API Gateway Architecture

The API Gateway is the single entry point for all client requests to the MATIH platform. Built on Spring Boot 3.2 with Kong as the underlying proxy, it provides service routing, rate limiting, traffic management, plugin orchestration, and load balancing. The gateway runs on port 8080 and manages all inbound traffic across control plane and data plane services.

Service Overview

Property	Value
Service Name	`api-gateway`
Port	8080
Technology	Spring Boot 3.2, Java 21, Kong Gateway
Proxy Backend	Kong Admin API (port 8001)
Cache	In-memory ConcurrentHashMap for route/service configs
Security	JWT authentication, RBAC via `@PreAuthorize`
API Documentation	OpenAPI 3.0 (Swagger)

Architecture

                    API Gateway (Port 8080)
                           |
    +----------+-----------+-----------+-----------+
    |          |           |           |           |
 REST API   Kong Proxy  Health     Plugins     Metrics
 (mgmt)     (traffic)   (/health)  (rate-limit) (/prometheus)
    |          |           |           |           |
    +----------+-----------+-----------+-----------+
                           |
              +------------+------------+
              |            |            |
    GatewayMgmtService  LoadBalancer  Plugin
    (routes, services)   Service      Registry
              |            |            |
              +------------+------------+
                           |
                   Kong Admin API (:8001)

Controllers

The API Gateway exposes a single management controller that covers all gateway operations:

Controller	Base Path	Purpose
`GatewayController`	`/api/v1/gateway`	Service, route, plugin, rate limit, traffic, and upstream management

Key Components

GatewayManagementService

Manages Kong services, routes, plugins, rate limiting, and traffic control (canary deployments, traffic mirroring) via the Kong Admin API.

LoadBalancerService

Manages Kong upstreams and targets for load balancing. Supports round-robin, weighted, consistent-hashing (header and cookie), and latency-based algorithms.

Security

All management endpoints require the ADMIN role via @PreAuthorize("hasRole('ADMIN')"). Health endpoints are publicly accessible.

Configuration

server:
  port: 8080
 
gateway:
  kong:
    admin-url: http://localhost:8001

Next Steps

Service Routing -- managing backend services and routes
Rate Limiting -- per-tenant rate limit configuration
Canary Deployments -- traffic splitting for canary releases
Traffic Mirroring -- shadow traffic for testing
Load Balancing -- upstream and target management
Plugins -- enabling and configuring gateway plugins
API Reference -- complete endpoint listing

API Gateway (Kong)Service Routing