
Use Cases For Traefik Hub On-Premises API Mocking

In the setup guide we established the Traefik Hub API Mocking environment. In this guide, we’ll explore the following key use cases for Traefik Hub API mocking:

  • API sandbox for early feedback.
  • Validating gateway security and policy enforcement.
  • Implementing canary and blue/green deployments for controlled rollouts.

Use case 1: API sandbox for early feedback

Traefik Hub API mocking delivers considerable business value by enabling:

  • Rapid prototyping: Quickly share a live API mock with partners and early adopters.
  • Risk reduction: Developers can test API behavior in a sandbox environment before full-scale production.
  • Developer empowerment: Enable developers to explore the API on their own through the Developer Portal.

Technical implementation

  1. Prerequisites:

    • The pastry API has been deployed using the steps in the setup page.
    • The Microcks-generated mock is exposed on the gateway via an IngressRoute.
  2. Use the API resource to define your API:

apiVersion: hub.traefik.io/v1alpha1
kind: API
metadata:
  name: local-pastry
  namespace: default
spec:
  openApiSpec:
    url: https://doc.traefik.io/traefik-hub/assets/files/pastry-open-api-8809d128776b1935ebd8c37bcae99670.yaml # Define the external url of your OAS
    override:
      servers:
        - url: http://pastry.docker.localhost

Info

Please ensure that you use the same URL for your OpenAPI specification as the one used to feed Microcks in the setup page, as this centralizes the management of your OpenAPI Spec.

  3. Use APICatalogItem to control which APIs appear on the Developer Portal for specific user groups:

apiVersion: hub.traefik.io/v1alpha1
kind: APICatalogItem
metadata:
  name: pastry-api-catalog
  namespace: default
spec:
  groups:
    - admin
  apis:
    - name: local-pastry

  4. Create an APIPlan to set rate limits and quotas for API consumption:

apiVersion: hub.traefik.io/v1alpha1
kind: APIPlan
metadata:
  name: free-plan
  namespace: default
spec:
  title: "Free Plan"
  description: "A free plan for sandbox usage with strict rate limits."
  rateLimit:
    limit: 1
    period: 1s
  quota:
    limit: 10000
    period: 750h

  5. Use ManagedSubscription to grant specific applications the right to consume your API:

apiVersion: hub.traefik.io/v1alpha1
kind: ManagedSubscription
metadata:
  name: pastry-subscription
  namespace: default
spec:
  applications:
    - appId: "my-app-id" # your application ID
  apis:
    - name: local-pastry
  apiPlan:
    name: free-plan

Tip

You can generate an appId by creating a new application via the deployed API Portal. This method is applicable only when using API keys or when no IdP is involved in generating JWTs for gateway access.

Test the API sandbox by sending a request to the /pastry endpoint:

$ curl -s http://pastry.docker.localhost/pastry | jq
[
{
"name": "Baba Rhum",
"description": "Delicieux Baba au Rhum pas calorique du tout",
"size": "L",
"price": 3.2,
"status": "available"
},
{
"name": "Divorces",
"description": "Delicieux Divorces pas calorique du tout",
"size": "M",
"price": 2.8,
"status": "available"
},
{
"name": "Tartelette Fraise",
"description": "Delicieuse Tartelette aux Fraises fraiches",
"size": "S",
"price": 2,
"status": "available"
}
]

In the Traefik Hub API Portal, you can see your API with its OpenAPI spec.

[Figure: API overview page in the API Portal]

Use case 2: gateway policy testing

As an API Platform Admin or Developer, Traefik Hub API mocking enables you to test and refine gateway settings before full-scale production deployment. It helps you validate that security policies—such as JWT authentication, rate limiting, and WAF rules—are properly enforced.

For example, if you want to secure your mock APIs with JWT authentication and observe how your API behaves under these conditions, our API mocking solution allows you to simulate this scenario effectively.

Technical implementation

Update your IngressRoute to use the WAF & JWT middleware:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: pastry-ingress
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`pastry.docker.localhost`)
      kind: Rule
      services:
        - name: mock-api-pastry-2-0@microcks
          kind: TraefikService
      middlewares:
        - name: cors-middleware
        - name: waf

Test the API sandbox by sending a request to the /pastry endpoint. The sandbox is secured with JWT authentication and protected by Traefik Hub WAF:

  • The mock is now secured with JWT authentication. A request sent without a token returns a 401 Unauthorized response:
$ curl -sv http://pastry.docker.localhost/pastry | jq
* Host pastry.docker.localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:80...
* Connected to pastry.docker.localhost (::1) port 80
> GET /pastry HTTP/1.1
> Host: pastry.docker.localhost
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
<
* Connection 0 to host pastry.docker.localhost left intact
  • A request that carries the JWT in the Authorization header returns a 200 OK response:
$ curl -sv -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIFRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.tUxzO0E-aQf2VWc9SWUBU2m8ckT6izY5jv_0YQHdZpA" \
http://pastry.docker.localhost/pastry | jq
[
{
"name": "Baba Rhum",
"description": "Delicieux Baba au Rhum pas calorique du tout",
"size": "L",
"price": 3.2,
"status": "available"
},
{
"name": "Divorces",
"description": "Delicieux Divorces pas calorique du tout",
"size": "M",
"price": 2.8,
"status": "available"
},
{
"name": "Tartelette Fraise",
"description": "Delicieuse Tartelette aux Fraises fraiches",
"size": "S",
"price": 2,
"status": "available"
}
]
  • The request will return a 403 Forbidden response if we try to exploit the Log4j vulnerability:
$ curl -sv -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIFRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.tUxzO0E-aQf2VWc9SWUBU2m8ckT6izY5jv_0YQHdZpA" \
-H "User-Agent: \${jndi:ldap://127.0.0.1/a}" \
http://pastry.docker.localhost/pastry | jq

* Host pastry.docker.localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:80...
* Connected to pastry.docker.localhost (::1) port 80
> GET /pastry HTTP/1.1
> Host: pastry.docker.localhost
> Accept: */*
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIFRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.tUxzO0E-aQf2VWc9SWUBU2m8ckT6izY5jv_0YQHdZpA
> User-Agent: ${jndi:ldap://127.0.0.1/a}
>
* Request completely sent off
< HTTP/1.1 403 Forbidden
< Content-Length: 0
<
* Connection 0 to host pastry.docker.localhost left intact
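
The three curl checks above can be kept as a repeatable regression test for the gateway policies. This is an added example, not part of the Traefik Hub documentation; `TOKEN` is a placeholder for a JWT your gateway accepts, and `fetch` and `check_policies` are illustrative names.

```python
import urllib.error
import urllib.request

URL = "http://pastry.docker.localhost/pastry"  # endpoint used on this page
TOKEN = "REPLACE_WITH_TEST_JWT"                # placeholder, not a real token
AUTH = {"Authorization": "Bearer " + TOKEN}

# (case name, request headers, expected status), mirroring the curl runs above
CASES = [
    ("no token", {}, 401),
    ("valid token", AUTH, 200),
    ("JNDI lookup string in User-Agent",
     {**AUTH, "User-Agent": "${jndi:ldap://127.0.0.1/a}"}, 403),
]


def fetch(url, headers):
    """Return (status, body) and do not raise on 4xx/5xx responses."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_policies(fetch_fn=fetch, url=URL):
    """Return a list of failures; an empty list means every policy held."""
    failures = []
    for name, headers, expected in CASES:
        status, body = fetch_fn(url, headers)
        if status != expected:
            failures.append(f"{name}: expected {expected}, got {status}")
        elif expected != 200 and body:
            # Denied requests on this page come back with Content-Length: 0.
            failures.append(f"{name}: denied response leaked {len(body)} bytes")
    return failures


if __name__ == "__main__":
    problems = check_policies()
    print("\n".join(problems) or "all gateway policies enforced")
    raise SystemExit(1 if problems else 0)
```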

Use case 3: canary & blue/green deployments

As a Platform Engineer, you can leverage Microcks mocks to implement advanced deployment mechanisms such as Canary or Blue/Green deployments. You can split traffic between real implementations and mocks, ensuring a smooth transition and fallback options, all while maintaining a seamless experience for API consumers.

For example, you can implement a Canary deployment with a 95/5 split between the real implementation and the mock. Both the real implementation and the mock are served from the same URL, http://pastry.docker.localhost/pastry.

Technical implementation

  1. Use a TraefikService to split traffic between the Microcks mock and the real pastry API according to the configured weights:

apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
  name: pastry
  namespace: default
spec:
  weighted:
    services:
      - name: microcks
        namespace: microcks
        kind: TraefikService
        weight: 10
      - name: pastry-api
        port: 8080
        weight: 1

  2. Expose via an IngressRoute for deployment testing:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: pastry-ingress
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`pastry.docker.localhost`)
      kind: Rule
      services:
        # Route to the weighted TraefikService defined in step 1;
        # pointing straight at the mock would bypass the split.
        - name: pastry
          kind: TraefikService
      middlewares:
        - name: cors-middleware
        - name: waf

Now, let's test the setup.

If your call is routed to the mock API:

$ curl -s -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIFRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.tUxzO0E-aQf2VWc9SWUBU2m8ckT6izY5jv_0YQHdZpA" \
http://pastry.docker.localhost/pastry | jq
[
{
"name": "Baba Rhum",
"description": "Delicieux Baba au Rhum pas calorique du tout",
"size": "L",
"price": 3.2,
"status": "available"
},
{
"name": "Divorces",
"description": "Delicieux Divorces pas calorique du tout",
"size": "M",
"price": 2.8,
"status": "available"
},
{
"name": "Tartelette Fraise",
"description": "Delicieuse Tartelette aux Fraises fraiches",
"size": "S",
"price": 2,
"status": "available"
}
]

If your call is routed to the real implementation of the API:

$ curl -s -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIFRlc3QiLCJpYXQiOjE1MTYyMzkwMjJ9.tUxzO0E-aQf2VWc9SWUBU2m8ckT6izY5jv_0YQHdZpA" \
http://pastry.docker.localhost/pastry | jq
[
{
"name": "Éclair au Chocolat",
"description": "Pâte à choux fourrée de crème pâtissière au chocolat",
"size": "M",
"price": 3.5,
"status": "available"
},
{
"name": "Mille-feuille",
"description": "Couches de pâte feuilletée et crème pâtissière",
"size": "L",
"price": 4,
"status": "available"
},
{
"name": "Macaron Framboise",
"description": "Délicate coque d'amande fourrée à la framboise",
"size": "S",
"price": 1.8,
"status": "available"
},
{
"name": "Tarte au Citron Meringuée",
"description": "Tarte acidulée au citron recouverte de meringue",
"size": "M",
"price": 3.2,
"status": "available"
},
{
"name": "Pain au Chocolat",
"description": "Viennoiserie feuilletée aux barres de chocolat",
"size": "M",
"price": 1.5,
"status": "available"
},
{
"name": "Chausson aux Pommes",
"description": "Pâte feuilletée garnie de compote de pommes",
"size": "L",
"price": 2.5,
"status": "available"
},
{
"name": "Religieuse au Café",
"description": "Deux choux superposés fourrés de crème au café",
"size": "M",
"price": 3.8,
"status": "available"
},
{
"name": "Financier",
"description": "Petit gâteau moelleux à la poudre d'amande",
"size": "S",
"price": 1.2,
"status": "available"
},
{
"name": "Paris-Brest",
"description": "Couronne de pâte à choux fourrée de crème pralinée",
"size": "L",
"price": 4.5,
"status": "available"
},
{
"name": "Croissant aux Amandes",
"description": "Croissant feuilleté garni de crème d'amandes",
"size": "M",
"price": 2.2,
"status": "available"
}
]

This setup allows you to control traffic distribution between versions, making canary or blue/green deployments a safe and manageable process.
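
To confirm that the configured weights produce the traffic split you expect, you can label each response by backend and compare the observed shares with the weights. This is an added example, not part of the Traefik Hub documentation; the function names, the 5-point tolerance and the sample bodies are assumptions constructed for illustration.

```python
import json

# Weights from the TraefikService above: 10 for the Microcks mock, 1 for pastry-api.
WEIGHTS = {"mock": 10, "real": 1}
# Pastry names the mock returns in the sample output on this page.
MOCK_NAMES = {"Baba Rhum", "Divorces", "Tartelette Fraise"}


def classify(body):
    """Label one /pastry response body as 'mock', 'real' or 'invalid'."""
    try:
        names = {item["name"] for item in json.loads(body)}
    except (ValueError, TypeError, KeyError):
        return "invalid"
    return "mock" if names == MOCK_NAMES else "real"


def expected_share(weights):
    """Convert weights into the fraction of traffic each backend should get."""
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def observed_share(bodies):
    """Fraction of collected responses per label; empty input gives {}."""
    labels = [classify(b) for b in bodies]
    return {label: labels.count(label) / len(labels) for label in set(labels)}


def split_matches(bodies, weights=WEIGHTS, tolerance=0.05):
    """True when every backend's observed share is within tolerance."""
    seen = observed_share(bodies)
    if not seen or "invalid" in seen:
        return False
    want = expected_share(weights)
    return all(abs(seen.get(n, 0.0) - s) <= tolerance for n, s in want.items())


# Constructed sample: 20 mock-shaped and 2 real-shaped bodies (22 calls).
MOCK_BODY = json.dumps([{"name": n} for n in sorted(MOCK_NAMES)])
REAL_BODY = json.dumps([{"name": "Mille-feuille"}, {"name": "Financier"}])
SAMPLE = [MOCK_BODY] * 20 + [REAL_BODY] * 2

if __name__ == "__main__":
    print(expected_share(WEIGHTS), observed_share(SAMPLE), split_matches(SAMPLE))
```

With weights 10 and 1 the mock should receive about 91% of requests and the real API about 9%.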

Conclusion

By combining Traefik Hub’s robust management and security capabilities with Microcks’ rapid API mocking, you can achieve a scalable, secure, and efficient API delivery platform that accelerates development, testing, and production readiness.