I'm working with a basic Node.js API that follows Domain Driven Design, and I'm planning to expose it using a Gateway API. As the domain grows, I intend to split it into separate images or pods. Currently, authentication is handled at the application level, but I'm considering moving it to the Gateway API for better structure. I aim to keep the infrastructure as simple as possible.
Here's what I want my Gateway API to handle:
- TLS Termination
- Integration with Observability tools like Prometheus, Grafana, Loki, and OpenTelemetry
- Rate Limiting — I'm uncertain whether to implement this at the Gateway API layer or the application level initially.
- Web Application Firewall
- Traffic Control for Canary Deployment
- Policy Management
- Health Checks
- It must be FOSS (Free and Open Source Software)
One concern I have is regarding rate limiting. If I implement it at the Gateway API level, it becomes tied to Kubernetes, which raises concerns if I decide to run my Gateway API or reverse proxy in standalone containers on a VM. I'm hoping that the rate limiting functionality is linked to the provider I choose rather than the Gateway API, but I wonder if rate limiting is intrinsically a business logic concern. For instance, the authentication route might need different rate limiting rules compared to other routes. Given all this, I'm leaning towards using Traefik or Kong, but I haven't seen much community use for Kong and prefer solutions backed by larger user bases.
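As an added example that is not part of the original question or any of the answers: the point about the authentication route needing stricter rules than the rest of the API can be handled inside the Node.js service itself, independent of Kubernetes or of whichever gateway is in front. The code below is illustrative, not from any project mentioned here. It assumes an Express/Connect-style `(req, res, next)` middleware shape, an in-memory store (a Redis-backed one would replace the `Map` in a multi-replica deployment), and hypothetical route names and limits in `ROUTE_POLICIES`. It also shows the one caveat that matters once TLS is terminated at a gateway: the app then sees the gateway's IP, so the client key must come from `X-Forwarded-For` only when the direct peer is a trusted proxy, otherwise the header can be spoofed to dodge the limit.

```javascript
// Added example: per-route sliding-window rate limiting inside a Node.js API.
// Not code from the original post; route names and limits below are hypothetical.

// Policy table keyed by "METHOD /path"; the auth endpoints get a small budget
// because they are the brute-force surface, everything else gets the default.
const ROUTE_POLICIES = {
  'POST /auth/login': { windowMs: 60_000, max: 5 },
  'POST /auth/reset': { windowMs: 60_000, max: 3 },
  default:            { windowMs: 60_000, max: 100 },
};

class SlidingWindowLimiter {
  // `now` is injectable so the policy can be unit-tested without waiting.
  constructor(policies = ROUTE_POLICIES, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests still inside the window
  }

  policyFor(method, path) {
    return this.policies[`${method} ${path}`] || this.policies.default;
  }

  // Returns { allowed, remaining, retryAfterMs } for one request.
  check(method, path, clientKey) {
    const policy = this.policyFor(method, path);
    const key = `${method} ${path} ${clientKey}`;
    const t = this.now();
    const cutoff = t - policy.windowMs;
    // Drop timestamps that have aged out of the window before counting.
    const stamps = (this.hits.get(key) || []).filter((s) => s > cutoff);
    if (stamps.length >= policy.max) {
      this.hits.set(key, stamps);
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + policy.windowMs - t };
    }
    stamps.push(t);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: policy.max - stamps.length, retryAfterMs: 0 };
  }
}

// Behind a TLS-terminating gateway, remoteAddr is the gateway, not the client.
// Trust X-Forwarded-For only when the direct peer is a known proxy, and take the
// last entry: that is the address the trusted proxy itself observed, whereas
// earlier entries may have been supplied by the client.
function clientKey(remoteAddr, headers, trustedProxies) {
  const xff = headers['x-forwarded-for'];
  if (trustedProxies.has(remoteAddr) && xff) {
    const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
    if (parts.length > 0) return parts[parts.length - 1];
  }
  return remoteAddr;
}

// Express/Connect-style middleware (assumed framework shape, not wired to a server here).
function rateLimitMiddleware(limiter, trustedProxies) {
  return (req, res, next) => {
    const key = clientKey(req.socket.remoteAddress, req.headers, trustedProxies);
    const path = req.url.split('?')[0];
    const verdict = limiter.check(req.method, path, key);
    res.setHeader('RateLimit-Remaining', String(verdict.remaining));
    if (!verdict.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end('Too Many Requests');
      return;
    }
    next();
  };
}
```

Keeping the policy table in the application does not stop you from also enforcing a coarse, route-agnostic limit at the gateway; the two layers answer different questions (abuse of one login endpoint versus one client flooding the whole service), and the app-level one survives a move from Kubernetes to standalone containers unchanged.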
4 Answers
I’ve heard lots of great things about Traefik. It’s user-friendly and has a solid community backing it up. Might be a good fit for the simplicity you're looking for!
I’m using Calico Ingress Gateway in my setup, which is built on Gateway API standards and integrates seamlessly with Envoy! It may suit your needs perfectly since it offers all the features you're looking for. Check it out here for specifics: [Envoy Gateway Docs](https://gateway.envoyproxy.io/docs/tasks/).
You might want to look into Envoy Gateway. It fits all the features you're after and is built around the Gateway API. If you're already using Istio, that would be worth considering since it’s already integrated into your setup. Cilium is a good choice for CNI if you don’t need too many features. I think you’ll find Envoy pretty sweet for your needs!
Honestly, I would steer clear of Kong unless you’re willing to pay for it. They have a lot of features locked behind a paywall, especially if you need secure deployment options. It's pretty enterprise-focused, which could be a hassle in the long run.
Yeah, I got that vibe too! Seems like a heavy investment for what they offer!

Totally agree! Envoy's got a solid feature set, and you can find loads of documentation to help you set it up right.