Prepare release v3.0.0-beta2

Co-authored-by: Simon Delicata <simon.delicata@traefik.io>

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,16 +2,16 @@
 PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
-- for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.10
+- for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master
 
 Bug fixes:
-- for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.10
+- for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master
 
 Enhancements:
-- for Traefik v1: we only accept bug fixes
-- for Traefik v2: use branch master
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master
 
 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 

.github/workflows/build.yaml

@@ -6,7 +6,7 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.20'
+  GO_VERSION: 1.19
   CGO_ENABLED: 0
   IN_DOCKER: ""
 

.github/workflows/check_doc.yml

@@ -19,7 +19,3 @@ jobs:
 
       - name: Check documentation
         run: make docs-pull-images docs
-        env:
-          # These variables are not passed to workflows that are triggered by a pull request from a fork.
-          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
-          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}

.github/workflows/documentation.yml

@@ -7,7 +7,7 @@ on:
       - v*
 
 env:
-  STRUCTOR_VERSION: v1.13.1
+  STRUCTOR_VERSION: v1.11.2
   MIXTUS_VERSION: v0.4.1
 
 jobs:
@@ -41,7 +41,7 @@ jobs:
       - name: Build documentation
         run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
         env:
-          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}
+          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
 
       - name: Apply seo
         run: $HOME/bin/seo -path=./site -product=traefik

.github/workflows/test-unit.yaml

@@ -6,7 +6,7 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.20'
+  GO_VERSION: 1.19
   IN_DOCKER: ""
 
 jobs:

.github/workflows/validate.yaml

@@ -6,8 +6,8 @@ on:
       - '*'
 
 env:
-  GO_VERSION: '1.20'
-  GOLANGCI_LINT_VERSION: v1.52.2
+  GO_VERSION: 1.19
+  GOLANGCI_LINT_VERSION: v1.50.0
   MISSSPELL_VERSION: v0.4.0
   IN_DOCKER: ""
 

.golangci.yml

@@ -6,10 +6,9 @@ run:
 
 linters-settings:
   govet:
-    enable-all: true
-    disable:
-      - shadow
-      - fieldalignment
+    check-shadowing: false
+  golint:
+    min-confidence: 0
   gocyclo:
     min-complexity: 14
   goconst:
@@ -34,112 +33,40 @@ linters-settings:
     keywords:
       - FIXME
   importas:
-    no-unaliased: true
-    alias:
-      - alias: composeapi
-        pkg: github.com/docker/compose/v2/pkg/api
-
-      # Standard Kubernetes rewrites:
-      - alias: corev1
-        pkg: "k8s.io/api/core/v1"
-      - alias: netv1
-        pkg: "k8s.io/api/networking/v1"
-      - alias: netv1beta1
-        pkg: "k8s.io/api/networking/v1beta1"
-      - alias: admv1
-        pkg: "k8s.io/api/admission/v1"
-      - alias: admv1beta1
-        pkg: "k8s.io/api/admission/v1beta1"
-      - alias: extv1beta1
-        pkg: "k8s.io/api/extensions/v1beta1"
-      - alias: metav1
-        pkg: "k8s.io/apimachinery/pkg/apis/meta/v1"
-      - alias: ktypes
-        pkg: "k8s.io/apimachinery/pkg/types"
-      - alias: kerror
-        pkg: "k8s.io/apimachinery/pkg/api/errors"
-      - alias: kclientset
-        pkg: "k8s.io/client-go/kubernetes"
-      - alias: kinformers
-        pkg: "k8s.io/client-go/informers"
-      - alias: ktesting
-        pkg: "k8s.io/client-go/testing"
-      - alias: kschema
-        pkg: "k8s.io/apimachinery/pkg/runtime/schema"
-      - alias: kscheme
-        pkg: "k8s.io/client-go/kubernetes/scheme"
-      - alias: kversion
-        pkg: "k8s.io/apimachinery/pkg/version"
-      - alias: kubefake
-        pkg: "k8s.io/client-go/kubernetes/fake"
-      - alias: discoveryfake
-        pkg: "k8s.io/client-go/discovery/fake"
-
-      # Kubernetes Gateway rewrites:
-      - alias: gateclientset
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/clientset/gateway/versioned"
-      - alias: gateinformers
-        pkg: "sigs.k8s.io/gateway-api/pkg/client/informers/gateway/externalversions"
-      - alias: gatev1alpha2
-        pkg: "sigs.k8s.io/gateway-api/apis/v1alpha2"
-
-      # Traefik Kubernetes rewrites:
-      - alias: containousv1alpha1
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikcontainous/v1alpha1"
-      - alias: traefikv1alpha1
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefikio/v1alpha1"
-      - alias: traefikclientset
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
-      - alias: traefikinformers
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions"
-      - alias: traefikscheme
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
-      - alias: traefikcrdfake
-        pkg: "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/fake"
-  tagalign:
-    align: false
-    sort: true
-    order:
-      - description
-      - json
-      - toml
-      - yaml
-      - yml
-      - label
-      - label-slice-as-struct
-      - file
-      - kv
-      - export
+    corev1: k8s.io/api/core/v1
+    networkingv1beta1: k8s.io/api/networking/v1beta1
+    extensionsv1beta1: k8s.io/api/extensions/v1beta1
+    metav1: k8s.io/apimachinery/pkg/apis/meta/v1
+    kubeerror: k8s.io/apimachinery/pkg/api/errors
+    composeapi: github.com/docker/compose/v2/pkg/api
   revive:
     rules:
       - name: struct-tag
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-        disabled: true
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-        disabled: true
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: empty-block
-      - name: superfluous-else
-      - name: unused-parameter
-        disabled: true
-      - name: unreachable-code
-      - name: redefines-builtin-id
+  rules:
+    - name: blank-imports
+    - name: context-as-argument
+    - name: context-keys-type
+    - name: dot-imports
+    - name: error-return
+    - name: error-strings
+    - name: error-naming
+    - name: exported
+    - name: if-return
+    - name: increment-decrement
+    - name: var-naming
+    - name: var-declaration
+    - name: package-comments
+    - name: range
+    - name: receiver-naming
+    - name: time-naming
+    - name: unexported-return
+    - name: indent-error-flow
+    - name: errorf
+    - name: empty-block
+    - name: superfluous-else
+    - name: unused-parameter
+    - name: unreachable-code
+    - name: redefines-builtin-id
   gomoddirectives:
     replace-allow-list:
       - github.com/abbot/go-http-auth
@@ -207,15 +134,6 @@ issues:
   exclude:
     - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
     - "should have a package comment, unless it's in another file for this package"
-    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
-    - 'SA1019: cfg.SSLRedirect is deprecated'
-    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
-    - 'SA1019: cfg.SSLHost is deprecated'
-    - 'SA1019: cfg.SSLForceHost is deprecated'
-    - 'SA1019: cfg.FeaturePolicy is deprecated'
-    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
-    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
-    - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
   exclude-rules:
     - path: '(.+)_test.go'
       linters:
@@ -236,7 +154,7 @@ issues:
       text: "Function 'buildConstructor' has too many statements"
       linters:
         - funlen
-    - path: pkg/tracing/haystack/logger.go
+    - path: pkg/logs/haystack.go
       linters:
         - goprintffuncname
     - path: pkg/tracing/tracing.go
@@ -261,7 +179,3 @@ issues:
       text: 'Duplicate words \(sub\) found'
       linters:
         - dupword
-    - path: pkg/provider/kubernetes/gateway/client_mock_test.go
-      text: 'unusedwrite: unused write to field'
-      linters:
-        - govet

.semaphore/semaphore.yml

@@ -19,13 +19,13 @@ global_job_config:
   prologue:
     commands:
       - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.20
+      - sudo semgo go1.19
       - export "GOPATH=$(go env GOPATH)"
       - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.52.2
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.50.0
       - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - checkout
       - cache restore traefik-$(checksum go.sum)
@@ -64,7 +64,7 @@ blocks:
         - name: GH_VERSION
           value: 1.12.1
         - name: CODENAME
-          value: "saintmarcelin"
+          value: "beaufort"
         - name: IN_DOCKER
           value: ""
       prologue:

CHANGELOG.md

@@ -1,89 +1,15 @@
-## [v2.10.0-rc2](https://github.com/traefik/traefik/tree/v2.10.0-rc2) (2023-04-07)
-[All Commits](https://github.com/traefik/traefik/compare/v2.10.0-rc1...v2.10.0-rc2)
+## [v3.0.0-beta2](https://github.com/traefik/traefik/tree/v3.0.0-beta2) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0-beta2)
 
 **Enhancements:**
-- **[webui]** Display period setting of the RateLimit middleware in the webui ([#9822](https://github.com/traefik/traefik/pull/9822) by [smatyas](https://github.com/smatyas))
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
 
 **Bug fixes:**
-- **[docker]** Only warn about missing docker network when network_mode is not host or container ([#9799](https://github.com/traefik/traefik/pull/9799) by [sentriz](https://github.com/sentriz))
-- **[k8s/ingress,k8s]** chore: bump k8s.io/client-go from v0.22.1 to v0.26.3 ([#9808](https://github.com/traefik/traefik/pull/9808) by [ldez](https://github.com/ldez))
-- **[plugins]** Update Yaegi to v0.15.1 ([#9815](https://github.com/traefik/traefik/pull/9815) by [ldez](https://github.com/ldez))
-
-**Documentation:**
-- **[docker]** Update wording - add link descriptions ([#9816](https://github.com/traefik/traefik/pull/9816) by [svx](https://github.com/svx))
-- **[middleware]** Add accessControlAllowHeaders example ([#9810](https://github.com/traefik/traefik/pull/9810) by [yingshaoxo](https://github.com/yingshaoxo))
-- Update Call To Actions ([#9824](https://github.com/traefik/traefik/pull/9824) by [svx](https://github.com/svx))
-- Improve concepts page ([#9813](https://github.com/traefik/traefik/pull/9813) by [svx](https://github.com/svx))
-- Update wording ([#9811](https://github.com/traefik/traefik/pull/9811) by [svx](https://github.com/svx))
-
-## [v2.9.10](https://github.com/traefik/traefik/tree/v2.9.10) (2023-04-06)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.9...v2.9.10)
-
-## [v2.10.0-rc1](https://github.com/traefik/traefik/tree/v2.10.0-rc1) (2023-03-22)
-[All Commits](https://github.com/traefik/traefik/compare/b3f162a8a61d89beaa9edc8adc12cc4cb3e1de0f...v2.10.0-rc1)
-
-**Enhancements:**
-- **[docker]** Expose ContainerName in Docker provider ([#9770](https://github.com/traefik/traefik/pull/9770) by [quinot](https://github.com/quinot))
-- **[hub]** hub: get out of experimental. ([#9792](https://github.com/traefik/traefik/pull/9792) by [mpl](https://github.com/mpl))
-- **[k8s/crd]** Introduce traefik.io API Group CRDs ([#9765](https://github.com/traefik/traefik/pull/9765) by [rtribotte](https://github.com/rtribotte))
-- **[k8s/ingress,k8s/crd,k8s]** Native Kubernetes service load-balancing ([#9740](https://github.com/traefik/traefik/pull/9740) by [rtribotte](https://github.com/rtribotte))
-- **[middleware,metrics]** Add prometheus metric requests_total with headers ([#9783](https://github.com/traefik/traefik/pull/9783) by [rtribotte](https://github.com/rtribotte))
-- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9794](https://github.com/traefik/traefik/pull/9794) by [rtribotte](https://github.com/rtribotte))
-- **[tracing]** Add support to send DataDog traces via Unix Socket ([#9714](https://github.com/traefik/traefik/pull/9714) by [der-eismann](https://github.com/der-eismann))
-
-**Documentation:**
-- docs: update order of log levels ([#9791](https://github.com/traefik/traefik/pull/9791) by [svx](https://github.com/svx))
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
 
 **Misc:**
-- Merge current v2.9 into v2.10 ([#9798](https://github.com/traefik/traefik/pull/9798) by [ldez](https://github.com/ldez))
-
-## [v2.9.9](https://github.com/traefik/traefik/tree/v2.9.9) (2023-03-21)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.8...v2.9.9)
-
-**Bug fixes:**
-- **[acme]** Update go-acme/lego to v4.10.2 ([#9749](https://github.com/traefik/traefik/pull/9749) by [ldez](https://github.com/ldez))
-- **[http3]** Update quic-go to v0.33.0 ([#9737](https://github.com/traefik/traefik/pull/9737) by [ldez](https://github.com/ldez))
-- **[metrics]** Include user-defined default cert for traefik_tls_certs_not_after metric ([#9742](https://github.com/traefik/traefik/pull/9742) by [rtribotte](https://github.com/rtribotte))
-- **[middleware]** Update vulcand/oxy to a0e9f7ff1040 ([#9750](https://github.com/traefik/traefik/pull/9750) by [ldez](https://github.com/ldez))
-- **[nomad]** Fix default configuration settings for Nomad Provider ([#9758](https://github.com/traefik/traefik/pull/9758) by [aofei](https://github.com/aofei))
-- **[nomad]** Fix Nomad client TLS defaults ([#9795](https://github.com/traefik/traefik/pull/9795) by [rtribotte](https://github.com/rtribotte))
-- **[server]** Remove User-Agent header removal from ReverseProxy director func ([#9752](https://github.com/traefik/traefik/pull/9752) by [rtribotte](https://github.com/rtribotte))
-
-**Documentation:**
-- **[middleware]** Clarify ratelimit middleware ([#9777](https://github.com/traefik/traefik/pull/9777) by [mpl](https://github.com/mpl))
-- **[tcp]** Correcting variable name 'server address' in TCP Router ([#9743](https://github.com/traefik/traefik/pull/9743) by [ralphg6](https://github.com/ralphg6))
-
-## [v2.9.8](https://github.com/traefik/traefik/tree/v2.9.8) (2023-02-15)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.7...v2.9.8)
-
-**Bug fixes:**
-- **[server]** Update golang.org/x/net to v0.7.0 ([#9716](https://github.com/traefik/traefik/pull/9716) by [ldez](https://github.com/ldez))
-
-## [v2.9.7](https://github.com/traefik/traefik/tree/v2.9.7) (2023-02-14)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.6...v2.9.7)
-
-**Bug fixes:**
-- **[acme]** Update go-acme/lego to v4.10.0 ([#9705](https://github.com/traefik/traefik/pull/9705) by [ldez](https://github.com/ldez))
-- **[ecs]** Prevent panicking when a container has no network interfaces ([#9661](https://github.com/traefik/traefik/pull/9661) by [rtribotte](https://github.com/rtribotte))
-- **[file]** Make file provider more resilient wrt first configuration ([#9595](https://github.com/traefik/traefik/pull/9595) by [mpl](https://github.com/mpl))
-- **[logs]** Differentiate UDP stream and TCP connection in logs ([#9687](https://github.com/traefik/traefik/pull/9687) by [rtribotte](https://github.com/rtribotte))
-- **[middleware]** Prevent from no rate limiting when average is zero ([#9621](https://github.com/traefik/traefik/pull/9621) by [witalisoft](https://github.com/witalisoft))
-- **[middleware]** Prevents superfluous WriteHeader call in the error middleware ([#9620](https://github.com/traefik/traefik/pull/9620) by [tomMoulard](https://github.com/tomMoulard))
-- **[middleware]** Sanitize X-Forwarded-Proto header in RedirectScheme middleware ([#9598](https://github.com/traefik/traefik/pull/9598) by [ldez](https://github.com/ldez))
-- **[plugins]** Update paerser to v0.2.0 ([#9671](https://github.com/traefik/traefik/pull/9671) by [ldez](https://github.com/ldez))
-- **[plugins]** Update Yaegi to v0.15.0 ([#9700](https://github.com/traefik/traefik/pull/9700) by [ldez](https://github.com/ldez))
-- **[tls,http3]** Bump quic-go to 89769f409f ([#9685](https://github.com/traefik/traefik/pull/9685) by [mpl](https://github.com/mpl))
-- **[tls,tcp]** Adds the support for IPv6 in the TCP HostSNI matcher ([#9692](https://github.com/traefik/traefik/pull/9692) by [rtribotte](https://github.com/rtribotte))
-
-**Documentation:**
-- **[acme]** Add CNAME support and gotchas ([#9698](https://github.com/traefik/traefik/pull/9698) by [mpl](https://github.com/mpl))
-- **[acme]** Further Let's Encrypt ratelimit warnings ([#9627](https://github.com/traefik/traefik/pull/9627) by [hcooper](https://github.com/hcooper))
-- **[k8s]** Add info admonition about routing to k8 services ([#9645](https://github.com/traefik/traefik/pull/9645) by [svx](https://github.com/svx))
-- **[k8s]** Improve TLSStore CRD documentation ([#9579](https://github.com/traefik/traefik/pull/9579) by [mloiseleur](https://github.com/mloiseleur))
-- **[middleware]** doc: add note about remoteaddr strategy ([#9701](https://github.com/traefik/traefik/pull/9701) by [mpl](https://github.com/mpl))
-- Update copyright to match new standard ([#9651](https://github.com/traefik/traefik/pull/9651) by [paulocfjunior](https://github.com/paulocfjunior))
-- Update copyright for 2023 ([#9631](https://github.com/traefik/traefik/pull/9631) by [kevinpollet](https://github.com/kevinpollet))
-- Update submitting pull requests to include language about drafts ([#9609](https://github.com/traefik/traefik/pull/9609) by [tfny](https://github.com/tfny))
+- Merge current v2.9 into master ([#9586](https://github.com/traefik/traefik/pull/9586) by [tomMoulard](https://github.com/tomMoulard))
 
 ## [v2.9.6](https://github.com/traefik/traefik/tree/v2.9.6) (2022-12-07)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.5...v2.9.6)
@@ -104,6 +30,52 @@
 - **[k8s/helm]** Update Helm installation section ([#9564](https://github.com/traefik/traefik/pull/9564) by [mloiseleur](https://github.com/mloiseleur))
 - **[middleware]** Clarify PathPrefix matcher greediness ([#9519](https://github.com/traefik/traefik/pull/9519) by [mpl](https://github.com/mpl))
 
+## [v3.0.0-beta1](https://github.com/traefik/traefik/tree/v3.0.0-beta1) (2022-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v3.0.0-beta1)
+
+**Enhancements:**
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [jilleJr](https://github.com/jilleJr))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+
+**Documentation:**
+- **[metrics]** Update and publish official Grafana Dashboard ([#9493](https://github.com/traefik/traefik/pull/9493) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
 ## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
 
@@ -170,7 +142,13 @@ Release canceled.
 - **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))
 
 **Documentation:**
+- Prepare release v2.9.0 ([#9409](https://github.com/traefik/traefik/pull/9409) by [tomMoulard](https://github.com/tomMoulard))
 - **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
+- Prepare release v2.9.0-rc5 ([#9402](https://github.com/traefik/traefik/pull/9402) by [ldez](https://github.com/ldez))
+- Prepare release v2.9.0-rc4 ([#9372](https://github.com/traefik/traefik/pull/9372) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v2.9.0-rc3 ([#9344](https://github.com/traefik/traefik/pull/9344) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v2.9.0-rc2 ([6c2c561](https://github.com/traefik/traefik/commit/6c2c561d8f935d76ccd07d28e1455c7768adc153) by [ldez](https://github.com/ldez))
+- Prepare release v2.9.0-rc1 ([#9334](https://github.com/traefik/traefik/pull/9334) by [rtribotte](https://github.com/rtribotte))
 
 **Misc:**
 - Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2020 Containous SAS; 2020-2023 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -189,7 +189,7 @@ generate-genconf:
 .PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 2 --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 4 --timeout="90m"
 	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \

README.md

@@ -57,7 +57,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
-- Websocket, HTTP/2, GRPC ready
+- Websocket, HTTP/2, gRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast

build.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine
+FROM golang:1.19-alpine
 
 RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
     && update-ca-certificates \
@@ -13,7 +13,7 @@ RUN mkdir -p /usr/local/bin \
     | tar -xzC /usr/local/bin --transform 's#^.+/##x'
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.52.2
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.50.0
 
 # Download misspell binary to bin folder in $GOPATH
 RUN curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.4.0

cmd/traefik/logger.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"io"
+	stdlog "log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/natefinch/lumberjack"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/logs"
+)
+
+func init() {
+	// hide the first logs before the setup of the logger.
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+}
+
+func setupLogger(staticConfiguration *static.Configuration) {
+	// configure log format
+	w := getLogWriter(staticConfiguration)
+
+	// configure log level
+	logLevel := getLogLevel(staticConfiguration)
+
+	// create logger
+	logCtx := zerolog.New(w).With().Timestamp()
+	if logLevel <= zerolog.DebugLevel {
+		logCtx = logCtx.Caller()
+	}
+
+	log.Logger = logCtx.Logger().Level(logLevel)
+	zerolog.DefaultContextLogger = &log.Logger
+	zerolog.SetGlobalLevel(logLevel)
+
+	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
+	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
+
+	// configure default standard log.
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+}
+
+func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
+	var w io.Writer = os.Stderr
+
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		w = &lumberjack.Logger{
+			Filename:   staticConfiguration.Log.FilePath,
+			MaxSize:    staticConfiguration.Log.MaxSize,
+			MaxBackups: staticConfiguration.Log.MaxBackups,
+			MaxAge:     staticConfiguration.Log.MaxAge,
+			Compress:   true,
+		}
+	}
+
+	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
+		w = zerolog.ConsoleWriter{
+			Out:        w,
+			TimeFormat: time.RFC3339,
+			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
+		}
+	}
+
+	return w
+}
+
+func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+	}
+
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
+	if err != nil {
+		log.Error().Err(err).
+			Str("logLevel", levelStr).
+			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
+
+		logLevel = zerolog.ErrorLevel
+	}
+
+	return logLevel
+}

cmd/traefik/traefik.go

@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
@@ -18,7 +17,9 @@ import (
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
+	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
@@ -28,12 +29,13 @@ import (
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
 	"github.com/traefik/traefik/v2/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/logs"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v2/pkg/provider/hub"
+	"github.com/traefik/traefik/v2/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
@@ -44,7 +46,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
 	"github.com/traefik/traefik/v2/pkg/types"
 	"github.com/traefik/traefik/v2/pkg/version"
-	"github.com/vulcand/oxy/v2/roundrobin"
 )
 
 func main() {
@@ -78,7 +79,7 @@ Complete documentation is available at https://traefik.io`,
 
 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		stdlog.Println(err)
+		log.Error().Err(err).Msg("Command error")
 		logrus.Exit(1)
 	}
 
@@ -86,27 +87,24 @@ Complete documentation is available at https://traefik.io`,
 }
 
 func runCmd(staticConfiguration *static.Configuration) error {
-	configureLogging(staticConfiguration)
+	setupLogger(staticConfiguration)
 
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
 
-	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
-	}
-
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}
 
-	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.Info().Str("version", version.Version).
+		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)
 
 	jsonConf, err := json.Marshal(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.Error().Err(err).Msg("Could not marshal static configuration")
+		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
 	}
 
 	if staticConfiguration.Global.CheckNewVersion {
@@ -131,16 +129,16 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.WithoutContext().Errorf("Failed to notify: %v", err)
+		log.Error().Err(err).Msg("Failed to notify")
 	}
 
 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
+		log.Error().Err(err).Msg("Could not enable Watchdog")
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
+		log.Info().Msgf("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -151,17 +149,17 @@ func runCmd(staticConfiguration *static.Configuration) error {
 
 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.WithoutContext().Error("Fail to tick watchdog")
+						log.Error().Msg("Fail to tick watchdog")
 					}
 				} else {
-					log.WithoutContext().Error(errHealthCheck)
+					log.Error().Err(errHealthCheck).Send()
 				}
 			}
 		})
 	}
 
 	svr.Wait()
-	log.WithoutContext().Info("Shutting down")
+	log.Info().Msg("Shutting down")
 	return nil
 }
 
@@ -190,6 +188,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
 
+	// Tailscale
+
+	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+
 	// Entrypoints
 
 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
@@ -202,15 +204,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot has been removed.")
-	}
-
 	// Plugins
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
 	}
 
 	// Providers plugins
@@ -251,7 +249,26 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	// Service manager factory
 
-	roundTripperManager := service.NewRoundTripperManager()
+	var spiffeX509Source *workloadapi.X509Source
+	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
+		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
+			Msg("Waiting on SPIFFE SVID delivery")
+
+		spiffeX509Source, err = workloadapi.NewX509Source(
+			ctx,
+			workloadapi.WithClientOptions(
+				workloadapi.WithAddr(
+					staticConfiguration.Spiffe.WorkloadAPIAddr,
+				),
+			),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
+		}
+		log.Info().Msg("Successfully obtained SPIFFE SVID.")
+	}
+
+	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
 
@@ -278,7 +295,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
 
 		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
-		for _, certificate := range tlsManager.GetServerCertificates() {
+		for _, certificate := range tlsManager.GetCertificates() {
 			appendCertMetric(gauge, certificate)
 		}
 	})
@@ -311,13 +328,22 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
 
-	// ACME
+	// Certificate Resolvers
+
 	resolverNames := map[string]struct{}{}
+
+	// ACME
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}
 
+	// Tailscale
+	for _, p := range tsProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.HandleConfigUpdate)
+	}
+
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -329,7 +355,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
 				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
 				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
+					Msg("Router uses a non-existent certificate resolver")
 			}
 		}
 	})
@@ -350,8 +377,24 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid
 
 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
+
+	// Determines if at least one EntryPoint is configured to be used by default.
+	var hasDefinedDefaults bool
+	for _, ep := range staticConfiguration.EntryPoints {
+		if ep.AsDefault {
+			hasDefinedDefaults = true
+			break
+		}
+	}
+
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		// By default all entrypoints are considered.
+		// If at least one is flagged, then only flagged entrypoints are included.
+		if hasDefinedDefaults && !cfg.AsDefault {
+			continue
+		}
+
+		// Traefik Hub entryPoint should not be used as a default entryPoint.
 		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
 			continue
 		}
@@ -359,7 +402,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			log.Error().Err(err).Msg("Invalid protocol")
 		}
 
 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -382,7 +425,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }
 
-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
@@ -405,7 +448,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}
 
 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
 			continue
 		}
 
@@ -419,6 +462,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }
 
+// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
+func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
+	var providers []*tailscale.Provider
+	for name, resolver := range cfg.CertificatesResolvers {
+		if resolver.Tailscale == nil {
+			continue
+		}
+
+		tsProvider := &tailscale.Provider{ResolverName: name}
+
+		if err := providerAggregator.AddProvider(tsProvider); err != nil {
+			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
+			continue
+		}
+
+		providers = append(providers, tsProvider)
+	}
+
+	return providers
+}
+
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -427,42 +491,70 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry
 
 	if metricsConfig.Prometheus != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
-		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
+
+		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+			logger.Debug().Msg("Configured Prometheus metrics")
 		}
 	}
 
 	if metricsConfig.Datadog != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
-		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
-		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
-			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
+
+		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
+		logger.Debug().
+			Str("address", metricsConfig.Datadog.Address).
+			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
+			Msgf("Configured Datadog metrics")
 	}
 
 	if metricsConfig.StatsD != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
-		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
-		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
-			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
+
+		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
+		logger.Debug().
+			Str("address", metricsConfig.StatsD.Address).
+			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
+			Msg("Configured StatsD metrics")
 	}
 
 	if metricsConfig.InfluxDB != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
-		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
-		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
-			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb").Logger()
+
+		registries = append(registries, metrics.RegisterInfluxDB(logger.WithContext(context.Background()), metricsConfig.InfluxDB))
+		logger.Debug().
+			Str("address", metricsConfig.InfluxDB.Address).
+			Str("pushInterval", metricsConfig.InfluxDB.PushInterval.String()).
+			Msg("Configured InfluxDB metrics")
 	}
 
 	if metricsConfig.InfluxDB2 != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
-		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
+
+		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
-				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+			logger.Debug().
+				Str("address", metricsConfig.InfluxDB2.Address).
+				Str("bucket", metricsConfig.InfluxDB2.Bucket).
+				Str("organization", metricsConfig.InfluxDB2.Org).
+				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
+				Msg("Configured InfluxDB v2 metrics")
+		}
+	}
+
+	if metricsConfig.OpenTelemetry != nil {
+		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
+
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OpenTelemetry)
+		if openTelemetryRegistry != nil {
+			registries = append(registries, openTelemetryRegistry)
+			logger.Debug().
+				Str("address", metricsConfig.OpenTelemetry.Address).
+				Str("pushInterval", metricsConfig.OpenTelemetry.PushInterval.String()).
+				Msg("Configured OpenTelemetry metrics")
 		}
 	}
 
@@ -490,7 +582,7 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
 
 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
+		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
 	}
 
@@ -510,7 +602,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	if conf.Zipkin != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Zipkin backend.")
 		} else {
 			backend = conf.Zipkin
 		}
@@ -518,7 +610,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	if conf.Datadog != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Datadog backend.")
 		} else {
 			backend = conf.Datadog
 		}
@@ -526,7 +618,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	if conf.Instana != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Instana backend.")
 		} else {
 			backend = conf.Instana
 		}
@@ -534,7 +626,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	if conf.Haystack != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Haystack backend.")
 		} else {
 			backend = conf.Haystack
 		}
@@ -542,14 +634,22 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	if conf.Elastic != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Elastic backend.")
 		} else {
 			backend = conf.Elastic
 		}
 	}
 
+	if conf.OpenTelemetry != nil {
+		if backend != nil {
+			log.Error().Msg("Tracing backends are all mutually exclusive: cannot create OpenTelemetry backend.")
+		} else {
+			backend = conf.OpenTelemetry
+		}
+	}
+
 	if backend == nil {
-		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		log.Debug().Msg("Could not initialize tracing, using Jaeger by default")
 		defaultBackend := &jaeger.Config{}
 		defaultBackend.SetDefaults()
 		backend = defaultBackend
@@ -557,65 +657,12 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {
 
 	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		log.Warn().Err(err).Msg("Unable to create tracer")
 		return nil
 	}
 	return tracer
 }
 
-func configureLogging(staticConfiguration *static.Configuration) {
-	// configure default log flags
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
-	}
-
-	level, err := logrus.ParseLevel(levelStr)
-	if err != nil {
-		log.WithoutContext().Errorf("Error getting level: %v", err)
-	}
-	log.SetLevel(level)
-
-	var logFile string
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		logFile = staticConfiguration.Log.FilePath
-	}
-
-	// configure log format
-	var formatter logrus.Formatter
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
-		formatter = &logrus.JSONFormatter{}
-	} else {
-		disableColors := len(logFile) > 0
-		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
-	}
-	log.SetFormatter(formatter)
-
-	if len(logFile) > 0 {
-		dir := filepath.Dir(logFile)
-
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
-		}
-
-		err = log.OpenFile(logFile)
-		logrus.RegisterExitHandler(func() {
-			if err := log.CloseFile(); err != nil {
-				log.WithoutContext().Errorf("Error while closing log: %v", err)
-			}
-		})
-		if err != nil {
-			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
-		}
-	}
-}
-
 func checkNewVersion() {
 	ticker := time.Tick(24 * time.Hour)
 	safe.Go(func() {
@@ -626,16 +673,16 @@ func checkNewVersion() {
 }
 
 func stats(staticConfiguration *static.Configuration) {
-	logger := log.WithoutContext()
+	logger := log.Info()
 
 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info(`Stats collection is enabled.`)
-		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Msg(`Stats collection is enabled.`)
+		logger.Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Msg(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info(`
+		logger.Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -648,7 +695,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.WithoutContext().Debug(err)
+				log.Debug().Err(err).Send()
 			}
 		}
 	})

cmd/traefik/traefik_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )
 
 // FooCert is a PEM-encoded TLS cert.
@@ -114,3 +115,79 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
+
+func TestGetDefaultsEntrypoints(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		entrypoints static.EntryPoints
+		expected    []string
+	}{
+		{
+			desc: "Skips special names",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"traefik": {
+					Address: ":8080",
+				},
+				"traefikhub-api": {
+					Address: ":9900",
+				},
+				"traefikhub-tunl": {
+					Address: ":9901",
+				},
+			},
+			expected: []string{"web"},
+		},
+		{
+			desc: "Two EntryPoints not attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+		{
+			desc: "Two EntryPoints only one attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"websecure"},
+		},
+		{
+			desc: "Two attachable EntryPoints",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address:   ":80",
+					AsDefault: true,
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			actual := getDefaultsEntrypoints(&static.Configuration{
+				EntryPoints: test.entrypoints,
+			})
+
+			assert.ElementsMatch(t, test.expected, actual)
+		})
+	}
+}

docs/content/contributing/advocating.md

@@ -9,7 +9,7 @@ Spread the Love & Tell Us about It
 {: .subtitle }
 
 Traefik Proxy was started by the community for the community.
-You can contribute to the Traefik community in three main ways:
+You can contribute to the Traefik community in three main ways: 
 
 **Spread the word!** Guides, videos, blog posts, how-to articles, and showing off your network design all help spread the word about Traefik Proxy
 and teach others in the community how to best implement it.
@@ -28,4 +28,4 @@ Luckily, as an open source community, our users can help by [building awesome fe
 We are a big community, so we do need to prioritize a bit.
 That is why we use the tag `contributor/wanted` to let you know which pull requests will make it to the front of the queue for design support and review.
 Feel free to grab one of these and run with it.
-Top contributors get unique swag to celebrate.
+Top contributors get unique swag to celebrate. 

docs/content/contributing/data-collection.md

@@ -10,8 +10,8 @@ Understanding How Traefik is Being Used
 
 ## Configuration Example
 
-Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.
-For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us, so we can benefit from your experience and use cases.
+Understanding how you use Traefik is very important to us: it helps us improve the solution in many different ways.  
+For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
 
 !!! example "Enabling Data Collection"
 
@@ -34,7 +34,9 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 
 ## Collected Data
 
-This feature comes from this [public proposal](https://github.com/traefik/traefik/issues/2369).
+This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
+
+This feature is activated when using Traefik Pilot to better understand the community's need, and also to get information about plug-ins popularity.
 
 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
@@ -45,7 +47,7 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
 
 - the Traefik version number
 - a hash of the configuration
-- an **anonymized version** of the static configuration (token, username, password, URL, IP, domain, email, etc., are removed).
+- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
 
 !!! info
 
@@ -99,4 +101,4 @@ providers:
 
 If you want to dig into more details, here is the source code of the collecting system: [collector.go](https://github.com/traefik/traefik/blob/master/pkg/collector/collector.go)
 
-By default, we anonymize all configuration fields, except fields tagged with `export=true`.
+By default we anonymize all configuration fields, except fields tagged with `export=true`.

docs/content/contributing/maintainers-guidelines.md

@@ -11,7 +11,7 @@ Note: the document is a work in progress.
 
 Welcome to the Traefik Community.
 This document describes how to be part of the core team
-together with various responsibilities
+as well as various responsibilities
 and guidelines for Traefik maintainers.
 We are strongly promoting a philosophy of openness and sharing,
 and firmly standing against the elitist closed approach.
@@ -20,7 +20,7 @@ and wants to be part of that journey!
 
 ## Onboarding Process
 
-If you consider joining our community, please drop us a line using Twitter or leave a note in the issue.
+If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
 We will schedule a quick call to meet you and learn more about your motivation.
 During the call, the team will discuss the process of becoming a maintainer.
 We will be happy to answer any questions and explain all your doubts.
@@ -53,7 +53,7 @@ but we can suggest you start with activities such as:
       Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case. 
       You can help in creating a reproducible use case if it has not been added to the issue
       or use the sample code provided by the reporter.
-      Typically, a simple Docker Compose should be enough to reproduce the issue.
+      Typically, a simple docker compose should be enough to reproduce the issue.
 - Code contribution.
 - Documentation contribution.
     - Technical documentation is one of the most important components of the product.
@@ -61,7 +61,7 @@ but we can suggest you start with activities such as:
       using the official documentation,
       is a game changer.
 - You will be listed on our Maintainers GitHub page
-  and on our website in the section [maintainers](maintainers.md).
+  as well as on our website in the section [maintainers](maintainers.md).
 - We will be promoting you on social channels (mostly on Twitter).
 
 ## Governance
@@ -71,7 +71,7 @@ but we can suggest you start with activities such as:
 ## Communicating
 
 - All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
-  Having the team in one place helps us to communicate effectively.
+  Having the team in one place helps us to communicate effectively. 
   You can reach Traefik core developers directly,
   which offers the possibility to discuss issues, pull requests, enhancements more efficiently
   and get the feedback almost immediately.
@@ -112,9 +112,9 @@ maintainers' activity and involvement will be reviewed on a regular basis.
 
 - Be able to put yourself in users’ shoes.
 - Be open-minded and respectful with other maintainers and other community members.
-- Keep the communication public -
+- Keep the communication public - 
   if anyone tries to communicate with you directly,
-  ask politely to move the conversation to a public communication channel.
+  ask him politely to move the conversation to a public communication channel.
 - Stay away from defensive comments.
 - Please try to express your thoughts clearly enough
   and note that some of us are not native English speakers.
@@ -122,7 +122,7 @@ maintainers' activity and involvement will be reviewed on a regular basis.
   none of us is able to predict your thoughts.
 - There are a lot of use cases of using Traefik
   and even more issues that are difficult to reproduce.
-  If the issue can’t be replicated due to a lack of reproducible case (a simple Docker Compose should be enough) -
+  If the issue can’t be replicated due to a lack of reproducible case (a simple docker compose should be enough) - 
   set your time limits while working on the issue
   and express clearly that you were not able to replicate it.
   You can come back later to that case.

docs/content/contributing/submitting-issues.md

@@ -9,10 +9,10 @@ Help Us Help You!
 {: .subtitle }
 
 Issues are perfect for requesting a feature/enhancement or reporting a suspected bug.
-We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik.
+We use the [GitHub issue tracker](https://github.com/traefik/traefik/issues) to keep track of issues in Traefik. 
 
 The process of sorting and checking the issues is a daunting task, and requires a lot of work (more than an hour a day ... just for sorting).
-To help us (and other community members) quickly and effortlessly understand what you need,
+To help us (and other community members) quickly and easily understand what you need,
 be sure to follow the guidelines below.
 
 !!! important "Getting Help Vs Reporting an Issue"
@@ -33,17 +33,16 @@ Examples:
 
 ## Feature Request
 
-Traefik is an open source project and aims to be the best edge router possible.
+Traefik is an open source project and aims to be the best edge router possible. 
 
 Remember when asking for new features that these must be useful to the majority (and not only useful in edge case scenarios, or hack-like setups).
 Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/feature-request.yml) as much as possible.
 
 Do your best to explain what you're looking for, and why it would improve Traefik for everyone.
 Be detailed and share the use-case(s) to allow us to see the value of your feature request as quickly as possible.
+Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.  
 
-Features with a lot of positive interaction (claps, +1s, conversation about how this would impact them) indicate higher community interest and help us to prioritize.
-
-If you are interested in creating a PR for your feature request, let us know in the issue, so we can work with you.
+If you are interested in creating a PR for your feature request, let us know in the the issue so we can work with you.  
 It can take a lot of work to make sure a PR can integrate with our existing code and planning with the team ahead of time can make sure that your PR can be accepted and merged quickly.
 
 ## Issues or Possible Bug Reports
@@ -51,13 +50,13 @@ It can take a lot of work to make sure a PR can integrate with our existing code
 Follow the [issue template](https://github.com/traefik/traefik/blob/master/.github/ISSUE_TEMPLATE/bug_report.yml) as much as possible.
 
 Explain the conditions in which you encountered the issue; what is your context?
-Share any logs you may have, and make sure to share the steps it takes to reproduce your issue or bug.
+Share any logs you may have and make sure to share the steps it takes to reproduce your issue or bug. 
 
 Remain as clear and concise as possible.
 
-Take time to polish the format of your message, so we'll enjoy reading it and working on it.
+Take time to polish the format of your message so we'll enjoy reading it and working on it. 
 Help your readers focus on what matters and help them understand the structure of your message (see the [GitHub Markdown Syntax](https://docs.github.com/en/get-started/writing-on-github)).
 
 ## International English
 
-Every maintainer / Traefik user is not a native English speaker, so if you sometimes feel that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.
+Every maintainer / Traefik user is not a native English speaker, so if you feel sometimes that some messages sound rude, remember that it probably is a language barrier problem from someone willing to help you.

docs/content/contributing/submitting-pull-requests.md

@@ -5,22 +5,22 @@ description: "Looking to contribute to Traefik Proxy? This guide will show you t
 
 # Before You Submit a Pull Request
 
-This guide is for contributors who already have a pull request to submit.
-If you are looking for information on setting up your developer environment
-and creating code to contribute to Traefik Proxy or related projects,
+This guide is for contributors who already have a pull request to submit. 
+If you are looking for information on setting up your developer environment 
+and creating code to contribute to Traefik Proxy or related projects, 
 see the [development guide](https://docs.traefik.io/contributing/building-testing/).
 
-Looking for a way to contribute to Traefik Proxy?
-Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted),
-the [Good First Issue](https://github.com/traefik/traefik/labels/contributor%2Fgood-first-issue) list,
+Looking for a way to contribute to Traefik Proxy? 
+Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted), 
+the [Good First Issue](https://github.com/traefik/traefik/labels/contributor%2Fgood-first-issue) list, 
 or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2Fbug%2Fconfirmed) waiting to be remedied.
 
 ## How We Prioritize
 
-We wish we could review every pull request right away.
-Unfortunately, our team has to prioritize pull requests (PRs) for review
-(but we are welcoming new [maintainers](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md) to speed this up,
-if you are interested, check it out and apply).
+We wish we could review every pull request right away. 
+Unfortunately, our team has to prioritize pull requests (PRs) for review 
+(but we are welcoming new [maintainers](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md) to speed this up, 
+so if you are interested, check it out and apply). 
 
 The PRs we are able to handle fastest are:
 
@@ -30,20 +30,20 @@ The PRs we are able to handle fastest are:
 
 PRs that take more time to address include:
 
-* Enhancements or Features without the `contributor/wanted` tag.
-
-If you have an idea for an enhancement or feature that you would like to build,
-[create an issue](https://github.com/traefik/traefik/issues/new/choose) for it first
-and tell us you are interested in writing the PR.
-If an issue already exists, definitely comment on it to tell us you are interested in creating a PR.
-
-This will allow us to communicate directly and let you know if it is something we would accept.
-
-It also allows us to make sure you have all the information you need during the design phase
-so that it can be reviewed and merged quickly.
-
-Read more about the [Triage process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in the docs.
+* Enhancements or Features without the `contributor/wanted` tag.  
+  
+If you have an idea for an enhancement or feature that you would like to build, 
+[create an issue](https://github.com/traefik/traefik/issues/new/choose) for it first 
+and tell us you are interested in writing the PR. 
+If an issue already exists, definitely comment on it to tell us you are interested in creating a PR. 
 
+This will allow us to communicate directly and let you know if it is something we would accept. 
+It also allows us to make sure you have all the information you need during the design phase 
+so that it can be reviewed and merged quickly. 
+  
+If you have questions about the Triage process,
+[read more here](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).  
+  
 ## The Pull Request Submit Process
 
 Merging a PR requires the following steps to be completed before it is merged automatically.
@@ -56,15 +56,14 @@ Merging a PR requires the following steps to be completed before it is merged au
     * Do not open the PR from an organization repository.
     * Keep "allows edit from maintainer" checked.
     * Use semantic line breaks for documentation.
-    * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
 * Pass the validation check.
 * Pass all tests.
 * Receive 3 approving reviews maintainers.
 
 ## Pull Request Review Cycle
 
-Learn about our [Triage Process](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md),
-in short, it looks like this:
+You can read about our Triage Process [here](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md), 
+but in short, it looks like this:
 
 * We triage every new PR or comment before entering it into the review process.
     * We ensure that all prerequisites for review have been met.
@@ -76,20 +75,20 @@ in short, it looks like this:
 * Code Review.
     * We review the code in-depth and run tests.
     * We may ask for changes here.
-    * During code review, we ask that you be reasonably responsive,
-      if a PR languishes in code review it is at risk of rejection,
+    * During code review, we ask that you be reasonably responsive, 
+      if a PR languishes in code review it is at risk of rejection, 
       or we may take ownership of the PR and the contributor will become a co-author.
-* Merge.
+* Merge. 
     * Success!
 
 !!! note
 
-    Occasionally, we may freeze our codebase when working towards a specific feature or goal that could impact other development.
+    Occasionally, we may freeze our codebase when working towards a specific feature or goal that could impact other development. 
     During this time, your pull request could remain unmerged while the release work is completed.
 
 ## Run Local Verifications
 
-You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration.
+You must run these local verifications before you submit your pull request to predict the pass or failure of continuous integration. 
 Your PR will not be reviewed until these are green on the CI.
 
 * `make validate`
@@ -98,10 +97,10 @@ Your PR will not be reviewed until these are green on the CI.
 
 ## The Testing and Merge Workflow
 
-Pull Requests are managed by the bot [Myrmica Lobicornis](https://github.com/traefik/lobicornis).
-This bot is responsible for verifying GitHub Checks (CI, Tests, etc), mergability, and minimum reviews.
-In addition, it rebases or merges with the base PR branch if needed.
-It performs several other housekeeping items
+Pull Requests are managed by the bot [Myrmica Lobicornis](https://github.com/traefik/lobicornis). 
+This bot is responsible for verifying GitHub Checks (CI, Tests, etc), mergability, and minimum reviews. 
+In addition, it rebases or merges with the base PR branch if needed. 
+It performs several other housekeeping items 
 and you can read more about those on the [README](https://github.com/traefik/lobicornis) for Lobicornis.
 
 The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
@@ -110,7 +109,7 @@ By default, a squash-rebase merge will be carried out.
 
 The status `status/4-merge-in-progress` is only used by the bot.
 
-If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.
+If the bot is not able to perform the merge, the label `bot/need-human-merge` is added. 
 In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
 
 To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
@@ -126,23 +125,23 @@ This label can be used when:
 
 ## Why Was My Pull Request Closed?
 
-Traefik Proxy is made by the community for the community,
-as such the goal is to engage the community to make Traefik the best reverse proxy available.
-Part of this goal is maintaining a lean codebase and ensuring code velocity.
+Traefik Proxy is made by the community for the community, 
+as such the goal is to engage the community to make Traefik the best reverse proxy available. 
+Part of this goal is maintaining a lean codebase and ensuring code velocity. 
 unfortunately, this means that sometimes we will not be able to merge a pull request.
 
-Because we respect the work you did, you will always be told why we are closing your pull request.
-If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,
+Because we respect the work you did, you will always be told why we are closing your pull request. 
+If you do not agree with our decision, do not worry; closed pull requests are easy to recreate, 
 and little work is lost by closing a pull request that subsequently needs to be reopened.
 
 Your pull request might be closed if:
 
-* Your PR's design conflicts with our existing codebase in such a way that merging is not an option
+* Your PR's design conflicts with our existing codebase in such a way that Merging is not an option 
   and the work needed to make your pull request usable is too high.
     * To prevent this, make sure you created an issue first
       and think about including Traefik Proxy maintainers in your design phase to minimize conflicts.
 * Your PR is for an enhancement or feature that we will not use.
-    * Please remember to create an issue for any pull request **before** you create a PR
+    * Please remember to create an issue for any pull request **before** you create a PR 
       to ensure that your goal is something we can merge and that you have any design insight you might need from the team.
 * Your PR has been waiting for feedback from the contributor for over 90 days.
 
@@ -150,54 +149,54 @@ Your pull request might be closed if:
 
 A few factors affect how long your pull request might wait for review.
 
-We must prioritize which PRs we focus on.
-Our first priority is PRs we have identified as having high community engagement and broad applicability.
-We put our top priorities on our roadmap, and you can identify them by the `contributor/wanted` tag.
-These PRs will enter our review process the fastest.
+We must prioritize which PRs we focus on. 
+Our first priority is PRs we have identified as having high community engagement and broad applicability. 
+We put our top priorities on our roadmap and you can identify them by the `contributor/wanted` tag. 
+These PRs will enter our review process the fastest. 
 
-Our second priority is bug fixes.
-Especially for bugs that have already been tagged with `bug/confirmed`.
+Our second priority is bug fixes. 
+Especially for bugs that have already been tagged with `bug/confirmed`. 
 These reviews enter the process quickly.
 
-If your PR does not meet the criteria above,
-it will take longer for us to review, as any PRs that do meet the criteria above will be prioritized.
+If your PR does not meet the criteria above, 
+it will take longer for us to review as any PRs that do meet the criteria above will be prioritized. 
 
-Additionally, during the last few weeks of a milestone, we stop reviewing PRs to reduce churn and stabilize.
-We will resume after the release.
+Additionally, during the last few weeks of a milestone, we stop reviewing PRs to reduce churn and stabilize. 
+We will resume after the release. 
 
-The second major reason that we deprioritize your PR is that you are not following best practices.
+The second major reason that we deprioritize your PR is that you are not following best practices. 
 
 The most common failures to follow best practices are:
 
-* You did not create an issue for the PR you wish to make.
-  If you do not create an issue before submitting your PR,
-  we will not be able to answer any design questions and let you know how likely your PR is to be merged.
+* You did not create an issue for the PR you wish to make. 
+  If you do not create an issue before submitting your PR, 
+  we will not be able to answer any design questions and let you know how likely your PR is to be merged. 
 * You created pull requests that are too large to review.
     * Break your pull requests up.
-      If you can extract whole ideas from your pull request and send those as pull requests of their own,
-      you should do that instead.
-      It is better to have many pull requests addressing one thing than one pull request addressing many things.
-    * Traefik Proxy is a fast-moving codebase — lock in your changes ASAP with your small pull request,
+      If you can extract whole ideas from your pull request and send those as pull requests of their own, 
+      you should do that instead. 
+      It is better to have many pull requests addressing one thing than one pull request addressing many things. 
+    * Traefik Proxy is a fast-moving codebase — lock in your changes ASAP with your small pull request, 
       and make merges be someone else's problem.
-      We want every pull request to be useful on its own,
+      We want every pull request to be useful on its own, 
       so use your best judgment on what should be a pull request vs. a commit.
 * You did not comment well.
     * Comment everything.
 
-Please remember that we are working internationally, cross-culturally, and with different use-cases.
+Please remember that we are working internationally, cross-culturally, and with different use-cases. 
 Your reviewer will not intuitively understand the problem the same way you do or solve it the same way you would.
-This is why every change you make must be explained, and your strategy for coding must also be explained.
+This is why every change you make must be explained and your strategy for coding must also be explained.   
 
 * Your tests were inadequate or absent.
-    * If you do not know how to test your PR, please ask!
+    * If you do not know how to test your PR, please ask! 
       We will be happy to help you or suggest appropriate test cases.
 
-If you have already followed the best practices and your PR still has not received a response,
+If you have already followed the best practices and your PR still has not received a response, 
 here are some things you can do to move the process along:
 
-* If you have fixed all the issues from a review,
-  remember to re-request a review (using the designated button) to let your reviewer know that you are ready.
-  You can choose to comment with the changes you made.
+* If you have fixed all the issues from a review, 
+  remember to re-request a review (using the designated button) to let your reviewer know that you are ready. 
+  You can choose to comment with the changes you made. 
 * Ping `@tfny` if you have not been assigned to a reviewer.
 
 For more information on best practices, try these links:
@@ -209,23 +208,23 @@ For more information on best practices, try these links:
 
 ## It's OK to Push Back
 
-Sometimes reviewers make mistakes.
-It is OK to push back on changes your reviewer requested.
+Sometimes reviewers make mistakes. 
+It is OK to push back on changes your reviewer requested. 
 If you have a good reason for doing something a certain way, you are absolutely allowed to debate the merits of a requested change.
 Both the reviewer and reviewee should strive to discuss these issues in a polite and respectful manner.
 
-You might be overruled, but you might also prevail.
+You might be overruled, but you might also prevail. 
 We are pretty reasonable people.
 
 Another phenomenon of open-source projects (where anyone can comment on any issue) is the dog-pile -
-your pull request gets so many comments from so many people it becomes hard to follow.
-In this situation, you can ask the primary reviewer (assignee) whether they want you to fork a new pull request
-to clear out all the comments.
-You do not have to fix every issue raised by every person who feels like commenting,
+your pull request gets so many comments from so many people it becomes hard to follow. 
+In this situation, you can ask the primary reviewer (assignee) whether they want you to fork a new pull request 
+to clear out all the comments. 
+You do not have to fix every issue raised by every person who feels like commenting, 
 but you should answer reasonable comments with an explanation.
 
 ## Common Sense and Courtesy
 
-No document can take the place of common sense and good taste.
-Use your best judgment, while you put a bit of thought into how your work can be made easier to review.
-If you do these things, your pull requests will get merged with less friction.
+No document can take the place of common sense and good taste. 
+Use your best judgment, while you put a bit of thought into how your work can be made easier to review. 
+If you do these things your pull requests will get merged with less friction.

docs/content/contributing/submitting-security-issues.md

@@ -12,7 +12,7 @@ You can subscribe sending a mail to security+subscribe@traefik.io or on [the onl
 
 ## CVE
 
-Reported vulnerabilities can be found on
+Reported vulnerabilities can be found on 
 [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
 
 ## Report a Vulnerability

docs/content/deprecation/features.md

@@ -2,43 +2,4 @@
 
 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
 
-| Feature                                                                                             | Deprecated | End of Support | Removal |
-|-----------------------------------------------------------------------------------------------------|------------|----------------|---------|
-| [Pilot](#pilot)                                                                                     | 2.7        | 2.8            | 2.9     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace)                                         | 2.8        | N/A            | 3.0     |
-| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                                                           | N/A        | 2.8            | N/A     |
-| [Nomad Namespace](#nomad-namespace)                                                                 | 2.10       | N/A            | 3.0     |
-| [Kubernetes CRDs API Group `traefik.containo.us`](#kubernetes-crds-api-group-traefikcontainous)     | 2.10       | N/A            | 3.0     |
-| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crds-api-version-traefikiov1alpha1) | N/A        | N/A            | 3.0     |
-
-## Impact
-
-### Pilot
-
-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
-Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
-
-### TLS 1.0 and 1.1
-
-Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
-
-### Nomad Namespace
-
-Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
-please use the `namespaces` options instead.
-
-### Kubernetes CRDs API Group `traefik.containo.us`
-
-In v2.10, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
-
-### Kubernetes CRDs API Version `traefik.io/v1alpha1`
-
-The newly introduced Kubernetes CRD API Version `traefik.io/v1alpha1` will subsequently be removed in Traefik v3. The following version will be `traefik.io/v1`.
+There is no feature deprecation in Traefik v3 for now.

docs/content/getting-started/concepts.md

@@ -1,34 +1,19 @@
 ---
-title: Concepts
-description: Traefik - base concepts and main features
+title: "Traefik Concepts Documentation"
+description: "Get started with Traefik Proxy. Read the technical documentation for an introduction into the key concepts behind our open source edge router."
 ---
 
 # Concepts
 
-This page explains the base concepts of Traefik.
-
----
-
-## Introduction
-
-Traefik is based on the concept of EntryPoints, Routers, Middelwares and Services.
-
-The main features include dynamic configuration, automatic service discovery, and support for multiple backends and protocols.
-
-1. [EntryPoints](../routing/entrypoints.md "Link to docs about EntryPoints"): EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
-
-2. [Routers](../routing/routers/index.md "Link to docs about routers"): A router is in charge of connecting incoming requests to the services that can handle them.
-
-3. [Middlewares](../middlewares/overview.md "Link to docs about middlewares"): Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
-
-4. [Services](../routing/services/index.md "Link to docs about services"): Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
+Everything You Need to Know
+{: .subtitle }
 
 ## Edge Router
 
-Traefik is an *Edge Router*, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
-it knows all the logic and every [rule](../routing/routers/index.md#rule "Link to docs about routing rules") that determine which services handle which requests (based on the *path*, the *host*, *headers*, etc.).
+Traefik is an _Edge Router_, it means that it's the door to your platform, and that it intercepts and routes every incoming request:
+it knows all the logic and every rule that determine which services handle which requests (based on the [path](../routing/routers/index.md#rule), the [host](../routing/routers/index.md#rule), [headers](../routing/routers/index.md#rule), [and so on](../routing/routers/index.md#rule) ...).
 
-![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png "Picture explaining the infrastructure")
+![The Door to Your Infrastructure](../assets/img/traefik-concepts-1.png)
 
 ## Auto Service Discovery
 
@@ -36,7 +21,7 @@ Where traditionally edge routers (or reverse proxies) need a configuration file
 
 Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
 
-![Decentralized Configuration](../assets/img/traefik-concepts-2.png "Picture about Decentralized Configuration")
+![Decentralized Configuration](../assets/img/traefik-concepts-2.png)
 
 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
 Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.
@@ -45,16 +30,14 @@ You no longer need to create and synchronize configuration files cluttered with
 
 !!! info "Many different rules"
 
-    In the example above, we used the request [path rule](../routing/routers/index.md#rule "Link to docs about routing rules") to determine which service was in charge.
-    Certainly, you can use many other different [rules](../routing/routers/index.md#rule "Link to docs about routing rules").
+    In the example above, we used the request [path](../routing/routers/index.md#rule) to determine which service was in charge, but of course you can use many other different [rules](../routing/routers/index.md#rule).
 
 !!! info "Updating the requests"
 
-    In the [middleware](../middlewares/overview.md "Link to middleware documentation") section, you can learn about how to update the requests before forwarding them to the services.
+    In the [middleware](../middlewares/overview.md) section, you can learn about how to update the requests before forwarding them to the services.
 
 !!! question "How does Traefik discover the services?"
 
-    Traefik is able to use your cluster API to discover the services and read the attached information.
-    In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
+    Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
 
 {!traefik-for-business-applications.md!}

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v2.10 --help
+# ex: docker run traefik:v3.0 --help
 ```
 
 All available arguments can also be found [here](../reference/static-configuration/cli.md).

docs/content/getting-started/faq.md

@@ -181,23 +181,3 @@ and the message should help in figuring out the mistake(s) in the configuration,
 
 When using the file provider,
 one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
-
-## Why does Let's Encrypt wildcard certificate renewal/generation with DNS challenge fail?
-
-If you're trying to renew wildcard certificates, with DNS challenge,
-and you're getting errors such as:
-
-```txt
-msg="Error renewing certificate from LE: {example.com [*.example.com]}"
-providerName=letsencrypt.acme error="error: one or more domains had a problem:
-[example.com] acme: error presenting token: gandiv5: unexpected authZone example.com. for fqdn example.com."
-```
-
-then it could be due to `CNAME` support.
-
-In which case, you should make sure your infrastructure is properly set up for a
-`DNS` challenge that does not rely on `CNAME`, and you should try disabling `CNAME` support with:
-
-```bash
-LEGO_DISABLE_CNAME_SUPPORT=true
-```

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.10/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.10/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.toml)
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.10
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.10`
+    ex: `traefik:v3.0`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 
@@ -121,7 +121,7 @@ by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`)
 
 ```yaml
 # dashboard.yaml
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: dashboard

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -130,7 +130,7 @@ spec:
       serviceAccountName: traefik-account
       containers:
         - name: traefik
-          image: traefik:v2.10
+          image: traefik:v3.0
           args:
             - --api.insecure
             - --providers.kubernetesingress

docs/content/getting-started/quick-start.md

@@ -20,7 +20,7 @@ version: '3'
 services:
   reverse-proxy:
     # The official v2 Traefik docker image
-    image: traefik:v2.10
+    image: traefik:v3.0
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:

docs/content/https/acme.md

@@ -11,11 +11,7 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
 
 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to __one week__, and can not be overridden.
-    
-    When running Traefik in a container this file should be persisted across restarts. 
-    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
-    To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
 
     Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
     when experimenting to avoid hitting this limit too fast.
@@ -283,19 +279,8 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
     # ...
     ```
 
-!!! warning "`CNAME` support"
-
-    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
-    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
-
-    If needed, `CNAME` support can be disabled with the following environment variable:
-
-    ```bash
-    LEGO_DISABLE_CNAME_SUPPORT=true
-    ```
-
-!!! important
-    A `provider` is mandatory.
+    !!! important
+        A `provider` is mandatory.
 
 #### `providers`
 
@@ -308,121 +293,117 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 
 For complete details, refer to your provider's _Additional configuration_ link.
 
-| Provider Name                                                            | Provider Code      | Environment Variables                                                                                                                       |                                                                                 |
-|--------------------------------------------------------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns)                           | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
-| [Alibaba Cloud](https://www.alibabacloud.com)                            | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
-| [all-inkl](https://all-inkl.com)                                         | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
-| [ArvanCloud](https://www.arvancloud.com/en)                              | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
-| [Auroradns](https://www.pcextreme.com/dns-health-checks)                 | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
-| [Autodns](https://www.internetx.com/domains/autodns/)                    | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
-| [Azure](https://azure.microsoft.com/services/dns/)                       | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)               | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
-| [Blue Cat](https://www.bluecatnetworks.com/)                             | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
-| [Checkdomain](https://www.checkdomain.de/)                               | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
-| [Civo](https://www.civo.com/)                                            | `civo`             | `CIVO_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
-| [CloudDNS](https://vshosting.eu/)                                        | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
-| [Cloudflare](https://www.cloudflare.com)                                 | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
-| [ClouDNS](https://www.cloudns.net/)                                      | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
-| [CloudXNS](https://www.cloudxns.net)                                     | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
-| [ConoHa](https://www.conoha.jp)                                          | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
-| [Constellix](https://constellix.com)                                     | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
-| [deSEC](https://desec.io)                                                | `desec`            | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
-| [DigitalOcean](https://www.digitalocean.com)                             | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
-| [DNS Made Easy](https://dnsmadeeasy.com)                                 | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
-| [dnsHome.de](https://www.dnshome.de)                                     | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
-| [DNSimple](https://dnsimple.com)                                         | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
-| [DNSPod](https://www.dnspod.com/)                                        | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
-| [Domain Offensive (do.de)](https://www.do.de/)                           | `dode`             | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
-| [Domeneshop](https://domene.shop)                                        | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
-| [DreamHost](https://www.dreamhost.com/)                                  | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
-| [Duck DNS](https://www.duckdns.org/)                                     | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
-| [Dyn](https://dyn.com)                                                   | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
-| [Dynu](https://www.dynu.com)                                             | `dynu`             | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
-| [EasyDNS](https://easydns.com/)                                          | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
-| [EdgeDNS](https://www.akamai.com/)                                       | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
-| [Epik](https://www.epik.com)                                             | `epik`             | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
-| [Exoscale](https://www.exoscale.com)                                     | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
-| [Fast DNS](https://www.akamai.com/)                                      | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
-| [Freemyip.com](https://freemyip.com)                                     | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
-| [G-Core Lab](https://gcorelabs.com/dns/)                                 | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
-| [Gandi v5](https://doc.livedns.gandi.net)                                | `gandiv5`          | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
-| [Gandi](https://www.gandi.net)                                           | `gandi`            | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
-| [Glesys](https://glesys.com/)                                            | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
-| [GoDaddy](https://www.godaddy.com)                                       | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                   | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
-| [Hetzner](https://hetzner.com)                                           | `hetzner`          | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
-| [hosting.de](https://www.hosting.de)                                     | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
-| [Hosttech](https://www.hosttech.eu)                                      | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
-| [Hurricane Electric](https://dns.he.net)                                 | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
-| [HyperOne](https://www.hyperone.com)                                     | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
-| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                      | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
-| [IIJ DNS Platform Service](https://www.iij.ad.jp)                        | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
-| [IIJ](https://www.iij.ad.jp/)                                            | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
-| [Infoblox](https://www.infoblox.com/)                                    | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
-| [Infomaniak](https://www.infomaniak.com)                                 | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
-| [Internet.bs](https://internetbs.net)                                    | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
-| [INWX](https://www.inwx.de/en)                                           | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
-| [ionos](https://ionos.com/)                                              | `ionos`            | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
-| [iwantmyname](https://iwantmyname.com)                                   | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
-| [Joker.com](https://joker.com)                                           | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
-| [Liara](https://liara.ir)                                                | `liara`            | `LIARA_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
-| [Lightsail](https://aws.amazon.com/lightsail/)                           | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
-| [Linode v4](https://www.linode.com)                                      | `linode`           | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
-| [Liquid Web](https://www.liquidweb.com/)                                 | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
-| [Loopia](https://loopia.com/)                                            | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
-| [LuaDNS](https://luadns.com)                                             | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
-| [MyDNS.jp](https://www.mydns.jp/)                                        | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
-| [Mythic Beasts](https://www.mythic-beasts.com)                           | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
-| [name.com](https://www.name.com/)                                        | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
-| [Namecheap](https://www.namecheap.com)                                   | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
-| [Namesilo](https://www.namesilo.com/)                                    | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
-| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)                | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
-| [Netcup](https://www.netcup.eu/)                                         | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
-| [Netlify](https://www.netlify.com)                                       | `netlify`          | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
-| [Nicmanager](https://www.nicmanager.com)                                 | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                      | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
-| [Njalla](https://njal.la)                                                | `njalla`           | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
-| [NS1](https://ns1.com/)                                                  | `ns1`              | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
-| [Open Telekom Cloud](https://cloud.telekom.de)                           | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
-| [Openstack Designate](https://docs.openstack.org/designate)              | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
-| [Oracle Cloud](https://cloud.oracle.com/home)                            | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
-| [OVH](https://www.ovh.com)                                               | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
-| [Porkbun](https://porkbun.com/)                                          | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
-| [PowerDNS](https://www.powerdns.com)                                     | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
-| [Rackspace](https://www.rackspace.com/cloud/dns)                         | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
-| [reg.ru](https://www.reg.ru)                                             | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
-| [RFC2136](https://tools.ietf.org/html/rfc2136)                           | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
-| [RimuHosting](https://rimuhosting.com)                                   | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
-| [Route 53](https://aws.amazon.com/route53/)                              | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/)                              | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
-| [Scaleway](https://www.scaleway.com)                                     | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
-| [Selectel](https://selectel.ru/en/)                                      | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
-| [Servercow](https://servercow.de)                                        | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
-| [Simply.com](https://www.simply.com/en/domains/)                         | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
-| [Sonic](https://www.sonic.com/)                                          | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
-| [Stackpath](https://www.stackpath.com/)                                  | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
-| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)               | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
-| [TransIP](https://www.transip.nl/)                                       | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
-| [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html)   | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
-| [Ultradns](https://neustarsecurityservices.com/dns-services)             | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
-| [Variomedia](https://www.variomedia.de/)                                 | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API)                          | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
-| [Vercel](https://vercel.com)                                             | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
-| [Versio](https://www.versio.nl/domeinnamen)                              | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
-| [VinylDNS](https://www.vinyldns.io)                                      | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
-| [VK Cloud](https://mcs.mail.ru/)                                         | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
-| [Vscale](https://vscale.io/)                                             | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
-| [VULTR](https://www.vultr.com)                                           | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
-| [Websupport](https://websupport.sk)                                      | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
-| [WEDOS](https://www.wedos.com)                                           | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
-| [Yandex Cloud](https://cloud.yandex.com/en/)                             | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
-| [Yandex](https://yandex.com)                                             | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
-| [Zone.ee](https://www.zone.ee)                                           | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
-| [Zonomi](https://zonomi.com)                                             | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
-| External Program                                                         | `exec`             | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
-| HTTP request                                                             | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
-| manual                                                                   | `manual`           | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                                 |
+| Provider Name                                                                                      | Provider Code      | Environment Variables                                                                                                                       |                                                                                 |
+|----------------------------------------------------------------------------------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
+| [ACME DNS](https://github.com/joohoi/acme-dns)                                                     | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
+| [Alibaba Cloud](https://www.alibabacloud.com)                                                      | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
+| [all-inkl](https://all-inkl.com)                                                                   | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
+| [ArvanCloud](https://www.arvancloud.com/en)                                                        | `arvancloud`       | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)       |
+| [Auroradns](https://www.pcextreme.com/dns-health-checks)                                           | `auroradns`        | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)        |
+| [Autodns](https://www.internetx.com/domains/autodns/)                                              | `autodns`          | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)          |
+| [Azure](https://azure.microsoft.com/services/dns/)                                                 | `azure`            | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]`   | [Additional configuration](https://go-acme.github.io/lego/dns/azure)            |
+| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)                                         | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
+| [Blue Cat](https://www.bluecatnetworks.com/)                                                       | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
+| [Checkdomain](https://www.checkdomain.de/)                                                         | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
+| [Civo](https://www.civo.com/)                                                                      | `civo`             | `CIVO_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
+| [CloudDNS](https://vshosting.eu/)                                                                  | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
+| [Cloudflare](https://www.cloudflare.com)                                                           | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
+| [ClouDNS](https://www.cloudns.net/)                                                                | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
+| [CloudXNS](https://www.cloudxns.net)                                                               | `cloudxns`         | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)         |
+| [ConoHa](https://www.conoha.jp)                                                                    | `conoha`           | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)           |
+| [Constellix](https://constellix.com)                                                               | `constellix`       | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)       |
+| [deSEC](https://desec.io)                                                                          | `desec`            | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
+| [DigitalOcean](https://www.digitalocean.com)                                                       | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
+| [DNS Made Easy](https://dnsmadeeasy.com)                                                           | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [DNSimple](https://dnsimple.com)                                                                   | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
+| [DNSPod](https://www.dnspod.com/)                                                                  | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
+| [Domain Offensive (do.de)](https://www.do.de/)                                                     | `dode`             | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
+| [Domeneshop](https://domene.shop)                                                                  | `domeneshop`       | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)       |
+| [DreamHost](https://www.dreamhost.com/)                                                            | `dreamhost`        | `DREAMHOST_API_KEY`                                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost)        |
+| [Duck DNS](https://www.duckdns.org/)                                                               | `duckdns`          | `DUCKDNS_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns)          |
+| [Dyn](https://dyn.com)                                                                             | `dyn`              | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/dyn)              |
+| [Dynu](https://www.dynu.com)                                                                       | `dynu`             | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)             |
+| [EasyDNS](https://easydns.com/)                                                                    | `easydns`          | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)          |
+| [EdgeDNS](https://www.akamai.com/)                                                                 | `edgedns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Epik](https://www.epik.com)                                                                       | `epik`             | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)             |
+| [Exoscale](https://www.exoscale.com)                                                               | `exoscale`         | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)         |
+| [Fast DNS](https://www.akamai.com/)                                                                | `fastdns`          | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)          |
+| [Freemyip.com](https://freemyip.com)                                                               | `freemyip`         | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)         |
+| [G-Core Lab](https://gcorelabs.com/dns/)                                                           | `gcore`            | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)            |
+| [Gandi v5](https://doc.livedns.gandi.net)                                                          | `gandiv5`          | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)          |
+| [Gandi](https://www.gandi.net)                                                                     | `gandi`            | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)            |
+| [Glesys](https://glesys.com/)                                                                      | `glesys`           | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)           |
+| [GoDaddy](https://godaddy.com/)                                                                    | `godaddy`          | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)          |
+| [Google Cloud DNS](https://cloud.google.com/dns/docs/)                                             | `gcloud`           | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)           |
+| [Hetzner](https://hetzner.com)                                                                     | `hetzner`          | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)          |
+| [hosting.de](https://www.hosting.de)                                                               | `hostingde`        | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)        |
+| [Hosttech](https://www.hosttech.eu)                                                                | `hosttech`         | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)         |
+| [Hurricane Electric](https://dns.he.net)                                                           | `hurricane`        | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)        |
+| [HyperOne](https://www.hyperone.com)                                                               | `hyperone`         | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)         |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                                                | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
+| [IIJ DNS Platform Service](https://www.iij.ad.jp)                                                  | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
+| [IIJ](https://www.iij.ad.jp/)                                                                      | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
+| [Infoblox](https://www.infoblox.com/)                                                              | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
+| [Infomaniak](https://www.infomaniak.com)                                                           | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
+| [Internet.bs](https://internetbs.net)                                                              | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
+| [INWX](https://www.inwx.de/en)                                                                     | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
+| [ionos](https://ionos.com/)                                                                        | `ionos`            | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
+| [iwantmyname](https://iwantmyname.com)                                                             | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
+| [Joker.com](https://joker.com)                                                                     | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [Lightsail](https://aws.amazon.com/lightsail/)                                                     | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
+| [Linode v4](https://www.linode.com)                                                                | `linode`           | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
+| [Liquid Web](https://www.liquidweb.com/)                                                           | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
+| [Loopia](https://loopia.com/)                                                                      | `loopia`           | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)           |
+| [LuaDNS](https://luadns.com)                                                                       | `luadns`           | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)           |
+| [MyDNS.jp](https://www.mydns.jp/)                                                                  | `mydnsjp`          | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)          |
+| [Mythic Beasts](https://www.mythic-beasts.com)                                                     | `mythicbeasts`     | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts)     |
+| [name.com](https://www.name.com/)                                                                  | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
+| [Namecheap](https://www.namecheap.com)                                                             | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
+| [Namesilo](https://www.namesilo.com/)                                                              | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)                                          | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
+| [Netcup](https://www.netcup.eu/)                                                                   | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
+| [Netlify](https://www.netlify.com)                                                                 | `netlify`          | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
+| [Nicmanager](https://www.nicmanager.com)                                                           | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
+| [NIFCloud](https://cloud.nifty.com/service/dns.htm)                                                | `nifcloud`         | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)         |
+| [Njalla](https://njal.la)                                                                          | `njalla`           | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)           |
+| [NS1](https://ns1.com/)                                                                            | `ns1`              | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)              |
+| [Open Telekom Cloud](https://cloud.telekom.de)                                                     | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
+| [Openstack Designate](https://docs.openstack.org/designate)                                        | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
+| [Oracle Cloud](https://cloud.oracle.com/home)                                                      | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
+| [OVH](https://www.ovh.com)                                                                         | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [Porkbun](https://porkbun.com/)                                                                    | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
+| [PowerDNS](https://www.powerdns.com)                                                               | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
+| [Rackspace](https://www.rackspace.com/cloud/dns)                                                   | `rackspace`        | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)        |
+| [reg.ru](https://www.reg.ru)                                                                       | `regru`            | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)            |
+| [RFC2136](https://tools.ietf.org/html/rfc2136)                                                     | `rfc2136`          | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)          |
+| [RimuHosting](https://rimuhosting.com)                                                             | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
+| [Route 53](https://aws.amazon.com/route53/)                                                        | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
+| [Sakura Cloud](https://cloud.sakura.ad.jp/)                                                        | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
+| [Scaleway](https://www.scaleway.com)                                                               | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Selectel](https://selectel.ru/en/)                                                                | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [Servercow](https://servercow.de)                                                                  | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
+| [Simply.com](https://www.simply.com/en/domains/)                                                   | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
+| [Sonic](https://www.sonic.com/)                                                                    | `sonic`            | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)            |
+| [Stackpath](https://www.stackpath.com/)                                                            | `stackpath`        | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)        |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)                                         | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
+| [TransIP](https://www.transip.nl/)                                                                 | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
+| [UKFast SafeDNS](https://www.ans.co.uk/cloud-and-infrastructure/dedicated-servers/dns-management/) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Variomedia](https://www.variomedia.de/)                                                           | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
+| [VegaDNS](https://github.com/shupp/VegaDNS-API)                                                    | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
+| [Vercel](https://vercel.com)                                                                       | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
+| [Versio](https://www.versio.nl/domeinnamen)                                                        | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
+| [VinylDNS](https://www.vinyldns.io)                                                                | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [VK Cloud](https://mcs.mail.ru/)                                                                   | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
+| [Vscale](https://vscale.io/)                                                                       | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
+| [VULTR](https://www.vultr.com)                                                                     | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [WEDOS](https://www.wedos.com)                                                                     | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [Yandex Cloud](https://cloud.yandex.com/en/)                                                       | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
+| [Yandex](https://yandex.com)                                                                       | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
+| [Zone.ee](https://www.zone.ee)                                                                     | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
+| [Zonomi](https://zonomi.com)                                                                       | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
+| External Program                                                                                   | `exec`             | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)             |
+| HTTP request                                                                                       | `httpreq`          | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)          |
+| manual                                                                                             | `manual`           | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                                 |
 
 [^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
 [^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).

docs/content/https/include-acme-multiple-domains-example.md

@@ -22,7 +22,7 @@ deploy:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: blogtls

docs/content/https/include-acme-multiple-domains-from-rule-example.md

@@ -18,7 +18,7 @@ deploy:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: blogtls

docs/content/https/include-acme-single-domain-example.md

@@ -18,7 +18,7 @@ deploy:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: blogtls

docs/content/https/spiffe.md

@@ -0,0 +1,54 @@
+---
+title: "Traefik SPIFFE Documentation"
+description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
+---
+
+# SPIFFE
+
+Secure the backend connection with SPIFFE.
+{: .subtitle }
+
+[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
+provides a secure identity in the form of a specially crafted X.509 certificate, 
+to every workload in an environment.
+
+Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
+
+## Configuration
+
+### General
+
+Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments.
+
+### Workload API
+
+The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
+
+!!! info "Enabling SPIFFE in ServersTransports"
+
+    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
+    Each [ServersTransport](../routing/services/index.md#serverstransport_1) that is meant to be secured with SPIFFE must [explicitly](../routing/services/index.md#spiffe) enable it.
+
+!!! warning "SPIFFE can cause Traefik to stall"
+	When using SPIFFE,
+	Traefik will wait for the first SVID to be delivered before starting.
+	If Traefik is hanging when waiting on SPIFFE SVID delivery,
+	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
+
+```yaml tab="File (YAML)"
+## Static configuration
+spiffe:
+    workloadAPIAddr: localhost
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[spiffe]
+    workloadAPIAddr: localhost
+```
+
+```bash tab="CLI"
+## Static configuration
+--spiffe.workloadAPIAddr=localhost
+```

docs/content/https/tailscale.md

@@ -0,0 +1,237 @@
+---
+title: "Traefik Tailscale Documentation"
+description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
+---
+
+# Tailscale
+
+Provision TLS certificates for your internal Tailscale services.
+{: .subtitle }
+
+To protect a service with TLS, a certificate from a public Certificate Authority is needed.
+In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
+
+## Certificate resolvers
+
+To obtain a TLS certificate from the Tailscale daemon,
+a Tailscale certificate resolver needs to be configured as below.
+
+!!! info "Referencing a certificate resolver"
+
+    Defining a certificate resolver does not imply that routers are going to use it automatically.
+    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+    myresolver:
+        tailscale: {}
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.tailscale]
+```
+
+```bash tab="CLI"
+--certificatesresolvers.myresolver.tailscale=true
+```
+
+## Domain Definition
+
+A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
+
+- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
+  in the [router's rule](../routing/routers/index.md#rule).
+
+!!! info "Tailscale Domain Format"
+
+    The domain is only taken into account if it is a Tailscale-specific one,
+    i.e. of the form `machine-name.domains-alias.ts.net`.
+
+## Configuration Example
+
+!!! example "Enabling Tailscale certificate resolution"
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+
+      websecure:
+        address: ":443"
+
+    certificatesResolvers:
+      myresolver:
+        tailscale: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.tailscale]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.tailscale=true
+    ```
+
+!!! example "Domain from Router's Rule Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+      [http.routers.blog.tls]
+        certResolver = "myresolver"
+    ```
+
+!!! example "Domain from Router's tls.domain Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: monitoring.yak-bebop.ts.net
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+      "traefik.http.routers.blog.tls.domains[0].main": "monitoring.yak-bebop.ts.net",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+            domains:
+              - main: "monitoring.yak-bebop.ts.net"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+        rule = "Path(`/metrics`)"
+        [http.routers.blog.tls]
+          certResolver = "myresolver"
+          [[http.routers.blog.tls.domains]]
+            main = "monitoring.yak-bebop.ts.net"
+    ```
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
+and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.

docs/content/https/tls.md

@@ -134,7 +134,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSStore
 metadata:
   name: default
@@ -195,7 +195,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSStore
 metadata:
   name: default
@@ -277,7 +277,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -287,7 +287,7 @@ spec:
   minVersion: VersionTLS12
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: mintls13
@@ -328,7 +328,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -338,7 +338,7 @@ spec:
   maxVersion: VersionTLS13
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: maxtls12
@@ -373,7 +373,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -418,7 +418,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -454,7 +454,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -493,7 +493,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default
@@ -545,7 +545,7 @@ tls:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: default

docs/content/includes/traefik-for-business-applications.md

@@ -2,10 +2,15 @@
 
 !!! question "Using Traefik for Business Applications?"
 
-    If you are using Traefik in your organization, consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/). You can use it as your:
+    If you are using Traefik for commercial applications,
+    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
+    You can use it as your:
 
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
     - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
     - [Docker Swarm Ingress Controller](https://traefik.io/solutions/docker-swarm-ingress/)
+    - [API Gateway](https://traefik.io/solutions/api-gateway/)
 
-    Traefik Enterprise simplifies the discovery, security, and deployment of APIs and microservices across any environment. See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo).
+    Traefik Enterprise enables centralized access management,
+    distributed Let's Encrypt,
+    and other advanced capabilities.
+    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/index.md

@@ -24,8 +24,10 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    Join our user friendly and active [Community Forum]((https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the traefik community.
-
-    Using Traefik in your organization? Consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/ "Lino to Traefik Enterprise"), our unified API Gateway and Ingress that simplifies the discovery, security, and deployment of APIs and microservices across any environment.
-
-    See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo "Link to video walkthrough").
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
+    
+    Using Traefik for commercial applications?
+    Consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik as your [Kubernetes Ingress](https://traefik.io/solutions/kubernetes-ingress/), 
+    your [Docker Swarm Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/), 
+    or your [API gateway](https://traefik.io/solutions/api-gateway/). 
+    Get started with a [free 30-day trial](https://info.traefik.io/get-traefik-enterprise-free-for-30-days).

docs/content/middlewares/http/addprefix.md

@@ -22,7 +22,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Prefixing with /foo
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: add-foo

docs/content/middlewares/http/basicauth.md

@@ -28,7 +28,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -114,7 +114,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -207,7 +207,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -274,7 +274,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -322,7 +322,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: my-auth
@@ -367,7 +367,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth

docs/content/middlewares/http/buffering.md

@@ -26,7 +26,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Sets the maximum request body to 2MB
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: limit
@@ -84,7 +84,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: limit
@@ -134,7 +134,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: limit
@@ -186,7 +186,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: limit
@@ -236,7 +236,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: limit
@@ -288,7 +288,7 @@ You can have the Buffering middleware replay the request using `retryExpression`
     ```
 
     ```yaml tab="Kubernetes"
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: limit

docs/content/middlewares/http/chain.md

@@ -15,7 +15,7 @@ It makes reusing the same groups easier.
 
 ## Configuration Example
 
-Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
 
 ```yaml tab="Docker"
 labels:
@@ -25,12 +25,12 @@ labels:
   - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
   - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: test
@@ -47,7 +47,7 @@ spec:
       middlewares:
         - name: secured
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: secured
@@ -58,7 +58,7 @@ spec:
     - name: known-ips
     - name: auth-users
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: auth-users
@@ -67,7 +67,7 @@ spec:
     users:
     - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: https-only
@@ -75,12 +75,12 @@ spec:
   redirectScheme:
     scheme: https
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: known-ips
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourceRange:
     - 192.168.1.7
     - 127.0.0.1/32
@@ -93,7 +93,7 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
@@ -105,7 +105,7 @@ spec:
   "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
   "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
   "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
-  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
   "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```
@@ -118,7 +118,7 @@ labels:
   - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
   - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
   - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
   - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```
 
@@ -150,7 +150,7 @@ http:
         scheme: https
 
     known-ips:
-      ipWhiteList:
+      ipAllowList:
         sourceRange:
           - "192.168.1.7"
           - "127.0.0.1/32"
@@ -180,7 +180,7 @@ http:
   [http.middlewares.https-only.redirectScheme]
     scheme = "https"
 
-  [http.middlewares.known-ips.ipWhiteList]
+  [http.middlewares.known-ips.ipAllowList]
     sourceRange = ["192.168.1.7", "127.0.0.1/32"]
 
 [http.services]

docs/content/middlewares/http/circuitbreaker.md

@@ -38,7 +38,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Latency Check
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: latency-check

docs/content/middlewares/http/compress.md

@@ -5,24 +5,25 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before
 
 # Compress
 
-Compress Responses before Sending them to the Client
+Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }
 
 ![Compress](../../assets/img/middleware/compress.png)
 
-The Compress middleware uses gzip compression.
+The Compress middleware supports gzip and Brotli compression.
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Enable gzip compression
+# Enable compression
 labels:
   - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="Kubernetes"
-# Enable gzip compression
-apiVersion: traefik.io/v1alpha1
+# Enable compression
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-compress
@@ -31,7 +32,7 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Enable gzip compression
+# Enable compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
@@ -42,13 +43,13 @@ spec:
 ```
 
 ```yaml tab="Rancher"
-# Enable gzip compression
+# Enable compression
 labels:
   - "traefik.http.middlewares.test-compress.compress=true"
 ```
 
 ```yaml tab="File (YAML)"
-# Enable gzip compression
+# Enable compression
 http:
   middlewares:
     test-compress:
@@ -56,7 +57,7 @@ http:
 ```
 
 ```toml tab="File (TOML)"
-# Enable gzip compression
+# Enable compression
 [http.middlewares]
   [http.middlewares.test-compress.compress]
 ```
@@ -65,30 +66,41 @@ http:
 
     Responses are compressed when the following criteria are all met:
 
-    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
-    * The `Accept-Encoding` request header contains `gzip`.
+    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent, it is meant as br compression is requested.
+    If it is present, but its value is the empty string, then compression is disabled.
     * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
+    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes).
+    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).
 
 ## Configuration Options
 
 ### `excludedContentTypes`
 
+_Optional, Default=""_ 
+
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
 
 The responses with content types defined in `excludedContentTypes` are not compressed.
 
 Content types are compared in a case-insensitive, whitespace-ignored manner.
 
+!!! info "In the case of gzip"
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
+!!! info "gRPC"
+
+    Note that `application/grpc` is never compressed.
+
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-compress
@@ -130,9 +142,9 @@ http:
 
 ### `minResponseBodyBytes`
 
-`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+_Optional, Default=1024_
 
-The default value is `1024`, which should be a reasonable value for most cases.
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
 
 Responses smaller than the specified values will not be compressed.
 
@@ -142,7 +154,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-compress

docs/content/middlewares/http/contenttype.md

@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
 ---
 
 # ContentType
@@ -8,84 +8,59 @@ description: "Traefik Proxy's HTTP middleware can automatically specify the cont
 Handling Content-Type auto-detection
 {: .subtitle }
 
-The Content-Type middleware - or rather its `autoDetect` option -
-specifies whether to let the `Content-Type` header,
-if it has not been defined by the backend,
-be automatically set to a value derived from the contents of the response.
-
-As a proxy, the default behavior should be to leave the header alone,
-regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was not already defined,
-and altering this behavior would be a breaking change which would impact many users.
-
-This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
+when it is not set by the backend.
 
 !!! info
 
-    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
-    is still to automatically set the `Content-Type` header.
-    Therefore, given the default value of the `autoDetect` option (false),
-    simply enabling this middleware for a router switches the router's behavior.
-
     The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
     Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```
 
 ```yaml tab="Kubernetes"
-# Disable auto-detection
-apiVersion: traefik.io/v1alpha1
+# Enable auto-detection
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: autodetect
 spec:
-  contentType:
-    autoDetect: false
+  contentType: {}
 ```
 
 ```yaml tab="Consul Catalog"
-# Disable auto-detection
-- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+# Enable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype=true"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+  "traefik.http.middlewares.autodetect.contenttype": "true"
 }
 ```
 
 ```yaml tab="Rancher"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```
 
 ```yaml tab="File (YAML)"
-# Disable auto-detection
+# Enable auto-detection
 http:
   middlewares:
     autodetect:
-      contentType:
-        autoDetect: false
+      contentType: {}
 ```
 
 ```toml tab="File (TOML)"
-# Disable auto-detection
+# Enable auto-detection
 [http.middlewares]
   [http.middlewares.autodetect.contentType]
-     autoDetect=false
-```
-
-## Configuration Options
-
-### `autoDetect`
-
-`autoDetect` specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
-be automatically set to a value derived from the contents of the response.
+```

docs/content/middlewares/http/digestauth.md

@@ -22,7 +22,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -90,7 +90,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -161,7 +161,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -228,7 +228,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -276,7 +276,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: my-auth
@@ -326,7 +326,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth

docs/content/middlewares/http/errorpages.md

@@ -27,7 +27,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-errors

docs/content/middlewares/http/forwardauth.md

@@ -24,7 +24,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Forward authentication to example.com
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -90,7 +90,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -138,7 +138,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -190,7 +190,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -248,7 +248,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -307,7 +307,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -371,7 +371,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -440,7 +440,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -518,7 +518,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth
@@ -594,7 +594,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-auth

docs/content/middlewares/http/grpcweb.md

@@ -0,0 +1,77 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+# GrpcWeb
+
+Converting gRPC Web requests to HTTP/2 gRPC requests.
+{: .subtitle }
+
+The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins": "*"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins=*"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+## Configuration Options
+
+### `allowOrigins`
+
+The `allowOrigins` contains the list of allowed origins.
+A wildcard origin `*` can also be configured to match all requests.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)

docs/content/middlewares/http/headers.md

@@ -27,7 +27,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-header
@@ -90,7 +90,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-header
@@ -158,7 +158,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-header
@@ -207,21 +207,18 @@ http:
 CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
 This functionality allows for more advanced security features to quickly be set.
 If CORS headers are set, then the middleware does not pass preflight requests to any service,
-instead the response will be generated and sent back to the client directly.  
-Please note that the example below is by no means authoritative or exhaustive,
-and should not be used as is for production.
+instead the response will be generated and sent back to the client directly.
 
 ```yaml tab="Docker"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
   - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-header
@@ -231,7 +228,6 @@ spec:
       - "GET"
       - "OPTIONS"
       - "PUT"
-    accessControlAllowHeaders: "*"
     accessControlAllowOriginList:
       - "https://foo.bar.org"
       - "https://example.org"
@@ -241,7 +237,6 @@ spec:
 
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-- "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
 - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
@@ -250,7 +245,6 @@ spec:
 ```json tab="Marathon"
 "labels": {
   "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*",
   "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
   "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
   "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
@@ -260,7 +254,6 @@ spec:
 ```yaml tab="Rancher"
 labels:
   - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
   - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
   - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
   - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
@@ -275,7 +268,6 @@ http:
           - GET
           - OPTIONS
           - PUT
-        accessControlAllowHeaders: "*"
         accessControlAllowOriginList:
           - https://foo.bar.org
           - https://example.org
@@ -287,7 +279,6 @@ http:
 [http.middlewares]
   [http.middlewares.testHeader.headers]
     accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowHeaders= "*"
     accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
     accessControlMaxAge = 100
     addVaryHeader = true
@@ -373,43 +364,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.
 
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 
-### `sslRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
 ### `sslProxyHeaders`
 
 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
 
-### `sslForceHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
 ### `stsSeconds`
 
 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -461,14 +420,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates
 
 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
 
-### `featurePolicy`
-
-!!! warning
-
-    Deprecated in favor of `permissionsPolicy`
-
-The `featurePolicy` allows sites to control browser features.
-
 ### `permissionsPolicy`
 
 The `permissionsPolicy` allows sites to control browser features.

docs/content/middlewares/http/inflightreq.md

@@ -20,7 +20,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq
@@ -75,7 +75,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq
@@ -127,8 +127,6 @@ If none are set, the default is to use the `requestHost`.
 
 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
-!!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."
-
 ##### `ipStrategy.depth`
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -152,7 +150,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq
@@ -217,7 +215,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq
@@ -274,7 +272,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq
@@ -325,7 +323,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-inflightreq

docs/content/middlewares/http/ipallowlist.md

@@ -1,32 +1,30 @@
 ---
-title: "Traefik HTTP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---
 
-# IPWhiteList
+# IPAllowList
 
 Limiting Clients to Specific IPs
 {: .subtitle }
 
-![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
-IPWhitelist accepts / refuses requests based on the client IP.
+IPAllowList accepts / refuses requests based on the client IP.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourceRange:
       - 127.0.0.1/32
       - 192.168.1.7
@@ -34,27 +32,27 @@ spec:
 
 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```
 
 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
   middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
         sourceRange:
           - "127.0.0.1/32"
           - "192.168.1.7"
@@ -63,7 +61,7 @@ http:
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```
 
@@ -75,10 +73,7 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using
 
 ### `ipStrategy`
 
-The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.  
-If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
-
-!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
 #### `ipStrategy.depth`
 
@@ -89,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 
 !!! example "Examples of Depth & X-Forwarded-For"
 
-    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
 
     | `X-Forwarded-For`                       | `depth` | clientIP     |
     |-----------------------------------------|---------|--------------|
@@ -98,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
     | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |
 
 ```yaml tab="Docker"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```
 
 ```yaml tab="Kubernetes"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-apiVersion: traefik.io/v1alpha1
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourceRange:
       - 127.0.0.1/32
       - 192.168.1.7
@@ -120,31 +115,31 @@ spec:
 ```
 
 ```yaml tab="Consul Catalog"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
 }
 ```
 
 ```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```
 
 ```yaml tab="File (YAML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
   middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
         sourceRange:
           - "127.0.0.1/32"
           - "192.168.1.7"
@@ -153,11 +148,11 @@ http:
 ```
 
 ```toml tab="File (TOML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
       depth = 2
 ```
 
@@ -180,17 +175,17 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
 # Exclude from `X-Forwarded-For`
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     ipStrategy:
       excludedIPs:
         - 127.0.0.1/32
@@ -199,27 +194,27 @@ spec:
 
 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```
 
 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
   middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
         ipStrategy:
           excludedIPs:
             - "127.0.0.1/32"
@@ -229,7 +224,7 @@ http:
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
       excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```

docs/content/middlewares/http/overview.md

@@ -29,9 +29,9 @@ whoami:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewares.traefik.io
+  name: middlewares.traefik.containo.us
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: Middleware
@@ -40,7 +40,7 @@ spec:
   scope: Namespaced
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: stripprefix
@@ -50,7 +50,7 @@ spec:
       - /stripit
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: ingressroute
@@ -142,7 +142,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |

docs/content/middlewares/http/passtlsclientcert.md

@@ -25,7 +25,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-passtlsclientcert
@@ -95,7 +95,7 @@ http:
 
     ```yaml tab="Kubernetes"
     # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: test-passtlsclientcert

docs/content/middlewares/http/ratelimit.md

@@ -10,8 +10,6 @@ To Control the Number of Requests Going to a Service
 
 The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.
 
-It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation. In this analogy, the [average](#average) parameter (defined below) is the rate at which the bucket refills, and the [burst](#burst) is the size (volume) of the bucket.
-
 ## Configuration Example
 
 ```yaml tab="Docker"
@@ -25,7 +23,7 @@ labels:
 ```yaml tab="Kubernetes"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -96,7 +94,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # 100 reqs/s
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -156,7 +154,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # 6 reqs/minute
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -216,7 +214,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -264,8 +262,6 @@ If none are set, the default is to use the request's remote address field (as an
 
 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
 
-!!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."
-
 ##### `ipStrategy.depth`
 
 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -289,7 +285,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -381,7 +377,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -438,7 +434,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit
@@ -489,7 +485,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-ratelimit

docs/content/middlewares/http/redirectregex.md

@@ -26,7 +26,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Redirect with domain replacement
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-redirectregex

docs/content/middlewares/http/redirectscheme.md

@@ -34,7 +34,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-redirectscheme
@@ -98,7 +98,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-redirectscheme
@@ -159,7 +159,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-redirectscheme
@@ -215,7 +215,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-redirectscheme

docs/content/middlewares/http/replacepath.md

@@ -24,7 +24,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Replace the path with /foo
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-replacepath

docs/content/middlewares/http/replacepathregex.md

@@ -25,7 +25,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Replace path with regex
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-replacepathregex

docs/content/middlewares/http/retry.md

@@ -27,7 +27,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Retry 4 times with exponential backoff
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-retry

docs/content/middlewares/http/stripprefix.md

@@ -24,7 +24,7 @@ labels:
 
 ```yaml tab="Kubernetes"
 # Strip prefix /foobar and /fiibar
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-stripprefix
@@ -88,85 +88,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-
-    - `forceSlash=true`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-    - `forceSlash=false`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: example
-spec:
-  stripPrefix:
-    prefixes:
-      - "/foobar"
-    forceSlash: false
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    example:
-      stripPrefix:
-        prefixes:
-          - "/foobar"
-        forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```

docs/content/middlewares/http/stripprefixregex.md

@@ -18,7 +18,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: test-stripprefixregex

docs/content/middlewares/overview.md

@@ -37,7 +37,7 @@ whoami:
 
 ```yaml tab="Kubernetes IngressRoute"
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: stripprefix
@@ -47,7 +47,7 @@ spec:
       - /stripit
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: ingressroute

docs/content/middlewares/tcp/inflightconn.md

@@ -13,7 +13,7 @@ labels:
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
   name: test-inflightconn

docs/content/middlewares/tcp/ipallowlist.md

@@ -1,30 +1,30 @@
 ---
-title: "Traefik TCP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik TCP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---
 
-# IPWhiteList
+# IPAllowList
 
 Limiting Clients to Specific IPs
 {: .subtitle }
 
-IPWhitelist accepts / refuses connections based on the client IP.
+IPAllowList accepts / refuses connections based on the client IP.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
 # Accepts connections from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourceRange:
       - 127.0.0.1/32
       - 192.168.1.7
@@ -32,25 +32,25 @@ spec:
 
 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
-- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```
 
 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```
 
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]
-  [tcp.middlewares.test-ipwhitelist.ipWhiteList]
+  [tcp.middlewares.test-ipallowlist.ipAllowList]
     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```
 
@@ -58,8 +58,8 @@ labels:
 # Accepts request from defined IP
 tcp:
   middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
         sourceRange:
           - "127.0.0.1/32"
           - "192.168.1.7"

docs/content/middlewares/tcp/overview.md

@@ -18,10 +18,10 @@ whoami:
   #  A container that exposes an API to show its IP address
   image: traefik/whoami
   labels:
-    # Create a middleware named `foo-ip-whitelist`
-    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+    # Create a middleware named `foo-ip-allowlist`
+    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```
 
 ```yaml tab="Kubernetes IngressRoute"
@@ -29,9 +29,9 @@ whoami:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewaretcps.traefik.io
+  name: middlewaretcps.traefik.containo.us
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: MiddlewareTCP
@@ -40,18 +40,18 @@ spec:
   scope: Namespaced
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-whitelist
+  name: foo-ip-allowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
     sourcerange:
       - 127.0.0.1/32
       - 192.168.1.7
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
   name: ingressroute
@@ -60,30 +60,30 @@ spec:
   routes:
     # more fields...
     middlewares:
-      - name: foo-ip-whitelist
+      - name: foo-ip-allowlist
 ```
 
 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-whitelist`
-- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+# Create a middleware named `foo-ip-allowlist`
+- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
-  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
+  "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
+  "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
 }
 ```
 
 ```yaml tab="Rancher"
 # As a Rancher Label
 labels:
-  # Create a middleware named `foo-ip-whitelist`
-  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
+  # Create a middleware named `foo-ip-allowlist`
+  - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+  - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
 ```
 
 ```toml tab="File (TOML)"
@@ -91,11 +91,11 @@ labels:
 [tcp.routers]
   [tcp.routers.router1]
     service = "myService"
-    middlewares = ["foo-ip-whitelist"]
+    middlewares = ["foo-ip-allowlist"]
     rule = "Host(`example.com`)"
 
 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
     sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 
 [tcp.services]
@@ -114,12 +114,12 @@ tcp:
     router1:
       service: myService
       middlewares:
-        - "foo-ip-whitelist"
+        - "foo-ip-allowlist"
       rule: "Host(`example.com`)"
 
   middlewares:
-    foo-ip-whitelist:
-      ipWhiteList:
+    foo-ip-allowlist:
+      ipAllowList:
         sourceRange:
           - "127.0.0.1/32"
           - "192.168.1.7"
@@ -137,4 +137,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |

docs/content/migration/v1-to-v2.md

@@ -110,7 +110,7 @@ Then any router can refer to an instance of the wanted middleware.
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
     # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: basicauth
@@ -123,7 +123,7 @@ Then any router can refer to an instance of the wanted middleware.
           - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
 
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: ingressroutebar
@@ -281,7 +281,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
     # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
       name: mytlsoption
@@ -297,7 +297,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: ingressroutebar
@@ -443,7 +443,7 @@ To apply a redirection:
     ```
 
     ```yaml tab="K8s IngressRoute"
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: http-redirect-ingressroute
@@ -461,7 +461,7 @@ To apply a redirection:
             - name: https-redirect
 
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: https-ingressroute
@@ -478,7 +478,7 @@ To apply a redirection:
       tls: {}
 
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: https-redirect
@@ -597,7 +597,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
 
     ```yaml tab="Kubernetes IngressRoute"
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: http-redirect-ingressroute
@@ -614,7 +614,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
           middlewares:
             - name: admin-stripprefix
     ---
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: admin-stripprefix

docs/content/migration/v2-to-v3.md

@@ -0,0 +1,57 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
+feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
+
+## IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+## gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+## Deprecated Options Removal
+
+- The `pilot` option has been removed from the static configuration.
+- The `tracing.datadog.globaltag` option has been removed.
+- The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- the `preferServerCipherSuites` option has been removed.
+
+## Matchers
+
+In v3, the `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Headers`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+## Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+## HTTP/3
+
+In v3, HTTP/3 is no longer an experimental feature.
+The `experimental.http3` option has been removed from the static configuration.

docs/content/migration/v2.md

@@ -65,18 +65,13 @@ rules:
     verbs:
       - update
   - apiGroups:
-      - traefik.io
       - traefik.containo.us
     resources:
       - middlewares
-      - middlewaretcps
       - ingressroutes
       - traefikservices
       - ingressroutetcps
-      - ingressrouteudps
       - tlsoptions
-      - tlsstores
-      - serverstransports
     verbs:
       - get
       - list
@@ -172,18 +167,17 @@ rules:
       - traefik.containo.us
     resources:
       - middlewares
-      - middlewaretcps
       - ingressroutes
       - traefikservices
       - ingressroutetcps
       - ingressrouteudps
       - tlsoptions
       - tlsstores
-      - serverstransports
     verbs:
       - get
       - list
       - watch
+
 ```
 
 After having both resources applied, Traefik will work properly.
@@ -502,18 +496,3 @@ In `v2.9`, Traefik Pilot support has been removed.
 ### Nomad Namespace
 
 In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
-
-## v2.10
-
-### Kubernetes CRDs
-
-In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
-
-As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
-it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
-
-In addition, the Kubernetes CRDs API Version `traefik.io/v1alpha1` will not be supported in Traefik v3 itself.
-
-### Traefik Hub
-
-In `v2.10`, Traefik Hub is GA and the `experimental.hub` flag is deprecated.

docs/content/observability/access-logs.md

@@ -229,6 +229,7 @@ accessLog:
     | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
     | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
     | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
+    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |
 
 ## Log Rotation
 
@@ -254,7 +255,7 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik:v2.10
+    image: traefik:v3.0
     environment:
       - TZ=US/Alaska
     command:

docs/content/observability/logs.md

@@ -64,9 +64,7 @@ log:
 
 #### `level`
 
-By default, the `level` is set to `ERROR`.
-
-Alternative logging levels are `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.
+By default, the `level` is set to `ERROR`. Alternative logging levels are `TRACE`, `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
 
 ```yaml tab="File (YAML)"
 log:
@@ -82,10 +80,101 @@ log:
 --log.level=DEBUG
 ```
 
+#### `noColor`
+
+When using the 'common' format, disables the colorized output.
+
+```yaml tab="File (YAML)"
+log:
+  noColor: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  noColor = true
+```
+
+```bash tab="CLI"
+--log.nocolor=true
+```
+
 ## Log Rotation
 
-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+The rotation of the log files can be configured with the following options.
 
-!!! warning
-    This does not work on Windows due to the lack of USR signals.
+### `maxSize`
+
+`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
+It defaults to 100 megabytes.
+
+```yaml tab="File (YAML)"
+log:
+  maxSize: 1
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxSize = 1
+```
+
+```bash tab="CLI"
+--log.maxsize=1
+```
+
+### `maxBackups`
+
+`maxBackups` is the maximum number of old log files to retain.
+The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
+
+```yaml tab="File (YAML)"
+log:
+  maxBackups: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxBackups = 3
+```
+
+```bash tab="CLI"
+--log.maxbackups=3
+```
+
+### `maxAge`
+
+`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
+Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
+The default is not to remove old log files based on age.
+
+```yaml tab="File (YAML)"
+log:
+  maxAge: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxAge = 3
+```
+
+```bash tab="CLI"
+--log.maxage=3
+```
+
+### `compress`
+
+`compress` determines if the rotated log files should be compressed using gzip.
+The default is not to perform compression.
+
+```yaml tab="File (YAML)"
+log:
+  compress: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  compress = 3
+```
+
+```bash tab="CLI"
+--log.compress=3
+```

docs/content/observability/metrics/opentelemetry.md

@@ -0,0 +1,353 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry:
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry exporter will export metrics to the collector by using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.address=localhost:4318
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addRoutersLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addServicesLabels=true
+```
+
+#### `explicitBoundaries`
+
+_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
+
+Explicit boundaries for Histogram data points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    explicitBoundaries:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    explicitBoundaries = [0.1,0.3,1.2,5.0]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.explicitBoundaries=0.1,0.3,1.2,5.0
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.headers.foo=bar --metrics.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.insecure=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+Interval at which metrics are sent to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.pushInterval=10s
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending metrics.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.grpc=true
+```

docs/content/observability/metrics/overview.md

@@ -13,6 +13,8 @@ Traefik supports these metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)
 
+Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346) and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
+
 ## Global Metrics
 
 | Metric                                      | Type    | Description                                             |

docs/content/observability/metrics/prometheus.md

@@ -165,66 +165,3 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.manualrouting=true
 ```
-
-#### `headerLabels`
-
-_Optional_
-
-Defines the extra labels for the `requests_total` metrics, and for each of them, the request header containing the value for this label.
-Please note that if the header is not present in the request it will be added nonetheless with an empty value.
-In addition, the label should be a valid label name for Prometheus metrics, 
-otherwise, the Prometheus metrics provider will fail to serve any Traefik-related metric.
-
-```yaml tab="File (YAML)"
-metrics:
-  prometheus:
-    headerLabels:
-      label: headerKey
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    [metrics.prometheus.headerLabels]
-      label = "headerKey"
-```
-
-```bash tab="CLI"
---metrics.prometheus.headerlabels.label=headerKey
-```
-
-##### Example
-
-Here is an example of the entryPoint `requests_total` metric with an additional "useragent" label.
-
-When configuring the label in Static Configuration:
-
-```yaml tab="File (YAML)"
-metrics:
-  prometheus:
-    headerLabels:
-      useragent: User-Agent
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    [metrics.prometheus.headerLabels]
-      useragent = "User-Agent"
-```
-
-```bash tab="CLI"
---metrics.prometheus.headerlabels.useragent=User-Agent
-```
-
-And performing a request with a custom User-Agent:
-
-```bash
-curl -H "User-Agent: foobar" http://localhost
-```
-
-The following metric is produced :
-
-```bash
-traefik_entrypoint_requests_total{code="200",entrypoint="web",method="GET",protocol="http",useragent="foobar"} 1
-```

docs/content/observability/tracing/datadog.md

@@ -23,46 +23,24 @@ tracing:
 
 #### `localAgentHostPort`
 
-_Optional, Default="localhost:8126"_
+_Required, Default="127.0.0.1:8126"_
 
 Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).
 
 ```yaml tab="File (YAML)"
 tracing:
   datadog:
-    localAgentHostPort: localhost:8126
+    localAgentHostPort: 127.0.0.1:8126
 ```
 
 ```toml tab="File (TOML)"
 [tracing]
   [tracing.datadog]
-    localAgentHostPort = "localhost:8126"
+    localAgentHostPort = "127.0.0.1:8126"
 ```
 
 ```bash tab="CLI"
---tracing.datadog.localAgentHostPort=localhost:8126
-```
-
-#### `localAgentSocket`
-
-_Optional, Default=""_
-
-Local Agent Socket instructs the reporter to send spans to the Datadog Agent at this UNIX socket.
-
-```yaml tab="File (YAML)"
-tracing:
-  datadog:
-    localAgentSocket: /var/run/datadog/apm.socket
-```
-
-```toml tab="File (TOML)"
-[tracing]
-  [tracing.datadog]
-    localAgentSocket = "/var/run/datadog/apm.socket"
-```
-
-```bash tab="CLI"
---tracing.datadog.localAgentSocket=/var/run/datadog/apm.socket
+--tracing.datadog.localAgentHostPort=127.0.0.1:8126
 ```
 
 #### `debug`
@@ -87,30 +65,6 @@ tracing:
 --tracing.datadog.debug=true
 ```
 
-#### `globalTag`
-
-??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
-
-    _Optional, Default=empty_
-    
-    Applies a shared key:value tag on all spans.
-    
-    ```yaml tab="File (YAML)"
-    tracing:
-      datadog:
-        globalTag: sample
-    ```
-    
-    ```toml tab="File (TOML)"
-    [tracing]
-      [tracing.datadog]
-        globalTag = "sample"
-    ```
-    
-    ```bash tab="CLI"
-    --tracing.datadog.globalTag=sample
-    ```
-
 #### `globalTags`
 
 _Optional, Default=empty_

docs/content/observability/tracing/opentelemetry.md

@@ -0,0 +1,246 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry tracer:
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+!!! info "Trace sampling"
+
+	By default, the OpenTelemetry trace reporter will sample 100% of traces.
+	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.address=localhost:4318
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with spans by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.headers.foo=bar --tracing.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.insecure=true
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending traces.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+_Optional_
+
+This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.grpc=true
+```

docs/content/operations/dashboard.md

@@ -72,7 +72,7 @@ to allow defining:
 
 - One or more security features through [middlewares](../middlewares/overview.md)
   like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
-  [forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
+  [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
 
 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
   through Traefik itself (sometimes referred as "Traefik-ception").
@@ -93,12 +93,12 @@ rule = "Host(`traefik.example.com`)"
 
 ```bash tab="Path Prefix Rule"
 # The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
-rule = "PathPrefix(`/api`, `/dashboard`)"
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```
 
 ```bash tab="Combination of Rules"
 # The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`) && PathPrefix(`/api`, `/dashboard`)"
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```
 
 ??? example "Dashboard Dynamic Configuration Examples"

docs/content/operations/include-api-examples.md

@@ -20,7 +20,7 @@ deploy:
 ```
 
 ```yaml tab="Kubernetes CRD"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: traefik-dashboard
@@ -34,7 +34,7 @@ spec:
     middlewares:
       - name: auth
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: auth

docs/content/operations/include-dashboard-examples.md

@@ -20,7 +20,7 @@ deploy:
 ```
 
 ```yaml tab="Kubernetes CRD"
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: traefik-dashboard
@@ -34,7 +34,7 @@ spec:
     middlewares:
       - name: auth
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: auth

docs/content/providers/consul-catalog.md

@@ -667,41 +667,6 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/consul.md

@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/docker.md

@@ -95,7 +95,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 ## Routing Configuration
 
 When using Docker as a [provider](./overview.md),
-Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
 
 See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
 
@@ -265,7 +265,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     services:
       traefik:
-         image: traefik:v2.10 # The official v2 Traefik docker image
+         image: traefik:v3.0 # The official v2 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -440,11 +440,10 @@ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 
 The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
 
-It must be a valid [Go template](https://pkg.go.dev/text/template/),
-and can use [sprig template functions](https://masterminds.github.io/sprig/).
-The container name can be accessed with the `ContainerName` identifier.
-The service name can be accessed with the `Name` identifier.
-The template has access to all the labels defined on this container with the `Labels` identifier.
+It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
+[sprig template functions](https://masterminds.github.io/sprig/).
+The container service name can be accessed with the `Name` identifier,
+and the template has access to all the labels defined on this container.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/ecs.md

@@ -234,6 +234,30 @@ providers:
 # ...
 ```
 
+### `healthyTasksOnly`
+
+_Optional, Default=false_
+
+Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    healthyTasksOnly: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  healthyTasksOnly = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.healthyTasksOnly=true
+# ...
+```
+
 ### `defaultRule`
 
 _Optional, Default=```Host(`{{ normalize .Name }}`)```_

docs/content/providers/file.md

@@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen
 
 !!! tip
 
-    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
 
 ## Configuration Examples
 

docs/content/providers/http.md

@@ -76,6 +76,26 @@ providers:
 --providers.http.pollTimeout=5s
 ```
 
+### `headers`
+
+_Optional_
+
+Defines custom headers to be sent to the endpoint.
+
+```yaml tab="File (YAML)"
+providers:
+  headers:
+    name: value
+```
+
+```toml tab="File (TOML)"
+[providers.http.headers]
+  name = "value"
+```
+
+```bash tab="CLI"
+--providers.http.headers.name=value
+
 ### `tls`
 
 _Optional_

docs/content/providers/kubernetes-crd.md

@@ -35,10 +35,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration

docs/content/providers/kubernetes-ingress.md

@@ -502,6 +502,6 @@ providers:
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.10/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.9/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
 {!traefik-for-business-applications.md!}

docs/content/providers/nomad.md

@@ -440,36 +440,6 @@ providers:
 
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 
-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-
-    The `namespace` option defines the namespace in which the Nomad services will be discovered.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-
-    ```yaml tab="File (YAML)"
-    providers:
-      nomad:
-        namespace: "production"
-        # ...
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.nomad]
-      namespace = "production"
-      # ...
-    ```
-
-    ```bash tab="CLI"
-    --providers.nomad.namespace=production
-    # ...
-    ```
-
 ### `namespaces`
 
 _Optional, Default=""_

docs/content/providers/overview.md

@@ -82,7 +82,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
     ```
 
     ```yaml tab="Kubernetes Ingress Route"
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
       name: ingressroutestripprefix
@@ -104,7 +104,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
     ```
 
     ```yaml tab="Kubernetes Ingress"
-    apiVersion: traefik.io/v1alpha1
+    apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
       name: stripprefix

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -17,7 +17,7 @@
 - "traefik.http.middlewares.middleware05.compress=true"
 - "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware05.compress.minresponsebodybytes=42"
-- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
+- "traefik.http.middlewares.middleware06.contenttype=true"
 - "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
@@ -31,7 +31,6 @@
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
-- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
@@ -54,7 +53,6 @@
 - "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
-- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware10.headers.framedeny=true"
 - "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
@@ -62,18 +60,14 @@
 - "traefik.http.middlewares.middleware10.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
-- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
-- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
-- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
-- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware10.headers.stspreload=true"
 - "traefik.http.middlewares.middleware10.headers.stsseconds=42"
-- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
-- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
-- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware12.inflightreq.amount=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
@@ -118,9 +112,9 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
 - "traefik.http.middlewares.middleware20.retry.initialinterval=42"
-- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -152,8 +146,10 @@
 - "traefik.http.services.service01.loadbalancer.healthcheck.interval=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.path=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.method=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.mode=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
 - "traefik.http.services.service01.loadbalancer.passhostheader=true"
 - "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
@@ -165,7 +161,7 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
-- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -53,18 +53,20 @@
           url = "foobar"
         [http.services.Service01.loadBalancer.healthCheck]
           scheme = "foobar"
+          mode = "foobar"
           path = "foobar"
           method = "foobar"
+          status = 42
           port = 42
-          interval = "foobar"
-          timeout = "foobar"
+          interval = "42s"
+          timeout = "42s"
           hostname = "foobar"
           followRedirects = true
           [http.services.Service01.loadBalancer.healthCheck.headers]
             name0 = "foobar"
             name1 = "foobar"
         [http.services.Service01.loadBalancer.responseForwarding]
-          flushInterval = "foobar"
+          flushInterval = "42s"
     [http.services.Service02]
       [http.services.Service02.mirroring]
         service = "foobar"
@@ -135,7 +137,6 @@
         minResponseBodyBytes = 42
     [http.middlewares.Middleware06]
       [http.middlewares.Middleware06.contentType]
-        autoDetect = true
     [http.middlewares.Middleware07]
       [http.middlewares.Middleware07.digestAuth]
         users = ["foobar", "foobar"]
@@ -157,7 +158,6 @@
         authRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
-          caOptional = true
           cert = "foobar"
           key = "foobar"
           insecureSkipVerify = true
@@ -173,10 +173,6 @@
         addVaryHeader = true
         allowedHosts = ["foobar", "foobar"]
         hostsProxyHeaders = ["foobar", "foobar"]
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
         stsSeconds = 42
         stsIncludeSubdomains = true
         stsPreload = true
@@ -189,7 +185,6 @@
         contentSecurityPolicy = "foobar"
         publicKey = "foobar"
         referrerPolicy = "foobar"
-        featurePolicy = "foobar"
         permissionsPolicy = "foobar"
         isDevelopment = true
         [http.middlewares.Middleware10.headers.customRequestHeaders]
@@ -202,9 +197,9 @@
           name0 = "foobar"
           name1 = "foobar"
     [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.ipWhiteList]
+      [http.middlewares.Middleware11.ipAllowList]
         sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipAllowList.ipStrategy]
           depth = 42
           excludedIPs = ["foobar", "foobar"]
     [http.middlewares.Middleware12]
@@ -280,10 +275,12 @@
     [http.middlewares.Middleware21]
       [http.middlewares.Middleware21.stripPrefix]
         prefixes = ["foobar", "foobar"]
-        forceSlash = true
     [http.middlewares.Middleware22]
       [http.middlewares.Middleware22.stripPrefixRegex]
         regex = ["foobar", "foobar"]
+    [http.middlewares.Middleware23]
+      [http.middlewares.Middleware23.grpcWeb]
+        allowOrigins = ["foobar", "foobar"]
   [http.serversTransports]
     [http.serversTransports.ServersTransport0]
       serverName = "foobar"
@@ -300,12 +297,18 @@
       [[http.serversTransports.ServersTransport0.certificates]]
         certFile = "foobar"
         keyFile = "foobar"
+
       [http.serversTransports.ServersTransport0.forwardingTimeouts]
         dialTimeout = "42s"
         responseHeaderTimeout = "42s"
         idleConnTimeout = "42s"
         readIdleTimeout = "42s"
         pingTimeout = "42s"
+
+      [http.serversTransports.ServersTransport0.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
     [http.serversTransports.ServersTransport1]
       serverName = "foobar"
       insecureSkipVerify = true
@@ -321,6 +324,7 @@
       [[http.serversTransports.ServersTransport1.certificates]]
         certFile = "foobar"
         keyFile = "foobar"
+
       [http.serversTransports.ServersTransport1.forwardingTimeouts]
         dialTimeout = "42s"
         responseHeaderTimeout = "42s"
@@ -328,6 +332,10 @@
         readIdleTimeout = "42s"
         pingTimeout = "42s"
 
+      [http.serversTransports.ServersTransport1.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
 [tcp]
   [tcp.routers]
     [tcp.routers.TCPRouter0]
@@ -390,7 +398,7 @@
           weight = 42
   [tcp.middlewares]
     [tcp.middlewares.TCPMiddleware00]
-      [tcp.middlewares.TCPMiddleware00.ipWhiteList]
+      [tcp.middlewares.TCPMiddleware00.ipAllowList]
         sourceRange = ["foobar", "foobar"]
     [tcp.middlewares.TCPMiddleware01]
       [tcp.middlewares.TCPMiddleware01.inFlightConn]
@@ -442,7 +450,6 @@
       cipherSuites = ["foobar", "foobar"]
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
-      preferServerCipherSuites = true
       alpnProtocols = ["foobar", "foobar"]
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
@@ -453,7 +460,6 @@
       cipherSuites = ["foobar", "foobar"]
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
-      preferServerCipherSuites = true
       alpnProtocols = ["foobar", "foobar"]
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]

docs/content/reference/dynamic-configuration/file.yaml

@@ -58,11 +58,13 @@ http:
           - url: foobar
         healthCheck:
           scheme: foobar
+          mode: foobar
           path: foobar
           method: foobar
+          status: 42
           port: 42
-          interval: foobar
-          timeout: foobar
+          interval: 42s
+          timeout: 42s
           hostname: foobar
           followRedirects: true
           headers:
@@ -70,7 +72,7 @@ http:
             name1: foobar
         passHostHeader: true
         responseForwarding:
-          flushInterval: foobar
+          flushInterval: 42s
         serversTransport: foobar
     Service02:
       mirroring:
@@ -139,8 +141,7 @@ http:
           - foobar
         minResponseBodyBytes: 42
     Middleware06:
-      contentType:
-        autoDetect: true
+      contentType: {}
     Middleware07:
       digestAuth:
         users:
@@ -162,7 +163,6 @@ http:
         address: foobar
         tls:
           ca: foobar
-          caOptional: true
           cert: foobar
           key: foobar
           insecureSkipVerify: true
@@ -206,13 +206,9 @@ http:
         hostsProxyHeaders:
           - foobar
           - foobar
-        sslRedirect: true
-        sslTemporaryRedirect: true
-        sslHost: foobar
         sslProxyHeaders:
           name0: foobar
           name1: foobar
-        sslForceHost: true
         stsSeconds: 42
         stsIncludeSubdomains: true
         stsPreload: true
@@ -225,11 +221,10 @@ http:
         contentSecurityPolicy: foobar
         publicKey: foobar
         referrerPolicy: foobar
-        featurePolicy: foobar
         permissionsPolicy: foobar
         isDevelopment: true
     Middleware11:
-      ipWhiteList:
+      ipAllowList:
         sourceRange:
           - foobar
           - foobar
@@ -317,12 +312,16 @@ http:
         prefixes:
           - foobar
           - foobar
-        forceSlash: true
     Middleware22:
       stripPrefixRegex:
         regex:
           - foobar
           - foobar
+    Middleware23:
+      grpcWeb:
+        allowOrigins:
+          - foobar
+          - foobar
   serversTransports:
     ServersTransport0:
       serverName: foobar
@@ -344,6 +343,12 @@ http:
         pingTimeout: 42s
       disableHTTP2: true
       peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
     ServersTransport1:
       serverName: foobar
       insecureSkipVerify: true
@@ -364,6 +369,12 @@ http:
         pingTimeout: 42s
       disableHTTP2: true
       peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
 tcp:
   routers:
     TCPRouter0:
@@ -430,7 +441,7 @@ tcp:
             weight: 42
   middlewares:
     TCPMiddleware00:
-      ipWhiteList:
+      ipAllowList:
         sourceRange:
           - foobar
           - foobar
@@ -490,7 +501,6 @@ tls:
           - foobar
         clientAuthType: foobar
       sniStrict: true
-      preferServerCipherSuites: true
       alpnProtocols:
         - foobar
         - foobar
@@ -509,7 +519,6 @@ tls:
           - foobar
         clientAuthType: foobar
       sniStrict: true
-      preferServerCipherSuites: true
       alpnProtocols:
         - foobar
         - foobar

docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml

@@ -1,10 +1,10 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: ingressroutes.traefik.io
+  name: ingressroutes.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: IngressRoute
@@ -16,10 +16,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewares.traefik.io
+  name: middlewares.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: Middleware
@@ -31,10 +31,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewaretcps.traefik.io
+  name: middlewaretcps.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: MiddlewareTCP
@@ -46,10 +46,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: ingressroutetcps.traefik.io
+  name: ingressroutetcps.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: IngressRouteTCP
@@ -61,10 +61,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: ingressrouteudps.traefik.io
+  name: ingressrouteudps.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: IngressRouteUDP
@@ -76,10 +76,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: tlsoptions.traefik.io
+  name: tlsoptions.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: TLSOption
@@ -91,10 +91,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: tlsstores.traefik.io
+  name: tlsstores.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: TLSStore
@@ -106,10 +106,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: traefikservices.traefik.io
+  name: traefikservices.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: TraefikService
@@ -121,10 +121,10 @@ spec:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: serverstransports.traefik.io
+  name: serverstransports.traefik.containo.us
 
 spec:
-  group: traefik.io
+  group: traefik.containo.us
   version: v1alpha1
   names:
     kind: ServersTransport

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -32,7 +32,6 @@ rules:
     verbs:
       - update
   - apiGroups:
-      - traefik.io
       - traefik.containo.us
     resources:
       - middlewares

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -1,4 +1,4 @@
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TraefikService
 metadata:
   name: wrr2
@@ -17,7 +17,7 @@ spec:
         port: 80
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TraefikService
 metadata:
   name: wrr1
@@ -34,7 +34,7 @@ spec:
         port: 80
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TraefikService
 metadata:
   name: mirror1
@@ -53,7 +53,7 @@ spec:
         percent: 20
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TraefikService
 metadata:
   name: mirror2
@@ -73,7 +73,7 @@ spec:
         port: 80
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: ingressroute
@@ -133,7 +133,7 @@ spec:
       namespace: default
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
   name: ingressroutetcp.crd
@@ -148,7 +148,7 @@ spec:
         - name: whoamitcp
           port: 8080
       middlewares:
-        - name: ipwhitelist
+        - name: ipallowlist
   tls:
     secretName: foosecret
     passthrough: false
@@ -157,7 +157,7 @@ spec:
       namespace: default
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteUDP
 metadata:
   name: ingressrouteudp.crd
@@ -172,7 +172,7 @@ spec:
           port: 8080
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: TLSOption
 metadata:
   name: tlsoption
@@ -193,13 +193,12 @@ spec:
       - foobar
     clientAuthType: RequireAndVerifyClientCert
   sniStrict: true
-  preferServerCipherSuites: true
   alpnProtocols:
     - foobar
     - foobar
 
 ---
-apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.containo.us/v1alpha1
 kind: ServersTransport
 metadata:
   name: mytransport

docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml

@@ -74,7 +74,7 @@ spec:
             value: /foo
 
       backendRefs:
-        - group: traefik.io
+        - group: traefik.containo.us
           kind: TraefikService
           name: myservice@file
           weight: 1