Gateway
The Tetrapus Gateway is the public reverse proxy. It terminates TLS, looks up the right data plane for an incoming request (by Org slug or by JWT issuer), enforces the Org's pinned region, applies a per-tenant rate limit, and forwards the request. The gateway is stateless; scale horizontally by adding replicas behind your load balancer.
Routing topology
graph LR
CLIENT["Client"] -->|TLS| GW["Gateway"]
GW -->|cache miss| CP["Control Plane<br/>/control/assignments"]
GW -->|cache hit| ROUTE{"Route by slug<br/>or JWT iss"}
ROUTE -->|acme| DPA["Data Plane A<br/>us-east-1"]
ROUTE -->|globex| DPB["Data Plane B<br/>us-east-1"]
ROUTE -->|initech| DPC["Data Plane C<br/>eu-west-1"]
Routing rules
- Slug routing — Host: acme.api.tetrapus.io → lookup slug=acme.
- JWT iss routing — if no slug header, parse Authorization: Bearer … and route by the iss claim.
- Region enforcement — if the gateway pod's region does not match the Org's region_code, return 421 Misdirected Request with the correct region in Location:.
- Per-tenant rate-limit — token bucket keyed on Org id. Defaults set by plan tier; override via --rate-limit-rps.
- Suspend / delete — suspended Orgs return 423 Locked; deleted return 410 Gone.
Configuration flags
| Flag | Env var | Default | Purpose |
|---|---|---|---|
| --bind | DM_GATEWAY_BIND | 0.0.0.0:443 | Listen address for client traffic. |
| --upstream / --control-url | DM_GATEWAY_CONTROL_URL | — | Base URL of the control plane. |
| --region-code | DM_GATEWAY_DEFAULT_REGION | us-east-1 | Region this gateway pod runs in. |
| --rate-limit-rps | DM_GATEWAY_RATE_LIMIT_RPS | plan-default | Per-Org token bucket refill rate. |
| --tls-cert | DM_GATEWAY_TLS_CERT | — | PEM cert chain (omit if a sidecar terminates TLS). |
| --tls-key | DM_GATEWAY_TLS_KEY | — | PEM private key. |
| --cache-ttl | DM_GATEWAY_CACHE_TTL | 60 | Seconds the assignment cache holds an entry. |
Sample invocation
Bash
tetrapus-gateway \
--bind 0.0.0.0:443 \
--control-url https://control.internal:9100 \
--control-token "$(cat /etc/tetrapus/control.token)" \
--region-code us-east-1 \
--rate-limit-rps 500 \
--tls-cert /etc/tetrapus/tls/fullchain.pem \
--tls-key /etc/tetrapus/tls/privkey.pem
Related
- Control plane — assignment source.
- Helm chart — ships the gateway as a stateless Deployment.
- Data residency — how region pinning is enforced end-to-end.