Announcing Traefik Enterprise 2.6
With OIDC stateful mode and Microsoft AD support, Vault namespaces, and API portal enhancements.
We are pleased to announce the general availability of Traefik Enterprise 2.6, the latest update to our unified cloud native networking solution. Notably, this release focuses heavily on OpenID Connect (OIDC). Within the build/packaging mechanism, it also introduces a Docker image and binary that is compatible with ARM64. Now, let's dig into the new features found in Traefik Enterprise 2.6.
OIDC improvements
The release of Traefik Enterprise 2.6 brings several improvements related to OpenID Connect (OIDC).
Stateful mode for OIDC middleware
Traefik Enterprise 2.6 includes the addition of a new stateful mode for OIDC middleware. The previous OIDC middleware offered a stateless option, requiring session data to be stored with cookies. Cookies can grow too large, introducing latency on the client’s side when they do.
With the new stateful mode, users can store all session data safely in a K/V store outside Traefik Enterprise, completely removing the overhead of storing cookies on the client application. The K/V stores currently supported include Consul, etcd, Zookeeper, and Redis. When enabled, they can reduce the total size of cookies used for client requests authenticating with OIDC from hundreds of kilobytes to just a few bytes. The introduction of a stateful mode will lower latency and increase efficiency.
Support for Microsoft AD
Traefik Enterprise 2.6 also brings two new customization options that can override the usual OIDC authorization flow. These options improve integrations with Microsoft Active Directory (AD) when using custom claims or enabling single sign-on without requiring consent after the user signs in.
Example of OIDC improvements
Below is an example of how OIDC can be configured to use a session store, with custom discovery and auth params applied on the authorization flow between Traefik Enterprise and the authentication server.
# Static Configuration
authSources:
my-oidc-source:
oidc:
issuer: "http://my-auth-server-addr/auth/realms/traefik"
clientID: "demo-app"
clientSecret: "my-app-secret"
#Required by Microsoft AD when returning custom claims
discoveryParams:
app-id: my-app-id
sessionStorages:
consulStore:
consul:
tls: {}
endpoints:
- "my-consul-server:8501"
# Dynamic Configuration
http:
middlewares:
my-oidc:
plugin:
oidcAuth:
source: my-oidc-source
scopes:
- openid
redirectUrl: "/callback"
session:
store: consulStore
name: "%s-session"
path: "/"
secret: my-secret-token
# Overrides the prompt-consent option during the authorization phase with the IDP
authParams:
prompt: none
forwardHeaders:
X-Traefik-Group: groups
claims: Contains(`groups`, `admin`)
Support for HashiCorp Vault namespaces
This release of Traefik Enterprise has improved support for HashiCorp Vault and Consul. It ensures compatibility with HashiCorp’s enterprise offerings by supporting their namespace isolation feature.
Currently, Traefik Enterprise supports Vault with two separate integrations. Firstly, a certificate resolver for Traefik leveraged the Vault PKI secrets engine. Secondly, a certificate store used its K/V secrets engine. Since there was no namespace configuration option, it was impossible to connect to a Vault enterprise instance that used that feature, such as the hosted option from HashiCorp, which uses namespaces by default.
Below is an example of a Vault PKI configuration.
certificatesResolvers:
vaultpki:
vault:
url: "https://vault-cluster.mydomain:8200"
auth:
token: "my-secret-token"
enginePath: "pki"
role: "vault-role"
namespace: "admin"
Below is an example of a Vault K/V configuration.
plugin:
vault:
url: "https://vault-cluster.mydomain:8200"
auth:
token: "my-secret-token"
enginePath: "kv"
syncInterval: "5s"
rescanInterval: "60s"
namespace: "certs"
If you’re interested in learning more about what you can do with the latest release of Traefik Enterprise, check out our blog post ‘Lock Down Your Network with Traefik Enterprise and Vault.‘
API portal enhancements
Traefik Enterprise 2.6 brings valuable enhancements to the API portal, all of which were requested by our customers. In previous versions of Traefik Enterprise, the API portal could only read JSON. It now reads YAML as well, following the direction of Open API.
It also supports more configuration options for how users fetch API endpoints. You can now specify arguments in the URL and specify the endpoint path for the API spec on the back-end.
Docker example:
labels:
- "traefik.http.routers.openapi-yaml.entrypoints=web"
- "traefik.http.routers.openapi-yaml.rule=Host(`openapi.docker.localhost`)"
- "traefik.http.services.openapi-yaml.loadbalancer.server.port=8080"
- "traefik.http.services.openapi-yaml.loadbalancer.apiportal.path=spec.yaml"
Kubernetes example:
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
annotations:
traefik.ingress.kubernetes.io/service.apiportal.path: spec.json
spec:
ports:
- name: web
port: 80
selector:
app: traefiklabs
task: whoami
Next steps
Traefik Enterprise 2.6 is only the latest iteration of our unified cloud native networking stack. In the future, we will continue evolving Traefik Enterprise to help ease the operations of modern, distributed applications.
If you’re new to or are learning about Traefik Enterprise, don’t hesitate to reach out if you’d like to request a demo or put your skills in action with a free, 30-day trial. And for more information, feel free to peruse our documentation.
As always, we would like to thank our customers for their continued support.
