Skip to content

starwalkn/aastro

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

332 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Aastro API Gateway

A lightweight, modular, and high-performance API Gateway for modern microservices.

Built with simplicity, performance, and developer-friendly configuration in mind.

Go Version License Go Report Card codecov Docker Pulls GitHub Created At GitHub release


✨ Features

  • 🚀 High-performance HTTP reverse proxy
  • 🔀 Request fan-out & response aggregation (merge, array, namespace)
  • 🔐 TLS & mutual TLS (mTLS) — on the inbound data port and per-upstream
  • 🔄 Zero-downtime TLS certificate hot-reload — cert-manager / Vault / SPIFFE ready
  • 🧩 Dynamic .so plugin system (request & response phase)
  • 🔗 Path parameter extraction and forwarding
  • 🔁 Retry, circuit breaker & load balancing (round-robin, least-conns)
  • 📊 Prometheus metrics with circuit breaker state tracking
  • 🛡 Rate limiting & trusted proxy support
  • 📦 YAML-based configuration
  • 🐳 Docker-ready

🚀 Quick Start

git clone https://github.com/starwalkn/aastro.git
cd aastro

make all GOOS=<YOUR_OS> GOARCH=<YOUR_ARCH>
./bin/aastro -c path/to/config.yaml

Or with Docker:

docker run \
  -p 7805:7805 \
  -v $(pwd)/config.yaml:/etc/aastro/config.yaml \
  -e AASTRO_CONFIG=/etc/aastro/config.yaml \
  starwalkn/aastro:latest

🔄 Zero-downtime TLS certificate rotation

Aastro reloads TLS certificates — on both the inbound data port and outbound upstream connections — without restarting the process, reloading config, or dropping connections. It watches the certificate directories and atomically swaps the in-memory material when the files change on disk. No SIGHUP, no full-config reload, no downtime.

Hands-off with your cert manager. Works out of the box with cert-manager, Vault Agent, and SPIFFE/SPIRE. Directory-level watching handles both atomic file replacement on a host (write-temp-then-rename) and Kubernetes secret mounts, where projected files rotate via symlink swap rather than in-place writes. Safe by construction. New handshakes use the new certificate; in-flight connections finish on the old one. If a rotated certificate or CA bundle fails to parse, the previously loaded material stays live — a bad rotation can't take the listener down. No configuration required. Rotation works on your existing cert_file, key_file, and ca_file paths — there is no flag to enable.

gateway:
  server:
    tls:
      enabled: true
      cert_file: /etc/aastro/server.crt   # rotate this file → picked up automatically
      key_file:  /etc/aastro/server.key
      client_auth: require
      client_ca_file: /etc/aastro/client-ca.crt

  routing:
    flows:
      - upstreams:
        - tls:
            enabled: true
            cert_file: /etc/aastro/clients/users.crt   # outbound mTLS, also hot-reloaded
            key_file:  /etc/aastro/clients/users.key
            ca_file:   /etc/aastro/internal-ca.crt

📖 Documentation

Full documentation, configuration reference, and plugin guide are available at:

starwalkn.github.io/aastro-docs


📄 License

Open-source. See LICENSE file for details.


Made with ❤️ in Go

About

Extensible API Gateway written in Go. Load custom plugins to extend functionality.

Topics

Resources

License

Contributing

Stars

17 stars

Watchers

0 watching

Forks

Contributors

Languages