🦎 Axolotl

Pronounced /ˈæksəˌlɒtəl/ — “AK-suh-lot-ul” Kubernetes-Native Secure Access Platform Inspired by Pangolin. Reimagined for the cloud-native world.

---

🚧 Project Status

Axolotl is an early-stage project and currently under active development. APIs, components, and behaviors may change frequently until the first stable release.

---

🧠 Overview

Axolotl is a lightweight, modular, and Kubernetes-native Secure Access Gateway. It honors Pangolin — and its companions Newt (client agent) and Gerbil (tunnel manager) — while reimagining their design for distributed, declarative, and regenerative cloud environments.

Axolotl provides:

• Identity-aware tunneling
• Zero-trust reverse proxying
• Declarative access policies
• Full Kubernetes-native deployment with Operators and CRDs

---

🌱 The Name

Axolotl is a Mexican salamander known for its regenerative ability — it can regrow limbs, organs, and even parts of its brain. Like its namesake, this project embodies resilience, adaptability, and self-healing, aligning naturally with Kubernetes’ philosophy.

“It doesn’t metamorphose — it evolves continuously.” Axolotl symbolizes continuous regeneration of infrastructure through declarative design.

---

🧬 Architecture

High-Level Diagram

                  ┌──────────────────────────────┐
                  │         Axolotl Core         │
                  │ (Control Plane / Go + SQLite) │
                  │ - API / Policy Engine         │
                  │ - Config / CRD Controller     │
                  └──────────────┬───────────────┘
                                 │ gRPC / REST
 ┌────────────────────────────────┼────────────────────────────────┐
 │                                │                                │
 │                                │                                │
 │                   ┌────────────────────┐         ┌────────────────────┐
 │                   │   Axolotl Proxy    │         │   Axolotl Auth     │
 │                   │ (Reverse Proxy)    │         │ (OIDC / Policy)    │
 │                   └────────────────────┘         └────────────────────┘
 │                                │                                │
 │                                │                                │
 │                    ┌────────────────────┐                       │
 │                    │   Gerbil (Server)  │ <── WireGuard Tunnel ─┼──┐
 │                    │  Tunnel Manager    │                       │  │
 │                    └────────────────────┘                       │  │
 │                                                                │  │
 │                    ┌────────────────────┐                       │  │
 │                    │   Newt (Client)    │ <─── User / Device ───┘  │
 │                    │  Edge Agent        │                          │
 │                    └────────────────────┘                          │
 │                                                                │
 └────────────────────────────────────────────────────────────────┘

Component Summary

Component	Description	Technology
Core	Control plane managing configuration, CRDs, and policy orchestration	Go + SQLite
Auth	Identity provider integration (OIDC/OAuth2), token issuance	Go
Proxy	Reverse proxy & policy enforcement layer	Go
Edge (Newt)	Client-side agent establishing tunnels to Gerbil	Go (external module)
Tunnel (Gerbil)	WireGuard-based tunnel manager orchestrating secure links	Go (external module)
UI	Web console built with Nue.js for managing clusters, sites, and policies	Nue.js
Operator	Kubernetes Operator managing CRDs (AccessPolicy, TunnelSite, etc.)	Go + Controller Runtime

---

🧩 Key Features

• 🔐 Zero-Trust Access Control

  • Identity-aware authorization at every layer
  • Integrates OIDC / SSO providers via Axolotl Auth

• ☁️ Kubernetes-Native Design

  • Deploys as CRDs, Operators, and Ingress resources
  • Reconciles automatically with your cluster’s state

• ⚙️ Composable MSA Architecture

  • Modular microservices for Core, Auth, Proxy, and Edge
  • gRPC-based internal communication

• 💾 Lightweight Persistence

  • Embedded SQLite for simplicity
  • Optional PostgreSQL adapter for larger deployments

• 💻 Modern Dashboard

  • Built with Nue.js — minimal, reactive, and fast
  • Realtime policy insights, tunnel status, and resource maps

• 🌐 Full Pangolin Compatibility

  • Supports existing Newt and Gerbil agents
  • Configurable endpoints and targets via YAML or CRDs

---

🚀 Quick Start

Prerequisites

• Go 1.22+
• Node.js 20+
• Kubernetes 1.30+
• Helm 3+

Deployment

git clone https://github.com/mrchypark/axolotl
cd axolotl

# Build backend
make build

# Deploy CRDs and operator
kubectl apply -f deploy/crds
helm install axolotl ./charts/axolotl

# Forward dashboard
kubectl port-forward svc/axolotl-ui 8080:80
open http://localhost:8080

---

🧱 Configuration Example

apiVersion: axolotl.io/v1
kind: TunnelSite
metadata:
  name: dev-lab
spec:
  client: newt
  server: gerbil
  mode: wireguard
  resources:
    - name: internal-api
      target: http://10.0.1.12:8080
      accessPolicy: allow-authenticated

---

🔭 Roadmap

• Full Helm chart + CRD set
• WebSocket and TCP multiplexing
• Axolotl Operator (Go)
• Policy-as-Code (Rego)
• Distributed tracing (OpenTelemetry)
• Multi-cluster federation

---

❤️ A Tribute to Pangolin

“We don’t replace Pangolin. We continue its evolution.”

Pangolin pioneered modular access control with Newt and Gerbil. Axolotl carries that legacy forward — embracing Kubernetes-native design, self-healing infrastructure, and regenerative security.

---

🧑‍💻 Contributing

We welcome contributions! Fork, discuss, and submit PRs at GitHub Issues.

---

⚖️ License

MIT License © 2025 Chanyub Park

---

🧩 Summary Tagline

Axolotl — Regenerative, Declarative, Invisible Security for Kubernetes.