Announcing Traefik Enterprise 2.6

With OIDC stateful mode and Microsoft AD support, Vault namespaces, and API portal enhancements.

We are pleased to announce the general availability of Traefik Enterprise 2.6, the latest update to our unified cloud native networking solution. Notably, this release focuses heavily on OpenID Connect (OIDC). Within the build/packaging mechanism, it also introduces a Docker image and binary that is compatible with ARM64.  Now, let's dig into the new features found in Traefik Enterprise 2.6.

OIDC improvements

The release of Traefik Enterprise 2.6 brings several improvements related to OpenID Connect (OIDC).

Stateful mode for OIDC middleware

Traefik Enterprise 2.6 includes the addition of a new stateful mode for OIDC middleware. The previous OIDC middleware offered a stateless option, requiring session data to be stored with cookies. Cookies can grow too large, introducing latency on the client’s side when they do.

With the new stateful mode, users can store all session data safely in a K/V store outside Traefik Enterprise, completely removing the overhead of storing cookies on the client application. The K/V stores currently supported include Consul, etcd, Zookeeper, and Redis. When enabled, they can reduce the total size of cookies used for client requests authenticating with OIDC from hundreds of kilobytes to just a few bytes. The introduction of a stateful mode will lower latency and increase efficiency.

Support for Microsoft AD

Traefik Enterprise 2.6 also brings two new customization options that can override the usual OIDC authorization flow. These options improve integrations with Microsoft Active Directory (AD) when using custom claims or enabling single sign-on without requiring consent after the user signs in.

Example of OIDC improvements

Below is an example of how OIDC can be configured to use a session store, with custom discovery and auth params applied on the authorization flow between Traefik Enterprise and the authentication server.

# Static Configuration
      issuer: "http://my-auth-server-addr/auth/realms/traefik"
      clientID: "demo-app"
      clientSecret: "my-app-secret"
      #Required by Microsoft AD when returning custom claims
        app-id: my-app-id
      tls: {}
        - "my-consul-server:8501"
# Dynamic Configuration
          source: my-oidc-source
            - openid
          redirectUrl: "/callback"
            store: consulStore
            name: "%s-session"
            path: "/"
            secret: my-secret-token
          # Overrides the prompt-consent option during the authorization phase with the IDP
                prompt: none
            X-Traefik-Group: groups
          claims: Contains(`groups`, `admin`)

Support for HashiCorp Vault namespaces

This release of Traefik Enterprise has improved support for HashiCorp Vault and Consul. It ensures compatibility with HashiCorp’s enterprise offerings by supporting their namespace isolation feature.

Currently, Traefik Enterprise supports Vault with two separate integrations. Firstly, a certificate resolver for Traefik leveraged the Vault PKI secrets engine. Secondly, a certificate store used its K/V secrets engine. Since there was no namespace configuration option, it was impossible to connect to a Vault enterprise instance that used that feature, such as the hosted option from HashiCorp, which uses namespaces by default.

Below is an example of a Vault PKI configuration.

         url: "https://vault-cluster.mydomain:8200"
           token: "my-secret-token"
         enginePath: "pki"
         role: "vault-role"
         namespace: "admin"

Below is an example of a Vault K/V configuration.

      url: "https://vault-cluster.mydomain:8200"
        token: "my-secret-token"
      enginePath: "kv"
      syncInterval: "5s"
      rescanInterval: "60s"
      namespace: "certs"

If you’re interested in learning more about what you can do with the latest release of Traefik Enterprise, check out our blog post ‘Lock Down Your Network with Traefik Enterprise and Vault.‘

API portal enhancements

Traefik Enterprise 2.6 brings valuable enhancements to the API portal, all of which were requested by our customers. In previous versions of Traefik Enterprise, the API portal could only read JSON. It now reads YAML as well, following the direction of Open API.

It also supports more configuration options for how users fetch API endpoints. You can now specify arguments in the URL and specify the endpoint path for the API spec on the back-end.

Docker example:

  - "traefik.http.routers.openapi-yaml.entrypoints=web"
  - "traefik.http.routers.openapi-yaml.rule=Host(`openapi.docker.localhost`)"
  - ""
  - ""

Kubernetes example:

apiVersion: v1
kind: Service
  name: whoami
  namespace: default
  annotations: spec.json
    - name: web
      port: 80
    app: traefiklabs
    task: whoami

Next steps

Traefik Enterprise 2.6 is only the latest iteration of our unified cloud native networking stack. In the future, we will continue evolving Traefik Enterprise to help ease the operations of modern, distributed applications.

If you’re new to or are learning about Traefik Enterprise, don’t hesitate to reach out if you’d like to request a demo or put your skills in action with a free, 30-day trial. And for more information, feel free to peruse our documentation.

As always, we would like to thank our customers for their continued support.

Secure, manage, & scale all your APIs.See how Traefik Enterprise simplifies, automates, and centralizes API management and security with one easy-to-use solution.Learn More
Related Posts
Traefik Proxy 2.4 Adds Advanced mTLS, Kubernetes Service APIs, and More

Traefik Proxy 2.4 Adds Advanced mTLS, Kubernetes Service APIs, and More

Manuel Zapf
Product News
January, 2021

Traefik 2.4 adds many nice enhancements such as ProxyProtocol Support on TCP Services, Advanced support for mTLS, Initial support for Kubernetes Service API, and more than 12 enhancements from our beloved community.

Announcing Multi-Cluster Let’s Encrypt and Plugin Support in Traefik Enterprise 2.4

Announcing Multi-Cluster Let’s Encrypt and Plugin Support in Traefik Enterprise 2.4

Nicolas Mengin
Product News
January, 2021

Traefik Enterprise 2.4 brings new features to ease multi-cluster platform management, integration with Traefik Pilot, and more.

Announcing Traefik Proxy 2.6

Announcing Traefik Proxy 2.6

Douglas De Toni Machado
Product News
January, 2022

We are very happy to announce the general availability of Traefik Proxy 2.6, the latest update to our cloud native edge router and application proxy solution.

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.