README.md

July 5, 2026 ยท View on GitHub

Aastro API Gateway

A lightweight, modular, and high-performance API Gateway for modern microservices.

Built with simplicity, performance, and developer-friendly configuration in mind.

Go Version License Go Report Card codecov Docker Pulls GitHub Created At GitHub release


โœจ Features

  • ๐Ÿš€ High-performance HTTP reverse proxy
  • ๐Ÿ”€ Request fan-out & response aggregation (merge, array, namespace)
  • ๐Ÿ” TLS & mutual TLS (mTLS) โ€” on the inbound data port and per-upstream
  • ๐Ÿ”„ Zero-downtime TLS certificate hot-reload โ€” cert-manager / Vault / SPIFFE ready
  • ๐Ÿงฉ Dynamic .so plugin system (request & response phase)
  • ๐Ÿ”— Path parameter extraction and forwarding
  • ๐Ÿ” Retry, circuit breaker & load balancing (round-robin, least-conns)
  • ๐Ÿ“Š Prometheus metrics with circuit breaker state tracking
  • ๐Ÿ›ก Rate limiting & trusted proxy support
  • ๐Ÿ“ฆ YAML-based configuration
  • ๐Ÿณ Docker-ready

๐Ÿš€ Quick Start

git clone https://github.com/starwalkn/aastro.git
cd aastro

make all GOOS=<YOUR_OS> GOARCH=<YOUR_ARCH>
./bin/aastro -c path/to/config.yaml

Or with Docker:

docker run \
  -p 7805:7805 \
  -v $(pwd)/config.yaml:/etc/aastro/config.yaml \
  -e AASTRO_CONFIG=/etc/aastro/config.yaml \
  starwalkn/aastro:latest

๐Ÿ”„ Zero-downtime TLS certificate rotation

Aastro reloads TLS certificates โ€” on both the inbound data port and outbound upstream connections โ€” without restarting the process, reloading config, or dropping connections. It watches the certificate directories and atomically swaps the in-memory material when the files change on disk. No SIGHUP, no full-config reload, no downtime.

Hands-off with your cert manager. Works out of the box with cert-manager, Vault Agent, and SPIFFE/SPIRE. Directory-level watching handles both atomic file replacement on a host (write-temp-then-rename) and Kubernetes secret mounts, where projected files rotate via symlink swap rather than in-place writes. Safe by construction. New handshakes use the new certificate; in-flight connections finish on the old one. If a rotated certificate or CA bundle fails to parse, the previously loaded material stays live โ€” a bad rotation can't take the listener down. No configuration required. Rotation works on your existing cert_file, key_file, and ca_file paths โ€” there is no flag to enable.

gateway:
  server:
    tls:
      enabled: true
      cert_file: /etc/aastro/server.crt   # rotate this file โ†’ picked up automatically
      key_file:  /etc/aastro/server.key
      client_auth: require
      client_ca_file: /etc/aastro/client-ca.crt

  routing:
    flows:
      - upstreams:
        - tls:
            enabled: true
            cert_file: /etc/aastro/clients/users.crt   # outbound mTLS, also hot-reloaded
            key_file:  /etc/aastro/clients/users.key
            ca_file:   /etc/aastro/internal-ca.crt

๐Ÿ“– Documentation

Full documentation, configuration reference, and plugin guide are available at:

starwalkn.github.io/aastro-docs


๐Ÿ“„ License

Open-source. See LICENSE file for details.


Made with โค๏ธ in Go