NovaEdge

Kubernetes-Native Network Platform

NovaEdge replaces Envoy + MetalLB + NGINX Ingress + Cisco SD-WAN with a single, integrated solution designed for modern Kubernetes deployments.

Why NovaEdge?

flowchart LR
    subgraph Before["Traditional Stack"]
        NGINX["NGINX Ingress<br/>(L7 Routing)"]
        Envoy["Envoy<br/>(Policies)"]
        MetalLB["MetalLB<br/>(VIPs)"]
        SDWAN["WireGuard + Scripts<br/>(SD-WAN)"]
    end

    subgraph After["NovaEdge"]
        NE["NovaEdge<br/>(All-in-One)"]
    end

    Before -.->|"replaces"| After

    style Before fill:#FFE4B5
    style After fill:#90EE90

| Feature | Traditional | NovaEdge |
|---|---|---|
| L7 Load Balancing | NGINX/Envoy | Built-in (12 algorithms) |
| L4 TCP/UDP Proxying | HAProxy/Envoy | Built-in |
| VIP Management | MetalLB | Built-in (L2/BGP/OSPF + BFD) |
| Rate Limiting | Envoy/Kong | Built-in (local + Redis) |
| Authentication | OAuth2 Proxy/Kong | Built-in (Basic/Forward/OIDC) |
| WAF | ModSecurity/Kong | Built-in (Coraza) |
| TLS/ACME | cert-manager/Traefik | Built-in + cert-manager support |
| WASM Plugins | Envoy | Built-in (Wazero) |
| Service Mesh | Istio/Linkerd | Built-in (TPROXY, no sidecars) |
| SD-WAN | Cisco Viptela/WireGuard scripts | Built-in (WireGuard + path selection) |
| Control-Plane VIP | kube-vip | Built-in (L2/BGP/BFD) |
| Components to manage | 4+ | 1 |

Full comparison: What NovaEdge Replaces

Key Features

  • L7 Load Balancing - HTTP/1.1, HTTP/2, HTTP/3 (QUIC), WebSockets, gRPC, SSE
  • L4 Proxying - TCP/UDP proxying with TLS passthrough
  • VIP Management - L2 ARP, BGP, OSPF modes with BFD and IPv6 dual-stack
  • Security - mTLS, OCSP stapling, PROXY protocol, WAF, authentication stack
  • Certificate Management - ACME, cert-manager, HashiCorp Vault integration
  • Policy Enforcement - Rate limiting, JWT auth, CORS, IP filtering, security headers
  • Extensibility - WASM plugins, composable middleware pipelines
  • Gateway API - Native support for Kubernetes Gateway API (HTTP, gRPC, TCP, TLS routes)
  • SD-WAN - WireGuard tunnels, multi-WAN link management, SLA-based path selection, STUN NAT traversal, DSCP QoS
  • Multi-Cluster - Hub-spoke federation with split-brain detection
  • Observability - OpenTelemetry tracing, Prometheus metrics, structured logging, Web UI

Quick Start

Get running in 2 minutes:

# Install the operator
helm install novaedge-operator ./charts/novaedge-operator \
  --namespace novaedge-system --create-namespace

# Deploy NovaEdge
kubectl apply -f - <<EOF
apiVersion: novaedge.io/v1alpha1
kind: NovaEdgeCluster
metadata:
  name: novaedge
  namespace: novaedge-system
spec:
  version: "v0.1.0"
  agent:
    vip:
      enabled: true
      mode: L2
EOF

# Verify
kubectl get pods -n novaedge-system

Full Quick Start Guide

Architecture at a Glance

flowchart TB
    subgraph Cluster["Kubernetes Cluster"]
        subgraph Control["Control Plane"]
            OP["Operator"]
            CTRL["Controller"]
        end

        subgraph Data["Data Plane"]
            A1["Agent"]
            A2["Agent"]
            A3["Agent"]
        end

        CRD[(CRDs)]
        SVC["Services"]
    end

    Client((Client)) --> VIP{{"VIP"}}
    VIP --> A1 & A2 & A3

    OP --> CTRL
    CTRL -->|"watches"| CRD
    CTRL -->|"configures"| A1 & A2 & A3
    A1 & A2 & A3 --> SVC

Components:

  • Operator - Manages NovaEdge lifecycle via NovaEdgeCluster CRD
  • Controller - Watches CRDs, builds config, distributes to agents via gRPC
  • Agents - Per-node DaemonSet handling traffic routing and VIP management

Learn more about the architecture

Use Cases

Hands-on guides for common deployment scenarios, each with architecture diagrams and complete configurations:

Documentation

User Guide

Service Mesh

  • Service Mesh - TPROXY-based mesh with mTLS and authorization

Security & Authentication

  • TLS - TLS termination, mTLS, OCSP stapling, ACME challenges
  • Authentication - Basic auth, forward auth, OIDC, JWT
  • Keycloak Integration - Keycloak OIDC provider setup
  • Policies - Rate limiting, CORS, JWT, IP filtering, security headers
  • WAF - Web Application Firewall (Coraza)

License

Apache License 2.0