A high-performance API Gateway built on Pingora and Gateway API. Designed for both Kubernetes and standalone (bare-metal / VM) environments.
- High Performance — Built on Cloudflare's Pingora framework with Rust; clear stack traces and better debugging compared to Lua/Go-based proxies
- Gateway API v1 — Full support for the standard Kubernetes Gateway API (v1.4.0), including HTTPRoute, GRPCRoute, TCPRoute, UDPRoute, and TLSRoute. Note that TCPRoute and UDPRoute are experimental-channel resources in Gateway API 1.4, so their CRDs have to be installed from the experimental channel, not the standard one
- Dual Deployment — Runs in Kubernetes (watching CRDs) or standalone mode (local YAML config), same binary
- Hot Reload — Routes, backends, plugins, and TLS certificates all take effect immediately without restart or connection drops
- Flexible Routing — Path (Exact / Prefix / Regex), Header, Query Parameter, and Method matching with priority-based rule evaluation; supports domain-level routing with exact and wildcard hostnames
- Multi-Protocol — HTTP/1.1, HTTP/2, gRPC, TCP, UDP, WebSocket, and SNI proxy
- Advanced TLS — mTLS, dynamic certificate loading, ACME auto-provisioning (HTTP-01 / DNS-01), and per-domain TLS policy
- Per-Domain TLS Version & Cipher Control — Each domain can independently configure minimum TLS version and allowed cipher suites via EdgionTls, enabling legacy algorithm compatibility for specific domains while enforcing strict security on others
- Extensible Plugin System — 25+ built-in HTTP plugins and TCP/UDP stream plugins with plugin composition support, see full list below
- Resilience — Retry with configurable backoff, timeouts, and session persistence (Cookie / Header)
- Load Balancing — Multiple algorithms including Round Robin, EWMA, Least Connections, Consistent Hashing, and Weighted selection with active health checks
- Observability — Unified access log captures the full request lifecycle (routing, plugins, backend, errors) in a single JSON line; Prometheus metrics endpoint with distributed tracing readiness
- Sandbox Gateway — Isolated gateway environments for controlled execution
Edgion provides a rich set of built-in plugins via the EdgionPlugins CRD. Plugins can be attached to routes through Gateway API's ExtensionRef filter or composed via Plugin Composition.
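As an added example (not taken from the project's documentation), this is the standard Gateway API shape for attaching a plugin resource to one HTTPRoute rule through the ExtensionRef filter. The API group `edgion.io`, the plugin resource name `api-auth`, the Gateway name and the backend Service are assumptions; the page does not state the CRD's group, so take it from the installed EdgionPlugins CRD. ExtensionRef filters are evaluated per rule, so a rule that omits the filter runs without the plugin; when an authentication plugin is meant to protect a whole hostname, every rule under it must carry the filter.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
  namespace: default
spec:
  parentRefs:
    - name: edgion            # assumed Gateway name
  hostnames:
    - "api.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      filters:
        - type: ExtensionRef
          extensionRef:
            group: edgion.io  # assumed; use the group declared by the installed EdgionPlugins CRD
            kind: EdgionPlugins
            name: api-auth    # assumed EdgionPlugins resource in the same namespace
      backendRefs:
        - name: api-svc       # assumed Service
          port: 8080
    # A second rule WITHOUT the filter would be served unauthenticated;
    # add the same ExtensionRef to every rule that must be protected.
```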
Authentication plugins:

| Plugin | Description |
|---|---|
| Basic Auth | HTTP Basic authentication with htpasswd support |
| JWT Auth | JSON Web Token validation and claim extraction (HS256 / RS256 / ES256) |
| Key Auth | API key authentication via header or query param |
| HMAC Auth | HMAC-based request signing verification |
| LDAP Auth | LDAP / Active Directory authentication |
| Forward Auth | Delegate authentication to an external service |
| OpenID Connect | OIDC-based SSO with Code Flow + PKCE, session cookie, and token refresh |
| JWE Decrypt | JSON Web Encryption decryption with payload-to-header mapping |
| Header Cert Auth | Client certificate authentication from a certificate forwarded in a request header by an upstream TLS terminator; the header must only be accepted from trusted proxies |
Access control plugins:

| Plugin | Description |
|---|---|
| CORS | Cross-Origin Resource Sharing policy |
| CSRF | Cross-Site Request Forgery protection |
| IP Restriction | IP allowlist / denylist access control |
| Request Restriction | Attribute-based access control on headers, cookies, query params, path, method, and referer |
Traffic management plugins:

| Plugin | Description |
|---|---|
| Rate Limit | Local rate limiting using a CMS (count-min sketch) counter, with multi-dimension keys (IP / Header / Path) |
| Rate Limit (Redis) | Distributed rate limiting backed by Redis with cluster-wide coordination |
| Proxy Rewrite | Rewrite upstream URI, host, method, and headers with regex and variable support |
| Response Rewrite | Modify response status, headers (set / add / remove / rename), and body |
| Bandwidth Limit | Per-route downstream bandwidth throttling |
| Request Mirror | Mirror traffic to a secondary backend |
| Direct Endpoint | Route to a specific endpoint bypassing service discovery |
| Dynamic Upstream | Dynamically resolve upstream targets at request time |
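The local Rate Limit plugin names a count-min sketch (CMS) as its counting structure. The following is an added illustration of that technique, written for this page and not taken from Edgion's source: a fixed-memory sketch with one hash per row, a fixed-window limiter keyed on several request dimensions, and the property a practitioner should know about before relying on it. A CMS can only over-count (a colliding key adds to a counter and never subtracts), so a limiter built on it fails closed: it may throttle a client slightly early under collision pressure, but it never lets a hot key slip under the limit. The sketch dimensions, window and sample requests are constructed for the example; only the standard library is used.

```rust
// Added illustration of a count-min-sketch (CMS) rate limiter with
// multi-dimension keys. Not Edgion's implementation; standard library only.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::time::{Duration, Instant};

/// Count-min sketch: `depth` rows of `width` counters. Memory is fixed no
/// matter how many distinct keys (IPs, paths, header values) are seen.
pub struct CountMinSketch {
    width: usize,
    rows: Vec<Vec<u32>>,
}

impl CountMinSketch {
    pub fn new(width: usize, depth: usize) -> Self {
        assert!(width > 0 && depth > 0, "sketch must have at least one counter");
        Self { width, rows: vec![vec![0; width]; depth] }
    }

    /// Row-specific hash: seeding the hasher with the row index yields
    /// `depth` different hash functions from one hasher.
    fn slot(&self, row: usize, key: &str) -> usize {
        let mut h = DefaultHasher::new();
        row.hash(&mut h);
        key.hash(&mut h);
        (h.finish() % self.width as u64) as usize
    }

    /// Increment `key` and return its estimated count (the minimum across
    /// rows). The estimate never under-counts, only over-counts on collisions.
    pub fn increment(&mut self, key: &str) -> u32 {
        let mut estimate = u32::MAX;
        for row in 0..self.rows.len() {
            let i = self.slot(row, key);
            let c = self.rows[row][i].saturating_add(1);
            self.rows[row][i] = c;
            estimate = estimate.min(c);
        }
        estimate
    }

    pub fn reset(&mut self) {
        for row in &mut self.rows {
            row.iter_mut().for_each(|c| *c = 0);
        }
    }
}

/// Fixed-window limiter whose key combines several request dimensions.
pub struct RateLimiter {
    sketch: CountMinSketch,
    limit: u32,
    window: Duration,
    window_start: Instant,
}

impl RateLimiter {
    pub fn new(limit: u32, window: Duration, width: usize, depth: usize, now: Instant) -> Self {
        Self { sketch: CountMinSketch::new(width, depth), limit, window, window_start: now }
    }

    /// Build one sketch key from dimensions such as [("ip", ..), ("path", ..)].
    pub fn key(dims: &[(&str, &str)]) -> String {
        dims.iter().map(|(d, v)| format!("{d}={v}")).collect::<Vec<_>>().join("|")
    }

    /// Returns true when the request may proceed. `now` is passed in so the
    /// window logic is testable without sleeping.
    pub fn allow(&mut self, dims: &[(&str, &str)], now: Instant) -> bool {
        if now.duration_since(self.window_start) >= self.window {
            self.sketch.reset();
            self.window_start = now;
        }
        self.sketch.increment(&Self::key(dims)) <= self.limit
    }
}

fn main() {
    let now = Instant::now();
    // constructed sample: 3 requests per 60 s per (client IP, path)
    let mut rl = RateLimiter::new(3, Duration::from_secs(60), 1024, 4, now);
    let login = [("ip", "203.0.113.7"), ("path", "/login")];
    for n in 1..=4 {
        println!("request {n}: allowed={}", rl.allow(&login, now));
    }
}
```

Because the sketch holds no per-key state, a distributed deployment cannot merge or expire individual keys; that is why the page lists a separate Redis-backed variant for cluster-wide coordination.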
Utility plugins:

| Plugin | Description |
|---|---|
| Real IP | Extract real client IP from proxy headers with recursive trusted-IP resolution |
| Ctx Setter | Set context variables for downstream plugins, conditions, and access log |
| Mock | Return mock responses for testing |
| DSL | Custom request processing via built-in DSL expressions |
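The Real IP plugin's "recursive trusted-IP resolution" is the detail that decides whether rate limits, IP restrictions and access logs can be spoofed with a forged X-Forwarded-For header. The following is an added illustration of that resolution, written for this page and not Edgion's code: the header is ignored entirely unless the TCP peer is a trusted proxy, then it is walked from the right, skipping trusted hops, and the first untrusted address is the client. Anything to the left of that address was written by an untrusted party and is never consulted, which is what defeats a client that prepends a fake trusted hop. The trusted ranges and header values are constructed for the example; only the standard library is used.

```rust
// Added illustration of real-client-IP extraction from X-Forwarded-For with a
// trusted-proxy list, walking right-to-left. Not Edgion's code; std only.
use std::net::IpAddr;

/// A trusted network in CIDR form, e.g. "10.0.0.0/8" or "fd00::/8".
#[derive(Clone, Copy, Debug)]
pub struct Cidr { net: IpAddr, prefix: u8 }

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (ip, len) = s.split_once('/')?;
        let net: IpAddr = ip.parse().ok()?;
        let prefix: u8 = len.parse().ok()?;
        let max = if net.is_ipv4() { 32 } else { 128 };
        (prefix <= max).then_some(Cidr { net, prefix })
    }

    pub fn contains(&self, ip: IpAddr) -> bool {
        match (ip, self.net) {
            (IpAddr::V4(a), IpAddr::V4(n)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(a) & mask) == (u32::from(n) & mask)
            }
            (IpAddr::V6(a), IpAddr::V6(n)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(a) & mask) == (u128::from(n) & mask)
            }
            _ => false, // address-family mismatch never matches
        }
    }
}

fn is_trusted(ip: IpAddr, trusted: &[Cidr]) -> bool {
    trusted.iter().any(|c| c.contains(ip))
}

/// Resolve the client address. `peer` is the TCP peer that connected to the
/// gateway; `xff` is the raw X-Forwarded-For value, if present.
///
/// 1. If the peer is not a trusted proxy, the header is attacker input: ignore it.
/// 2. Otherwise walk the header from the right, skipping trusted hops; the first
///    untrusted address is the client. Entries left of it are never consulted.
/// 3. A malformed entry stops the walk; fall back to the nearest trusted hop
///    rather than trusting whatever sits to the left of the garbage.
pub fn real_ip(peer: IpAddr, xff: Option<&str>, trusted: &[Cidr]) -> IpAddr {
    if !is_trusted(peer, trusted) {
        return peer;
    }
    let xff = match xff {
        Some(v) if !v.trim().is_empty() => v,
        _ => return peer,
    };
    let mut nearest_trusted = peer;
    for entry in xff.rsplit(',') {
        match entry.trim().parse::<IpAddr>() {
            Ok(ip) if is_trusted(ip, trusted) => nearest_trusted = ip,
            Ok(ip) => return ip,
            Err(_) => return nearest_trusted,
        }
    }
    // every hop was trusted (fully internal traffic): report the leftmost one
    nearest_trusted
}

fn main() {
    let trusted: Vec<Cidr> = ["10.0.0.0/8", "fd00::/8"]
        .iter().filter_map(|s| Cidr::parse(s)).collect();
    let peer: IpAddr = "10.0.0.1".parse().unwrap();
    // constructed sample: the client prepended a fake trusted hop; the real
    // client is 198.51.100.23, appended by trusted proxy 10.0.0.2
    let xff = "10.0.0.5, 198.51.100.23, 10.0.0.2";
    println!("client = {}", real_ip(peer, Some(xff), &trusted));
}
```

The check worth doing in any deployment is the first rule: if the gateway is reachable directly (not only through the listed proxies), an attacker who connects straight to it must not be able to pick their own source address by sending the header.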
These filters are built into the Gateway API specification and require no CRD:

- Request Header Modifier
- Response Header Modifier
- Request Redirect
- URL Rewrite
Stream (TCP/UDP) plugins:

| Plugin | Description |
|---|---|
| IP Restriction | Connection-level IP allowlist / denylist |
For setup and usage details, see the User Guide and the examples.
```bash
# Run unit tests
cargo test --all --tests

# Run integration tests
cd examples/testing
./run_integration_test.sh
```

Edgion follows a Controller–Gateway separation architecture connected via gRPC:

- Controller (`edgion-controller`) — Watches configuration sources (Kubernetes CRDs or local YAML), validates and pre-parses resources, then streams them to gateways via gRPC. Handles ACME certificates and status updates.
- Gateway (`edgion-gateway`) — Stateless data plane built on Pingora. Receives configuration from the controller, executes routing, plugin chains, load balancing, TLS termination, and access logging.
- CLI (`edgion-ctl`) — Management tool for inspecting and operating both controller and gateway.
```text
┌──────────────┐
│ K8s API /    │
│ Local YAML   │
└──────┬───────┘
       │ watch
┌──────▼───────┐
│  Controller  │ ── Admin API :5800
└──────┬───────┘
       │ gRPC :5810
┌──────┴─────┬────────────┐
│            │            │
┌──────▼──┐ ┌──────▼──┐ ┌──────▼──┐
│ Gateway │ │ Gateway │ │ Gateway │
│ :80/443 │ │ :80/443 │ │ :80/443 │
└─────────┘ └─────────┘ └─────────┘
```
For architecture details, see Architecture Overview.
- Gateway API Conformance Testing — Broader validation against Gateway API conformance suites
- Cache Plugin — Response caching and cache-anything support
- Async MQ / Log Gateway — Asynchronous message queue integration
- Full-Chain Reconcile — End-to-end configuration reconciliation
- HTTP/3 — Native HTTP/3 support across the gateway stack
- AI Gateway — AI-specific plugins and policies
- AI Mesh — AI service mesh capabilities
- MCP Proxy — Model Context Protocol proxy
- AI Workflow Engine — AI-powered workflow orchestration
Please excuse the many commits with minimal detail. AI-assisted development is moving faster than I can document every change thoroughly right now.
Contributions are welcome! Please check out:
Licensed under the Apache License, Version 2.0. See LICENSE for details.
- Pingora — High-performance proxy framework by Cloudflare
- Gateway API — Kubernetes SIG Network
- kube-rs — Kubernetes client library for Rust
- nom — Parser combinator framework for Rust
Version: v0.1.1
Last Updated: 2026-03-08