Traefik Hub - API Gateway Perfection
Traefik Hub has profoundly transformed API Management. It provides a fully declarative approach to define, manage and run APIs while offering modularity and freedom of choice for its users through deep integration with the Cloud-Native ecosystem.
API Management brings critical capabilities to help companies handle their API fleet. Runtime API Governance is the cornerstone of Traefik Hub API Management: dynamic API discovery, logical grouping through collections, change and incident management through versioning and linters, and ease-of-consumption through developer portals. Traefik Hub API Management also adds an advanced security layer on top of it with industry-leading Granular Access Control and provides rich awareness and control of the whole API pool with precise monitoring and state-of-the-art observability.
Delivering on this simple yet powerful vision, Traefik Hub now delivers essential capabilities to help companies seamlessly start their API journey. See this as the wildly popular and familiar Traefik Proxy plus core API-focused features like Access Control (OAuth, OIDC, etc) and native scalability capabilities like Distributed Rate Limiting.
To put it more simply: Traefik Hub seamlessly transforms Traefik Proxy into the perfect API Gateway!
Let’s dig deeper into it.
From Traefik Proxy To Traefik Hub API Gateway
One key element of Traefik Hub API Gateway is how seamless it is to upgrade from Traefik Proxy. Take an existing Traefik Proxy ingress controller installed on Kubernetes.
- Step 1: Install the Traefik Hub agent with Helm, providing the same Traefik Proxy configuration options.
- Step 2: Remove Traefik Proxy, et voilà, you have a fully functioning API Gateway, that will act as the ingress controller exposing the existing ingress ressources.
API capabilities are configured using the Traefik Proxy middleware well known mechanism.
To illustrate this, let’s take a rate limiter attached to an IngressRoute used with Traefik Proxy:
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: ratelimit
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: ratelimit
spec:
rateLimit:
period: 1m
average: 600
To add OAuth authentication to this existing IngressRoute, just add an OAuth middleware and Traefik Hub will enforce OAuth authentication on it!
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: ratelimit
- name: oauth-client-creds
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: ratelimit
spec:
rateLimit:
period: 1m
average: 600
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth-client-creds
spec:
plugin:
oAuthClientCredentials:
url: https://tenant.auth0.com/oauth/token
How simple it is! As you can see, getting access to API Gateway capabilities when you already use Traefik Proxy is transparent.
Now, let’s explore all these new middlewares!
The many flavors of OAuth
OAuth 2.0 is an open standard dealing with resource access control and is the latest version of the authorization protocol OAuth. An OAuth client provides web, desktop, and mobile application authorization flows. We brought to Traefik Hub one of the most complete OAuth implementations which comes with two OAuth middlewares:
Token Introspection
Token introspection allows Traefik Hub to retrieve information about the user from an authentication server. Then, once the token is retrieved, it uses fine-grained configuration, including nested claims, to grant access or not to the route.
Let’s imagine that the token it retrieves is the following
{
"active": true,
"grp": "admin",
"scope": "reader writer deploy",
"referrer": "http://example.com/foo/bar",
"areas": [
"office",
"home"
]
}
You can validate this token using many functions, for example:
- Equals(‘grp’, ‘admin’) checks if the value of grp in the token is equal to “admin”
- Prefix(‘referrer’, ‘http://example.com’) checks if the value of referrer in the token starts with http://example.com
- Contains(‘referrer’, ‘/foo/’) checks if the value of referrer has the sub string foo. When used on an array of values, it will check whether the value is in the list or not.
- And others…
Most importantly, you can combine any of these using operators (and, or, not) creating powerful ways to express who should have access to what.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: oauth-oauth-intro
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth-oauth-intro
spec:
plugin:
oAuthIntrospection:
tokenSource:
header: Authorization
headerAuthScheme: Bearer
Client Credential
Client Credential allows Traefik Hub to secure routes using the OAuth 2.0 Client Credentials flow as described in the RFC 6749. Access tokens are cached using an external KV store.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: oauth-client-creds
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oauth-client-creds
spec:
plugin:
oAuthClientCredentials:
url: https://tenant.auth0.com/oauth/token
OIDC
OIDC is an authentication layer built on top of the OAuth 2.0 protocol. OpenID Connect allows an application to obtain user login information by exchanging cryptographic tokens with an identity provider and is often used to implement federated SSO between multiple applications. With OIDC, Traefik Hub allows you to delegate the authentication process to a third party (Google Accounts, LinkedIn, GitHub, etc.) to obtain the end-user information for authorization purposes, where you get the same set of functions / operators to define the rules.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: oidc
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc
spec:
plugin:
oidc:
issuer: "https://tenant.auth0.com/realms/myrealm"
redirectUrl: "/callback"
clientID: my-oidc-client-name
clientSecret: mysecret
JWT
JWT is a popular tool for authenticating API calls and single sign-on (SSO) applications. It’s a method of digitally signing information as a JSON object. The JWT includes a set of claims, which typically describe what an authenticated user is allowed to do. With JWT validation, Traefik Hub is capable of verifying the validity of the token, extracting its information, and then as usual checking against the rules you want to define.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: jwt
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: jwt
spec:
plugin:
jwt:
signingSecret: urn:k8s:secret:my-secret:signingSecret
API Keys
When you need a quick authorization mechanism, API Key is one of the best options. You configure the values that should allow consumption of the API, and where to retrieve it from (header, query param, cookie), and it’s as simple as that.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: apikey
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: apikey
spec:
plugin:
apiKey:
keySource:
header: Authorization
headerAuthScheme: Bearer
Distributed Rate Limit
When scaling Traefik Hub with standard rate limiting, each replica computes its own rate limit, meaning that if you configure 10 requests per second, you’re actually allowing (instance number) * request limit over time. When reaching the limit, depending on how well traffic is load-balanced between the instances, there might be some (small) inconsistencies in the response.
The distributed rate limit solves this problem and eases the configuration, allowing each replica to be aware of the remaining allowed requests. When you configure a given request per time allowance, you’re guaranteed that whatever the number of replicas you run, this is what will go to your service.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
entryPoints:
- web
routes:
- match: PathPrefix(`/foo`)
kind: Rule
services:
- name: service-foo
port: 80
middlewares:
- name: distributedratelimit
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: distributedratelimit
spec:
plugin:
distributedRateLimit:
limit: 100
Wrapping Up
An API journey is long and complex. The last thing you want is to choose the wrong product to support you. Start with an over-engineered product and your ability to quickly iterate under control will vanish. Start with a product you can’t upgrade and you will be locked in at an early stage, without the ability to evolve to more advanced practices and technologies.
Traefik Labs provides companies a very progressive stack to deploy and manage APIs. From the ingress controller use case with Traefik Proxy to route and load balance services, to the API Gateway with critical capabilities around security and centralized control, up to the full API Management solution. All this within Traefik Hub, the most modern and progressive API runtime platform for Cloud-Native environments.
