Traefik Proxy v3.2 - A Munster Release

After 3 months of intensive development and two release candidates, we are thrilled to announce the general availability of Traefik v3.2. With Halloween just around the corner, we wanted a munster codename for this new version 👹. Let’s dig deeper into the key changes.

As Traefik Labs continues to lead the Kubernetes Gateway API effort, it is no surprise that the new Gateway API v1.2 is supported out of the box in this latest Traefik release. We will explore the latest additions brought by the most recent development.

And that’s not all! The team has been working very hard on building an alternative HTTP reverse proxy engine for quite some time now, and the day has finally come to make it available to everyone. This Fast Proxy engine offers a whopping ~ 50% performance boost compared to the standard engine. Yes, that means approximately 50% more requests per second 💥

The clue's in the name—we're calling it a 'Munster' release for a (spooktacular) reason! Let’s dive in!

Performance Breakthrough

The Traefik team has been working on writing a complete new HTTP/1 engine. It took a long time to converge and we are extremely excited to announce that the new Fast Proxy engine is available for everyone in experimental.

experimental:
  fastProxy: {}

The Fast Proxy engine is a high-performance reverse proxy designed to enhance the performance of routing based on a zero allocation pipeline. This new engine significantly improves performance, boasting a remarkable 50% increase in speed compared to the standard engine.

Here are the results of an analysis conducted on our benchmark platform using the standard vs. the Fast Proxy Engine.

The difference between both engines is mind-blowing, you can now expect around 50% increase in throughput and 50% decrease in latency handled by Fast Proxy Engine through this new high performance proxy engine.

Kubernetes Gateway API v1.2

Traefik Labs has always been a key player in Kubernetes inbound traffic management. Gateway API, seen as the next generation for Ingress, is probably one of the most active Kubernetes projects. Traefik was amongst the first controllers to adopt and support the Gateway API first alpha release, and since v3.0, Traefik has continuously integrated updates. Today, Traefik v3.2 introduces support for the newly released Gateway API 1.2, and brings new additions like GRPCRoute and TLSRoute, as well as additional HTTPRoute features such as h2c (HTTP/2 without TLS), WebSocket support for backends, response header modifications, and more.

Let’s start with GRPCRoute, which is a type for specifying routing behavior of gRPC requests. gRPC is a widely adopted RPC framework popular across the industry, within Kubernetes itself. Therefore, a specific type to route this protocol provides a more granular configuration.

Similarly to HTTPRoute, the specification let you define hostnames (a list of hostnames to match against the Host header of the gRPC request), matches (conditions used for matching gRPC requests), filters (to process or alter the request) and backendRefs (defines the backend services to which matching requests should be sent). Here is an example of a GRPCRoute:

apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: grpc-route
spec:
  parentRefs:
  - name: traefik-gateway
  hostnames:
  - "example.com"
  rules:
  - filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        add:
          - name: my-header
            value: foo
  - matches:
    - method:
        service: com.example.User
        method: Login
    backendRefs:
    - name: login-v1
      port: 50051
  - matches:
    - headers:
      - type: Exact
        name: magic
        value: foo
      method:
        service: com.example.Foo
        method: DoFoo
    backendRefs:
    - name: foo-v1
      port: 50051
      weight: 90
    - name: foo-v2
      port: 50051
      weight: 10

TLSRoute support has also been added to Traefik in v3.2’s experimental channel, to enable multiplexing TLS connections via SNI.

apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
  name: tls-route
spec:
  hostnames:
  - example.com
  parentRefs:
  - name: traefik-gateway
  rules:
    - backendRefs:
        - name: backend-tls
          kind: Service
          port: 443

Introduced with Gateway API v1.2, Backend Protocol (through the appProtocol field) can now be set to specify the underlying protocol when a Route's backend references a Kubernetes Service. Currently, you can choose between http, https, kubernetes.io/h2c for HTTP/2 without TLS and kubernetes.io/ws for websocket over HTTP.

apiVersion: v1
kind: Service
metadata:
  name: test
spec:
  selector:
    app: test
  ports:
  - protocol: TCP
    appProtocol: kubernetes.io/h2c
    port: 8080
    targetPort: 8080

The ResponseHeaderModifier filter is now supported since Traedfik v3.2. It allows to setsetting a custom header for all responses being sent.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-response-header
spec:
  hostnames:
    - response.header.example
  rules:
    - backendRefs:
      - name: example-service-beta
        weight: 50
        port: 80
        # set a custom header for all responses being sent from the
        beta build of the backend server.
        filters:
           - type: ResponseHeaderModifier
             responseHeaderModifier:
               add:
                 name: build
                 value: beta
      - name: example-service-stable
        weight: 50
        port: 80

To learn more about how Traefik supports Gateway API, we encourage you to visit the Traefik Documentation.

Other Improvements

In addition to these exciting new features, Traefik v3.2 brings several updates to ACME certificate management (Let’s Encrypt), including the ability to use different email addresses in certificate resolvers (#11019 by Emrio), the support for custom CA certificates in certificate resolvers (#10816 by ldez), and a 30-days certificatesDuration threshold (#10970 by luker983).

BasicAuth support has been added to the Docker and Swarm endpoints (#10776 by 985492783).

Middlewares have been improved with IPv6 subnet support in ipStrategy for RateLimit and InFlightReq (#9747 by michal-kralik), an option to log the user in the ForwardAuth middleware (#10833 by GaleHuang), a new compression encodings option (#10943 by wollomatic), and the ability to mirror the full body in the mirroring (#11032 by MatteoPaier).

OpenTelemetry metrics now allow you to configure service.name for scenario with several Traefik instances (#10917 by cmartell-at-ocp), while access logs now capture trace IDs and EntryPoint span IDs (#10921 by weijiany).

A configurable maximum request header size option has also been added, allowing users to specify the maximum size for HTTP request headers beyond the default 1MB limit (#10995 by lucasrod16).

For detailed information on all changes, please refer to the full release notes on GitHub.

We extend our gratitude to all contributors for their efforts and dedication, which has made Traefik 3.2 an exceptional release. Thank you for driving Traefik forward!

Moving Forward

Traefik Proxy v3.2 is a major leap forward in performance, functionality, and security. This release introduces a groundbreaking Fast Proxy engine, which delivers unparalleled speed and efficiency. As a key contributor to the Kubernetes Gateway API project, Traefik Labs ensures cutting-edge support for the latest Gateway API v1.2 specifications. Along with many other enhancements, Traefik 3.2 empowers developers and organizations to effortlessly build and manage modern, cloud-native applications with unprecedented efficiency.

We encourage you to explore the new features and capabilities of Traefik 3.2 and experience the impact they can make in your infrastructure. Join the vibrant Traefik community, share your feedback, and help us shape the future of cloud-native networking.