.
1.1. Getting ready to install Connectivity Link
As you plan your Connectivity Link install, ensure that you have access to the required platforms in your environment with the correct user permissions. You can also decide whether to use optional supported components, such as rate limiting and Observability.
1.1.1. Required platforms and components
The following platforms and components are required to install Connectivity Link successfully:
- Red Hat account
- You have a Red Hat account with subscriptions for Connectivity Link and OpenShift Container Platform.
- OpenShift Container Platform
OpenShift Container Platform 4.18 or later is installed, or you have access to a supported OpenShift Container Platform cloud service. See OpenShift Container Platform installation documentation.
ImportantWhen using the Gateway API custom resource definitions (CRDs) provided in OpenShift Container Platform 4.19 or newer, you must create a
GatewayClassnamedopenshift-defaultand specify acontrollerNameofopenshift.io/gateway-controller/v1. For more details, see the Getting started with Gateway API for the Ingress Operator (OpenShift Container Platform documentation).
- OpenShift Service Mesh
- A separate OpenShift Service Mesh installation is not required with Connectivity Link 1.3. If you use OpenShift Service Mesh, ensure that you are using 3.2 to stay in a supported configuration.
- cert-manager Operator for Red Hat OpenShift
You installed cert-manager Operator for Red Hat OpenShift 1.18 to manage the TLS certificates for your gateways. See the cert-manager Operator for Red Hat OpenShift documentation.
ImportantBefore using a Connectivity Link
TLSPolicycustom resource (CR), you must set up a certificate issuer for your cloud provider platform. See the OpenShift documentation on configuring an ACME issuer.
1.1.2. Optional components
The following components are optional with Connectivity Link. You can decide what you want to use and plan for those configurations before beginning your installation.
- DNSPolicy
For a
DNSPolicyCR, you must have an account for one of the supported cloud DNS providers and have set up a hosted zone for Connectivity Link. For more details, see your cloud DNS provider documentation:- RateLimitPolicy
For
RateLimitPolicyCRs, you must have a shared accessible Redis-based datastore for rate-limit counters in a multicluster environment. For details on how to install and configure a secure and highly available datastore, see the documentation for your Redis-compatible datastore:- AuthPolicy
-
For an
AuthPolicyCR, you can install Red Hat build of Keycloak if required in your environment. For more details, see the This content is not included.Red Hat build of Keycloak documentation. - Observability
- For Observability, you must configure OpenShift Container Platform user workload monitoring to remote-write to a central storage system.
1.1.3. Supported configurations with Connectivity Link
Connectivity Link must run on a supported combination of OpenShift Container Platform and use the cert-manager Operator for Red Hat OpenShift. To configure observability, use Red Hat OpenShift Service Mesh. Red Hat provides both production and development support for supported configurations and tested integrations according to your subscription agreement.
If you use a configuration that includes OpenShift Container Platform 4.18 or older, you must also use Red Hat OpenShift Service Mesh as the Gateway API provider.
1.1.3.1. Supported OpenShift Container Platform version configurations
| Red Hat Connectivity Link | Red Hat OpenShift Container Platform | Red Hat OpenShift Dedicated | Red Hat OpenShift Service on AWS | Microsoft Azure Red Hat OpenShift |
|---|---|---|---|---|
| Version 1.4 | 4.21, 4.20, 4.19, 4.18 | 4.21, 4.20, 4.19, 4.18 | 4.21, 4.20, 4.19, 4.18 | 4.19 |
| Version 1.3 | 4.21, 4.20, 4.19, 4.18 | 4.21, 4.20, 4.19, 4.18 | 4.21, 4.20, 4.19, 4.18 | 4.19 |
| Version 1.2 | 4.20, 4.19, 4.18 | 4.20, 4.19, 4.18 | 4.20, 4.19, 4.18 | 4.17 |
For Microsoft Azure, see the Content from learn.microsoft.com is not included.Support lifecycle for Azure Red Hat OpenShift 4.
1.1.3.2. Supported Operators
| Red Hat Connectivity Link | Red Hat OpenShift Service Mesh | cert-manager Operator for Red Hat OpenShift |
|---|---|---|
| Version 1.4 | 3.2 | 1.18 |
| Version 1.3 | 3.2 | 1.18 |
| Version 1.2 | 3.1 | 1.17 |
1.1.3.3. Supported cloud providers
All versions of Connectivity Link support the following platforms as backing cloud providers for OpenShift Container Platform:
- Amazon Web Services
- Google Cloud Platform
- Microsoft Azure
For more information, see the documentation for your chosen cloud provider.
1.1.3.4. Supported cloud DNS providers
For DNS policies, all versions of Connectivity Link support the following cloud DNS providers:
- Amazon Route 53
- Google Cloud Platform DNS
- Microsoft Azure DNS
For more information, see the documentation for your chosen cloud DNS provider.
1.1.3.5. Supported on-premise DNS providers
You can use CoreDNS can to configure an on-cluster DNS zone. For more information, see This content is not included.Using on-premise DNS with CoreDNS.
1.1.3.6. Supported data stores for rate limiting
For rate limiting policies, Connectivity Link supports the following Redis-based data stores for rate limit counters in multicluster environments:
| Red Hat Connectivity Link | Redis Enterprise or Cloud | Amazon Elasticache | Dragonfly Community or Cloud |
|---|---|---|---|
| Version 1.4 | latest | latest | latest |
| Version 1.3 | latest | latest | latest |
| Version 1.2 | latest | latest | latest |
For more information, see the documentation for your chosen Redis-based datastore.
1.1.3.7. Supported identity access management
For authentication policies, Connectivity Link supports API keys and the following products:
| Red Hat Connectivity Link Version | Red Hat build of Keycloak |
|---|---|
| Version 1.4 | Version 26.4 |
| Version 1.3 | Version 26.4 |
| Version 1.2 | Version 26.4 |
For more information, see Supported Configurations for Red Hat build of Keycloak.
1.2. Installing Connectivity Link with the OpenShift Container Platform web console
You can use the OpenShift Container Platform web console to install the Red Hat Connectivity Link Operator. You must perform these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
The OpenShift Container Platform Cluster Ingress Operator is the default gateway controller for Connectivity Link.
An OperatorGroup custom resource (CR) is created automatically when you use the web console. For more information, see Operator Groups.
Connectivity Link requires kuadrant.io/* labels to search and filter resources on the cluster. Do not remove labels with this prefix. Removal might cause unexpected behavior and degradation of Connectivity Link.
Prerequisites
- You are using a supported configuration of OpenShift Container Platform and required components.
- You are logged into OpenShift Container Platform as a cluster administrator.
-
You are logged into the OpenShift Container Platform web console with
cluster-adminprivileges.
Procedure
- In the navigation menu, click Ecosystem > Software Catalog.
-
In the Filter by keyword text box, enter
Connectivityto find the Red Hat Connectivity Link Operator. - Read the information about the Operator, and click Install to display the Operator subscription page.
Select your subscription settings as follows:
- Update Channel: stable
- Version: 1.4.0
- Installation mode: All namespaces on the cluster (default).
- Installed namespace: Select the namespace where you want to install the Operator, for example, kuadrant-system. If the namespace does not already exist, click this field and select Create Project to create the namespace.
- Approval Strategy: Select Automatic or Manual.
- Click Install, and wait a few moments until the Operator is installed and ready for use.
- Click Ecosystem > Installed Operators > Red Hat Connectivity Link.
- Click the Kuadrant tab, and click Create Kuadrant to create a Kuadrant custom resource (CR).
- In the Configure via field, click YAML view to edit the definition, for example, the Kuadrant CR name.
Click Create and wait for the deployment to be displayed in the list.
NoteIf you are using OpenShift Service Mesh, no additional configuration is required. Connectivity Link automatically detects and uses OpenShift Service Mesh as your Gateway object controller.
Verification
After you have installed the Operator, click Ecosystem > Installed Operators to verify that the Red Hat Connectivity Link Operator and the following component Operators are installed in your namespace:
- Authorino Operator: Enables authentication and authorization for gateways and applications in a Gateway API network.
- DNS Operator: Configures how north-south traffic from outside the network is balanced and reaches gateways.
- Limitador Operator: Enables rate limiting for gateways and applications in a Gateway API network.
Next step
- Update your Subscription CR to use the OpenShift Container Platform Cluster Ingress Operator.
1.3. Installing Connectivity Link on OpenShift Container Platform from the command line
You can install Connectivity Link with OpenShift CLI (oc) using the OpenShift Container Platform Cluster Ingress Operator as the default Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.
Prerequisites
- You are logged into OpenShift Container Platform as a cluster administrator.
- You are using a supported configuration of OpenShift Container Platform and required components.
-
You installed the OpenShift CLI (
oc).
Procedure
Create the namespace where you want to install Connectivity Link by running the following command:
$ oc create ns <kuadrant_system>You can replace the default
<kuadrant_system>with the namespace you want to use.Create the
Subscriptioncustom resource (CR) by using the following example:apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: rhcl-operator namespace: <kuadrant_system> spec: channel: stable installPlanApproval: Automatic name: rhcl-operator source: redhat-operators sourceNamespace: openshift-marketplaceReplace
<kuadrant_system>with the name of the namespace where you want to deploy Connectivity Link.ImportantFor disconnected installations, you must replace the
spec.sourceparameter value of theSubscriptionobject with the name of theCatalogSourceobject created byoc-mirror. You can find the catalog source name by running the following command:$ oc get catalogsource -n openshift-marketplace
Apply the
SubscriptionCR by running the following command:$ oc apply -f subscription.yaml
Create the
OperatorGroupcustom resource (CR) by using the following example:apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: kuadrant namespace: <kuadrant_system> spec: upgradeStrategy: Default-
Replace
<kuadrant_system>with the namespace you used.
-
Replace
Apply the
OperatorGroupCR by running the following command:$ oc apply -f operatorgroup.yaml
Confirm that the Connectivity Link installation has finished by running one of the following commands:
$ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})$ oc wait --for=condition=Installed installplan ${ip} --timeout=60sExpect the status of
installplan.operators.coreos.com/install-<suffix>when Connectivity Link is ready. The name of the install plan has a random suffix, for example,4rql7.Create your Connectivity Link custom resource (CR) by using the following example:
apiVersion: kuadrant.io/v1beta1 kind: Kuadrant metadata: name: kuadrant namespace: <kuadrant_system> spec: {}Replace
<kuadrant_system>with the namespace you used.Apply the Connectivity Link CR by running the following command:
$ oc apply -f kuadrant.yaml
Verification
Check the status of the Connectivity Link CR generation by running the following command:
$ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant_system> --timeout=300sReplace
<kuadrant_system>with the namespace you used.Example output
kuadrant.kuadrant.io/kuadrant Ready
Verify that all component Operator pods are running by entering the following command:
$ oc get pods -n <kuadrant_system>Replace
<kuadrant_system>with the namespace you used.Example output
NAME READY STATUS RESTARTS AGE authorino-operator-controller-manager-<hash> 2/2 Running 0 5m dns-operator-controller-manager-<hash> 2/2 Running 0 5m kuadrant-operator-controller-manager-<hash> 2/2 Running 0 7m limitador-operator-controller-manager-<hash> 2/2 Running 0 5m
For a disconnected installation, verify that there are no image pull errors by running the following command:
$ oc get events -n <kuadrant_system> --field-selector reason=FailedReplace
<kuadrant_system>with the namespace you used.The output should show no image pull failures.
NotePod specifications still show original image references, for example,
registry.redhat.io/redhat/…, even when images are pulled from your mirror registry. The redirection happens transparently at the CRI-O level throughImageDigestMirrorSetorImageTagMirrorSetconfiguration objects.
1.4. Installing Connectivity Link on OpenShift Container Platform from the CLI with Istio as Gateway controller
If you are using OpenShift Service Mesh, you can install Connectivity Link with OpenShift CLI (oc) using Istio as your Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.
Prerequisites
- You are logged into OpenShift Container Platform as a cluster administrator.
- You are using a supported configuration of OpenShift Container Platform and required components.
-
You installed the OpenShift CLI (
oc). - You installed and configured OpenShift Service Mesh.
Procedure
Create the namespace where you want to install Connectivity Link by running the following command:
$ oc create ns <kuadrant-system>You can replace the default <kuadrant-system> with the namespace you want to use.
Install Connectivity Link by running the following command:
$ oc apply -f - <<EOF apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: rhcl-operator namespace: kuadrant-system spec: channel: stable installPlanApproval: Automatic name: rhcl-operator source: redhat-operators sourceNamespace: openshift-marketplace config: env: - name: ISTIO_GATEWAY_CONTROLLER_NAMES value: istio.io/gateway-controller --- kind: OperatorGroup apiVersion: operators.coreos.com/v1 metadata: name: kuadrant namespace: kuadrant-system spec: upgradeStrategy: Default EOFReplace <kuadrant-system> with the namespace you used.
Confirm that the Connectivity Link installation has finished by running one of the following commands:
$ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})$ oc wait --for=condition=Installed installplan ${ip} --timeout=60sExpect the status of
installplan.operators.coreos.com/install-<suffix>when Connectivity Link is ready. The name of the install plan has a random suffix, for example,4rql7.Create your Connectivity Link custom resource (CR) by running the following command:
$ oc apply -f - <<EOF apiVersion: kuadrant.io/v1beta1 kind: Kuadrant metadata: name: kuadrant namespace: <kuadrant-system> EOFReplace <kuadrant-system> with the namespace you used.
Verification
Check the status of the Connectivity Link CR generation by running the following command:
$ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant-system> --timeout=300sReplace <kuadrant-system> with the namespace you used.
Example output
kuadrant.kuadrant.io/kuadrant Ready
1.5. Configuring DNS provider credentials for AWS
If you want to configure AWS DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.
Prerequisites
- You installed Connectivity Link on an OpenShift Container Platform cluster.
You have access to the namespace of your gateway, for example,
api-gateway.NoteIf you already know your environment variable values, you can create the required YAML files as required for your use case.
Procedure
Optional: Set up your environment variables as follows:
Assign
AWS_ACCESS_KEY_ID, which is the key ID from AWS with Route 53 access:$ export AWS_ACCESS_KEY_ID=xxxxxxx
Assign AWS_SECRET_ACCESS_KEY`, which is the key from AWS with Route 53 access.
$ export AWS_SECRET_ACCESS_KEY=xxxxxxx
Assign
AWS_REGION, which is your AWS region, for example,us-east-2oreu-west-1.$ export AWS_REGION=your-aws-region
Create a
Secretresource for your credentials as follows:$ oc create secret generic aws-credentials \ --namespace=api-gateway \ --type=kuadrant.io/aws \ --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ --from-literal=AWS_REGION=$AWS_REGION
ImportantYou must configure the secret in the same namespace as your gateway.
1.6. Configuring Google DNS provider credentials
If you want to configure DNS policies in Connectivity Link using Google Cloud, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.
Prerequisites
- You installed Connectivity Link on an OpenShift Container Platform cluster.
You have access to the namespace of your gateway, for example,
api-gateway.NoteIf you already know your environment variable values, you can create the required YAML files as required for your use case.
Procedure
Optional: Specify your
GOOGLEenvironment variable by running the following commands:$ export GOOGLE=xxxxxxx
where:
GOOGLE: TheGOOGLEvariable specifies the JSON credentials generated by thegcloudCLI or by the service account. For example,$HOME/.config/gcloud/application_default_credentials.json, which has the following credentials:{"client_id": "***","client_secret": "***","refresh_token": "***","type": "authorized_user"}
Optional: Specify your
PROJECT_IDenvironment variable by running the following commands:$ export PROJECT_ID=xxxxxxx
PROJECT_ID: Google project ID.Create a
Secretresource for your credentials by running the following command:$ oc create secret generic test-gcp-credentials \ --namespace=api-gateway \ --type=kuadrant.io/gcp \ --from-literal=PROJECT_ID=$PROJECT_ID \ --from-file=GOOGLE=$GOOGLE
ImportantYou must configure the secret in the same namespace as your gateway.
Additional resources
1.7. Configuring Azure DNS provider credentials
If you want to configure Microsoft Azure DNS policies in Connectivity Link, you must configure the DNS credentials. You must perform the steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
You must configure a DNS hosted zone. The credentials for your DNS provider must have permissions to update DNS records within this zone.
Prerequisites
- You installed Connectivity Link on an OpenShift Container Platform cluster.
You have access to the namespace of your gateway, for example,
api-gateway.NoteIf you already know your environment variable values, you can create the required YAML files as required for your use case.
Procedure
Create a new Azure service principal for managing DNS by setting the following environment variables:
$ DNS_NEW_SP_NAME=kuadrantDnsPrincipal \ DNS_SP=$(az ad sp create-for-rbac --name $DNS_NEW_SP_NAME) \ DNS_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId') \ DNS_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')
For more details on service principals, see the Content from learn.microsoft.com is not included.Microsoft Azure documentation.
Set the resource group environment variable by running the following command:
$ DNS_RESOURCE_GROUP="ExampleDNSResourceGroup"
Replace "ExampleDNSResourceGroup" with the DNS resource group that you want to use.
To grant read and contributor access to the zones that you want managed for the service principal you are using, perform the following steps:
Fetch the DNS ID used to grant access to the service principal as follows:
$ DNS_ID=$(az network dns zone show --name example.com \ --resource-group $DNS_RESOURCE_GROUP --query "id" --output tsv)
Get your resource group ID by running the following command:
$ RESOURCE_GROUP_ID=$(az group show --resource-group $DNS_RESOURCE_GROUP | jq ".id" -r)
Give reader access to the resource group as follows:
$ az role assignment create --role "Reader" --assignee $DNS_SP_APP_ID --scope $DNS_ID
Give contributor access to the DNS zone as follows:
$ az role assignment create --role "Contributor" --assignee $DNS_SP_APP_ID --scope $DNS_ID
Because you are setting up advanced traffic rules for geographic and weighted responses, you must also grant traffic manager and DNS zone access:
Create the role assignment for the traffic manager contributor by running the following command:
$ az role assignment create --role "Traffic Manager Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
Create the role assignment for the DNA zone contributor by running the following command:
$ az role assignment create --role "DNS Zone Contributor" --assignee $DNS_SP_APP_ID --scope $RESOURCE_GROUP_ID
Configure the DNS zone access by running the following command:
$ cat <<-EOF > /local/path/to/azure.json { "tenantId": "$(az account show --query tenantId -o tsv)", "subscriptionId": "$(az account show --query id -o tsv)", "resourceGroup": "$DNS_RESOURCE_GROUP", "aadClientId": "$DNS_SP_APP_ID", "aadClientSecret": "$DNS_SP_PASSWORD" } EOF
Create a
Secretresource for your credentials by running the following command:$ oc create secret generic test-azure-credentials \ --namespace=api-gateway \ --type=kuadrant.io/azure \ --from-file=azure.json=/local/path/to/azure.json
ImportantYou must configure the secret in the same namespace as your gateway.
Additional resources
1.8. Configuring Redis storage for rate limiting
To configure persistence for rate limit counters in a multicluster environment, you must configure the connection details for your shared Redis-based datastore. This datastore is used to persist shared rate limit counters for the Limitador component of Connectivity Link.
You must configure connection details for your shared Redis-based datastore on each OpenShift Container Platform cluster that you want to use Connectivity Link for rate limiting.
Prerequisites
- You installed Connectivity Link on one or more clusters.
- You have a shared Redis-based datastore.
-
You installed the OpenShift CLI (
oc). - You have write access to the OpenShift Container Platform namespaces you need to work with.
- You have access to external or on-premise DNS.
- You created a gateway.
-
You configured your gateway policies and
HTTProutes.
Procedure
Set the following environment variable to your shared Redis-based instance URL:
$ export REDIS_URL=rediss://user:xxxxxx@some-redis.com:10340
Include the appropriate URI scheme for your environment:
-
Secure Redis:
rediss:// -
Standard Redis:
redis://
-
Secure Redis:
Create a
Secretresource for your Redis URL as follows:$ oc -n kuadrant-system create secret generic redis-config \ --from-literal=URL=$REDIS_URL
Update your Limitador custom resource to use the secret that you created as follows:
$ oc patch limitador limitador --type=merge -n kuadrant-system -p ' spec: storage: redis: configSecretRef: name: redis-config '
1.9. Enabling the Connectivity Link dynamic plugin for OpenShift Container Platform web console
You can use the Connectivity Link dynamic plugin to view and manage your gateways and policies in the OpenShift Container Platform web console. You must perform these steps on each OpenShift Container Platform cluster.
Prerequisites
- You are using a supported configuration of OpenShift Container Platform and required components.
- You are logged into OpenShift Container Platform as a cluster administrator.
- You are logged into the OpenShift Container Platform web console with administrator access.
Procedure
- In the navigation menu, select the Administrator perspective.
- Click Home > Overview.
- In the Status panel, click Dynamic Plugins > View all.
- On the Console plugins tab, find the kuadrant-console-plugin entry in the table, which should be listed but disabled.
- In the kuadrant-console-plugin row, click Disabled.
- Select the Enable option, and click Save.
- Wait for the plugin status to change to Loaded.
Verification
Refresh the OpenShift Container Platform web console. A new Connectivity Link menu item is displayed in the navigation sidebar.
- You can click Connectivity Link > Overview to explore the available resources and to get started with creating a Gateway and configuring policies in the OpenShift Container Platform web console.
Next steps
- Create a gateway.
- Create policies.
1.10. Using your Red Hat subscription
Red Hat Connectivity Link is provided through a software subscription. To manage your subscriptions, access your account at the Red Hat Customer Portal.
- Go to access.redhat.com.
- If you do not already have an account, create one.
- Log in to your account.
- In the menu bar, click Subscriptions to view and manage your subscriptions.
1.11. Additional resources
Chapter 2. Installing Connectivity Link in a disconnected environment
You can use Connectivity Link in a disconnected environment to apply the speed and automation of cloud-like traffic management within your private, secure network.
Red Hat Connectivity Link 1.4.0 is deprecated. OpenShift Container Platform clusters running Connectivity Link 1.4.0 might experience authentication failures, API key management errors, gateway instability, or gateway pod memory pressure because of integration changes that are not fully compatible on all supported OpenShift Container Platform and OpenShift Service Mesh combinations.
Until a patch is released, take one of the two actions, depending on your scenario:
- If you are a new customer, do not install Red Hat Connectivity Link 1.4.0.
- If you are an upgrade customer, pin Connectivity Link and its dependent Operators to the latest Red Hat Connectivity Link 1.3.z release. Prevent upgrades to Connectivity Link 1.4.0.
Disconnected installation is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
2.1. About installing Connectivity Link in disconnected environments
By using Connectivity Link as a disconnected gateway, you can securely route traffic, enforce rate limits, and perform automated failover between your isolated clusters. You can also automate internal TLS certificate management and manage all internal networking and security policies.
You install Connectivity Link Operators in disconnected OpenShift Container Platform environments by mirroring the Operator catalog and images to your internal registry. Use the oc-mirror tool to perform the following actions, in order:
- Mirror the Red Hat Operator catalog containing the Connectivity Link Operator package to your local registry.
- Configure your OpenShift Container Platform cluster to use the mirrored catalog.
- Install the Connectivity Link Operator using Operator Lifecycle Manager (OLM).
The Connectivity Link Operator automatically installs the following Operators:
- The Authorino Operator for authentication and authorization
- The Limitador Operator for rate limiting
- The DNS Operator for DNS management
All required images are included when you mirror the rhcl-operator package from the Red Hat catalog.
2.2. Mirroring the Connectivity Link Operator catalog
To begin your disconnected Connectivity Link installation, you must mirror the Red Hat Operator catalog to your disconnected environment. By mirroring, you are making a complete local copy of Connectivity Link on a private container registry that your isolated cluster can reach.
Applying ImageDigestMirrorSet or ImageTagMirrorSet objects triggers MachineConfig object updates and restarts cluster nodes.
Connectivity Link on OpenShift Container Platform 4.19 and newer uses a dedicated Istio plugin to manage gateway traffic and does not require installation of OpenShift Service Mesh. However, the underlying Istio container images remain a hard dependency. In a disconnected environment, ensure that these images are mirrored alongside your cluster image set configuration. They are not included in the Connectivity Link Operator catalog.
Prerequisites
- You have a supported-version, disconnected OpenShift Container Platform cluster.
- You configured a mirror registry.
-
You have access to
registry.redhat.ioon an internet-connected workstation. -
You have credentials for your mirror registry configured in
${HOME}/.docker/config.json. -
You have either an
ImageDigestMirrorSetorImageTagMirrorSetobject configured for platform images. -
You installed the
oc-mirrorCLI tool for mirroring operator catalogs.
Procedure
On your internet-connected workstation, create an
ImageSetConfigurationfile namedrhcl-imageset-config.yamlby using the following example:Example
ImageSetConfigurationYAMLapiVersion: mirror.openshift.io/v2alpha1 kind: ImageSetConfiguration mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.22 packages: - name: rhcl-operator additionalImages: - name: registry.redhat.io/rhcl-1/coredns-rhel9:vX.Y.Z-
In the
mirror.operators.catalogparameter, specify the Red Hat Operator catalog version matching your OpenShift Container Platform cluster version. -
The value of the
mirror.operators.packagesparameter is the Connectivity Link Operator group. Authorino, Limitador, and DNS Operators are included automatically. -
Optional. The value of the
mirror.additionalImages.nameparameter is thedns-operatorOperator version. Set this value if you want to use the Core DNS Operator. ReplacevX.Y.Zwith the version matching the Connectivity Link Operator release.
-
In the
Mirror the catalog to a local directory by running the following command:
$ oc mirror --v2 --config rhcl-imageset-config.yaml file://./rhcl-mirror
This command downloads the catalog and Operator images to the
rhcl-mirrordirectory.-
Transfer the
rhcl-mirrordirectory to your disconnected environment using removable media. On a host in the disconnected environment that has access to your mirror registry, push the images to the registry by running the following command:
$ oc mirror --v2 --config rhcl-imageset-config.yaml \ --from file://./rhcl-mirror \ docker://<mirror_registry:port>Replace
<mirror_registry:port>with the path and port to your mirror registry.Apply either or both the
ImageDigestMirrorSetandImageTagMirrorSetfiles to configure the cluster to use the mirrored images by running the following commands:Apply the
ImageDigestMirrorSetby running the following command:$ oc apply -f results-*/cluster-resources/idms-oc-mirror.yaml
Apply the
ImageTagMirrorSetby running the following command:$ oc apply -f results-*/cluster-resources/itms-oc-mirror.yaml
NoteThe
oc-mirror toolgenerates these manifests based on how you reference your images in the mirrored Operators.
Wait for the
MachineConfigPoolobject to update by running the following command:$ oc wait mcp --all --for=condition=Updated --timeout=30m
Example output
machineconfigpool.machineconfiguration.openshift.io/master condition met machineconfigpool.machineconfiguration.openshift.io/worker condition met
From your disconnected cluster, apply the generated
CatalogSourcemanifest by running the following command:$ oc apply -f cluster-resources/cs-redhat-operator-index-v4-21.yaml
Wait for the Operator catalog to be ready by running the following command:
$ oc wait catalogsource -n openshift-marketplace --all --for=condition=Ready --timeout=5m
Example output
catalogsource.operators.coreos.com/cs-redhat-operator-index-v4-21 condition met
2.3. Installing Connectivity Link on OpenShift Container Platform from the command line
You can install Connectivity Link with OpenShift CLI (oc) using the OpenShift Container Platform Cluster Ingress Operator as the default Gateway object controller. You must complete these steps on each OpenShift Container Platform cluster that you want to use Connectivity Link on.
Connectivity Link uses labels formatted as kuadrant.io/* to search and filter resources on the cluster. Removing of any labels with the prefix might cause unexpected behavior and degradation of Connectivity Link.
Prerequisites
- You are logged into OpenShift Container Platform as a cluster administrator.
- You are using a supported configuration of OpenShift Container Platform and required components.
-
You installed the OpenShift CLI (
oc).
Procedure
Create the namespace where you want to install Connectivity Link by running the following command:
$ oc create ns <kuadrant_system>You can replace the default
<kuadrant_system>with the namespace you want to use.Create the
Subscriptioncustom resource (CR) by using the following example:apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: rhcl-operator namespace: <kuadrant_system> spec: channel: stable installPlanApproval: Automatic name: rhcl-operator source: redhat-operators sourceNamespace: openshift-marketplaceReplace
<kuadrant_system>with the name of the namespace where you want to deploy Connectivity Link.ImportantFor disconnected installations, you must replace the
spec.sourceparameter value of theSubscriptionobject with the name of theCatalogSourceobject created byoc-mirror. You can find the catalog source name by running the following command:$ oc get catalogsource -n openshift-marketplace
Apply the
SubscriptionCR by running the following command:$ oc apply -f subscription.yaml
Create the
OperatorGroupcustom resource (CR) by using the following example:apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: kuadrant namespace: <kuadrant_system> spec: upgradeStrategy: Default-
Replace
<kuadrant_system>with the namespace you used.
-
Replace
Apply the
OperatorGroupCR by running the following command:$ oc apply -f operatorgroup.yaml
Confirm that the Connectivity Link installation has finished by running one of the following commands:
$ oc wait --for=jsonpath={.status.installPlanRef.name} subscription rhcl-operator --timeout=10s ip=$(oc get subscription rhcl-operator -o=jsonpath={.status.installPlanRef.name})$ oc wait --for=condition=Installed installplan ${ip} --timeout=60sExpect the status of
installplan.operators.coreos.com/install-<suffix>when Connectivity Link is ready. The name of the install plan has a random suffix, for example,4rql7.Create your Connectivity Link custom resource (CR) by using the following example:
apiVersion: kuadrant.io/v1beta1 kind: Kuadrant metadata: name: kuadrant namespace: <kuadrant_system> spec: {}Replace
<kuadrant_system>with the namespace you used.Apply the Connectivity Link CR by running the following command:
$ oc apply -f kuadrant.yaml
Verification
Check the status of the Connectivity Link CR generation by running the following command:
$ oc wait kuadrant/kuadrant --for="condition=Ready=true" -n <kuadrant_system> --timeout=300sReplace
<kuadrant_system>with the namespace you used.Example output
kuadrant.kuadrant.io/kuadrant Ready
Verify that all component Operator pods are running by entering the following command:
$ oc get pods -n <kuadrant_system>Replace
<kuadrant_system>with the namespace you used.Example output
NAME READY STATUS RESTARTS AGE authorino-operator-controller-manager-<hash> 2/2 Running 0 5m dns-operator-controller-manager-<hash> 2/2 Running 0 5m kuadrant-operator-controller-manager-<hash> 2/2 Running 0 7m limitador-operator-controller-manager-<hash> 2/2 Running 0 5m
For a disconnected installation, verify that there are no image pull errors by running the following command:
$ oc get events -n <kuadrant_system> --field-selector reason=FailedReplace
<kuadrant_system>with the namespace you used.The output should show no image pull failures.
NotePod specifications still show original image references, for example,
registry.redhat.io/redhat/…, even when images are pulled from your mirror registry. The redirection happens transparently at the CRI-O level throughImageDigestMirrorSetorImageTagMirrorSetconfiguration objects.
2.4. Troubleshooting a catalog image not accessible
If your CatalogSource object shows a READY=False status, the catalog image is not accessible from your mirror registry. You can check pod logs and check that the catalog image exists to troubleshoot this situation.
Prerequisites
- You completed a disconnected installation of Connectivity Link.
Procedure
Check the catalog pod logs by running the following command:
$ oc logs -n openshift-marketplace -l olm.catalogSource=cs-redhat-operator-index-v{ocp-latest-version}Make sure you use the information that was created by the
oc mirrortool to run this command.Verify that the catalog image exists in the mirror registry by running the following command:
$ oc image info <mirror_registry>/redhat/redhat-operator-index:v{ocp-latest-version}Replace
<mirror_registry>with the path to your mirror registry.
2.5. Checking for dependent Operators that are not installed
If you only see the Connectivity Link Operator ClusterServiceVersion, but the Authorino, Limitador, or DNS Operators are missing, the catalog might be missing digest references or the dependencies are not declared. You can track the source of the problem by checking a couple of resources.
Prerequisites
- You completed a disconnected installation of Connectivity Link.
Procedure
Verify that all four Operators are available as
PackageManifestresources by running the following command:$ oc get packagemanifest -n openshift-marketplace | grep -E '(rhcl|authorino|limitador|dns)-operator'
-
If any packages are missing, the catalog was not mirrored or applied correctly. Check that the catalog is ready and running with no errors and that the
ImageSetConfigurationwas created correctly. Check that the
InstallPlanshows all dependencies by running the following command:$ oc get installplan -n <kuadrant_system> -o yamlReplace
<kuadrant_system>with the namespace in which you installed Connectivity Link.Look for all four Operators in the
InstallPlanspecification output.-
If an Operator is missing, check the
InstallPlanfor errors or re-mirror the catalog.
2.6. Troubleshooting stuck pods in a disconnected installation
If your pods are stuck with an ImagePullBackOff status, this might mean that the image is either not in the mirror registry or that the ImageDigestMirrorSet object not applied correctly.
Prerequisites
- You completed a disconnected installation of Connectivity Link.
Procedure
Verify that
ImageDigestMirrorSetexists by running the following command:$ oc get imagedigestmirrorset
Check whether the specific image was mirrored by running the following command:
$ oc image info <mirror_registry>/rhcl-1/rhcl-operator@sha256:_<digest>_-
Replace
<mirror_registry>with the path to your mirror registry. -
Replace
<digest>with the complete digest value.
-
Replace
Check pod events by running the following command:
$ oc describe pod <pod_name> -n <kuadrant_system>
-
Replace
<pod_name>with the name of the stuck pod. -
Replace
<kuadrant_system>with the namespace in which you installed Connectivity Link.
-
Replace
2.7. Additional resources
- This content is not included.Managing image settings
- This content is not included.Managing custom catalogs
- This content is not included.Disconnected installation overview
- This content is not included.Using Operator Lifecycle Manager in disconnected environments
- This content is not included.Mirroring an image set in a fully disconnected environment