README.md
July 5, 2026 ยท View on GitHub
Aastro API Gateway
A lightweight, modular, and high-performance API Gateway for modern microservices.
Built with simplicity, performance, and developer-friendly configuration in mind.
โจ Features
- ๐ High-performance HTTP reverse proxy
- ๐ Request fan-out & response aggregation (merge, array, namespace)
- ๐ TLS & mutual TLS (mTLS) โ on the inbound data port and per-upstream
- ๐ Zero-downtime TLS certificate hot-reload โ cert-manager / Vault / SPIFFE ready
- ๐งฉ Dynamic
.soplugin system (request & response phase) - ๐ Path parameter extraction and forwarding
- ๐ Retry, circuit breaker & load balancing (round-robin, least-conns)
- ๐ Prometheus metrics with circuit breaker state tracking
- ๐ก Rate limiting & trusted proxy support
- ๐ฆ YAML-based configuration
- ๐ณ Docker-ready
๐ Quick Start
git clone https://github.com/starwalkn/aastro.git
cd aastro
make all GOOS=<YOUR_OS> GOARCH=<YOUR_ARCH>
./bin/aastro -c path/to/config.yaml
Or with Docker:
docker run \
-p 7805:7805 \
-v $(pwd)/config.yaml:/etc/aastro/config.yaml \
-e AASTRO_CONFIG=/etc/aastro/config.yaml \
starwalkn/aastro:latest
๐ Zero-downtime TLS certificate rotation
Aastro reloads TLS certificates โ on both the inbound data port and outbound upstream connections โ without restarting the process, reloading config, or dropping connections. It watches the certificate directories and atomically swaps the in-memory material when the files change on disk. No SIGHUP, no full-config reload, no downtime.
Hands-off with your cert manager. Works out of the box with cert-manager, Vault Agent, and SPIFFE/SPIRE. Directory-level watching handles both atomic file replacement on a host (write-temp-then-rename) and Kubernetes secret mounts, where projected files rotate via symlink swap rather than in-place writes. Safe by construction. New handshakes use the new certificate; in-flight connections finish on the old one. If a rotated certificate or CA bundle fails to parse, the previously loaded material stays live โ a bad rotation can't take the listener down. No configuration required. Rotation works on your existing cert_file, key_file, and ca_file paths โ there is no flag to enable.
gateway:
server:
tls:
enabled: true
cert_file: /etc/aastro/server.crt # rotate this file โ picked up automatically
key_file: /etc/aastro/server.key
client_auth: require
client_ca_file: /etc/aastro/client-ca.crt
routing:
flows:
- upstreams:
- tls:
enabled: true
cert_file: /etc/aastro/clients/users.crt # outbound mTLS, also hot-reloaded
key_file: /etc/aastro/clients/users.key
ca_file: /etc/aastro/internal-ca.crt
๐ Documentation
Full documentation, configuration reference, and plugin guide are available at:
starwalkn.github.io/aastro-docs
๐ License
Open-source. See LICENSE file for details.
Made with โค๏ธ in Go