New authentication features for API gateways and more
After one year of existence, TraefikEE has grown up to add much more value on top of Traefik open source.
While Traefik open source is laser-focused on being a world-class reverse proxy optimized to manage external incoming connections, this release adds crucial new capabilities designed to tame the complexity of managing internal connections, especially with enhanced security options.
TraefikEE 2.1 now provides support for three new authentication protocols: JWT, HMAC, and OAuth2 Token Introspection, that can be used to easily secure both external and internal traffic.
Also included in this release: enhanced cluster management, Traefik 2.2 support, and RedHat OpenShift certification.
Three flavors of Authentication
Deploying a microservice architecture requires managing an infrastructure with many APIs. These APIs are reached by both external and internal systems, and the necessity to secure access to all your APIs takes on fundamental importance.
TraefikEE has acknowledged this need, first by adding the LDAP middleware, and now by adding JWT, HMAC, and OAuth2 Token Introspection.
No matter what your security needs are, TraefikEE has a middleware that can help!
First flavor: JWT
JWT is a very popular technology to quickly secure your infrastructure, and TraefikEE now embeds a dedicated middleware to complement your microservice architecture. All it takes is one extra line of configuration!
services:
  whoami:
    image: containous/whoami
    labels:
      # … routing labels...
      - "traefik.http.middlewares.test-jwtAuth.plugin.jwtAuth.source=my-jwt-src" # Authentication Source declared in another place.
And for the icing on the cake, the JWT middleware behavior can be extended to allow operations such as authorization (using claims), and header forwarding.
services:
  whoami:
    image: containous/whoami
    labels:
      # … routing labels...
      - "traefik.http.middlewares.test-jwtAuth.plugin.jwtAuth.source=my-jwt-src" # Authentication Source declared in another place.
      - "traefik.http.middlewares.test-jwtAuth.plugin.jwtAuth.claims=Equals(`team`, `admin`) || Equals(`team`, `dev`)" # Only users from admin and dev teams can reach your services.
Second flavor: OAuth2 Token Introspection
Now, if you've already deployed an OAuth2 server with a token introspection endpoint, you probably want to leverage it to secure your services.
Good news then, TraefikEE can connect to it and add an authorization layer directly in your routing configuration. Securing a service has never been so easy!
# Static Configuration
authSources:
  oait-src:
    oAuthIntrospection:
      url: http://myoauth2server # OAuth2 server endpoint
      authorizationHeader: Basic XXxxxx # Type of authentication

version: '3.4'
services:
  whoami:
    image: containous/whoami
    deploy:
      labels:
        # Dynamic Configuration
        # … routing labels...
        - "traefik.http.middlewares.test-oauth-intro.plugin.oAuthIntrospection.source=oait-src"
        - "traefik.http.middlewares.test-oauth-intro.plugin.oAuthIntrospection.claims=Equals(`team`, `admin`) || Equals(`team`, `dev`)" # Only users from admin and dev teams can reach your services.
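The claims rule used by both the JWT and the OAuth2 Token Introspection middlewares above only makes sense on claims that have already been validated. The following is an added example, not TraefikEE code: it assumes an HS256 shared-secret JWT source and an `exp` check (the page does not say how `my-jwt-src` validates tokens), and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

ALLOWED_TEAMS = {"admin", "dev"}  # Equals(`team`, `admin`) || Equals(`team`, `dev`)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 token; used here only to construct sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def jwt_claims(token: str, secret: bytes, now: int):
    """Return the claims of a valid token, or None if it must be rejected."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm: a header saying "none" or anything else is refused.
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def introspection_claims(response: dict):
    """RFC 7662: only a response with "active": true describes a usable token."""
    return response if response.get("active") is True else None

def authorize(claims) -> bool:
    """Apply the claims rule only to claims that passed validation."""
    team = claims.get("team") if claims else None
    return isinstance(team, str) and team in ALLOWED_TEAMS
```

A token whose payload says `team: admin` but whose signature does not verify, or an introspection response with `active: false`, never reaches the claims rule.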
Third flavor: HMAC
Want to protect your system from attacks such as man-in-the-middle, XSS injection, etc.?
You can reinforce your infrastructure security by checking both the integrity of incoming requests and the identity of their sender with the new HMAC middleware.
# Static Configuration
authSources:
  my-hmac-src:
    hmac:
      inline: # Declare here the authorized id/keys
        - id: "secret-key"
          key: "traefikee-approved"

version: '3.4'
services:
  whoami:
    image: containous/whoami
    deploy:
      labels:
        # Dynamic Configuration
        # … routing labels...
        - "traefik.http.middlewares.test-hmac-auth.plugin.hmacauth.source=my-hmac-src"
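How a keyed HMAC check yields both integrity and sender identity can be seen in a small model of the exchange. This is an added example, not TraefikEE's implementation: the signing-string layout, the `MAX_SKEW` replay window and the function names are assumptions, and only the id/key pair comes from the configuration above.

```python
import base64, hashlib, hmac

HMAC_KEYS = {"secret-key": b"traefikee-approved"}  # the page's inline id/key pair
MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed value)

def signing_string(method: str, path: str, date: int, body: bytes) -> bytes:
    """Bind method, path, timestamp and a body digest into the signed bytes."""
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    return f"{method.upper()} {path}\ndate: {date}\ndigest: SHA-256={digest}".encode()

def sign(key_id: str, method: str, path: str, date: int, body: bytes = b"") -> str:
    """Client side: HMAC-SHA256 over the signing string, base64-encoded."""
    mac = hmac.new(HMAC_KEYS[key_id], signing_string(method, path, date, body), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(key_id, signature, method, path, date, body, now) -> str:
    """Gateway side: return "ok" or the reason the request is refused."""
    key = HMAC_KEYS.get(key_id)
    if key is None:
        return "unknown key id"           # sender identity: id must be declared
    if abs(now - date) > MAX_SKEW:
        return "stale timestamp"          # limits replay of a captured request
    mac = hmac.new(key, signing_string(method, path, date, body), hashlib.sha256)
    expected = base64.b64encode(mac.digest())
    if not hmac.compare_digest(expected, signature.encode()):
        return "bad signature"            # integrity: any signed field changed
    return "ok"
```

Only the fields included in the signing string are protected; a header or query parameter left out of it can be altered in transit without invalidating the signature.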
Root-LESS Image, Secured-MORE Infrastructure
TraefikEE has always been focused on infrastructure security.
We’ve used gRPC mTLS communication between the nodes, and we’ve split the responsibilities between controllers and proxies to secure both internal and outgoing cluster connections.
In TraefikEE v2.1, we’ve added a rootless image to secure your infrastructure against potential vulnerabilities in the Docker daemon, and the container runtime.
Take advantage of this feature by following the comprehensive guide in the documentation.
Enhanced Cluster Management
Many users reported to us that they’ve had to maintain TraefikEE clusters installed on both their QA and Production infrastructures, and they’d like to avoid specifying the cluster name on each command they launch.
In order to help them, and to improve the user experience, we’ve introduced a few commands into the CLI (teectl) to help manage multiple clusters, and especially, to customize the active cluster. Thus, users can set a cluster as the active one and not provide its name in each command.
Red Hat OpenShift Operator Certified
Like Traefik, TraefikEE eases your Ingress Controller integration regardless of your infrastructure, including Red Hat OpenShift clusters!
Starting with TraefikEE v2.0, we introduced a Kubernetes Operator to install TraefikEE into OpenShift v4 clusters.
Today, we are proud to announce that TraefikEE v2.1 is Red Hat OpenShift Operator certified. With this certification, TraefikEE joins the Red Hat software certified partner ecosystem and is readily available through the Red Hat OpenShift Container Platform.
The TraefikEE Operator is now available in the Red Hat Container Catalog. Via OperatorHub, you can install and update TraefikEE quickly and seamlessly into any OpenShift cluster.
What's Next?
TraefikEE continues to bring more enterprise-specific features. High Availability, distributed services, and enterprise authentication protocols are just a few of the benefits you can get from switching to TraefikEE.
Take a look at all these features in our 5-minute video to learn more about them.
As always, we are happy to answer your questions, and help you find the best solution for your projects.
If you want to test drive our new features, give Traefik Enterprise Edition 2.1 a try today.
This is a companion discussion topic for the original entry at https://containo.us/blog/traefik-enterprise-edition-2-1-now-available/