KONG-33 Spike - Investigate Kong Alternatives

https://folio-org.atlassian.net/browse/KONG-33

1 Executive Summary
2 Feature Comparison Table
3 Advanced Features Table
4 Detailed Analysis
5 Apache APISIX
- 5.1 Management & APIs:
- 5.2 Configuration Management:
- 5.3 Routing Capabilities:
- 5.4 Advanced Features:
- 5.5 Observability:
- 5.6 Performance:
- 5.7 Community:
- 5.8 PROS:
- 5.9 CONS:
6 Tyk Gateway
- 6.1 Management & APIs:
- 6.2 Configuration Management:
- 6.3 Routing Capabilities:
- 6.4 Advanced Features:
- 6.5 Observability:
- 6.6 Performance:
- 6.7 Community:
- 6.8 PROS:
- 6.9 CONS:
7 Spring Cloud Gateway
- 7.1 Management & APIs:
- 7.2 Configuration Management:
- 7.3 Routing Capabilities:
- 7.4 Advanced Features:
- 7.5 Observability:
- 7.6 Performance:
- 7.7 Community:
- 7.8 PROS:
- 7.9 CONS:
8 Traefik
- 8.1 Management & APIs:
- 8.2 Configuration Management:
- 8.3 Routing Capabilities:
- 8.4 Advanced Features:
- 8.5 Observability:
- 8.6 Performance:
- 8.7 Community:
- 8.8 PROS:
- 8.9 CONS:
9 KrakenD
- 9.1 Management & APIs:
- 9.2 Configuration Management:
- 9.3 Routing Capabilities:
- 9.4 Advanced Features:
- 9.5 Observability:
- 9.6 Performance:
- 9.7 Community:
- 9.8 PROS:
- 9.9 CONS:
10 Envoy Gateway
- 10.1 Management & APIs:
- 10.2 Configuration Management:
- 10.3 Routing Capabilities:
- 10.4 Advanced Features:
- 10.5 Observability:
- 10.6 Performance:
- 10.7 Community:
- 10.8 PROS:
- 10.9 CONS:
11 Gloo Gateway
- 11.1 Management & APIs:
- 11.2 Configuration Management:
- 11.3 Routing Capabilities:
- 11.4 Observability:
- 11.5 Performance:
- 11.6 PROS:
- 11.7 CONS:
12 Gluu Gateway
- 12.1 Management & APIs:
- 12.2 Configuration Management:
- 12.3 Routing Capabilities:
- 12.4 Advanced Features:
- 12.5 Observability:
- 12.6 Performance:
- 12.7 PROS:
- 12.8 CONS:
13 Migration from Kong to Top 3 Alternatives
- 13.1 1. Migration to Apache APISIX
- 13.2 2. Migration to Tyk Gateway
- 13.3 3. Migration to Envoy Gateway
14 Conclusion & Recommendation

Executive Summary

Scope: Assesses enterprise-ready open-source API gateways (excluding Kong) with migration guidance for teams planning a Kong exit.
Gateways Evaluated: Apache APISIX, Tyk Gateway, Spring Cloud Gateway, Traefik, KrakenD, Envoy Gateway.
Criteria: License, operational and routing depth, clustering, admin UI/interfaces, FIPS compliance, feature parity, advanced capabilities, community health, and release tempo.

Feature Comparison Table

Gateway	License	FIPS	Mgmt UI	Admin API	Config Storage	Hot Reload	Clustering	Multi-Tenant	Java Plugins

Gateway	License	FIPS	Mgmt UI	Admin API	Config Storage	Hot Reload	Clustering	Multi-Tenant	Java Plugins
APISIX	Apache 2.0	✅ (OSS)	Separate	REST (full CRUD)	etcd	Yes	Active-Active	Plugin/Ent	Yes
Tyk	MPL 2.0	Paid/Ent	Built-In	REST (full)	File/DB	Yes	Active-Active	Native/OSS	No
Spring Cloud GW	Apache 2.0	JVM/JCE	None	REST (Actuator)	File/Git/Config	Yes	Cloud-Native	Custom	Yes
Traefik	MIT	❌	Status Only	HTTP	File/K8s/API	Yes	Stateless	Custom	No
KrakenD	Apache 2.0	❌	None	Minimal REST	JSON File	No	Stateless	None	No
Envoy Gateway	Apache 2.0	Paid/Ent*	None/CRD	K8s CRD/gRPC	K8s CRD	Yes	Active-Active	None	WASM/Go

Advanced Features Table

Gateway	Rate Limiting	Circuit Breaker	Retry Logic	Load Balancing	Caching	WebSockets	gRPC

Gateway	Rate Limiting	Circuit Breaker	Retry Logic	Load Balancing	Caching	WebSockets	gRPC
APISIX	Tok/Leaky/Fixed	Plugin	Plugin-based	RR/weighted/custom	Redis	Yes	Yes
Tyk	Tok/Leaky/Fixed	Built-in	Built-in	RR/IPHash/session	Redis	Yes	Partial
Spring Cloud GW	Plugin/Micrometer	Plugin/Resilience	Code/Spring	RR/random/custom	Ext/Spring	Yes	No
Traefik	Middleware	Middleware	Middleware	RR/weight/custom	None	Yes	Yes
KrakenD	Plugin	No	Plugin/simple	RR/plugin/scripting	In-mem	Yes	No
Envoy Gateway	Policy/CRD/plug	Native/policy	Built-in/policy	RR/weight/custom	Plugins	Yes	Yes

Detailed Analysis

Apache APISIX

Overview:
Enterprise-ready OSS API gateway with real-time config, FIPS compliance, extensive plugins, high performance, and strong community.

Management & APIs:

Admin UI: Yes (separate, web dashboard)
Admin API: RESTful, full CRUD, plugin and resource lifecycle
API Features: Bulk CRUD, plugin/versioning, health/status endpoints

Configuration Management:

Storage: etcd (distributed)
Hot Reload: Yes (atomic cluster-wide propagation)

Routing Capabilities:

Path Matching: exact, prefix, param (/foo/:id), wildcard
Routing Limitations:
- Path regex must be configured with “vars” on uri
- Cannot match encoded slash (%2F) in parameter (this is an nginx restriction)

Advanced Features:

Rate Limiting: Token, leaky bucket, fixed window (per-plugin)
Circuit Breaker: Plugin
Authentication: JWT, OIDC, LDAP, API Key, Basic (plugins)
Authorization: RBAC, plugin

Observability:

Logging: 15+ plugins (JSON/syslog/HTTP/Kafka, etc.)
Metrics: Prometheus, DataDog
Tracing: OpenTelemetry, Jaeger, SkyWalking

Performance:

RPS: 23,000+
P99 Latency: <1ms

Community:

GitHub Stars: 14,000+
Release Cycle: Bi-weekly (rapid, active OSS cadence)

PROS:

OSS FIPS 140-2 support
Real-time hot reload
Advanced plugin/obs support
Java and Lua extensibility

CONS:

Multi-tenancy OSS via plugins only
No regex route, %2F path issue
Admin UI is separate deploy
Lower plugin count vs. Tyk

Tyk Gateway

Overview:
Polished Go gateway suited for organizations needing OSS UI, multi-tenancy, and powerful routing, with commercial FIPS/enterprise.

Management & APIs:

Admin UI: Yes (built-in, web dashboard)
Admin API: RESTful, comprehensive (analytics, orgs, CRUD)
API Features: Bulk ops, analytics, policy mgmt, inherited versioning

Configuration Management:

Storage: File, MongoDB, Redis
Hot Reload: Yes (API/UI/file scope)

Routing Capabilities:

Path Matching: exact, prefix, full regex, wildcard, parameterized
Routing Limitations:
- Clustering needs DB backend
- No JVM/Java plugin model

Advanced Features:

Rate Limiting: Token/leaky/fixed window, burst (policies)
Circuit Breaker: Dashboard-configurable, threshold/policy
Authentication: JWT, OAuth2, OIDC, API Key, HMAC
Authorization: RBAC/JWT/policy

Observability:

Logging: JSON, syslog
Metrics: Prometheus, StatsD
Tracing: OpenTelemetry, Jaeger

Performance:

RPS: 12,000+
P99 Latency: <10ms

Community:

GitHub Stars: 9,500+
Release Cycle: Monthly (regular feature pace)

PROS:

Rich UI/analytics built-in
Native OSS multi-tenancy
Regex routing, flexible plugins
Top developer UX and docs

CONS:

FIPS only in commercial
Clustering needs DB (infra cost)
No JVM plugin support
Lower scale than APISIX/Envoy

Spring Cloud Gateway

Overview:
Best for Spring/Java organizations; code-centric API gateway, high extensibility, full Spring cloud integration, ops via Java.

Management & APIs:

Admin UI: No (health/metrics via Actuator)
Admin API: Spring REST endpoints, Actuator
API Features: Health/metrics, dynamic route mgmt via config/actuator

Configuration Management:

Storage: Git, file, Spring Config Server
Hot Reload: Yes (Spring Cloud bus refresh)

Routing Capabilities:

Path Matching: exact, prefix, full regex
Routing Limitations:
- No web UI/config for non-Java teams
- Clustering is custom build

Advanced Features:

Rate Limiting: Plugin/micrometer
Circuit Breaker: Plugin (Resilience4j)
Authentication: Spring Security (all major)
Authorization: RBAC/ABAC (Spring)

Observability:

Logging: Logback, JSON
Metrics: Micrometer, Prometheus
Tracing: Sleuth, OpenTelemetry

Performance:

RPS: 8,000+
P99 Latency: <15ms

Community:

GitHub Stars: 4,700+
Release Cycle: Quarterly (aligned with Spring ecosystem)

PROS:

Deep Java/Spring extensibility
Full regex/programmatic routing
Spring Cloud native
Good observability/plugins

CONS:

No web UI / ops for non-Java teams
No OSS multi-tenancy
Moderate performance/JVM overhead
Clustering/config are “build it” not plug-and-play

Traefik

Overview:
Container-native, automatic config, best for K8s/events-driven infra, limited admin UI (status only), excels in simplicity/scalability.

Management & APIs:

Admin UI: Status dashboard (monitoring only)
Admin API: HTTP (dynamic config, status)
API Features: Live status, route health

Configuration Management:

Storage: File, K8s CRD, labels (event-driven)
Hot Reload: Yes (instant, event scope)

Routing Capabilities:

Path Matching: exact, prefix, wildcard, partial regex
Routing Limitations:
- No config/admin UI for management
- Only basic multi-tenancy possible

Advanced Features:

Rate Limiting: Middleware/plugins
Circuit Breaker: Middleware
Authentication: OAuth2 plugin, JWT, Key, Basic
Authorization: Custom (middleware)

Observability:

Logging: JSON/logf
Metrics: Prometheus, DataDog, StatsD
Tracing: Jaeger, Zipkin

Performance:

RPS: 10,000+
P99 Latency: <8ms

Community:

GitHub Stars: 50,000+
Release Cycle: Monthly (very active, huge user base)

PROS:

Leading K8s/Cloud integration
Easy auto-reload/config
Large community and support
Lightweight/stateless

CONS:

No admin UI for configuration
Not a full API gateway (proxy focus)
Manual multi-tenancy/config
Lacks advanced API mgmt

KrakenD

Overview:
For API aggregation/fan-in use cases, config-as-code, high performance, minimal UI, limited service discovery and plugins.

Management & APIs:

Admin UI: None (file/config only)
Admin API: REST/info (routing, telemetry)
API Features: Swagger support, hot reload requires redeploy

Configuration Management:

Storage: JSON file
Hot Reload: No (restart required)

Routing Capabilities:

Path Matching: exact, prefix, wildcard
Routing Limitations:
- Limited route pattern matching options
- No web/admin UI

Advanced Features:

Rate Limiting: Plugin, simple window
Circuit Breaker: External/middleware
Authentication: JWT, API key, plugin
Authorization: Middleware

Observability:

Logging: JSON/syslog
Metrics: Prometheus/InfluxDB
Tracing: Jaeger/Zipkin

Performance:

RPS: 20,000+
P99 Latency: <2ms

Community:

GitHub Stars: 6,000+