Data Plane Configuration

The data plane configuration file is located at gateway/configs/dataplane/config.yaml. It controls every aspect of the data plane process: node identity, control plane connection, logging, access logging, runtime behavior, performance tuning, protection limits, TLS, and feature flags.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| nodeId | string | dp-local | Unique identifier for this data plane instance |
| cluster | string | default | Logical cluster name this instance belongs to |

The nodeId must be unique across all data plane instances connected to the same control plane. In Kubernetes, the Helm chart sets this to the pod name automatically. The cluster field groups data planes into logical clusters for multi-cluster deployments.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| controlPlaneAddr | string | http://127.0.0.1:18080 | Address of the control plane gRPC server |
| adminAddr | string | 127.0.0.1:19080 | Address for the data plane’s own admin HTTP server |

The controlPlaneAddr is the gRPC endpoint where the data plane connects to receive configuration snapshots. Use https:// when TLS is enabled on the control plane’s gRPC server.

The adminAddr is the data plane’s own admin HTTP server, used by the control plane for health checks and aggregation.

The data plane uses Rust’s tracing framework with fine-grained per-module control:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| log.level | string | info,nantian_core::connectors=off | Tracing filter directives |
| log.format | string | json | Output format: json or text |
| log.addSource | bool | false | Include source file and line number |
| log.includeTarget | bool | false | Include the tracing target (Rust module path) |
| log.includeThreadIds | bool | false | Include thread IDs |
| log.includeThreadNames | bool | false | Include thread names |
| log.nonBlocking | bool | true | Use non-blocking log output |
| log.nonBlockingBufferedLines | int | 65536 | Ring buffer capacity for non-blocking logging |
| log.dropWhenFull | bool | true | Drop logs when the buffer is full |

The level field accepts tracing filter syntax for per-module granularity: info,hyper=warn,tower=debug.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| log.openTelemetry.enabled | bool | false | Export logs via OpenTelemetry |
| log.openTelemetry.endpoint | string | "" | OTLP collector endpoint |
| log.openTelemetry.protocol | string | grpc | OTLP protocol: grpc or http |
| log.openTelemetry.timeoutMs | int | 3000 | Export timeout in milliseconds |
| log.openTelemetry.insecure | bool | false | Use insecure connection to the collector |
| log.openTelemetry.sampleRatio | float | 1.0 | Sampling ratio (0.0 to 1.0) |
| log.openTelemetry.serviceName | string | nantian-dataplane | Service name in exported data |
| log.openTelemetry.serviceNamespace | string | "" | Service namespace in exported data |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| adminAuth.bearerToken | string | "" | Static bearer token for admin API authentication |
| adminAuth.bearerTokenFile | string | "" | Path to a file containing the bearer token |

Access logs record every request processed by the data plane:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| accessLog.enabled | bool | false | Enable access logging |
| accessLog.path | string | stdout | Output path (stdout, stderr, or file path) |
| accessLog.format | string | (see below) | Log format string with placeholders |
| accessLog.mode | string | json | Output mode: json or text |
| accessLog.sampleRate | float | 0.01 | Sampling rate (0.0 to 1.0) |
| accessLog.routeAnnotationPrefix | string | gateway.nantian.dev/access-log- | Annotation prefix for per-route log configuration |

Available format placeholders: %TIMESTAMP%, %EVENT%, %PROTOCOL%, %LISTENER%, %CLIENT_IP%, %HOST%, %METHOD%, %PATH%, %REQUEST_ID%, %ROUTE_NAMESPACE%, %ROUTE_NAME%, %BACKEND%, %STATUS%, %LATENCY_MS%, %BYTES_RECEIVED%, %BYTES_SENT%, %SNAPSHOT_VERSION%, %RETRY_ATTEMPTS%, %RESPONSE_FLAGS%.

Core runtime settings for the data plane proxy:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtime.httpListenAddr | string | 0.0.0.0:10080 | Address for the HTTP listener |
| runtime.enableIpv6 | bool | true | Enable IPv6 support |
| runtime.enableHttp3 | bool | false | Enable HTTP/3 (QUIC) support |
| runtime.tlsMinVersion | string | 1.2 | Minimum TLS version accepted |
| runtime.tlsMaxVersion | string | 1.3 | Maximum TLS version offered |
| runtime.tlsAssetDir | string | "" | Directory for TLS certificate assets |

Performance tuning parameters for the data plane:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.httpReloadRetryIntervalMs | int | 1000 | Retry interval for HTTP listener reload (ms) |
| runtimeTuning.streamReloadRetryIntervalMs | int | 1000 | Retry interval for stream listener reload (ms) |
| runtimeTuning.downstreamReadTimeoutMs | int | 60000 | Timeout for reading from downstream clients (ms) |
| runtimeTuning.httpMaxConnectionAgeMs | int | 0 | Maximum HTTP connection age (0 = unlimited) |
| runtimeTuning.httpKeepaliveRequestLimit | int | 0 | Maximum requests per keepalive connection (0 = unlimited) |
| runtimeTuning.upstreamConnectionTimeoutMs | int | 5000 | Timeout for establishing upstream connections (ms) |
| runtimeTuning.upstreamReadTimeoutMs | int | 30000 | Timeout for reading from upstream services (ms) |
| runtimeTuning.upstreamIdleTimeoutMs | int | 60000 | Idle timeout for upstream connections (ms) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.httpCapacity.workerThreads | int | 0 | Worker thread count (0 = CPU count) |
| runtimeTuning.httpCapacity.acceptConcurrency | int | 16 | Concurrent TCP accept operations |
| runtimeTuning.httpCapacity.upstreamKeepalivePoolSize | int | 32768 | Maximum idle connections in the upstream pool |
| runtimeTuning.httpCapacity.reusePort | bool | null | Enable SO_REUSEPORT (null = auto-detect) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.requestMirrorMaxConcurrency | int | 1024 | Maximum concurrent mirrored requests |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.udpResponseIdleTimeoutMs | int | 500 | Idle timeout for UDP responses (ms) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.tcpProxyBufferBytes | int | 16384 | Buffer size for TCP proxy connections |
| runtimeTuning.tcpSessionIdleTimeoutMs | int | 0 | TCP session idle timeout (0 = unlimited) |
| runtimeTuning.tcpMaxConnectionAgeMs | int | 0 | Maximum TCP connection age (0 = unlimited) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.retryBudgetEnabled | bool | true | Enable retry budget for circuit breaking |
| runtimeTuning.retryBudgetRatioPercent | int | 20 | Ratio of retries to total requests (%) |
| runtimeTuning.retryBudgetBurst | int | 16 | Maximum burst of retries allowed |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.streamUpstreamPoolSize | int | 128 | Maximum idle stream connections in the upstream pool |
| runtimeTuning.streamUpstreamPoolIdleTimeoutMs | int | 30000 | Idle timeout for stream upstream connections (ms) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.workStealing | bool | true | Enable Tokio work-stealing across worker threads |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.httpCache.enabled | bool | false | Enable HTTP response caching |
| runtimeTuning.httpCache.maxSizeMb | int | 256 | Maximum cache size in megabytes |
| runtimeTuning.httpCache.defaultTtlSeconds | int | 60 | Default cache TTL in seconds |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.gracefulDrainPeriodMs | int | 0 | Grace period for draining connections on shutdown (ms) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.activeHealthCheckEnabled | bool | false | Enable active health checking of backends |
| runtimeTuning.activeHealthCheckIntervalMs | int | 5000 | Interval between health checks (ms) |
| runtimeTuning.activeHealthCheckTimeoutMs | int | 1000 | Timeout for health check requests (ms) |
| runtimeTuning.activeHealthCheckUnhealthyThreshold | int | 2 | Consecutive failures before marking unhealthy |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.downstreamTcpKeepalive.enabled | bool | false | Enable TCP keepalive for downstream connections |
| runtimeTuning.downstreamTcpKeepalive.idleMs | int | 60000 | Idle time before sending keepalive probes (ms) |
| runtimeTuning.downstreamTcpKeepalive.intervalMs | int | 15000 | Interval between keepalive probes (ms) |
| runtimeTuning.downstreamTcpKeepalive.probeCount | int | 4 | Number of probes before declaring dead |
| runtimeTuning.downstreamTcpKeepalive.userTimeoutMs | int | 0 | User timeout for keepalive (0 = OS default) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.upstreamTcpKeepalive.enabled | bool | true | Enable TCP keepalive for upstream connections |
| runtimeTuning.upstreamTcpKeepalive.idleMs | int | 60000 | Idle time before sending keepalive probes (ms) |
| runtimeTuning.upstreamTcpKeepalive.intervalMs | int | 15000 | Interval between keepalive probes (ms) |
| runtimeTuning.upstreamTcpKeepalive.probeCount | int | 4 | Number of probes before declaring dead |
| runtimeTuning.upstreamTcpKeepalive.userTimeoutMs | int | 0 | User timeout for keepalive (0 = OS default) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeTuning.downstreamTcpFastopen | bool | null | Enable TCP Fast Open for downstream (null = auto-detect) |
| runtimeTuning.downstreamDscp | int | null | DSCP marking for downstream connections (null = disabled) |
| runtimeTuning.upstreamTcpRecvBuf | int | 0 | Upstream TCP receive buffer size in bytes (0 = OS default) |
| runtimeTuning.upstreamTcpFastOpen | bool | true | Enable TCP Fast Open for upstream connections |
| runtimeTuning.upstreamDscp | int | null | DSCP marking for upstream connections (null = disabled) |

TCP Fast Open reduces connection latency by allowing data to be sent during the initial TCP handshake. DSCP (Differentiated Services Code Point) marking enables QoS prioritization at the network level.

Protection limits to prevent overload and resource exhaustion:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.httpGlobalInflightLimit | int | 0 | Maximum concurrent in-flight HTTP requests (0 = unlimited) |
| runtimeProtection.httpGlobalRateLimitRequestsPerSecond | int | 0 | Global rate limit (requests/second, 0 = unlimited) |
| runtimeProtection.httpGlobalRateLimitBurst | int | 0 | Burst allowance for global rate limit |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.httpListenerInflightLimit | int | 0 | Maximum concurrent requests per listener (0 = unlimited) |
| runtimeProtection.httpListenerRateLimitRequestsPerSecond | int | 0 | Per-listener rate limit (0 = unlimited) |
| runtimeProtection.httpListenerRateLimitBurst | int | 0 | Burst allowance for listener rate limit |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.httpRouteInflightLimit | int | 0 | Maximum concurrent requests per route (0 = unlimited) |
| runtimeProtection.httpRouteRateLimitRequestsPerSecond | int | 0 | Per-route rate limit (0 = unlimited) |
| runtimeProtection.httpRouteRateLimitBurst | int | 0 | Burst allowance for route rate limit |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.httpBackendCircuitBreakerMaxRequests | int | 0 | Maximum concurrent requests per backend (0 = unlimited) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.httpMaxRequestBodyBytes | int | 0 | Maximum request body size in bytes (0 = unlimited) |
| runtimeProtection.httpMaxRequestHeaderBytes | int | 0 | Maximum request header size in bytes (0 = unlimited) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| runtimeProtection.tcpGlobalConnectionLimit | int | 0 | Maximum concurrent TCP connections (0 = unlimited) |
| runtimeProtection.tcpListenerConnectionLimit | int | 0 | Maximum TCP connections per listener (0 = unlimited) |
| runtimeProtection.udpGlobalDatagramLimit | int | 0 | Maximum concurrent UDP datagrams (0 = unlimited) |
| runtimeProtection.udpListenerDatagramLimit | int | 0 | Maximum UDP datagrams per listener (0 = unlimited) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| sessionPersistence.secretKey | string | "" | Secret key for session cookie signing |
| sessionPersistence.secretKeyFile | string | "" | Path to file containing the secret key |

TLS configuration for the xDS connection to the control plane:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| xdsTls.enabled | bool | false | Enable TLS for the xDS connection |
| xdsTls.caPath | string | "" | Path to the CA certificate for verifying the control plane |
| xdsTls.certPath | string | "" | Path to the client certificate (for mTLS) |
| xdsTls.keyPath | string | "" | Path to the client private key (for mTLS) |
| xdsTls.domainName | string | "" | Expected server name for certificate validation |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| xdsTransport.connectTimeoutMs | int | 5000 | Timeout for establishing the xDS connection (ms) |
| xdsTransport.keepaliveIntervalMs | int | 10000 | Interval for xDS keepalive pings (ms) |
| xdsTransport.keepaliveTimeoutMs | int | 5000 | Timeout for xDS keepalive ping responses (ms) |
| xdsTransport.initialReconnectBackoffMs | int | 2000 | Initial backoff for xDS reconnection (ms) |
| xdsTransport.maxReconnectBackoffMs | int | 30000 | Maximum backoff for xDS reconnection (ms) |
| xdsTransport.applyTimeoutMs | int | 3000 | Timeout for applying a received configuration snapshot (ms) |
| xdsTransport.applyPollIntervalMs | int | 100 | Polling interval when waiting for snapshot application (ms) |
| xdsTransport.staleStreamTimeoutMs | int | 30000 | Time before considering a stale xDS stream as failed (ms) |
| xdsTransport.snapshotFreshnessTimeoutMs | int | 90000 | Time before considering the current snapshot as stale (ms) |

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| experimental.enableExperimentalGateway | bool | false | Enable experimental Gateway API features |
| experimental.enableAiGateway | bool | false | Enable the built-in AI gateway module |

The following is a complete data plane configuration with all available options:

```yaml
nodeId: "dp-local"
cluster: "default"
controlPlaneAddr: "http://127.0.0.1:18080"
adminAddr: "127.0.0.1:19080"
log:
  level: "info,nantian_core::connectors=off"
  format: "json"
  addSource: false
  includeTarget: false
  includeThreadIds: false
  includeThreadNames: false
  nonBlocking: true
  nonBlockingBufferedLines: 65536
  dropWhenFull: true
  openTelemetry:
    enabled: false
    endpoint: ""
    protocol: "grpc"
    timeoutMs: 3000
    insecure: false
    sampleRatio: 1.0
    serviceName: "nantian-dataplane"
    serviceNamespace: ""
adminAuth:
  bearerToken: ""
  bearerTokenFile: ""
accessLog:
  enabled: false
  path: "stdout"
  format: "%TIMESTAMP% %EVENT% %PROTOCOL% %LISTENER% %CLIENT_IP% %HOST% %METHOD% %PATH% %REQUEST_ID% %ROUTE_NAMESPACE% %ROUTE_NAME% %BACKEND% %STATUS% %LATENCY_MS% %BYTES_RECEIVED% %BYTES_SENT% %SNAPSHOT_VERSION% %RETRY_ATTEMPTS% %RESPONSE_FLAGS%"
  mode: "json"
  sampleRate: 0.01
  routeAnnotationPrefix: "gateway.nantian.dev/access-log-"
runtime:
  httpListenAddr: "0.0.0.0:10080"
  enableIpv6: true
  enableHttp3: false
  tlsMinVersion: "1.2"
  tlsMaxVersion: "1.3"
  tlsAssetDir: ""
runtimeTuning:
  httpReloadRetryIntervalMs: 1000
  streamReloadRetryIntervalMs: 1000
  downstreamReadTimeoutMs: 60000
  httpMaxConnectionAgeMs: 0
  httpKeepaliveRequestLimit: 0
  upstreamConnectionTimeoutMs: 5000
  upstreamReadTimeoutMs: 30000
  upstreamIdleTimeoutMs: 60000
  httpCapacity:
    workerThreads: 0
    acceptConcurrency: 16
    upstreamKeepalivePoolSize: 32768
    reusePort: null
  requestMirrorMaxConcurrency: 1024
  udpResponseIdleTimeoutMs: 500
  tcpProxyBufferBytes: 16384
  tcpSessionIdleTimeoutMs: 0
  tcpMaxConnectionAgeMs: 0
  retryBudgetEnabled: true
  retryBudgetRatioPercent: 20
  retryBudgetBurst: 16
  streamUpstreamPoolSize: 128
  streamUpstreamPoolIdleTimeoutMs: 30000
  workStealing: true
  downstreamTcpFastopen: null
  downstreamDscp: null
  upstreamTcpRecvBuf: 0
  upstreamTcpFastOpen: true
  upstreamDscp: null
  httpCache:
    enabled: false
    maxSizeMb: 256
    defaultTtlSeconds: 60
  gracefulDrainPeriodMs: 0
  activeHealthCheckEnabled: false
  activeHealthCheckIntervalMs: 5000
  activeHealthCheckTimeoutMs: 1000
  activeHealthCheckUnhealthyThreshold: 2
  downstreamTcpKeepalive:
    enabled: false
    idleMs: 60000
    intervalMs: 15000
    probeCount: 4
    userTimeoutMs: 0
  upstreamTcpKeepalive:
    enabled: true
    idleMs: 60000
    intervalMs: 15000
    probeCount: 4
    userTimeoutMs: 0
runtimeProtection:
  httpGlobalInflightLimit: 0
  httpListenerInflightLimit: 0
  httpRouteInflightLimit: 0
  httpBackendCircuitBreakerMaxRequests: 0
  httpGlobalRateLimitRequestsPerSecond: 0
  httpGlobalRateLimitBurst: 0
  httpListenerRateLimitRequestsPerSecond: 0
  httpListenerRateLimitBurst: 0
  httpRouteRateLimitRequestsPerSecond: 0
  httpRouteRateLimitBurst: 0
  httpMaxRequestBodyBytes: 0
  httpMaxRequestHeaderBytes: 0
  tcpGlobalConnectionLimit: 0
  tcpListenerConnectionLimit: 0
  udpGlobalDatagramLimit: 0
  udpListenerDatagramLimit: 0
sessionPersistence:
  secretKey: ""
  secretKeyFile: ""
xdsTls:
  enabled: false
  caPath: ""
  certPath: ""
  keyPath: ""
  domainName: ""
xdsTransport:
  connectTimeoutMs: 5000
  keepaliveIntervalMs: 10000
  keepaliveTimeoutMs: 5000
  initialReconnectBackoffMs: 2000
  maxReconnectBackoffMs: 30000
  applyTimeoutMs: 3000
  applyPollIntervalMs: 100
  staleStreamTimeoutMs: 30000
  snapshotFreshnessTimeoutMs: 90000
experimental:
  enableExperimentalGateway: false
  enableAiGateway: false
```
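
A pre-deployment audit of the options documented above, as an added example that is not part of the project's code. It takes the configuration already parsed into a nested dict; the rules (scheme and xdsTls agreement, CA and mTLS pair checks, inline secrets, limits left at 0) and the sample values are assumptions of this example, not checks the gateway performs.

```python
# Key names and defaults come from the reference above; the audit rules are
# this example's own assumptions.
LIMIT_KEYS = """httpGlobalInflightLimit httpGlobalRateLimitRequestsPerSecond
httpListenerInflightLimit httpListenerRateLimitRequestsPerSecond
httpRouteInflightLimit httpRouteRateLimitRequestsPerSecond
httpBackendCircuitBreakerMaxRequests httpMaxRequestBodyBytes
httpMaxRequestHeaderBytes tcpGlobalConnectionLimit tcpListenerConnectionLimit
udpGlobalDatagramLimit udpListenerDatagramLimit""".split()

def get(cfg, dotted, default):
    """Look up a dotted key such as 'xdsTls.enabled'; absent keys use the default."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(cfg):
    findings = []
    addr = get(cfg, "controlPlaneAddr", "http://127.0.0.1:18080")
    tls = bool(get(cfg, "xdsTls.enabled", False))
    if tls != addr.startswith("https://"):
        findings.append("xds: controlPlaneAddr scheme does not match xdsTls.enabled")
    if tls and not get(cfg, "xdsTls.caPath", ""):
        findings.append("xds: xdsTls.enabled is true but caPath is empty")
    if bool(get(cfg, "xdsTls.certPath", "")) != bool(get(cfg, "xdsTls.keyPath", "")):
        findings.append("xds: certPath and keyPath must be set together for mTLS")
    for key in ("adminAuth.bearerToken", "sessionPersistence.secretKey"):
        if get(cfg, key, ""):
            findings.append(f"secret: {key} is set inline; prefer {key}File")
    otel = "log.openTelemetry."
    if get(cfg, otel + "enabled", False) and get(cfg, otel + "insecure", False):
        findings.append("otel: logs are exported over an insecure collector connection")
    for key in LIMIT_KEYS:  # an absent key falls back to the documented default of 0
        if get(cfg, f"runtimeProtection.{key}", 0) == 0:
            findings.append(f"limit: runtimeProtection.{key} is 0 (unlimited)")
    return findings

# Constructed sample: TLS on with an http:// address, cert without key, inline token.
SAMPLE = {
    "controlPlaneAddr": "http://cp.example.internal:18080",
    "xdsTls": {"enabled": True, "caPath": "", "certPath": "/etc/dp/tls.crt", "keyPath": ""},
    "adminAuth": {"bearerToken": "constructed-token"},
    "runtimeProtection": {"httpMaxRequestHeaderBytes": 65536, "httpMaxRequestBodyBytes": 0},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Burst keys are left out of the limit check because the tables do not state what a burst of 0 means.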