Announcing Traefik Proxy v3.1
Traefik v3.0 was released less than 3 months ago, introducing key new features like WASM, OpenTelemetry, and Kubernetes Gateway API support. The feedback from community members about v3 has been overwhelmingly positive (thank you!) and extremely motivating to continue improving Traefik Proxy. Today we are thrilled to release v3.1, which further enhances the WASM and Gateway API integrations.
With Gateway API now poised to become the new standard for exposing resources within a Kubernetes cluster, we are proud to announce that Traefik v3.1’s Kubernetes Gateway API is ready for production use 🎉
Let’s jump in!
Gateway API now production ready
Traefik has been a GatewayController since the early days of the Gateway API specification, but needed some adjustments to pass the conformance tests and fully meet the specification. Traefik v3.1 now meets and exceeds 100% of the core requirements, as shown in our SIG network conformance tests report. Our GatewayAPI provider is now ready for production use!
Oh, by the way, we just released a deep dive into Gateway API & Traefik, and we strongly invite you to check it out.
Let’s see what’s new in v3.1 with Gateway API. First things first: if you were already using Gateway API in Traefik, you can now remove the experimental option from the Helm chart:
## File values.yaml ##
experimental:
  kubernetesGateway:
    enabled: true
As usual, you can enable Gateway API by simply enabling kubernetesGateway:
## File values.yaml ##
providers:
  # Disable the Ingress provider (optional)
  # We do not want to use Ingress objects anymore!
  kubernetesIngress:
    enabled: false
  # Enable the GatewayAPI provider
  kubernetesGateway:
    enabled: true
# Allow the Gateway to expose HTTPRoute from all namespaces
gateway:
  namespacePolicy: All
Now that you are up and running, let’s dig deeper into the changes made in Traefik.
Improved Status Management
Status management is an important piece of the Gateway API, enabling real-time monitoring of your infrastructure to ensure your GatewayAPI objects are ready to manage traffic. In Traefik v3.1, we've improved support for status management across all GatewayAPI objects, especially HTTPRoutes. Our status calculation now aligns with the GatewayAPI specification, giving you production-ready status monitoring of your objects.
Route Priority Updates
Traefik has always used a route priority mechanism based on the rule length to prevent overlaps.
However, the GatewayAPI specification has its own priority rules, which differ from Traefik. In Traefik v3.1, we've updated our priority calculation for HTTPRoutes. This ensures that you can switch to Traefik from any other GatewayController without changing your route-matching system.
Introducing ReferenceGrant
The Ingress specification has always struggled with cross-namespace references because of security issues. However, in some cases, like multi-tenant environments, cross-namespace references are essential. Traefik has previously allowed such references through our custom IngressRoute, by adding a specific option to allow it (though security concerns remain).
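With GatewayAPI's ReferenceGrant object, these security issues are addressed: a cross-namespace reference is only honored when a ReferenceGrant in the target namespace explicitly allows it.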
Using ReferenceGrant, you can now declare a Gateway in Traefik that serves a TLS certificate stored in a secret from another namespace or an HTTPRoute targeting a Service in a different namespace. This new feature makes cross-namespace referencing secure and straightforward.
# HTTPRoute in the default namespace.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-http
  namespace: default
spec:
  parentRefs:
    - name: traefik
      kind: Gateway
  rules:
    - backendRefs:
        - name: whoami
          namespace: whoami
          port: 80
# ReferenceGrant and Service in the whoami namespace.
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: whoami
  namespace: whoami
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: default
  to:
    - group: ""
      kind: Service
      name: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: whoami
spec:
  selector:
    app: whoami
  ports:
    - port: 80
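The rule that decides whether the cross-namespace backendRef above is honored, modelled in Go as an added example (not Traefik's own code): a reference is allowed only when a ReferenceGrant in the target namespace lists both the referencing object and the target. The type and function names are assumptions made for this sketch, and the Service name "admin" is a constructed value.

```go
package main

import "fmt"

// From is the referencing object; To is the referenced one (empty Name = any).
type From struct{ Group, Kind, Namespace string }
type To struct{ Group, Kind, Name string }

// ReferenceGrant keeps only the fields shown in the manifest above.
type ReferenceGrant struct {
	Namespace string // namespace the grant lives in, i.e. the target namespace
	From      []From
	To        []To
}

// Allowed reports whether `from` may reference `to` located in targetNS.
func Allowed(grants []ReferenceGrant, from From, to To, targetNS string) bool {
	if from.Namespace == targetNS {
		return true // same-namespace references need no grant
	}
	for _, g := range grants {
		if g.Namespace != targetNS {
			continue // a grant only speaks for the namespace it is created in
		}
		for _, f := range g.From {
			for _, t := range g.To {
				if f == from && t.Group == to.Group && t.Kind == to.Kind && (t.Name == "" || t.Name == to.Name) {
					return true
				}
			}
		}
	}
	return false
}

// SampleGrants is the ReferenceGrant from the page, rebuilt as a Go value.
func SampleGrants() []ReferenceGrant {
	return []ReferenceGrant{{
		Namespace: "whoami",
		From:      []From{{"gateway.networking.k8s.io", "HTTPRoute", "default"}},
		To:        []To{{"", "Service", "whoami"}},
	}}
}

func main() {
	route := From{"gateway.networking.k8s.io", "HTTPRoute", "default"}
	fmt.Println(Allowed(SampleGrants(), route, To{"", "Service", "whoami"}, "whoami"))
	fmt.Println(Allowed(SampleGrants(), route, To{"", "Service", "admin"}, "whoami")) // constructed name
}
```

Because the grant names a single Service, the same HTTPRoute cannot reach any other Service in the whoami namespace, and routes from other namespaces cannot reach whoami at all.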
Beyond the core features
In addition to the core features required to meet the specification, GatewayAPI offers optional extended features that a GatewayController can implement. Traefik v3.1 brings several of these extended features, including HTTPURLRewriteFilter, HTTPRouteRedirect, and support for method and query parameter matching.
More than the specification
When we started our journey with GatewayAPI, our goal was not just to meet the specification but to bring the same robust feature set as our own Kubernetes provider. That's why Traefik v3.1 also includes support for TCPRoute and TLSRoute, as well as the ability to add Traefik middlewares to your HTTPRoutes using the ExtensionRef mechanism. These features provide even more flexibility and control over your traffic management.
# HTTPRoute in the default namespace.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-http
  namespace: default
spec:
  parentRefs:
    - name: traefik
      kind: Gateway
  rules:
    - backendRefs:
        - name: whoami
          namespace: default
          port: 80
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: add-prefix
# Traefik Middleware.
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: add-prefix
  namespace: default
spec:
  addPrefix:
    prefix: /prefix
WASM better than ever
Traefik v3.0 introduced support for WASM plugins along with the original Yaegi plugins. However, the WASM support had some limitations. One of them was the inability to make HTTP calls using the Go standard library from plugins. The technical reason is that this requires a function export mechanism, which is not yet implemented in Go (but is an accepted proposal).
The team found a workaround to simulate WASM exports in a WASM compiler in Go. This means that, as of today, it is possible to create a full-featured WASM plugin in Traefik that makes HTTP calls (through the host), imports any Go library, etc.
On top of that, we added the possibility to mount shared directories in plugins and also to configure environment variables.
experimental:
  plugins:
    example:
      moduleName: github.com/traefik/plugindemowasm-http-call
      version: v0.0.2
      settings:
        mounts:
          - /path:/path:ro # Read only mount
          - /tmp/test:/tmp/test # Read Write mount
        envs:
          - TEST_ENV_1
          - TEST_ENV_2
Here is a simple example of a WASM plugin that makes HTTP calls through the host.
# Static configuration
experimental:
  plugins:
    example:
      moduleName: github.com/traefik/plugindemowasm-http-call
      version: v0.0.2
---
# Dynamic configuration
http:
  routers:
    my-router:
      rule: host(`demo.localhost`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - my-plugin
  services:
    service-foo:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:5000
  middlewares:
    my-plugin:
      plugin:
        example:
          headerName: X-World-Time
Thanks to this innovative and unique approach, WASM is now a powerful plugin platform in Traefik that we will continue to improve upon moving forward.
Other Improvements
Several contributions were made on Kubernetes:
- By Marc Mognol who brought health checks to ExternalName services
- By Jesper Noordsij who migrated the Kubernetes provider to the EndpointSlices API
- By Joris Vergeer who added the possibility to use Node IPs for NodePort services
Another great contribution came from Antoine Aflalo who added Zstandard to the compress middleware (in addition to Gzip & Brotli). This algorithm is much faster, especially at decompressing.
Support for Content-Security-Policy-Report-Only was added by Roman Donchenko to the headers middleware.
Finally, we added support for systemd socket activation, which allows systemd to listen on a socket and dynamically start the associated service. Simply use the same name for your entrypoint and file descriptor, and Traefik will start on systemd demand.
The full release note is available here.
Conclusion
Traefik release notes are usually pretty packed and this one is no exception. Traefik v3.1 brings critical features to the project with state-of-the-art WASM support that makes Traefik’s plugin platform one of the best in the industry. Being a Kubernetes native product, it goes without saying that Traefik closely follows the latest evolutions of the platform. Traefik is now getting full support of Gateway API v1.1.0 and is ready for production use.
Traefik is almost 10 years old, but like a good wine, is still getting better and better 🙂.
Lastly, a huge thank you to all contributors. Your assistance is invaluable.
See you on GitHub!
Useful Links
- Traefik 3.1 on GitHub & on DockerHub
- Traefik Documentation, Website, & GitHub
- Our Community Forum