Traefik Proxy v3.2 - A Munster Release
After 3 months of intensive development and two release candidates, we are thrilled to announce the general availability of Traefik v3.2. With Halloween just around the corner, we wanted a munster codename for this new version 👹. Let’s dig deeper into the key changes.
As Traefik Labs continues to lead the Kubernetes Gateway API effort, it is no surprise that the new Gateway API v1.2 is supported out of the box in this latest Traefik release. We will explore the latest additions brought by the most recent development.
And that’s not all! The team has been working very hard on building an alternative HTTP reverse proxy engine for quite some time now, and the day has finally come to make it available to everyone. This Fast Proxy engine offers a whopping ~ 50% performance boost compared to the standard engine. Yes, that means approximately 50% more requests per second 💥
The clue's in the name—we're calling it a 'Munster' release for a (spooktacular) reason! Let’s dive in!
Performance Breakthrough
The Traefik team has been working on writing a completely new HTTP/1 engine. It took a long time to converge, and we are extremely excited to announce that the new Fast Proxy engine is now available to everyone as an experimental feature.
experimental:
  fastProxy: {}
The Fast Proxy engine is a high-performance reverse proxy built on a zero-allocation pipeline to speed up routing. This new engine significantly improves performance, boasting a remarkable 50% increase in speed compared to the standard engine.
Here are the results of an analysis conducted on our benchmark platform using the standard vs. the Fast Proxy Engine.
The difference between the two engines is mind-blowing: you can now expect around a 50% increase in throughput and a 50% decrease in latency with the Fast Proxy engine.
Kubernetes Gateway API v1.2
Traefik Labs has always been a key player in Kubernetes inbound traffic management. Gateway API, seen as the next generation for Ingress, is probably one of the most active Kubernetes projects. Traefik was amongst the first controllers to adopt and support the Gateway API's first alpha release, and since v3.0, Traefik has continuously integrated updates. Today, Traefik v3.2 introduces support for the newly released Gateway API 1.2, and brings new additions like GRPCRoute and TLSRoute, as well as additional HTTPRoute features such as h2c (HTTP/2 without TLS), WebSocket support for backends, response header modifications, and more.
Let’s start with GRPCRoute, which is a type for specifying the routing behavior of gRPC requests. gRPC is a widely adopted RPC framework, popular across the industry and within Kubernetes itself. Therefore, a specific type to route this protocol provides a more granular configuration.
Similarly to HTTPRoute, the specification lets you define hostnames (a list of hostnames to match against the Host header of the gRPC request), matches (conditions used for matching gRPC requests), filters (to process or alter the request) and backendRefs (the backend services to which matching requests should be sent). Here is an example of a GRPCRoute:
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: grpc-route
spec:
  parentRefs:
    - name: traefik-gateway
  hostnames:
    - "example.com"
  rules:
    - filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            add:
              - name: my-header
                value: foo
    - matches:
        - method:
            service: com.example.User
            method: Login
      backendRefs:
        - name: login-v1
          port: 50051
    - matches:
        - headers:
            - type: Exact
              name: magic
              value: foo
          method:
            service: com.example.Foo
            method: DoFoo
      backendRefs:
        - name: foo-v1
          port: 50051
          weight: 90
        - name: foo-v2
          port: 50051
          weight: 10
TLSRoute support has also been added to Traefik in v3.2’s experimental channel, to enable multiplexing TLS connections via SNI.
# TLSRoute is an experimental-channel resource, served as v1alpha2 in Gateway API v1.2
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls-route
spec:
  hostnames:
    - example.com
  parentRefs:
    - name: traefik-gateway
  rules:
    - backendRefs:
        - name: backend-tls
          kind: Service
          port: 443
Introduced with Gateway API v1.2, Backend Protocol (through the appProtocol field) can now be set to specify the underlying protocol when a Route's backend references a Kubernetes Service. Currently, you can choose between http, https, kubernetes.io/h2c for HTTP/2 without TLS and kubernetes.io/ws for WebSocket over HTTP.
apiVersion: v1
kind: Service
metadata:
  name: test
spec:
  selector:
    app: test
  ports:
    - protocol: TCP
      appProtocol: kubernetes.io/h2c
      port: 8080
      targetPort: 8080
The ResponseHeaderModifier filter is supported as of Traefik v3.2. It allows setting a custom header on all responses being sent.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http-response-header
spec:
  hostnames:
    - response.header.example
  rules:
    - backendRefs:
        - name: example-service-beta
          weight: 50
          port: 80
          # set a custom header for all responses being sent from the
          # beta build of the backend server.
          filters:
            - type: ResponseHeaderModifier
              responseHeaderModifier:
                # add takes a list of name/value pairs
                add:
                  - name: build
                    value: beta
        - name: example-service-stable
          weight: 50
          port: 80
To learn more about how Traefik supports Gateway API, we encourage you to visit the Traefik Documentation.
Other Improvements
In addition to these exciting new features, Traefik v3.2 brings several updates to ACME certificate management (Let’s Encrypt), including the ability to use different email addresses in certificate resolvers (#11019 by Emrio), support for custom CA certificates in certificate resolvers (#10816 by ldez), and a 30-day certificatesDuration threshold (#10970 by luker983).
BasicAuth support has been added to the Docker and Swarm endpoints (#10776 by 985492783).
Middlewares have been improved with IPv6 subnet support in ipStrategy for RateLimit and InFlightReq (#9747 by michal-kralik), an option to log the user in the ForwardAuth middleware (#10833 by GaleHuang), a new compression encodings option (#10943 by wollomatic), and the ability to mirror the full body when mirroring (#11032 by MatteoPaier).
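To show what keying a per-source limit on an IPv6 subnet changes, here is an added example; it is a simplified model written for this page, not Traefik's code and not part of the original post. The names sourceKey, allowed and subnetBits are hypothetical, and the addresses are constructed from documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// sourceKey returns the value a per-source limiter counts against. IPv6
// addresses collapse to the first address of their subnet; subnetBits is a
// hypothetical parameter name, and 0 keeps the full address.
func sourceKey(addr string, subnetBits int) (string, error) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return "", err
	}
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if ip.Is4() || subnetBits == 0 {
		return ip.String(), nil
	}
	pfx, err := ip.Prefix(subnetBits) // zeroes the host bits
	return pfx.Addr().String(), err
}

// allowed replays requests against a fixed budget per key (no refill over
// time, unlike a real limiter) and returns how many requests pass.
func allowed(addrs []string, subnetBits, perKey int) (int, error) {
	seen, passed := map[string]int{}, 0
	for _, a := range addrs {
		key, err := sourceKey(a, subnetBits)
		if err != nil {
			return 0, err
		}
		if seen[key] < perKey {
			seen[key]++
			passed++
		}
	}
	return passed, nil
}

// Constructed sample: five addresses in one /64, one in another /64, and
// one IPv4 client seen twice.
var sample = []string{
	"2001:db8:0:1::1", "2001:db8:0:1::2", "2001:db8:0:1:aaaa::3",
	"2001:db8:0:1::ffff", "2001:db8:0:1:1:2:3:4",
	"2001:db8:0:2::1", "192.0.2.10", "192.0.2.10",
}

func main() {
	perAddr, _ := allowed(sample, 0, 1)
	perNet, _ := allowed(sample, 64, 1)
	fmt.Println("passed per address:", perAddr, "passed per /64:", perNet)
}
```

With a budget of one request per key, the five addresses in the same /64 are counted as one source once the subnet length is set, while the IPv4 client is unaffected.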
OpenTelemetry metrics now allow you to configure service.name for scenarios with several Traefik instances (#10917 by cmartell-at-ocp), while access logs now capture trace IDs and EntryPoint span IDs (#10921 by weijiany).
A configurable maximum request header size option has also been added, allowing users to specify the maximum size for HTTP request headers beyond the default 1MB limit (#10995 by lucasrod16).
For detailed information on all changes, please refer to the full release notes on GitHub.
We extend our gratitude to all contributors for their efforts and dedication, which has made Traefik 3.2 an exceptional release. Thank you for driving Traefik forward!
Moving Forward
Traefik Proxy v3.2 is a major leap forward in performance, functionality, and security. This release introduces a groundbreaking Fast Proxy engine, which delivers unparalleled speed and efficiency. As a key contributor to the Kubernetes Gateway API project, Traefik Labs ensures cutting-edge support for the latest Gateway API v1.2 specifications. Along with many other enhancements, Traefik 3.2 empowers developers and organizations to effortlessly build and manage modern, cloud-native applications with unprecedented efficiency.
We encourage you to explore the new features and capabilities of Traefik 3.2 and experience the impact they can make in your infrastructure. Join the vibrant Traefik community, share your feedback, and help us shape the future of cloud-native networking.
Useful Links
- Traefik 3.2 on GitHub & on DockerHub
- Traefik Documentation, Website, & GitHub
- Our Community Forum