Announcing Traefik Enterprise 2.6

With OIDC stateful mode and Microsoft AD support, Vault namespaces, and API portal enhancements.

We are pleased to announce the general availability of Traefik Enterprise 2.6, the latest update to our unified cloud native networking solution. This release focuses heavily on OpenID Connect (OIDC). On the build and packaging side, it also introduces a Docker image and a binary that are compatible with ARM64. Now, let's dig into the new features found in Traefik Enterprise 2.6.

OIDC improvements

The release of Traefik Enterprise 2.6 brings several improvements related to OpenID Connect (OIDC).

Stateful mode for OIDC middleware

Traefik Enterprise 2.6 adds a new stateful mode to the OIDC middleware. Until now the middleware only had a stateless mode, in which all session data is kept in cookies on the client. Those cookies can grow large, and every request carries them, which adds latency on the client's side.

With the new stateful mode, users can store all session data in a K/V store outside Traefik Enterprise, leaving the client with only a small session cookie. The K/V stores currently supported are Consul, etcd, Zookeeper, and Redis. When enabled, stateful mode reduces the total size of the cookies sent with OIDC-authenticated client requests from hundreds of kilobytes to just a few bytes, lowering latency and improving efficiency. Note that the store then holds the users' session data, so it should be reachable only over TLS and with authentication, as the Consul example below shows with its `tls` setting.
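To make the difference between the two modes concrete, here is a small model of both, written for this post rather than taken from Traefik Enterprise: stateless mode puts the whole session in an HMAC-protected cookie, stateful mode keeps it in a server-side store and gives the client an opaque session ID. The sample session, the cookie secret and the in-memory store are constructed stand-ins; the real middleware's cookie encoding is not shown on this page.

```python
"""Stateless vs. stateful sessions for an OIDC-protected app, side by side.

Illustrative model only (not Traefik's code): stateless mode puts the whole
session in an HMAC-protected cookie; stateful mode puts it in a server-side
store and hands the client an opaque session ID.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample session, shaped like what an OIDC middleware keeps per
# user after the code exchange (real tokens are larger still).
SAMPLE_SESSION = {
    "sub": "a1b2c3",
    "email": "jane@example.com",
    "groups": ["developers"],
    "id_token": "eyJ" + "A" * 600,        # placeholder for a JWT
    "refresh_token": "rt-" + "B" * 200,   # placeholder
}

# Stand-in for the middleware's `session.secret`; must be random in practice.
COOKIE_SECRET = b"replace-with-a-long-random-value"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- stateless: everything travels in the cookie, integrity-protected ------

def stateless_cookie(session: dict, secret: bytes = COOKIE_SECRET) -> str:
    """Serialise the session and append an HMAC tag so the client cannot edit it."""
    payload = _b64(json.dumps(session, separators=(",", ":")).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def stateless_load(cookie: str, secret: bytes = COOKIE_SECRET) -> Optional[dict]:
    """Return the session, or None if the tag does not verify (tampered / wrong secret)."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(payload))


def forge_stateless_groups(cookie: str, new_group: str) -> str:
    """What an attacker would try: rewrite the payload and keep the old tag."""
    payload, _, tag = cookie.rpartition(".")
    data = json.loads(_unb64(payload))
    data["groups"].append(new_group)
    forged = _b64(json.dumps(data, separators=(",", ":")).encode())
    return f"{forged}.{tag}"


# ---- stateful: the cookie is an opaque ID, the data lives in a K/V store ---

class SessionStore:
    """In-memory stand-in for Consul/etcd/Zookeeper/Redis."""

    def __init__(self) -> None:
        self._data: dict = {}

    def create(self, session: dict) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits: the ID is a bearer credential
        self._data[sid] = session
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._data.get(sid)

    def revoke(self, sid: str) -> None:
        """Server-side logout: possible here, not with a self-contained cookie."""
        self._data.pop(sid, None)


def cookie_sizes(session: dict = SAMPLE_SESSION) -> dict:
    """Bytes the browser must send back per request in each mode."""
    store = SessionStore()
    return {
        "stateless": len(stateless_cookie(session)),
        "stateful": len(store.create(session)),
    }


if __name__ == "__main__":
    print(cookie_sizes())
```

Two properties fall out of the model. The stateless cookie is only as trustworthy as its secret: changing a single claim invalidates the tag, so the secret must be random and kept out of configuration files that are shared widely. The stateful ID is a bearer credential, so it must be unguessable, and in exchange the server can revoke a session at any time, which a self-contained cookie cannot offer without extra state.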

Support for Microsoft AD

Traefik Enterprise 2.6 also adds two customization options, discoveryParams and authParams, which add parameters to the OIDC discovery request and to the authorization request respectively. They improve integration with Microsoft Active Directory (AD) when custom claims are returned, and allow single sign-on to proceed without a consent prompt once the user has signed in.

Example of OIDC improvements

Below is an example that stores OIDC sessions in Consul and applies custom discovery and auth params to the authorization flow between Traefik Enterprise and the identity provider. Use an https issuer in production: with plain http, anyone on the path can rewrite the discovery document and redirect the token exchange.

# Static Configuration
authSources:
  my-oidc-source:
    oidc:
      # Use https: the discovery document is fetched from this URL
      issuer: "https://my-auth-server-addr/auth/realms/traefik"
      clientID: "demo-app"
      clientSecret: "my-app-secret"
      # Extra parameters for the discovery request;
      # required by Microsoft AD when returning custom claims
      discoveryParams:
        app-id: my-app-id

sessionStorages:
  consulStore:
    consul:
      tls: {}
      endpoints:
        - "my-consul-server:8501"

# Dynamic Configuration
http:
  middlewares:
    my-oidc:
      plugin:
        oidcAuth:
          source: my-oidc-source
          scopes:
            - openid
          redirectUrl: "/callback"
          session:
            store: consulStore
            name: "%s-session"
            path: "/"
            # Protects the session cookie; use a long random value
            secret: my-secret-token
          # Extra parameters for the authorization request. prompt=none asks
          # the IdP for silent sign-in with no login or consent page; if the
          # IdP cannot satisfy that it returns an error instead of a code
          authParams:
            prompt: none
          forwardHeaders:
            X-Traefik-Group: groups
          claims: Contains(`groups`, `admin`)
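Since `prompt: none` changes what the identity provider may send back, here is what that parameter means on the wire, shown from the relying party's side. This is an added illustration of the OIDC authorization request and callback handling, not Traefik's implementation; the endpoint, client ID and redirect URI are constructed, and a real relying party takes the endpoint from the issuer's discovery document.

```python
"""What `prompt=none` means on the wire, seen from a relying party.

Added illustration of the OIDC authorization request and callback handling
(not Traefik's implementation). The endpoint, client ID and redirect URI are
constructed; a real RP takes the endpoint from the issuer's discovery document.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "demo-app"
REDIRECT_URI = "https://app.example.com/callback"

# Errors an IdP returns instead of a code when prompt=none is set but it would
# have had to show the user a page (OpenID Connect Core 1.0, section 3.1.2.6).
INTERACTION_ERRORS = {
    "login_required",
    "consent_required",
    "interaction_required",
    "account_selection_required",
}


def new_token() -> str:
    """Unguessable per-request value, used for both state and nonce."""
    return secrets.token_urlsafe(24)


def query_params(url: str) -> dict:
    """First value of each query parameter in `url`."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_auth_url(state: str, nonce: str, prompt: Optional[str] = "none",
                   auth_params: Optional[dict] = None) -> str:
    """Authorization request URL; `auth_params` plays the role of authParams."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if prompt is not None:
        params["prompt"] = prompt
    if auth_params:
        params.update(auth_params)
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def idp_redirect(**params: str) -> str:
    """Simulated IdP response: the URL the browser is sent back to."""
    return f"{REDIRECT_URI}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Decide what to do with the IdP's redirect back to REDIRECT_URI."""
    query = query_params(callback_url)
    # 1. Check state first: a mismatch means this response is not for the
    #    request we issued (CSRF / mix-up), whatever else it carries.
    if not hmac.compare_digest(query.get("state", ""), expected_state):
        return {"action": "reject", "reason": "state mismatch"}
    # 2. Silent sign-in could not be satisfied: retry once with a prompt
    #    allowed, under fresh state and nonce values.
    error = query.get("error")
    if error in INTERACTION_ERRORS:
        state, nonce = new_token(), new_token()
        return {
            "action": "retry_interactive",
            "reason": error,
            "next_state": state,
            "next_nonce": nonce,
            "next_url": build_auth_url(state, nonce, prompt=None),
        }
    if error is not None:
        return {"action": "reject", "reason": error}
    # 3. Happy path: hand the code to the token endpoint.
    if "code" in query:
        return {"action": "exchange_code", "code": query["code"]}
    return {"action": "reject", "reason": "no code in response"}


if __name__ == "__main__":
    state, nonce = new_token(), new_token()
    print(build_auth_url(state, nonce))
    print(handle_callback(idp_redirect(error="login_required", state=state), state))
```

The point to take from it: `prompt=none` is a request for silent sign-in, not a guarantee of one. A relying party that sets it must be prepared for `login_required` and its siblings on the callback and fall back to an interactive request, and it must check `state` before looking at anything else in the response.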

Support for HashiCorp Vault namespaces

This release improves support for HashiCorp Vault and Consul by adding a namespace option, so Traefik Enterprise can work with the namespace isolation feature of HashiCorp's enterprise offerings.

Traefik Enterprise integrates with Vault in two places: a certificate resolver that issues certificates through the Vault PKI secrets engine, and a certificate store that reads certificates from the Vault K/V secrets engine. Neither had a namespace option, so they could not connect to a Vault Enterprise instance that uses namespaces, such as HashiCorp's hosted offering, which uses them by default.

Below is an example of a Vault PKI configuration.

certificatesResolvers:
  vaultpki:
    vault:
      url: "https://vault-cluster.mydomain:8200"
      auth:
        token: "my-secret-token"
      enginePath: "pki"
      role: "vault-role"
      namespace: "admin"

Below is an example of a Vault K/V configuration.

plugin:
  vault:
    url: "https://vault-cluster.mydomain:8200"
    auth:
      token: "my-secret-token"
    enginePath: "kv"
    syncInterval: "5s"
    rescanInterval: "60s"
    namespace: "certs"

If you're interested in learning more about what you can do with the latest release of Traefik Enterprise, check out our blog post 'Lock Down Your Network with Traefik Enterprise and Vault'.

API portal enhancements

Traefik Enterprise 2.6 brings valuable enhancements to the API portal, all of which were requested by our customers. In previous versions of Traefik Enterprise, the API portal could only read API specifications written in JSON. It now reads YAML as well, matching the OpenAPI specification, which allows either format.

It also adds options for how the portal fetches API specifications from the back-end: you can now pass query arguments in the URL and set the path at which the back-end serves its spec.

Docker example:

labels:
  - "traefik.http.routers.openapi-yaml.entrypoints=web"
  - "traefik.http.routers.openapi-yaml.rule=Host(`openapi.docker.localhost`)"
  - "traefik.http.services.openapi-yaml.loadbalancer.server.port=8080"
  - "traefik.http.services.openapi-yaml.loadbalancer.apiportal.path=spec.yaml"

Kubernetes example:

apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/service.apiportal.path: spec.json
spec:
  ports:
    - name: web
      port: 80
  selector:
    app: traefiklabs
    task: whoami

Next steps

Traefik Enterprise 2.6 is only the latest iteration of our unified cloud native networking stack. In the future, we will continue evolving Traefik Enterprise to help ease the operations of modern, distributed applications.

If you’re new to or are learning about Traefik Enterprise, don’t hesitate to reach out if you’d like to request a demo or put your skills in action with a free, 30-day trial. And for more information, feel free to peruse our documentation.

As always, we would like to thank our customers for their continued support.
