Announcing Multi-Cluster SSL and Plugins in Traefik Enterprise 2.4

As we ring in the New Year, Traefik Labs is proud to start 2021 with the release of a new version of Traefik Enterprise, our flagship unified cloud-native networking solution. Traefik Enterprise 2.4 brings new features to ease multi-cluster platform management, integration with Traefik Pilot, and more.

Visibility via Traefik Pilot Integration

Monitoring is a top concern of Traefik Enterprise customers. You’ve told us that you want to be able to monitor your traffic at a glance from the Traefik Enterprise dashboard.

To help you to achieve this goal, Traefik Enterprise 2.4 is now integrated with Traefik Pilot, our monitoring and management SaaS platform.

With the new version of Traefik Enterprise, you can now access the Traefik Pilot UI from your Traefik Enterprise dashboard and monitor crucial data points, including:

  • Health status and availability alerts
  • Version information and security alerts
  • Performance metrics:
      • Requests per second
      • Total requests
      • Request duration

Customize Your Clusters with Plugins

Traefik Enterprise ships with features designed to solve the most pressing problems facing companies today. Its built-in middlewares provide features such as enterprise-grade authentication and authorization, distributed rate limiting, HTTP caching, and more.

But each company has its own, unique needs. That's why, in addition to the current middlewares, Traefik Enterprise 2.4 provides support for plugins, a new way for customers to build their own middleware functions. You can create and use two kinds of plugins:

  • Community plugins. These allow customers to create middlewares and share them with the whole Traefik community via the Traefik Pilot public plugin catalog. You can contribute your own or use ones designed by others.
  • Private plugins. Traefik Enterprise also allows you to create proprietary plugins and deploy them exclusively to proxy instances on your own clusters.

Under the hood, Traefik Enterprise clusters embed a new Plugin Registry that houses both your public and your private plugins.

The teectl CLI includes new commands to insert, list and delete plugins.

$ teectl create pl --archivepath=./private-plugin.zip --version=v0.0.1
$ teectl get plugins
 SUMMARY                                                   MODULE                          VERSION
 [Demo] Add Request Header                                 privateplugin/demo              v0.0.1
 Blacklist (or whitelist) IP depending on some conditions  github.com/tommoulard/fail2ban  v0.4.0
$ teectl delete pl --modulename=privateplugin/demo --version=v0.0.1 

You can find more information about how to create plugins in the documentation.

Expand Security with Multi-Cluster Let’s Encrypt

Increasingly today, managing multiple clusters is the new normal. But as clusters proliferate, the burden of TLS certificate management increases. Admins want to delegate this responsibility to Let's Encrypt, but integrating automated certificate management in a distributed environment is hard. How to avoid generating duplicate certificates? How to share certificates? That's where Traefik Enterprise 2.4 comes in.

Traefik Enterprise clusters can now communicate with an external agent to share Let's Encrypt certificates. The operating principle is simple: Traefik Enterprise clusters reach the agent to request certificates, the agent generates the certificates, and it stores them in a HashiCorp Vault instance. This Vault instance is used by your Traefik Enterprise clusters to provide the certificates, and the cycle is complete.

For more information, take a look at our User Guide.

Centralized Authorization with Open Policy Agent

The more services you integrate into your infrastructure, the more complicated your access policies become. You have to define who can reach each service, who can read data from it, who can modify that data, and so on.

To make your life easier, Traefik Enterprise 2.4 includes an Open Policy Agent (OPA) middleware to centralize authorization management. OPA is a popular policy engine that allows you to define fine-grained authorization rules using a declarative language: Rego.

You just have to provide your policies to Traefik Enterprise, and... voilà!

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
 name: my-opa-middleware
 namespace: traefikee
spec:
 plugin:
   opa:
     # Define the value to check in the rego rule to allow the access
     allow: data.example.authz.allow
     # Add a header to the request
     forwardHeaders:
       # Add the header "Group" with the value set to 
       # "data.example.authz.group" in the rego rule
       Group: data.example.authz.group
     policy: |
       package example.authz
       default allow = false
       default group = ""
       # Use the JWT token claims to manage Authorization
       # Note: io.jwt.decode only parses the token; it does not
       # verify its signature
       auth := split(input.headers.Authorization, " ")
       jwtDecode := io.jwt.decode(auth[1])
       payload := jwtDecode[1]
       allow {
         # Restrict the access to the claim "email"
         # with the value "foo@example.com"
         payload["email"] == "foo@example.com"
       }
       # If allow is true, group will hold payload["grp"] value
       group = g {
         allow
         g = payload["grp"]
       }

Traefik Enterprise’s OPA middleware embeds an agent that interprets the rules and secures access to your services. Because you no longer need an external authorization agent, you simplify your architecture and reduce latency.

For more information, you can consult our User Guide.
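
The policy above reads its claims with io.jwt.decode, which parses a token without checking its signature. The following Python model of the same allow/group decision is an added example, not Traefik Enterprise or OPA code: it evaluates the claims only after an HS256 signature check, which is the role OPA's io.jwt.decode_verify builtin plays in Rego. The shared secret, the Bearer scheme check and the helper names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

DENY = {"allow": False, "forward": {}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token to use as sample input."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def authorize(headers: dict, secret: bytes) -> dict:
    """Mirror the policy's allow/group rules, but only on a verified token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return DENY                      # like "default allow = false"
    head, body, sig = parts
    try:
        header = json.loads(unb64url(head))
        payload = json.loads(unb64url(body))
        given = unb64url(sig)
    except ValueError:                   # bad base64, bad UTF-8 or bad JSON
        return DENY
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return DENY
    # Pin the algorithm instead of trusting whatever the header announces.
    if header.get("alg") != "HS256":
        return DENY
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return DENY                      # claims were altered or key differs
    if payload.get("email") != "foo@example.com":
        return DENY
    # Same as the "group" rule: forwarded only when allow is true.
    return {"allow": True, "forward": {"Group": payload.get("grp", "")}}
```
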

What's Next

With the integration of Traefik Pilot and the creation of the Let’s Encrypt ACME agent, Traefik Enterprise brings important new functionality for managing multi-cluster platforms. In 2021, we’ll continue to develop enterprise-specific features to solve networking issues for companies who choose Traefik Enterprise.

Join our webinar on February 17 to learn more about this new release and see a live demo of Traefik Enterprise. If you want to test drive this new version, sign up for a free trial of Traefik Enterprise 2.4.


This is a companion discussion topic for the original entry at https://traefik.io/blog/announcing-multi-cluster-lets-encrypt-and-plugin-support-in-traefik-enterprise-2-4/