Connectivity Link

Expose VM services through Gateway API with Kuadrant-powered authentication and rate limiting.

What is Connectivity Link?

Red Hat Connectivity Link is the productized distribution of the Kuadrant project. It extends the Kubernetes Gateway API with policy-based authentication, authorization, and rate limiting. When enabled in this golden path, it creates a complete ingress pipeline from the internet to the VM service.

Components Created

When enableConnectivityLink is set to true, the template generates the following additional resources:

Gateway

A gateway.networking.k8s.io/v1 Gateway using the istio GatewayClass. It listens on HTTP port 8080 with a ClusterIP service type; Istio provisions an Envoy proxy pod for it.

HTTPRoute

Routes requests matching the configured path prefix to the VM Service on port 8080. Attached to the Gateway as a parentRef.

OpenShift Route

Exposes the Istio gateway service externally with TLS edge termination. Provides the *.apps.<domain> hostname.

AuthPolicy

Kuadrant AuthPolicy targeting the HTTPRoute. Configures authentication via API Key header/cookie or OIDC JWT validation.

RateLimitPolicy

Global rate limiting on the HTTPRoute (when auth model is not API Key). Enforces a per-minute request limit via Limitador.

PlanPolicy + APIProduct

(API Key mode only) Tiered rate limiting with free/basic/pro plans and Dev Portal integration for API Key self-service.

Authentication Models

None (Open Access)

No authentication is enforced. All requests pass through to the VM service. A RateLimitPolicy is still applied if the rate limit is greater than zero.

API Key

Clients authenticate by providing an API key via the X-API-Key HTTP header or a vm-api-key cookie. The AuthPolicy uses Authorino's apiKey identity source, which validates keys stored as Kubernetes Secrets with the label authorino.kuadrant.io/managed-by: authorino.

A demo API key Secret named <vmName>-demo-key is created automatically and assigned to the basic plan tier.

Rate Limit Plans (API Key mode)

When the API Key authentication model is selected, rate limiting is handled by a PlanPolicy instead of a plain RateLimitPolicy. The PlanPolicy defines three tiers:

Plan    Daily Limit       Per-Minute Limit   How to Select
free    100 requests      10 requests        Set annotation secret.kuadrant.io/plan-id: free on the API key Secret
basic   1,000 requests    60 requests        Set annotation secret.kuadrant.io/plan-id: basic on the API key Secret
pro     10,000 requests   300 requests       Set annotation secret.kuadrant.io/plan-id: pro on the API key Secret
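The API Key model above, written out as manifests. This is an added example, not the template's generated output: the AuthPolicy accepts the same keys from the X-API-Key header or the vm-api-key cookie, and the Secret carries the Authorino label plus the plan-id annotation that selects a tier. The names my-webserver, my-webserver-route and user1-vms are assumed.

```yaml
# Added example; resource names are assumed, not taken from the template.
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: my-webserver-auth
  namespace: user1-vms
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-webserver-route
  rules:
    authentication:
      # Key presented in the X-API-Key request header
      "api-key-header":
        apiKey:
          selector:
            matchLabels:
              app: my-webserver
        credentials:
          customHeader:
            name: X-API-Key
      # Same key Secrets, presented in the cookie set by the login form
      "api-key-cookie":
        apiKey:
          selector:
            matchLabels:
              app: my-webserver
        credentials:
          cookie:
            name: vm-api-key
---
apiVersion: v1
kind: Secret
metadata:
  name: my-webserver-demo-key
  namespace: user1-vms
  labels:
    # Authorino only indexes Secrets carrying this label
    authorino.kuadrant.io/managed-by: authorino
    # Matched by the apiKey selectors in the AuthPolicy above
    app: my-webserver
  annotations:
    # Selects the 1,000/day, 60/minute tier of the PlanPolicy
    secret.kuadrant.io/plan-id: basic
type: Opaque
stringData:
  api_key: REPLACE-WITH-A-RANDOM-KEY
```

Generate the key value with something like openssl rand -hex 32 rather than a guessable string; a request without the header or cookie, or with a key whose Secret lacks the label, is rejected before it reaches the HTTPRoute.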

Unauthenticated Response (API Key)

When no valid API key is provided, the AuthPolicy returns a custom HTML login page (HTTP 401) that allows users to enter their API key in a browser form. The form validates the key against the service and sets a cookie for subsequent requests.

OIDC (Keycloak)

Clients authenticate using a JWT Bearer token issued by Red Hat Build of Keycloak. The AuthPolicy validates tokens against the Keycloak issuer URL:

jwt:
  issuerUrl: https://rhbk.<clusterDomain>/realms/<realm>
credentials:
  authorizationHeader:
    prefix: Bearer

Usage with curl:

# Get a token from Keycloak
TOKEN=$(curl -s -X POST \
  "https://rhbk.apps.cluster.example.com/realms/neuralbank/protocol/openid-connect/token" \
  -d "grant_type=client_credentials" \
  -d "client_id=vm-client" \
  -d "client_secret=YOUR_SECRET" | jq -r .access_token)

# Access the VM service
curl -H "Authorization: Bearer $TOKEN" \
  https://my-webserver-route-user1-vms.apps.cluster.example.com/

Dev Portal & API Product

When the API Key model is selected, the template also creates an APIProduct resource (Kuadrant Dev Portal CRD). This enables:

The API is also registered in the Backstage catalog as an API entity with an OpenAPI 3.0 spec, linked to the VM Component via providesApis.

Traffic Flow Diagram

  Client Request
       │
       │  HTTPS
       ▼
  ┌─────────────────┐
  │ OpenShift Route │  TLS edge termination
  │ (HAProxy)       │
  └────────┬────────┘
           │  HTTP :8080
           ▼
  ┌─────────────────┐
  │ Istio Gateway   │  GatewayClass: istio
  │ (Envoy Proxy)   │
  └────────┬────────┘
           │
     ┌─────┴──────┐
     ▼            ▼
┌─────────┐  ┌─────────┐
│Authorino│  │Limitador│  Envoy ext-auth & rate-limit filters
│(AuthPol)│  │(RLPol)  │
└─────────┘  └─────────┘
     │            │
     └─────┬──────┘
           │  Authorized + Within limits
           ▼
  ┌─────────────────┐
  │ HTTPRoute       │  Path prefix match
  └────────┬────────┘
           │
           ▼
  ┌─────────────────┐
  │ K8s Service     │  ClusterIP :8080
  └────────┬────────┘
           │
           ▼
  ┌─────────────────┐
  │ VM (httpd)      │  RHEL guest on :8080
  └─────────────────┘