Announcing Traefik Proxy v3.1

Traefik v3.0 was released less than 3 months ago with key new features such as WASM, OpenTelemetry, and Kubernetes Gateway API support. Community feedback on v3 has been overwhelmingly positive (thank you!) and extremely motivating to continue improving Traefik Proxy. Today we are thrilled to release v3.1, which further enhances the WASM and Gateway API integrations.

With Gateway API now poised to become the new standard for exposing resources within a Kubernetes cluster, we are proud to announce that Traefik v3.1’s Kubernetes Gateway API is ready for production use 🎉

Let’s jump in!

Gateway API now production ready

Traefik has been a GatewayController since the early days of the Gateway API specification, but needed some adjustments to pass the conformance tests and fully meet the specification. Traefik v3.1 now meets and exceeds 100% of the core requirements, as shown in our SIG network conformance tests report. Our GatewayAPI provider is now ready for production use!

Oh, by the way, we just released a deep dive into Gateway API & Traefik; we strongly invite you to check it out.

Let’s see what’s new in v3.1 with Gateway API. First things first: if you were already using Gateway API in Traefik, you can now remove the experimental option from the Helm chart:

## File values.yaml ##
experimental:
  kubernetesGateway:
    enabled: true

As usual, you can enable Gateway API by simply enabling kubernetesGateway:

## File values.yaml ##
providers:
  # Disable the Ingress provider (optional)
  # We do not want to use Ingress objects anymore!
  kubernetesIngress:
    enabled: false
  # Enable the GatewayAPI provider
  kubernetesGateway:
    enabled: true
# Allow the Gateway to expose HTTPRoute from all namespaces
gateway:
  namespacePolicy: All

Now that you are up and running, let’s dig deeper into the changes made in Traefik.

Improved Status Management

Status management is an important piece of the Gateway API, enabling real-time monitoring of your infrastructure to ensure your GatewayAPI objects are ready to manage traffic. In Traefik v3.1, we've improved support for status management across all GatewayAPI objects, especially HTTPRoutes. Our status calculation now aligns perfectly with the GatewayAPI specification, giving you production-ready status monitoring of your objects.

Route Priority Updates

Traefik has always used a route priority mechanism based on the rule length to prevent overlaps.

However, the GatewayAPI specification has its own priority rules, which differ from Traefik. In Traefik v3.1, we've updated our priority calculation for HTTPRoutes. This ensures that you can switch to Traefik from any other GatewayController without changing your route-matching system.

Introducing ReferenceGrant

The Ingress specification has always struggled with cross-namespace references because of security issues. However, in some cases, like multi-tenant environments, cross-namespace references are essential. Traefik has previously allowed such references through our custom IngressRoute, by adding a specific option to allow it (though security concerns remain).

With GatewayAPI's ReferenceGrant object, these security issues are addressed.

Using ReferenceGrant, you can now declare a Gateway in Traefik that serves a TLS certificate stored in a secret from another namespace or an HTTPRoute targeting a Service in a different namespace. This new feature makes cross-namespace referencing secure and straightforward.

# HTTPRoute in the default namespace.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-http
  namespace: default
spec:
  parentRefs:
    - name: traefik
      kind: Gateway
  rules:
    - backendRefs:
        - name: whoami
          namespace: whoami
          port: 80
# ReferenceGrant and Service in the whoami namespace.
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: whoami
  namespace: whoami
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: default
  to:
    - group: ""
      kind: Service
      name: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoami
spec:
  selector:
    app: whoami
  ports:
    - port: 80
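
The grant check described in this section, as an added example (not code from Traefik or from the original post). It covers both cases the text names, HTTPRoute to Service and Gateway to TLS Secret; manifests are Python dicts shaped like the YAML above, and the function names, the `certs` namespace and the `whoami-tls` Secret are hypothetical.

```python
GW = "gateway.networking.k8s.io"  # API group of HTTPRoute and Gateway

def outbound_refs(obj):
    """Return (group, kind, namespace, name) for each reference obj makes."""
    ns, spec = obj["metadata"]["namespace"], obj.get("spec", {})
    if obj["kind"] == "HTTPRoute":
        refs = [r for rule in spec.get("rules", []) for r in rule.get("backendRefs", [])]
        default_kind = "Service"
    elif obj["kind"] == "Gateway":
        refs = [r for lis in spec.get("listeners", [])
                for r in lis.get("tls", {}).get("certificateRefs", [])]
        default_kind = "Secret"
    else:
        return []
    return [(r.get("group", ""), r.get("kind", default_kind),
             r.get("namespace", ns), r["name"]) for r in refs]

def granted(src, target, grants):
    """True if a ReferenceGrant in the target's namespace allows src -> target."""
    group, kind, ns, name = target
    for g in grants:
        if g["metadata"]["namespace"] != ns:
            continue  # a grant only counts in the namespace that owns the target
        from_ok = any(f["group"] == GW and f["kind"] == src["kind"]
                      and f["namespace"] == src["metadata"]["namespace"]
                      for f in g["spec"]["from"])
        to_ok = any(t["group"] == group and t["kind"] == kind
                    and t.get("name", name) == name  # no name = whole kind
                    for t in g["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False

def ungranted(objects):
    """List (source name, target) for cross-namespace refs no grant covers."""
    grants = [o for o in objects if o["kind"] == "ReferenceGrant"]
    return [(o["metadata"]["name"], t) for o in objects for t in outbound_refs(o)
            if t[2] != o["metadata"]["namespace"] and not granted(o, t, grants)]

# Constructed input: the HTTPRoute and ReferenceGrant from this page as dicts, plus
# a hypothetical Gateway whose TLS Secret sits in a "certs" namespace, ungranted.
ROUTE = {"kind": "HTTPRoute", "metadata": {"name": "whoami-http", "namespace": "default"},
         "spec": {"rules": [{"backendRefs": [{"name": "whoami", "namespace": "whoami"}]}]}}
GRANT = {"kind": "ReferenceGrant", "metadata": {"name": "whoami", "namespace": "whoami"},
         "spec": {"from": [{"group": GW, "kind": "HTTPRoute", "namespace": "default"}],
                  "to": [{"group": "", "kind": "Service", "name": "whoami"}]}}
GATEWAY = {"kind": "Gateway", "metadata": {"name": "traefik", "namespace": "default"},
           "spec": {"listeners": [{"tls": {"certificateRefs": [
               {"name": "whoami-tls", "namespace": "certs"}]}}]}}
print(ungranted([ROUTE, GRANT, GATEWAY]))
```

Running it reports only the Gateway's certificate reference into `certs`; the route's reference into `whoami` is covered by the grant that lives in that namespace.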

Beyond the core features

In addition to the core features required to meet the specification, GatewayAPI offers optional extended features that a GatewayController can implement. Traefik v3.1 brings several of these extended features, including HTTPURLRewriteFilter, HTTPRouteRedirect, and support for method and query parameter matching.

More than the specification

When we started our journey with GatewayAPI, our goal was not just to meet the specification but to bring the same robust feature set as our own Kubernetes provider. That's why Traefik v3.1 also includes support for TCPRoute and TLSRoute, as well as the ability to add Traefik middlewares to your HTTPRoutes using the ExtensionRef mechanism. These features provide even more flexibility and control over your traffic management.

# HTTPRoute in the default namespace.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-http
  namespace: default
spec:
  parentRefs:
    - name: traefik
      kind: Gateway
  rules:
    - backendRefs:
        - name: whoami
          namespace: default
          port: 80
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: add-prefix
# Traefik Middleware.
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: add-prefix
  namespace: default
spec:
  addPrefix:
    prefix: /prefix

WASM better than ever

Traefik v3.0 introduced support for WASM plugins along with the original Yaegi plugins. However, the WASM support had some limitations. One of the limitations was the inability to make HTTP calls using the Go standard library from plugins. The technical reason for this is that a function export mechanism is needed for this, and it’s not yet implemented in Go (but is an accepted proposal).

The team found a workaround to simulate WASM exports in a WASM compiler in Go. As of today, it is possible to create a full-featured WASM plugin in Traefik that makes HTTP calls (through the host), imports any Go library, etc.

On top of that, we added the possibility to mount shared directories in plugins and also to configure environment variables.

experimental:
  plugins:
    example:
      moduleName: github.com/traefik/plugindemowasm-http-call
      version: v0.0.2
      settings:
        mounts:
          - /path:/path:ro # Read only mount
          - /tmp/test:/tmp/test # Read Write mount
        envs:
          - TEST_ENV_1
          - TEST_ENV_2

Here is a simple example of a WASM plugin that makes HTTP calls through the host.

# Static configuration
experimental:
  plugins:
    example:
      moduleName: github.com/traefik/plugindemowasm-http-call
      version: v0.0.2
---
# Dynamic configuration
http:
  routers:
    my-router:
      rule: host(`demo.localhost`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - my-plugin
  services:
    service-foo:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:5000
  middlewares:
    my-plugin:
      plugin:
        example:
          headerName: X-World-Time

Thanks to this innovative and unique approach, WASM is now a powerful plugin platform in Traefik that we will continue to improve upon moving forward.

Other Improvements

Several contributions were made on Kubernetes:

Another great contribution came from Antoine Aflalo who added Zstandard to the compress middleware (in addition to Gzip & Brotli). This algorithm is much faster, especially at decompressing.

Support for Content-Security-Policy-Report-Only was added by Roman Donchenko to the headers middleware.

Finally, we added support for systemd socket activation, which allows systemd to listen on a socket and dynamically start the associated service. Simply use the same name for your entrypoint and file descriptor, and Traefik will start on demand from systemd.

The full release note is available here.

Conclusion

Traefik release notes are usually pretty packed and this one is no exception. Traefik v3.1 brings critical features to the project with state-of-the-art WASM support that makes Traefik’s plugin platform one of the best in the industry. Being a Kubernetes native product, it goes without saying that Traefik closely follows the latest evolutions of the platform. Traefik is now getting full support of Gateway API v1.1.0 and is ready for production use.

Traefik is almost 10 years old, but like a good wine, is still getting better and better 🙂.

Lastly, a huge thank you to all contributors. Your assistance is invaluable.

See you on GitHub!

This is a companion discussion topic for the original entry at https://traefik.io/blog/announcing-traefik-proxy-v3-1

Thanks for the great work Emile!

Are there any plans to support the Gateway API in the community dashboard?
Since we're turning off the IngressProvider in the dashboard.
Simply enabling the kubernetes gateway providers in the args annotation isn't ready yet, correct?