Control Plane Configuration

The control plane configuration file is located at gateway/configs/controlplane/config.yaml. It controls every aspect of the control plane process: server addresses, Kubernetes controller behavior, admin API settings, TLS, gRPC runtime parameters, and feature flags.

The control plane listens on four distinct addresses:

| Parameter | Type | Default | Description |
|---|---|---|---|
| grpcAddr | string | :18080 | gRPC server address for xDS configuration streaming to data planes |
| adminAddr | string | :18081 | HTTP admin API server used by the dashboard and internal tooling |
| metricsAddr | string | :18082 | Prometheus metrics endpoint |
| healthProbeAddr | string | :18083 | Kubernetes health and readiness probe endpoint |

Each address follows Go’s net.Listen format. An empty host portion (e.g., :18080) binds to all network interfaces. Use 127.0.0.1:18081 to restrict the admin API to localhost.

These settings control how the control plane interacts with the Kubernetes API server and manages gateway resources.

| Parameter | Type | Default | Description |
|---|---|---|---|
| controllerName | string | gateway.networking.k8s.io/nantian-gw | GatewayClass controller name this instance responds to |
| statusAddress | string | 127.0.0.1 | IP address used in the Gateway status addresses field |
| statusAddresses | []string | | Additional addresses (hostnames or IPs) for Gateway status |
| namespace | string | nantian-gw | Namespace where the control plane runs |
| syncPeriod | duration | 30s | Interval between full resource resynchronizations |
| syncSettleDelay | duration | 200ms | Delay before processing a batch of changes to allow accumulation |

Controls the reconciliation loop that processes Kubernetes resource changes.

| Parameter | Type | Default | Description |
|---|---|---|---|
| reconcilerRunner.settleDelay | duration | 300ms | Delay before starting reconciliation after a change event |
| reconcilerRunner.retryBackoff | duration | 1s | Delay between reconciliation retries on failure |

Controls how the control plane tracks and persists data plane node status.

| Parameter | Type | Default | Description |
|---|---|---|---|
| nodeStatus.leasePrefix | string | aeg-node | Prefix for node lease objects in the Kubernetes API |
| nodeStatus.persistTimeout | duration | 2s | Timeout for persisting node status to the API server |
| nodeStatus.persistDebounce | duration | 250ms | Minimum interval between node status persistence operations |

Controls when a data plane node that has stopped sending heartbeats is flagged as drifted:

| Parameter | Type | Default | Description |
|---|---|---|---|
| nodeDrift.warningThreshold | duration | 15s | Duration after which a node with no heartbeat is considered drifted |

Controls when the admin API reports itself ready:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminReadiness.mode | string | snapshot | Readiness check mode: snapshot (ready after the first snapshot is built) or always |

Size limits for admin API request and response bodies:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminLimits.maxRequestBodyBytes | int | 2097152 (2 MB) | Maximum admin API request body size |
| adminLimits.maxResponseBodyBytes | int | 8388608 (8 MB) | Maximum admin API response body size |

HTTP server runtime settings for the admin API:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminRuntime.readHeaderTimeout | duration | 5s | Maximum time to read request headers |
| adminRuntime.readTimeout | duration | 30s | Maximum time to read the full request |
| adminRuntime.writeTimeout | duration | 30s | Maximum time to write the response |
| adminRuntime.idleTimeout | duration | 2m | Maximum idle time before closing a connection |

The admin API can aggregate responses from connected data plane instances:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminRuntime.dataplaneAggregation.serviceName | string | nantian-dataplane-admin | Kubernetes Service name for data plane admin endpoints |
| adminRuntime.dataplaneAggregation.namespace | string | nantian-gw | Namespace of the data plane admin Service |
| adminRuntime.dataplaneAggregation.portName | string | admin | Port name on the data plane admin Service |
| adminRuntime.dataplaneAggregation.timeout | duration | 2s | Timeout for data plane aggregation requests |
| adminRuntime.dataplaneAggregation.bearerTokenFile | string | "" | Path to bearer token file for authenticating to data planes |

Authentication and rate limiting for the admin API:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminAuth.bearerToken | string | "" | Static bearer token for admin API authentication |
| adminAuth.bearerTokenFile | string | "" | Path to a file containing the bearer token |
| adminAuth.rateLimitRPS | int | 640 | Requests per second rate limit for the admin API (0 = unlimited) |

When both bearerToken and bearerTokenFile are empty, the admin API accepts requests without any authentication. When either is configured, every request must carry an Authorization: Bearer <token> header.

The rateLimitRPS field applies rate limiting to the admin API, protecting it from excessive requests. Set to 0 to disable rate limiting.
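The following Go program is an added illustration of the adminAuth semantics described above; it is not the control plane's own code, and the type and function names (AdminAuth, ResolveToken, TokenMatches, Limiter, NewAdminHandler, Probe) are this example's inventions. It resolves the token from bearerToken or bearerTokenFile, treats an empty result as "no authentication", compares presented tokens in constant time, and applies a token-bucket limit in which 0 means unlimited. The limiter runs before the token check, an ordering chosen here so that token-guessing traffic is throttled as well:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"sync"
	"time"
)

// AdminAuth mirrors the adminAuth block of config.yaml (example type, not the project's).
type AdminAuth struct {
	BearerToken     string
	BearerTokenFile string
	RateLimitRPS    int
}

// ResolveToken returns the effective bearer token: the inline value if set,
// otherwise the trimmed contents of the token file, otherwise "" (no auth).
func ResolveToken(a AdminAuth) (string, error) {
	if a.BearerToken != "" || a.BearerTokenFile == "" {
		return a.BearerToken, nil // inline token, or "" meaning no authentication
	}
	b, err := os.ReadFile(a.BearerTokenFile)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

// TokenMatches hashes both sides to a fixed length and compares in constant time,
// so neither the token length nor the first differing byte leaks through timing.
func TokenMatches(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// Limiter is a minimal token bucket: rps tokens refill per second, burst equals rps.
type Limiter struct {
	mu     sync.Mutex
	rps    float64
	tokens float64
	last   time.Time
}

// Allow consumes one token; a non-positive rps disables limiting (0 = unlimited).
func (l *Limiter) Allow(now time.Time) bool {
	if l.rps <= 0 {
		return true
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	l.tokens += now.Sub(l.last).Seconds() * l.rps
	if l.tokens > l.rps {
		l.tokens = l.rps
	}
	l.last = now
	if l.tokens < 1 {
		return false
	}
	l.tokens--
	return true
}

// NewAdminHandler wraps next with the rate limit and then the bearer check.
func NewAdminHandler(a AdminAuth, next http.Handler) (http.Handler, error) {
	token, err := ResolveToken(a)
	if err != nil {
		return nil, err
	}
	rps := float64(a.RateLimitRPS)
	lim := &Limiter{rps: rps, tokens: rps, last: time.Now()}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !lim.Allow(time.Now()) {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		if token != "" {
			authz := r.Header.Get("Authorization")
			if !strings.HasPrefix(authz, "Bearer ") || !TokenMatches(strings.TrimPrefix(authz, "Bearer "), token) {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	}), nil
}

// Probe sends one in-memory GET with the given Authorization value and returns the status.
func Probe(h http.Handler, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/dashboard", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Hashing before the comparison is what makes the check constant-time for tokens of differing length; comparing the raw strings with `==` would return early on the first mismatching byte.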

Controls resource limits for the translator that converts Kubernetes resources into internal configuration:

| Parameter | Type | Default | Description |
|---|---|---|---|
| translatorLimits.maxInputObjects | int | 0 | Maximum input objects to process (0 = unlimited) |
| translatorLimits.maxSnapshotObjects | int | 0 | Maximum objects in a configuration snapshot (0 = unlimited) |
| translatorLimits.maxSnapshotEndpoints | int | 0 | Maximum endpoints in a configuration snapshot (0 = unlimited) |

Set these limits to prevent the control plane from consuming excessive memory when processing very large configurations. A value of 0 means no limit.

Logging settings:

| Parameter | Type | Default | Description |
|---|---|---|---|
| log.level | string | info | Minimum log level: debug, info, warn, error |
| log.format | string | json | Output format: json or text |
| log.addSource | bool | false | Include source file and line number in log entries |

The debug level includes reconciliation details, snapshot diffs, and gRPC stream events. JSON format is recommended for production log aggregation.

The control plane uses Kubernetes leader election for high availability:

| Parameter | Type | Default | Description |
|---|---|---|---|
| leaderElection.enabled | bool | true | Enable leader election (disable for single-replica deployments) |
| leaderElection.id | string | nantian-controlplane-leader | Identity for the leader election lock |
| leaderElection.leaseDuration | duration | 15s | Duration a leader holds the lease before a new election |
| leaderElection.renewDeadline | duration | 10s | Deadline for the leader to renew its lease |
| leaderElection.retryPeriod | duration | 2s | Interval between lease acquisition attempts for non-leaders |

The control plane includes a built-in dashboard API for the web admin interface:

| Parameter | Type | Default | Description |
|---|---|---|---|
| dashboardApi.enabled | bool | true | Enable the dashboard API endpoints |
| dashboardApi.basePath | string | /api/dashboard | URL path prefix for dashboard API endpoints |
| dashboardApi.dataplaneAdminUrl | string | http://nantian-dataplane-admin.nantian-gw.svc.cluster.local:19080 | URL template for data plane admin API access |
| dashboardApi.requestTimeout | duration | 5s | Timeout for dashboard API requests |
| dashboardApi.resourceMutationsEnabled | bool | true | Allow resource mutations through the dashboard API |

Go pprof profiling endpoints:

| Parameter | Type | Default | Description |
|---|---|---|---|
| pprof.enabled | bool | false | Enable Go pprof profiling endpoints |
| pprof.addr | string | 127.0.0.1:6060 | Address for the pprof HTTP server |
| pprof.bearerToken | string | "" | Bearer token for pprof endpoint authentication |
| pprof.bearerTokenFile | string | "" | Path to a file containing the pprof bearer token |

Enable pprof for debugging performance issues. The pprof server should be bound to localhost only. When a bearer token is configured, the pprof endpoint requires authentication.
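The Go program below is an added example, not part of the control plane, that turns three points from this page into a static check: the net.Listen address semantics (an empty host binds every interface), the fact that an admin API with no bearer token is unauthenticated, and the recommendation to keep pprof on localhost. The type Exposure, the Finding codes and the Lint rules are this example's own; the TLS rule reflects that a bearer token sent over plain HTTP crosses the network unencrypted, which is a property of HTTP rather than a statement on the page:

```go
package main

import (
	"fmt"
	"net"
)

// Exposure is the subset of config.yaml this check looks at (example type).
// AdminAuthConfigured means adminAuth.bearerToken or adminAuth.bearerTokenFile is set;
// PprofAuthConfigured means the same for pprof.bearerToken / pprof.bearerTokenFile.
type Exposure struct {
	AdminAddr           string
	AdminAuthConfigured bool
	AdminTLSEnabled     bool
	PprofEnabled        bool
	PprofAddr           string
	PprofAuthConfigured bool
}

// Finding is one lint result; Code is stable for tests and alerting, Message is for humans.
type Finding struct {
	Code, Message string
}

// bindsAllInterfaces reports whether a net.Listen address has an empty host
// (":18081") or an unspecified IP ("0.0.0.0:18081", "[::]:18081").
func bindsAllInterfaces(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsUnspecified(), nil // a hostname cannot be judged statically
}

// isLoopback reports whether the address is reachable only from the same host.
func isLoopback(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback(), nil
}

// Lint applies the page's guidance: a network-reachable admin API needs a bearer
// token and TLS, and pprof should stay on localhost. Findings are returned in a
// fixed order so callers can match on them.
func Lint(e Exposure) ([]Finding, error) {
	var out []Finding
	adminAll, err := bindsAllInterfaces(e.AdminAddr)
	if err != nil {
		return nil, fmt.Errorf("adminAddr %q: %w", e.AdminAddr, err)
	}
	if adminAll && !e.AdminAuthConfigured {
		out = append(out, Finding{"ADMIN_NO_AUTH", "adminAddr binds all interfaces and adminAuth has no bearer token: the admin API is unauthenticated"})
	}
	if adminAll && !e.AdminTLSEnabled {
		out = append(out, Finding{"ADMIN_NO_TLS", "adminAddr binds all interfaces with adminTLS disabled: any bearer token crosses the network in cleartext"})
	}
	if e.PprofEnabled {
		lo, err := isLoopback(e.PprofAddr)
		if err != nil {
			return nil, fmt.Errorf("pprof.addr %q: %w", e.PprofAddr, err)
		}
		if !lo {
			out = append(out, Finding{"PPROF_NOT_LOOPBACK", "pprof.addr is not a loopback address; bind pprof to localhost only"})
			if !e.PprofAuthConfigured {
				out = append(out, Finding{"PPROF_NO_AUTH", "pprof is network-reachable and has no bearer token configured"})
			}
		}
	}
	return out, nil
}

func main() {
	// The page's defaults: admin on all interfaces, no token, no TLS, pprof disabled.
	findings, err := Lint(Exposure{AdminAddr: ":18081"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Code, f.Message)
	}
}
```

Run against the defaults from the reference configuration, the check reports ADMIN_NO_AUTH and ADMIN_NO_TLS; setting adminAddr to 127.0.0.1:18081, as the address section suggests, clears both.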

Refer to the TLS / mTLS page for detailed TLS configuration.

TLS for the admin HTTP server:

| Parameter | Type | Default | Description |
|---|---|---|---|
| adminTLS.enabled | bool | false | Enable TLS on the admin HTTP server |
| adminTLS.certPath | string | "" | Path to the server certificate (PEM) |
| adminTLS.keyPath | string | "" | Path to the server private key (PEM) |
| adminTLS.clientCAPath | string | "" | Path to the CA certificate for verifying client certificates (mTLS) |
| adminTLS.requireClientCert | bool | false | Require and verify client certificates (mTLS) |

Admin TLS enforces ECDHE cipher suites (TLS 1.2 minimum) for forward secrecy. When clientCAPath is set, the server verifies client certificates. Set requireClientCert to true to reject connections without a valid client certificate.

TLS for the gRPC (xDS) server:

| Parameter | Type | Default | Description |
|---|---|---|---|
| grpcTLS.enabled | bool | false | Enable TLS on the gRPC server |
| grpcTLS.certPath | string | "" | Path to the server certificate (PEM) |
| grpcTLS.keyPath | string | "" | Path to the server private key (PEM) |
| grpcTLS.clientCAPath | string | "" | Path to the CA certificate for verifying client certificates |
| grpcTLS.requireClientCert | bool | false | Require and verify client certificates (mTLS) |
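As an added example covering both the adminTLS and grpcTLS blocks, the Go code below maps those five fields onto a crypto/tls server configuration: TLS 1.2 minimum, ECDHE-only cipher suites for forward secrecy, and client-certificate verification driven by clientCAPath and requireClientCert. This is not the project's code; the ServerTLS type takes PEM bytes where the real file takes certPath, keyPath and clientCAPath, the ClientAuth mapping (verify a client certificate if one is presented when only a CA is set, require one when requireClientCert is true) is this example's reading of the table, and SelfSignedPEM only generates throwaway material for the demonstration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ServerTLS mirrors the adminTLS / grpcTLS blocks (example type). CertPEM and KeyPEM
// stand in for certPath/keyPath, ClientCAPEM for clientCAPath.
type ServerTLS struct {
	Enabled           bool
	CertPEM, KeyPEM   []byte
	ClientCAPEM       []byte
	RequireClientCert bool
}

// ecdheSuites are the TLS 1.2 suites this example permits; all use ephemeral ECDH.
// Go's TLS 1.3 suites are not configurable and always provide forward secrecy.
var ecdheSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// BuildTLSConfig returns nil when TLS is disabled, otherwise a hardened *tls.Config.
// requireClientCert without a client CA is rejected: there would be nothing to verify against.
func BuildTLSConfig(s ServerTLS) (*tls.Config, error) {
	if !s.Enabled {
		return nil, nil
	}
	if s.RequireClientCert && len(s.ClientCAPEM) == 0 {
		return nil, errors.New("requireClientCert is true but clientCAPath is empty")
	}
	cert, err := tls.X509KeyPair(s.CertPEM, s.KeyPEM)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: ecdheSuites,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.NoClientCert,
	}
	if len(s.ClientCAPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(s.ClientCAPEM) {
			return nil, errors.New("clientCAPath: no certificates could be parsed")
		}
		cfg.ClientCAs = pool
		cfg.ClientAuth = tls.VerifyClientCertIfGiven // CA set, client cert optional
		if s.RequireClientCert {
			cfg.ClientAuth = tls.RequireAndVerifyClientCert // full mTLS
		}
	}
	return cfg, nil
}

// SelfSignedPEM generates a throwaway ECDSA CA certificate and key (constructed
// demo material; in production these come from certPath/keyPath).
func SelfSignedPEM(cn string) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}
```

The distinction between VerifyClientCertIfGiven and RequireAndVerifyClientCert is the one the requireClientCert flag controls: with only clientCAPath set, a client that presents a certificate is verified against the CA, but a client that presents none is still admitted.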

These settings control the gRPC server behavior for xDS communication:

| Parameter | Type | Default | Description |
|---|---|---|---|
| grpcRuntime.keepaliveTime | duration | 30s | Interval for sending keepalive pings to connected data planes |
| grpcRuntime.keepaliveTimeout | duration | 10s | Timeout for keepalive ping responses |
| grpcRuntime.minPingInterval | duration | 15s | Minimum interval between pings from data plane clients |
| grpcRuntime.maxConnectionIdle | duration | 2m | Maximum idle time before closing a gRPC connection |
| grpcRuntime.maxConnectionAge | duration | 30m | Maximum lifetime of a gRPC connection |
| grpcRuntime.maxConnectionAgeGrace | duration | 30s | Grace period after max connection age before forceful closure |
| grpcRuntime.snapshotSendTimeout | duration | 5s | Timeout for sending a configuration snapshot |
| grpcRuntime.snapshotAckTimeout | duration | 30s | Timeout for receiving a snapshot acknowledgment |
| grpcRuntime.permitWithoutStream | bool | false | Allow data planes without an active xDS stream |

Feature flags:

| Parameter | Type | Default | Description |
|---|---|---|---|
| features.enableExperimentalGateway | bool | false | Enable experimental Gateway API features |
| features.enableAiGateway | bool | false | Enable the built-in AI gateway module |

The following is a complete control plane configuration with all available options:

```yaml
grpcAddr: ":18080"
adminAddr: ":18081"
metricsAddr: ":18082"
healthProbeAddr: ":18083"
controllerName: "gateway.networking.k8s.io/nantian-gw"
statusAddress: "127.0.0.1"
namespace: "nantian-gw"
syncPeriod: 30s
syncSettleDelay: 200ms
reconcilerRunner:
  settleDelay: "300ms"
  retryBackoff: "1s"
nodeStatus:
  leasePrefix: "aeg-node"
  persistTimeout: "2s"
  persistDebounce: "250ms"
nodeDrift:
  warningThreshold: "15s"
adminReadiness:
  mode: "snapshot"
adminLimits:
  maxRequestBodyBytes: 2097152
  maxResponseBodyBytes: 8388608
adminRuntime:
  readHeaderTimeout: "5s"
  readTimeout: "30s"
  writeTimeout: "30s"
  idleTimeout: "2m"
  dataplaneAggregation:
    serviceName: "nantian-dataplane-admin"
    namespace: "nantian-gw"
    portName: "admin"
    timeout: "2s"
    bearerTokenFile: ""
translatorLimits:
  maxInputObjects: 0
  maxSnapshotObjects: 0
  maxSnapshotEndpoints: 0
adminAuth:
  bearerToken: ""
  bearerTokenFile: ""
  rateLimitRPS: 0
dashboardApi:
  enabled: true
  basePath: "/api/dashboard"
  dataplaneAdminUrl: "http://nantian-dataplane-admin.nantian-gw.svc.cluster.local:19080"
  requestTimeout: "5s"
  resourceMutationsEnabled: true
pprof:
  enabled: false
  addr: "127.0.0.1:6060"
  bearerToken: ""
  bearerTokenFile: ""
log:
  level: "info"
  format: "json"
  addSource: false
leaderElection:
  enabled: true
  id: "nantian-controlplane-leader"
  leaseDuration: "15s"
  renewDeadline: "10s"
  retryPeriod: "2s"
adminTLS:
  enabled: false
  certPath: ""
  keyPath: ""
  clientCAPath: ""
  requireClientCert: false
grpcTLS:
  enabled: false
  certPath: ""
  keyPath: ""
  clientCAPath: ""
  requireClientCert: false
grpcRuntime:
  keepaliveTime: "30s"
  keepaliveTimeout: "10s"
  minPingInterval: "15s"
  maxConnectionIdle: "2m"
  maxConnectionAge: "30m"
  maxConnectionAgeGrace: "30s"
  snapshotSendTimeout: "5s"
  snapshotAckTimeout: "30s"
  permitWithoutStream: false
features:
  enableExperimentalGateway: false
  enableAiGateway: false
```