Communication between the Nantian Gateway control plane and data plane occurs over gRPC bidirectional streaming. The protocol is defined in proto/gateway/control/v1/control.proto. It is based on Envoy’s xDS model, but the message structures are designed specifically for Nantian Gateway’s internal representation (IR).
There are two gRPC services between the control plane and data plane:
Service RPC Type Purpose ConfigurationDiscoveryServiceStreamConfigurationBidirectional stream Push configuration snapshots and acknowledge receipt status ConfigurationDiscoveryServiceReportStatusUnary RPC Data plane reports health status
|-- DiscoveryRequest (subscribe) ------>| Data plane initiates subscription
|<---- DiscoveryResponse (snapshot) --- | Control plane pushes config snapshot
|-- DiscoveryRequest (ACK/NACK) ------>| Data plane acknowledges receipt
| ... config change ... |
|<---- DiscoveryResponse (new ver) ---- | Control plane pushes new snapshot
|-- DiscoveryRequest (ACK/NACK) ------>| Data plane acknowledges
|-- StatusReport --------------------->| Data plane reports health status
|<---- StatusAck --------------------- | Control plane acknowledges receipt
Version tracking : Each configuration snapshot has a version field. The control plane increments the version number on every configuration change. The data plane carries its current version in the DiscoveryRequest, and the control plane uses this to determine whether a new configuration needs to be pushed.
Nonce mechanism : Each DiscoveryResponse carries a random nonce. The data plane must return this nonce unchanged in its acknowledgment. This prevents stale acknowledgments from interfering with the configuration stream.
Subscription model : The data plane declares which resource types it cares about in its initial DiscoveryRequest (the subscriptions field). The control plane only pushes resources the data plane has subscribed to.
ACK/NACK : After receiving a configuration, the data plane must reply with an acknowledgment status. ACK means the configuration was successfully applied. NACK means the configuration is invalid, with error information carried in the error_detail field.
A request message sent by the data plane to the control plane.
Field Type Description node_idstringData plane node identifier, typically the Pod name clusterstringName of the cluster the data plane belongs to versionstringCurrently applied configuration version noncestringThe nonce from the last received response (used for ACK/NACK) subscriptionsrepeated stringList of subscribed resource types result_statusDiscoveryResultStatusConfiguration application result: ACK or NACK error_detailstringError details when NACK
A response message from the control plane to the data plane.
Field Type Description versionstringCurrent configuration snapshot version noncestringUnique identifier for this response; the data plane must return this in its acknowledgment snapshotConfigSnapshotConfiguration snapshot content
The configuration snapshot, containing all configuration information needed by the data plane.
Field Type Description idstringSnapshot unique identifier generated_atTimestampSnapshot generation time listenersrepeated ListenerListener list http_routesrepeated HttpRouteHTTP route list grpc_routesrepeated GrpcRoutegRPC route list stream_routesrepeated StreamRouteTCP/UDP/TLS route list backendsrepeated BackendClusterBackend cluster list secretsrepeated SecretMaterialTLS certificates and keys extensionsStructExtension configuration (Wasm plugins, etc.)
A health status message periodically reported by the data plane.
Field Type Description node_idstringData plane node identifier versionstringCurrent data plane version readyboolWhether ready to accept traffic messagestringStatus message observed_atTimestampObservation time
The control plane’s acknowledgment of a status report.
Field Type Description acceptedboolWhether the status report was accepted
Listener defines the network ports and protocols the data plane should listen on.
Field Type Description namestringListener name addressstringListen address portuint32Listen port protocolListenerProtocolProtocol type hostnamesrepeated stringAllowed hostname list attached_routesrepeated stringNames of routes bound to this listener tlsTlsConfigTLS configuration metadatamap<string, string>Metadata backend_tlsBackendTlsConfigBackend TLS configuration addressesrepeated stringMulti-address listeners
Value Description LISTENER_PROTOCOL_HTTPHTTP/1.1 and HTTP/2 (h2c) LISTENER_PROTOCOL_HTTPSTLS termination + HTTP LISTENER_PROTOCOL_GRPCgRPC LISTENER_PROTOCOL_HTTP3HTTP/3 (QUIC) LISTENER_PROTOCOL_TCPTCP stream proxy LISTENER_PROTOCOL_UDPUDP stream proxy LISTENER_PROTOCOL_TLS_PASSTHROUGHTLS passthrough LISTENER_PROTOCOL_TLSTLS termination
Field Type Description enabledboolWhether TLS is enabled passthroughboolWhether in passthrough mode secret_refsrepeated stringReferenced Secret names sni_hostsrepeated stringSNI hostname list min_versionstringMinimum TLS version max_versionstringMaximum TLS version frontend_validationFrontendValidationClient certificate validation
Field Type Description ca_pemsrepeated stringCA certificate PEM list modestringValidation mode
HttpRoute corresponds to the HTTPRoute resource in the Gateway API and defines HTTP traffic routing rules.
Field Type Description namestringRoute name namespacestringNamespace hostnamesrepeated stringHostname list parent_refsrepeated ParentRefParent resource references rulesrepeated HttpRuleRouting rule list labelsmap<string, string>Labels annotationsmap<string, string>Annotations
Field Type Description matchesrepeated HttpMatchMatch conditions filtersrepeated FilterFilter chain backend_refsrepeated BackendRefBackend reference list timeoutsHttpRouteTimeoutsTimeout configuration retryHttpRouteRetryRetry configuration session_persistenceSessionPersistenceSession persistence namestringRule name
Field Type Description pathstringPath match value path_typestringPath match type: Exact, PathPrefix, RegularExpression methodstringHTTP method headersrepeated HeaderMatchRequest header match conditions query_paramsrepeated QueryMatchQuery parameter match conditions
Field Type Description requestDurationRequest timeout backend_requestDurationBackend request timeout
Field Type Description codesrepeated uint32HTTP status codes that trigger retry attemptsuint32Maximum retry attempts backoffDurationRetry backoff time
GrpcRoute corresponds to the GRPCRoute resource in the Gateway API.
Field Type Description namestringRoute name namespacestringNamespace hostnamesrepeated stringHostname list parent_refsrepeated ParentRefParent resource references rulesrepeated GrpcRulegRPC routing rules
Field Type Description matchesrepeated GrpcMatchMatch conditions filtersrepeated FilterFilter chain backend_refsrepeated BackendRefBackend reference list session_persistenceSessionPersistenceSession persistence namestringRule name
Field Type Description servicestringgRPC service name methodstringgRPC method name headersrepeated HeaderMatchMetadata matching match_typestringMatch type
StreamRoute uniformly represents TCP, UDP, and TLS routes.
Field Type Description namestringRoute name namespacestringNamespace kindRouteKindRoute type: TCP, UDP, TLS parent_refsrepeated ParentRefParent resource references rulesrepeated StreamRuleStream routing rules
Field Type Description portuint32Match port sni_hostnamestringSNI hostname (TLS routes) modeTlsRouteModeTLS route mode: PASSTHROUGH or TERMINATE
BackendCluster represents a backend service cluster.
Field Type Description namestringCluster name namespacestringNamespace protocolstringBackend protocol endpointsrepeated BackendEndpointEndpoint list connect_timeoutDurationConnection timeout request_timeoutDurationRequest timeout tls_validationBackendTlsValidationBackend TLS verification session_persistenceSessionPersistenceSession persistence load_balancingLoadBalancingPolicyLoad balancing strategy ai_serviceAIServiceConfigAI service configuration token_policyTokenPolicyConfigToken policy configuration wasm_pluginWasmPluginConfigWasm plugin configuration
Field Type Description addressstringEndpoint IP address portuint32Endpoint port healthyboolHealth status zonestringAvailability zone
Field Type Description providerstringProvider type: openai, anthropic, ollama formatstringRequest/response format modelstringModel name authAIServiceAuthConfigAuthentication configuration timeoutDurationRequest timeout
Field Type Description tokens_per_minuteuint64Maximum tokens per minute tokens_per_houruint64Maximum tokens per hour requests_per_minuteuint64Maximum requests per minute scopestringRate limiting scope burstdoubleBurst multiplier on_limitstringAction on limit
Field Type Description namestringPlugin name namespacestringNamespace wasm_bytesbytesWasm module byte content sha256stringSHA256 checksum hooksrepeated stringExecution hook list config_jsonstringPlugin configuration (JSON) sandboxWasmSandboxConfigSandbox configuration
Field Type Description max_memory_bytesuint64Maximum memory limit max_execution_time_msuint64Maximum execution time allow_networkboolWhether network access is allowed allow_file_systemboolWhether filesystem access is allowed
Field Type Description namespacestringSecret namespace namestringSecret name cert_pemstringCertificate PEM key_pemstringPrivate key PEM
The complete protocol definition is located at:
proto/gateway/control/v1/control.proto
The current protobuf package name is gateway.control.v1. The Go generated code import path is github.com/nantian-gw/proto/gateway/control/v1;controlv1.
The current protocol version is v1 and is under active development. Protocol message structures may change across minor version iterations. If you are developing a data plane implementation that communicates with the Nantian Gateway control plane, we recommend locking the protocol version and monitoring the changelog.
