Blog
March 15, 2022

Announcing Traefik Enterprise 2.6

With OIDC stateful mode and Microsoft AD support, Vault namespaces, and API portal enhancements.

We are pleased to announce the general availability of Traefik Enterprise 2.6, the latest update to our unified cloud native networking solution. Notably, this release focuses heavily on OpenID Connect (OIDC). Within the build/packaging mechanism, it also introduces a Docker image and binary that is compatible with ARM64.  Now, let's dig into the new features found in Traefik Enterprise 2.6.

OIDC improvements

The release of Traefik Enterprise 2.6 brings several improvements related to OpenID Connect (OIDC).

Stateful mode for OIDC middleware

Traefik Enterprise 2.6 includes the addition of a new stateful mode for OIDC middleware. The previous OIDC middleware offered a stateless option, requiring session data to be stored with cookies. Cookies can grow too large, introducing latency on the client’s side when they do.

With the new stateful mode, users can store all session data safely in a K/V store outside Traefik Enterprise, completely removing the overhead of storing cookies on the client application. The K/V stores currently supported include Consul, etcd, Zookeeper, and Redis. When enabled, they can reduce the total size of cookies used for client requests authenticating with OIDC from hundreds of kilobytes to just a few bytes. The introduction of a stateful mode will lower latency and increase efficiency.

Support for Microsoft AD

Traefik Enterprise 2.6 also brings two new customization options that can override the usual OIDC authorization flow. These options improve integrations with Microsoft Active Directory (AD) when using custom claims or enabling single sign-on without requiring consent after the user signs in.

Example of OIDC improvements

Below is an example of how OIDC can be configured to use a session store, with custom discovery and auth params applied on the authorization flow between Traefik Enterprise and the authentication server.

# Static Configuration
authSources:
  my-oidc-source:
    oidc:
      issuer: "http://my-auth-server-addr/auth/realms/traefik"
      clientID: "demo-app"
      clientSecret: "my-app-secret"
      #Required by Microsoft AD when returning custom claims
      discoveryParams:
        app-id: my-app-id
 
sessionStorages:
  consulStore:
    consul:
      tls: {}
      endpoints:
        - "my-consul-server:8501"
# Dynamic Configuration
http:
  middlewares:
    my-oidc:
      plugin:
        oidcAuth:
          source: my-oidc-source
          scopes:
            - openid
          redirectUrl: "/callback"
          session:
            store: consulStore
            name: "%s-session"
            path: "/"
            secret: my-secret-token
          # Overrides the prompt-consent option during the authorization phase with the IDP
          authParams:
                prompt: none
          forwardHeaders:
            X-Traefik-Group: groups
          claims: Contains(`groups`, `admin`)

Support for HashiCorp Vault namespaces

This release of Traefik Enterprise has improved support for HashiCorp Vault and Consul. It ensures compatibility with HashiCorp’s enterprise offerings by supporting their namespace isolation feature.

Currently, Traefik Enterprise supports Vault with two separate integrations. Firstly, a certificate resolver for Traefik leveraged the Vault PKI secrets engine. Secondly, a certificate store used its K/V secrets engine. Since there was no namespace configuration option, it was impossible to connect to a Vault enterprise instance that used that feature, such as the hosted option from HashiCorp, which uses namespaces by default.

Below is an example of a Vault PKI configuration.

certificatesResolvers:
     vaultpki:
       vault:
         url: "https://vault-cluster.mydomain:8200"
         auth:
           token: "my-secret-token"
         enginePath: "pki"
         role: "vault-role"
         namespace: "admin"

Below is an example of a Vault K/V configuration.

plugin:
    vault:
      url: "https://vault-cluster.mydomain:8200"
      auth:
        token: "my-secret-token"
      enginePath: "kv"
      syncInterval: "5s"
      rescanInterval: "60s"
      namespace: "certs"

If you’re interested in learning more about what you can do with the latest release of Traefik Enterprise, check out our blog post ‘Lock Down Your Network with Traefik Enterprise and Vault.‘

API portal enhancements

Traefik Enterprise 2.6 brings valuable enhancements to the API portal, all of which were requested by our customers. In previous versions of Traefik Enterprise, the API portal could only read JSON. It now reads YAML as well, following the direction of Open API.

It also supports more configuration options for how users fetch API endpoints. You can now specify arguments in the URL and specify the endpoint path for the API spec on the back-end.

Docker example:

labels:
  - "traefik.http.routers.openapi-yaml.entrypoints=web"
  - "traefik.http.routers.openapi-yaml.rule=Host(`openapi.docker.localhost`)"
  - "traefik.http.services.openapi-yaml.loadbalancer.server.port=8080"
  - "traefik.http.services.openapi-yaml.loadbalancer.apiportal.path=spec.yaml"

Kubernetes example:

apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/service.apiportal.path: spec.json
 
spec:
  ports:
    - name: web
      port: 80
  selector:
    app: traefiklabs
    task: whoami

Next steps

Traefik Enterprise 2.6 is only the latest iteration of our unified cloud native networking stack. In the future, we will continue evolving Traefik Enterprise to help ease the operations of modern, distributed applications.

If you’re new to or are learning about Traefik Enterprise, don’t hesitate to reach out if you’d like to request a demo or put your skills in action with a free, 30-day trial. And for more information, feel free to peruse our documentation.

As always, we would like to thank our customers for their continued support.

See the API Gateway Cloud Natives TrustWant to simplify the discovery, security, and deployment of APIs and microservices? Explore Traefik Enterprise today.Learn More

About the Author

Latest from Traefik Labs

How to Keep Your Services Secure With Traefik’s Rate Limiting
Blog

How to Keep Your Services Secure With Traefik’s Rate Limiting

Read more
Taming The Wild West of LLMs with Traefik AI Gateway
Blog

Taming The Wild West of LLMs with Traefik AI Gateway

Read more
GitOps-Driven Runtime API Governance: The Secret Sauce for Scale
Webinar

GitOps-Driven Runtime API Governance: The Secret Sauce for Scale

Watch now

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.