Announcing Traefik Enterprise 2.8 | Traefik Labs

With API Portal segmentation, improvements to our HashiCorp integrations, and OAuth Introspection middleware enhancements.

The latest version of Traefik Enterprise is live and, as always, it is packed with new features and enhancements. For this release, we focused on privacy and security improvements, several additions and improvements to our HashiCorp integrations, as well as a couple of minor updates to the web UI.

Let’s dig in!

API Portal segmentation

The Traefik Enterprise API Portal displays all the API specifications from your services into a web UI. Having privacy in mind, we are introducing a new function for the API Portal where information can be segmented and exposed to separate groups.

With API Portal groups, users can define which API Portal services are exposed to certain groups. For example, an organization can define a group for its internal development team and another group for external customers. This also allows organizations to present curated information to customers by exposing dedicated APIs to different customers.

You can define the services that are exposed to each group by adding the apiportal.groups annotation to your services.

Traefik Enterprise then dynamically creates new API Portals for each group that is referenced this way. You can configure the path to the endpoint serving the API specification file for each group. Groups that do not set an explicit path default to the path of the service, if set, or to the one defined in the static configuration.

Note: All API specifications are always exposed in the default API Portal.

HashiCorp integrations

This Traefik Enterprise release brings three important improvements to our HashiCorp integrations.

HashiCorp Consul full namespace support

This feature improves the support for Consul Enterprise and the HashiCorp Cloud Platform (HCP) by introducing the configuration key namespaces that allows you to reference multiple target namespaces from a single provider configuration.

Learn more about this feature here.

HashiCorp Nomad provider

With the release of Nomad Version 1.3, Traefik is now the first reverse proxy that integrates natively with the new Nomad Service Discovery. With Traefik Enterprise 2.8, users can benefit from built-in support for HashiCorp Nomad that improves direct usability in test environments and at the edge.

Learn more about this integration here.

Kubernetes auth for HashiCorp Vault

In our continuous effort to improve our integration with HashiCorp Vault and Kubernetes, we are adding support for Kubernetes auth. HashiCorp Vault supports multiple authentication methods and, up until now, Traefik Enterprise supported the use of Token and AppRole.

Starting from Traefik Enterprise 2.8, you can now authenticate to Vault using Kubernetes auth. This authentication method is particularly handy for users that have their Vault installation deployed in a Kubernetes cluster.

Here’s how you can configure Traefik Enterprise to authenticate to Vault using Kubernetes auth:

providers:
  plugin:
    vault:
      url: 'http://vault:8200'
      enginePath: secret
      syncInterval: 1
      rescanInterval: 1
      auth:
        kubernetes:
          role: traefikee
          path: kubernetes

To learn more about this feature, you can also check out the official HashiCorp Vault documentation.

Improving the OAuth Introspection middleware

The OAuth 2.0 Token Introspection allows Traefik Enterprise to retrieve metadata about an access token from an OAuth server using the Token Introspection extension. With the new Traefik Enterprise release, we are enhancing the OAuth Introspection middleware by improving the option to forward custom headers from the user request within the Introspection request.

Traefik Enterprise users have always been able to set custom headers on the Introspection request, but to do so, the values of the headers had to be hard-coded in the configuration. Starting from Traefik Enterprise 2.8, the value of these headers can be dynamically set based on the values from the original request using the Go templating.

authSources:
  oAuthIntroSource:
    oAuthIntrospection:
      customHeaders:
        Authorization: Basic dGVzdDp0ZXN0
        Source: traefikee
        Request-Host: {{ .Request.Host }}

Up until Traefik Enterprise 2.7, users could add a single global tag for Datadog. With the latest version, we are enhancing our Datadog integration and allowing users to add multiple tags, as seen below. This improvement provides better observability for aggregate data points in Datadog.

tracing:
  datadog:
    globalTags:
      foo: bar
      env: example

Web UI updates

Traefik Enterprise 2.8 comes with a couple of minor updates to the dashboard. Namely, you can now easily access the Plugin Catalog and Traefik Hub directly from the dashboard.

Next steps

This release is packed with big and small updates that will certainly help you tackle a few production challenges.

If you haven’t yet seen Traefik Enterprise in action, feel free to book a demo and discover everything Traefik Enterprise has to offer for your production environments.

Secure, manage, & scale all your APIs. Want to simplify API management and security? Request a demo today and see Traefik Enterprise in action.Request a demo


This is a companion discussion topic for the original entry at https://traefik.io/blog/announcing-traefik-enterprise-2-8/