Red Hat Connectivity Link playground
Gateway API + Kuadrant (Connectivity Link): Auth, rate-limit, TLS, traffic shaping, OIDC, and external API proxying.
Module
Workshop — AuthPolicy + RateLimitPolicy
Use API keys to demonstrate identity + rate limiting (429).
Try endpoints Ready
Last status
—
Latency (ms)
—
Active API key
alice
Latest burst results
200
401 / 403
429
Live log same-origin
Module
Traffic shaping — A/B testing and canary rollout
The UI samples a route and visualizes observed split vs expected weights, with a progress bar and per-request log.
Traffic shaping: A/B + canary Idle
The UI sends N requests to a route and counts which backend responds.
A/B uses
/ab (expected 80/20). Canary uses /canary (expected 90/10).
expected: A/B 80/20 · canary 90/10
Run
—
—
Observed split
—
—
Avg latency (ms)
—
Latest samples (fixed width)
primary
secondary
Module
External API — Gateway-published ESPN JSON
Visually explain what happens: the browser calls the dedicated hostname
external-api.<base-domain>/<league> published via DNSPolicy (Route53) + TLS, and the cluster fetches ESPN JSON (site.api.espn.com).
External API (ESPN) via external-api hostname
The UI calls
https://external-api.<base-domain>/<league>. The in-cluster proxy fetches ESPN JSON and returns it.
Endpoints are the public ESPN JSON URLs commonly referenced by espnapi.com.
browser
external-api.<base-domain>/<league>
proxy (cluster)
ESPN JSON (site.api.espn.com)
Range
—
—
Games (final + live + upcoming)
—
Response (tree)
—
Request
—
Upstream
—
Result
—
Events
—
Request log
Module
AI chatbot — MCP tool call + TokenRateLimitPolicy
The browser talks to a Quarkus app that returns an OpenAI-compatible response including
usage.total_tokens.
When it needs external data, the app calls tools through the MCP Gateway (separate hostname) and the Gateway enforces TokenRateLimitPolicy on the AI endpoint.
—
—
Ask about sports scoreboards
Pick a tool (league) and try: What games are live? or Show finals in the last 7 days.
For the demo, the budget is intentionally small: 400 tokens / 15s. If you exceed it, you’ll get 429 from the Gateway.
budget: 400/15s
tokens: —
HTTP: —
prompt: —
Conversation
tool: — · llm: —
Custom prompt
Tip: Ctrl+Enter / Cmd+Enter to send.
Live log
Module
OIDC portal — browser login on a separate hostname
The main demo focuses on API keys, rate limits, and traffic shaping on a single host.
For OIDC, we intentionally use a separate frontend on a different hostname to make the browser login flow obvious and visually distinct.
—
What you’ll show in the OIDC portal
- Navigate to the OIDC portal URL (different hostname)
- Without login, the Gateway returns a 302 redirect to Keycloak
- After login, the Gateway sets a cookie and the portal can fetch the protected ESPN scoreboard (
/secure/nba)
OIDCPolicy (browser login)
AuthPolicy (JWT validation)
DNSPolicy (Route53 record)
Module
AuthPolicy (Keycloak JWT) — protect an API with an OIDC issuer
The Gateway validates JWTs issued by Keycloak. You’ll fetch a token, inspect it, and call a protected API with and without the token.
Authorino
Gateway endpoint:
—
Get a token (password grant)
Demo user: demo / demo on realm rhcl (client rhcl-ui).
—
HTTP (token): —
Token preview
(no token)
Call protected API
Endpoint: /jwt/secure/nba. Without a token you should get 401/403. With a token you should get 200.
HTTP: —
—
Module
Observability — dashboards for developers, platform, and business
Connectivity Link exposes metrics you can explore in Grafana dashboards and the OpenShift Console Query Browser. Use this module to jump straight to the right view depending on your audience.
Grafana dashboards
Role-focused dashboards (open directly in the cluster Grafana).
OpenShift Console graphs
Open the Query Browser with pre-filled PromQL.
Distributed tracing
Use the OpenShift Traces view when the console is available. Use Tempo (Jaeger UI) as a fallback.