Architecture Overview

This module presents the side-by-side architecture of the migration environment. Both 3scale and Connectivity Link run on the same OpenShift cluster, enabling direct comparison.

Cluster layout

3scale source workloads and Connectivity Link target workloads in the same OpenShift cluster plus Developer Hub

Platform components

Component	Role
Developer Hub	Self-service portal: software catalog, templates, documentation, Kuadrant plugin, notifications.
Keycloak	Identity provider and SSO. Manages OIDC realms for both 3scale and Connectivity Link.
Gitea	Internal Git server. Stores application code and Kubernetes manifests.
ArgoCD	GitOps engine. Syncs manifests from Git to the cluster continuously.
3scale Operator	Manages the 3scale APIManager, Products, Backends, and Application Plans via CRDs.
Kuadrant Operator	Manages Connectivity Link policies: AuthPolicy, OIDCPolicy, RateLimitPolicy, PlanPolicy, APIProduct.
Istio / Service Mesh	Data plane for Gateway API. Provides Envoy-based traffic management integrated with Kuadrant.
Grafana / Kiali	Observability stack: dashboards (Grafana), service mesh topology (Kiali).

Component

Role

Developer Hub

Self-service portal: software catalog, templates, documentation, Kuadrant plugin, notifications.

Keycloak

Identity provider and SSO. Manages OIDC realms for both 3scale and Connectivity Link.

Gitea

Internal Git server. Stores application code and Kubernetes manifests.

ArgoCD

GitOps engine. Syncs manifests from Git to the cluster continuously.

3scale Operator

Manages the 3scale APIManager, Products, Backends, and Application Plans via CRDs.

Kuadrant Operator

Manages Connectivity Link policies: AuthPolicy, OIDCPolicy, RateLimitPolicy, PlanPolicy, APIProduct.

Istio / Service Mesh

Data plane for Gateway API. Provides Envoy-based traffic management integrated with Kuadrant.

Grafana / Kiali

Observability stack: dashboards (Grafana), service mesh topology (Kiali).

Request flow comparison

3scale flow (APIcast)

Request path — Client; OpenShift Route; APIcast; Backend Service

APIcast validates credentials against the 3scale backend (Redis). MappingRules determine which metric to increment. Application Plans enforce rate limits.

Connectivity Link flow (Kuadrant)

Request path — Client; OpenShift Route; Istio Gateway; Backend Service with policies

The Istio Gateway delegates authentication to Authorino and rate limiting to Limitador. Policies are attached directly to the Gateway or HTTPRoute as Kubernetes CRDs.

Namespace mapping

Application 3scale Namespace Connectivity Link Namespace

Application	3scale Namespace	Connectivity Link Namespace
Neuralbank (OIDC)	`neuralbank-3scale`	`neuralbank-stack`
NFL Wallet (API Key)	`nfl-wallet-3scale`	`nfl-wallet-prod`
3scale Operator	`3scale-system`	—
Kuadrant Operator	—	`kuadrant-system`

Neuralbank (OIDC)

neuralbank-3scale

neuralbank-stack

NFL Wallet (API Key)

nfl-wallet-3scale

nfl-wallet-prod

3scale Operator

3scale-system

—

Kuadrant Operator

—

kuadrant-system