Release notes

Red Hat Connectivity Link 1.4

What's new in Red Hat Connectivity Link

Red Hat OpenShift Documentation Team

Abstract

This guide provides the latest information on what's new in this release of Red Hat Connectivity Link.

Chapter 1. Red Hat Connectivity Link 1.4 release notes

Welcome to the Red Hat Connectivity Link release notes, where you can learn about what is new and what is fixed.

Warning

Red Hat Connectivity Link 1.4.0 is deprecated. OpenShift Container Platform clusters running Connectivity Link 1.4.0 might experience authentication failures, API key management errors, gateway instability, or gateway pod memory pressure because of integration changes that are not fully compatible on all supported OpenShift Container Platform and OpenShift Service Mesh combinations.

Until a patch is released, take one of the two actions, depending on your scenario:

  • If you are a new customer, do not install Red Hat Connectivity Link 1.4.0.
  • If you are an upgrade customer, pin Connectivity Link and its dependent Operators to the latest Red Hat Connectivity Link 1.3.z release. Prevent upgrades to Connectivity Link 1.4.0.

1.1. Red Hat Connectivity Link 1.4 release notes

Connectivity Link is a modular and flexible solution for application connectivity, policy management, and API management in multicloud and hybrid cloud environments. You can use Connectivity Link to secure, protect, connect, and observe your APIs, applications, and infrastructure.

Connectivity Link is based on the Content from kuadrant.io is not included.Kuadrant community project, providing a control plane for you to configure and deploy ingress gateways and policies based on the Content from gateway-api.sigs.k8s.io is not included.Kubernetes Gateway API standard. Connectivity Link supports OpenShift Service Mesh 3.2 as the Gateway API provider, which is based on the Content from istio.io is not included.Istio community project.

1.2. About this release

Red Hat Connectivity Link 1.4, RHBA-2026:25234, is now available. This release includes the MCP gateway 0.7.0 as a Technology Preview feature. New features, changes, and known issues that pertain to Connectivity Link 1.4 are included in this topic.

Starting with Connectivity Link 1.4, full support ends with the release of the next minor version. Maintenance support ends with the minor version after that. See the This content is not included.Red Hat Connectivity Link Life Cycle Policy for details about version support and OpenShift Container Platform compatibility.

Important lifecycle update for Connectivity Link 1.3
With this release, the maintenance support lifecycle for Connectivity Link 1.3 is updated. Maintenance Support for version 1.3 ends with the release of Connectivity Link 1.5. The maintenance lifecycle of 1.3 was announced before as ending with Connectivity Link 1.6.

1.2.1. New features and enhancements

You can use the new features and enhancements that are available with Red Hat Connectivity Link 1.4.

X.509 cryptographic identity verification now available
With this Connectivity Link release, you can use X.509 client certificate authentication with for strong cryptographic identity verification. The X.509 format creates a two-layer authentication process that requires both cryptographic proof and context-aware validation before a request authenticates.

For more information, see Using X.509 cryptographic identity verification.

MCP gateway: MCP prompt federation is now available

MCP gateway adds support for federating MCP prompts through the Gateway object as a Generally Available feature. MCP prompt federation makes it much easier to supply your large language models (LLMs) with the exact context and steering instructions they need, no matter which server originally hosted the template.

With this update, you can now access and run prompt templates from your upstream MCP servers through a single, central Gateway connection. Instead of managing separate connections to multiple backend servers, you can query the Gateway object to see a unified, prefixed list of every available prompt across your network. When you find the prompt template that you need, you can plug in your custom variables. The Gateway object automatically routes the request to the right place.

For more information, see Registering on-prem MCP servers.

MCP gateway: Vault documentation now included
Now you can learn how to use HashiCorp Vault (Vault) to retrieve and inject authentication credentials into your MCP server request flow with the MCP gateway.

For more information see Using credentials to access external APIs with Vault.

MCP gateway audit trail documentation is now available
The MCP gateway documentation now includes configuration instructions for creating an audit trail for compliance and accountability that captures caller identity, tool names, and MCP session context through the MCP gateway.

For more information, see Understanding an MCP gateway audit trail.

Notable technical changes

Connectivity Link: The gateway integration has been migrated from an Istio WasmPlugin to EnvoyFilter custom resources (CRs). WASM injection now uses EnvoyFilter patches. This enables native support for image pull secrets and allows for embedded plugin configurations directly within the patches. This is an internal Operator change. No user action is required during an update. Existing CRs might remain in your cluster as orphans.

Connectivity Link: To improve performance and scalability, the Kuadrant CR lookup is cached within the reconciliation state. This internal optimization reduces redundant get requests to the Kubernetes API server during reconciliation loops. This change reduces control plane utilization and consumption, reduces Operator resource usage, and makes policy reconciliation times faster.

MCP gateway: The toolPrefix field on the MCPServerRegistration CR is renamed prefix. This field has always been a server-level namespace, not tool-specific, and the rename aligns the API with its actual semantics now that it applies to both tools and prompts.

Migration: You must replace toolPrefix with prefix in your MCPServerRegistration CRs. Existing CRs must be deleted and recreated, not patched in-place. For bulk updates, you can use a sed one-liner or yq edit on these manifest files before you run the oc apply command.

1.2.2. Technology Preview features

You can try the Technology Preview features that are available with Red Hat Connectivity Link 1.4.

Important

Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production.

Technology Preview features give you early access to upcoming product features, enabling you to test functionality and provide feedback during the development process. For more information, see Red Hat Technology Preview Features - Scope of Support.

Support for GRPCRoute policy attachment
With this Connectivity Link release, GRPCRoute policy attachment support is available as a Technology Preview feature. You can attach AuthPolicy and RateLimitPolicy custom resources (CRs) to GRPCRoute CRs, enabling authentication and rate-limiting controls for gRPC services with native service and method matching.

For more information, see About GRPCRoute policy attachment support.

Disconnected installation documentation added
The Connectivity Link documentation now includes procedures for installing in a disconnected environment. You can apply cloud-like traffic management within your private, secure network.

For more information, see Installing Connectivity Link in a disconnected environment.

Connectivity Link OpenShift Container Platform web console plugin adds API management
With this Connectivity Link release, you can use the OpenShift Container Platform web console to manage your APIs and access to them with the OpenShift web console. You can manage an API catalog and role-based access. You can also see the relationships between your API products and attached resources, such as policies and routes, in a dynamic graph view.

For more information, see Create, share, and consume APIs across teams.

1.2.3. Known issues

Connectivity Link 1.4 has a known issue.

  • When either the Redis or RedisCached storage option is set in a Limitador CR and the limitador pod gets restarted for any reason, the first request to the gateway is never rate-limited. All http requests after this are rate-limited. (This content is not included.CONNLINK-856)

Legal Notice

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.