Hacker News new | comments | ask | show | jobs | submit login
Gravitee: Open-Source API Gateway (gravitee.io)
165 points by ausjke 52 days ago | hide | past | web | favorite | 46 comments

Trying it out now. For those who have already: how does Gravitee compare w/ Apigee, Kong, API Gateway etc.

From what I gather in the GitHub repository, they implement their own L7 management, instead of using NGINX, Envoy, HAProxy, etc. IMO, this adds quite a bit of development cost with minimum benefit.

Kong has built on OpenResty (which is built on NGINX), Ambassador has been built on Envoy Proxy -- I think these projects will be able to sustain their velocity more so than projects that need to maintain their own L7 engine. Just watching the speed at which Envoy Proxy is adding stuff is kind of staggering; hard to imagine how another company could do the same on their own homegrown engine.

Tyk runs its own L7 engine, mainly around primitives provided by the Golang stdlib, IMO having full control over this part provides a lot more flexibility than sitting on top of someone else’s stack, bugs are faster to eke out and optimisation doesn’t rely on upstream code.

(Caveat: I’m the CEO of Tyk)

Sorry for asking simple questions.

Can someone tell us what exactly is L7 ?

It seems like I cannot find any information when googling it.

For those interested, "L7 engine" seems to be the "application layer" https://en.wikipedia.org/wiki/Application_layer in the OSI model https://en.wikipedia.org/wiki/OSI_model

So communication protocol such as gRPC and HTTP.

Here is an answer from Gravitee dev: https://dev.to/brasseld/comment/25kb

NB. There are more open source alternatives: API Umbrella and Tyk.

API Gateway is closed source for one. Kong is written in Lua, for better or worse.

Hello, Marco here (CTO of Kong). Correct, Kong is primarily written in Lua with some bits in C, for two particular reasons: low latency and very high performance.

Lua per-se is a fast language (having a very small footprint), but running Lua on top of LuaJIT [1] is just so much faster. LuaJIT is an alternative implementation of the Lua VM created by Mike Pall and now supported by a few other folks and organizations like Cloudflare. Cloudflare in particular has a very large runtime implementation of the Lua + LuaJIT stack, and usually people are surprised to learn that at least 10% of the worldwide Internet traffic [2] goes through this stack.

With that said Lua + LuaJIT is being used in other applications as well, like mobile and embedded devices, where low footprint and high performance are required.

Having a low footprint is not just a nice-to-have, but a requirement for running a proxy in a Service Mesh deployment as a decentralized sidecar container (to not exhaust all the resources of the underlying VMs as we scale the number of pods and services) in addition to the traditional centralized API Gateway deployment.

[1] http://luajit.org/

[2] https://blog.cloudflare.com/cloudflare-traffic/

Recent CF blog (by a guest author) about increasing LuaJIT performance https://blog.cloudflare.com/more-consistent-luajit-performan...

tl;dr: Lua is a GC language and that's where the variance comes from.

As the co-author of that blog post a more accurate tl;dr would be the variance comes from shared hot counters that collide based on the address of objects.

Ok, to resummarize: LuaJIT is a JIT'd interpreter for a GC'd language and those two factors are where the variance comes from.

You found some very low hanging fruit in the JIT engine in particular (64 global trace buckets), fixed it and at least threw it over the fence upstream (and kudos for that). But you buried it in a bunch of irrelevant figures, and at the end of the article you rediscovered GC pauses. GC pauses are a classic, well-known problem with GC languages.

My critiques are this:

1. There is a huge body of prior work and analysis of JIT'd and GC languages due to the outsized impact of Java, probably the most popular language on the planet at one point (if it isn't still). (And Golang — Java 2.0.) Java's history (and perhaps Golang's more recent history) should have been top-of-mind at the outset of this project. I think you could continue to apply lessons learned from abundance of experience around Hotspot and JRE tuning to the LuaJIT interpreter.

2. The lengthy benchmark spreadsheets seem like a distraction rather than a useful tool. They're certainly not adding much to the article and could be summarized in 2-3 sentences each. If you really felt like it, they could be linked to an external appendix.

Wow that’s a fascinating codebase you’ve got. I mainly used Lua for scripting C/C++ codebases, never saw a large app that does the reverse. Seems to be very clear code in the functional style without too much object-orientation, did you specifically choose to not use that too much?

Lua doesn’t fit too well with the object oriented model (although possible) without being “hacky”, so we decided to leverage the strengths of the language rather than forcing ourselves to use a model that’s not well suited for the language.

Yes, that's right we do have a large Lua (using LuaJIT) code base but we are moving away from it.

Keen to know that too. We are heavily relying on Kong at my work.

Why none of these API gateways offer monetization out of the box? I'm curious. Is that a not well-demanded feature?

I have researched a lot of them and none have a straight way to do metered billing and if they somehow do, they are prohibitively expensive.

Does somebody know of an API gateway solution that offers this?

Billing is a hard issue since there is no common API to do that. All payment gateways are different. And what is most important, it lot of cases it requires some application logic, on how exactly you want to bill the user: for example partly static, partly dynamic.

What API gateway can do, is to provide you with a way to set a quota for a given user, track analytics, and have it all accessed in a programmatic way, so with a few API queries, you can know how much to bill the user. At least that's how most of the Gateways, like Tyk, do.

I think key issue here is that legacy api management solutions lock you into their billing flows and providers. An open SRC gateway like Tyk will give you freedom to use your own billing solution and define your own verticals at expense of slightly more complexity at integration/implementation.

Apigee has some monetization features... https://docs.apigee.com/api-platform/monetization/basics-mon...

They do, but it's $500 USD per month for the most basic plan. I'm looking for something that can start small and scale as needed.

In the same boat. I think you can do something with API Gateway + API Marketplace but I would LOVE a plugin to Kong or any other OS software...even if it would support just one gateway.

$500 for Apigee makes it untouchable for small startups. Another one worth looking into might be at IBM bluemix.

Axway api management might be another alternative.

a stripe 'plugin' would be great.

Throwing my hat in the ring. Micro provides an API gateway that routes dynamically via service discovery. It's written in Go and includes a surrounding toolkit of useful features. It's also entirely pluggable. https://github.com/micro/micro

Hi, I'm Nicolas (CEO of GraviteeSource, the company behind Gravitee.io).

We provide a full featured api management platform (gateway, dev portal, analytics, ...).

We use Eclipse Vert.x and every plugin is written in java.

The comparison between Gravitee and other competitors depends on your use case (saas/onprem/hybrid, features ootb, api gateway or api management, ...).

If you have specific concerns, please ask.

Running these api gateways on your own is very complex, especially when they need to be open publicly. Typically you’d want to layer a WAF and a CDN on top of them, which already come with their own api gateway like features (eg AWS cloudfront).

My question - what do people use these for?

API Gateways back in the days were primarily being adopted at the edge for external traffic, but they are increasingly being used internally to connect teams/products together, or in a Service Mesh deployment pattern for microservices. Solutions provided by cloud vendors are generally not well suited for all the N-S and E-W use-cases that typically an organization requires, they are usually slow (which in turn prevents more decoupled and traffic intensive architectures from working well), provide little extensibility options and while are every cheap to get up and running with, they also get expensive very quickly as traffic increases exponentially.

Disclaimer: I am CTO of Kong [1].

[1] https://konghq.com

Yeah, my current project is using an internal / external api gateway style. You run into so many issues... You kinda want to run away (beside performance) it is super hard to actually manage / govern etc..

Is this something like an implementation of Googles beyondcorp model? https://beyondcorp.com/

I'd say it's lower in the stack, and probably for a different audience. If you really wanted to, you can probably implement BeyondCorp using (but not only using) this or one of its competitors mentioned in this thread; but it's only part of the equation and leaves out the authorization logic of BeyondCorp.

This seems geared towards REST APIs. I would love something similar with good GraphQL support

Second this! It is still rarely used. But it's usage is growing.

Not speaking about the project itself, but since when did 100% Open Source become a thing?

Kong has Community Edition and an Enterprise Edition with non-free/proprietary features (same model as MySQL, Nginx, GitLab, & Redis). It's called the open-core model. Company is signaling that it intends to offer all features open source and without restriction.


the evil is in the details so it really depends on the boundary where the core is defined at, in nginx/mysql's case, the core is large enough for 99% small players, and the big players are willing to pay and the income is enough to sustain the projects. I somehow feel Kong's core is a bit limited which is how I found out Gravitee.

3 popular OSS models:

    1. 100% open source, funded by some entities, you can purchase  subscription for its professional support and service.
    2. 100% open source by volunteers and the community, document might be lacking but you got what you pay for.
    3. open-core, only the core portion is open and you pay a premium for plugins or its enterprise-version/pro-version.
I personally do not use option 3, and I think 1 is great for both sides.

What is the practical difference between 1 and 3?

Like, support aside, what's the difference between "pay a premium to access professional services from the dev team" and "pay a premium to access a service already professionally-built by the dev team"?

For a company that can create its own professionals related to the product, only alt 1 (but not 3) will be free. For example, not all people feel the need to buy RHEL support; they use CentOS instead.

Onion layers.

1. All layers are open source, but if you want support, you pay.

3. Core layers are open source, the top layers are proprietary.

It's not uncommon to request custom software modifications in case #1. Which brings you to case #3 in all but name.

#3 means the company will purposefully put very useful features out of scope of the core, while in #1, people expect everything that's not very custom to a specific use-case to be open-sourced eventually - which is usually the reality.

I get where you're coming from, but is that the reality?

What I've seen in practice is that the useful features in question are only useful to very large companies, which is why they're gated.

Logic being, "if you're in need of this, you most definitely can afford the premium product, and we'd like you to be sponsoring our work since it's necessary for you to make money".

Is it better to let the open source project die on the Hill of Principles, and have nobody actually benefit from the potential wasted work?

I don't get the idea of API Gateway. Is it to secure, or reuse code logic, or load balance ??? Because as i see, gateway is the central point of downtime of the whole system.

Http API? When a GRPC one?

Wso2 has a fully ASLv2 licensed API management solution which also includes a high performance gateway. It has monetization items included. Deployed to 1000s of accounts and running some environments with billions of transactions a day. Excited to take a look at this new entrant.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact