Prepare Release v2.4.1

Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>

.github/ISSUE_TEMPLATE.md

@@ -17,7 +17,7 @@ Bug
 <!--
 
 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -22,7 +22,7 @@ Bug
 <!--
 
 The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://docs.traefik.io/v2.0/getting-started/configuration-overview/.
+Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
 
 -->
 

.github/PULL_REQUEST_TEMPLATE.md

@@ -3,17 +3,17 @@ PLEASE READ THIS MESSAGE.
 
 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.4
 
 Bug fixes:
 - for Traefik v1: use branch v1.7
-- for Traefik v2: use branch v2.2
+- for Traefik v2: use branch v2.4
 
 Enhancements:
 - for Traefik v1: we only accept bug fixes
 - for Traefik v2: use branch master
 
-HOW TO WRITE A GOOD PULL REQUEST? https://docs.traefik.io/contributing/submitting-pull-requests/
+HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
 
 -->
 

.github/workflows/documentation.yml

@@ -0,0 +1,46 @@
+name: Build and Publish Documentation
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  docs:
+    name: Doc Process
+    runs-on: ubuntu-latest
+    if: github.repository == 'traefik/traefik'
+    env:
+      STRUCTOR_VERSION: v1.11.2
+      MIXTUS_VERSION: v0.4.1
+
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install Structor ${{ env.STRUCTOR_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
+
+      - name: Install Mixtus ${{ env.MIXTUS_VERSION }}
+        run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
+
+      - name: Build documentation
+        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
+        env:
+          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+
+      - name: Publish documentation
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}

.gitignore

@@ -17,3 +17,4 @@
 cover.out
 vendor/
 plugins-storage/
+traefik_changelog.md

.golangci.toml

@@ -54,7 +54,14 @@
     "nestif", # Too many false-positive.
     "noctx", # Too strict
     "exhaustive", # Too strict
-    "nlreturn", # Too strict
+    "nlreturn", # Not relevant
+    "wrapcheck", # Too strict
+    "tparallel", # Not relevant
+    "paralleltest", # Not relevant
+    "exhaustivestruct", # Not relevant
+    "makezero", # not relevant
+    "forbidigo", # not relevant
+    "ifshort", # not relevant
   ]
 
 [issues]
@@ -113,4 +120,4 @@
     text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
  [[issues.exclude-rules]]
     path = "pkg/log/deprecated.go"
-    linters = ["godot"]
+    linters = ["godot"]

.semaphoreci/vars

@@ -10,7 +10,7 @@ else
   export VERSION=''
 fi
 
-export CODENAME=picodon
+export CODENAME=livarot
 
 export N_MAKE_JOBS=2
 

.travis.yml

@@ -11,7 +11,7 @@ env:
   global:
     - REPO=$TRAVIS_REPO_SLUG
     - VERSION=$TRAVIS_TAG
-    - CODENAME=picodon
+    - CODENAME=livarot
     - GO111MODULE=on
 
 script:
@@ -25,14 +25,11 @@ before_deploy:
       sudo -E apt-get -yq update;
       sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
       docker version;
+      echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
       make build-image;
       if [ "$TRAVIS_TAG" ]; then
         make release-packages;
       fi;
-      curl -sfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | bash -s -- -b "${GOPATH}/bin" ${STRUCTOR_VERSION}
-      curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b "${GOPATH}/bin" ${MIXTUS_VERSION}
-      structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug;
-      mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik;
     fi
 
 deploy:
@@ -50,11 +47,4 @@ deploy:
     on:
       repo: traefik/traefik
       tags: true
-  - provider: pages
-    edge: false
-    github_token: ${GITHUB_TOKEN}
-    local_dir: site
-    skip_cleanup: true
-    on:
-      repo: traefik/traefik
-      all_branches: true
+

CHANGELOG.md

@@ -1,3 +1,332 @@
+## [v2.4.1](https://github.com/traefik/traefik/tree/v2.4.1) (2021-02-01)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.0...v2.4.1)
+
+**Bug fixes:**
+- **[acme,provider]** Fix HTTP challenge router unexpected delayed creation ([#7805](https://github.com/traefik/traefik/pull/7805) by [jspdown](https://github.com/jspdown))
+- **[acme]** Update go-acme/lego to v4.2.0 ([#7793](https://github.com/traefik/traefik/pull/7793) by [ldez](https://github.com/ldez))
+- **[api,plugins]** Fix plugin type on middleware endpoint response ([#7782](https://github.com/traefik/traefik/pull/7782) by [jspdown](https://github.com/jspdown))
+- **[authentication,middleware]** Forward Proxy-Authorization header to authentication server ([#7433](https://github.com/traefik/traefik/pull/7433) by [Scapal](https://github.com/Scapal))
+- **[k8s,k8s/ingress]** Add support for multiple ingress classes ([#7799](https://github.com/traefik/traefik/pull/7799) by [LandryBe](https://github.com/LandryBe))
+- **[middleware]** Improve forwarded header and recovery middlewares performances ([#7783](https://github.com/traefik/traefik/pull/7783) by [juliens](https://github.com/juliens))
+- **[pilot]** Reduce pressure of pilot services when errors occurs ([#7824](https://github.com/traefik/traefik/pull/7824) by [darkweaver87](https://github.com/darkweaver87))
+- **[provider]** Fix aggregator test comment ([#7840](https://github.com/traefik/traefik/pull/7840) by [rtribotte](https://github.com/rtribotte))
+- **[provider]** Fix servers transport not found ([#7839](https://github.com/traefik/traefik/pull/7839) by [jspdown](https://github.com/jspdown))
+
+**Documentation:**
+- **[consulcatalog]** Fix refresh interval option description in consulcatalog provider ([#7810](https://github.com/traefik/traefik/pull/7810) by [GabeL7r](https://github.com/GabeL7r))
+- **[docker]** Fix missing serverstransport documentation ([#7822](https://github.com/traefik/traefik/pull/7822) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s]** Fix YAML syntax in providers docs ([#7787](https://github.com/traefik/traefik/pull/7787) by [4ops](https://github.com/4ops))
+- **[service]** Fix typo in server transports documentation ([#7797](https://github.com/traefik/traefik/pull/7797) by [obezuk](https://github.com/obezuk))
+
+## [v2.4.0](https://github.com/traefik/traefik/tree/v2.4.0) (2021-01-19)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.0-rc1...v2.4.0)
+
+**Enhancements:**
+- **[acme]** New HTTP and TLS challenges implementations ([#7458](https://github.com/traefik/traefik/pull/7458) by [ldez](https://github.com/ldez))
+- **[acme]** Add external account binding support ([#7599](https://github.com/traefik/traefik/pull/7599) by [ldez](https://github.com/ldez))
+- **[authentication,middleware]** Middlewares: add forwardAuth.authResponseHeadersRegex ([#7449](https://github.com/traefik/traefik/pull/7449) by [iamolegga](https://github.com/iamolegga))
+- **[authentication,middleware]** Filter ForwardAuth request headers ([#7226](https://github.com/traefik/traefik/pull/7226) by [nkonev](https://github.com/nkonev))
+- **[k8s,k8s/ingress]** Update more than one LoadBalancer IP ([#6951](https://github.com/traefik/traefik/pull/6951) by [iameli](https://github.com/iameli))
+- **[k8s,k8s/ingress]** Set kubernetes client User-Agent to something meaningful ([#7392](https://github.com/traefik/traefik/pull/7392) by [sylr](https://github.com/sylr))
+- **[k8s]** Add Kubernetes Gateway Provider ([#7416](https://github.com/traefik/traefik/pull/7416) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Bump k8s client to v0.19.2 ([#7402](https://github.com/traefik/traefik/pull/7402) by [rtribotte](https://github.com/rtribotte))
+- **[kv]** Allows multi-level KV prefixes ([#6664](https://github.com/traefik/traefik/pull/6664) by [niki-timofe](https://github.com/niki-timofe))
+- **[logs,middleware,docker]** Support configuring a HTTP client timeout in the Docker provider ([#7094](https://github.com/traefik/traefik/pull/7094) by [sirlatrom](https://github.com/sirlatrom))
+- **[marathon]** Extend marathon port discovery to allow port names as identifier ([#7359](https://github.com/traefik/traefik/pull/7359) by [basert](https://github.com/basert))
+- **[metrics]** Re-add server up metrics ([#6461](https://github.com/traefik/traefik/pull/6461) by [coder-hugo](https://github.com/coder-hugo))
+- **[middleware]** Feature: Exponential Backoff in Retry Middleware ([#7460](https://github.com/traefik/traefik/pull/7460) by [danieladams456](https://github.com/danieladams456))
+- **[middleware]** Allow to use regular expressions for `AccessControlAllowOriginList` ([#6881](https://github.com/traefik/traefik/pull/6881) by [jodosha](https://github.com/jodosha))
+- **[pilot]** Enable stats collection when pilot is enabled ([#7483](https://github.com/traefik/traefik/pull/7483) by [mmatur](https://github.com/mmatur))
+- **[pilot]** Send anonymized dynamic configuration to Pilot ([#7615](https://github.com/traefik/traefik/pull/7615) by [jspdown](https://github.com/jspdown))
+- **[server]** Added support for tcp proxyProtocol v1&v2 to backend ([#7320](https://github.com/traefik/traefik/pull/7320) by [mschneider82](https://github.com/mschneider82))
+- **[service,tls]** Add ServersTransport on services ([#7203](https://github.com/traefik/traefik/pull/7203) by [juliens](https://github.com/juliens))
+- **[webui]** Display Proxy Protocol version for backend services in web dashboard ([#7602](https://github.com/traefik/traefik/pull/7602) by [95ulisse](https://github.com/95ulisse))
+- Improve setup readability ([#7604](https://github.com/traefik/traefik/pull/7604) by [juliens](https://github.com/juliens))
+
+**Bug fixes:**
+- **[docker]** Fix default value of docker client timeout ([#7345](https://github.com/traefik/traefik/pull/7345) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,k8s/crd]** Add AccessControlAllowOriginListRegex field to deepcopy ([#7512](https://github.com/traefik/traefik/pull/7512) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[middleware]** Rephrase forwardauth.authRequestHeaders documentation ([#7701](https://github.com/traefik/traefik/pull/7701) by [Beanow](https://github.com/Beanow))
+- Update copyright year for 2021 ([#7754](https://github.com/traefik/traefik/pull/7754) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v2.4.0-rc2 ([#7747](https://github.com/traefik/traefik/pull/7747) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** KV doc reference ([#7415](https://github.com/traefik/traefik/pull/7415) by [rtribotte](https://github.com/rtribotte))
+- Add jspdown to maintainers ([#7671](https://github.com/traefik/traefik/pull/7671) by [emilevauge](https://github.com/emilevauge))
+- Add kevinpollet to maintainers ([#7464](https://github.com/traefik/traefik/pull/7464) by [SantoDE](https://github.com/SantoDE))
+- Add security policies ([#7110](https://github.com/traefik/traefik/pull/7110) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Merge current v2.3 branch into v2.4 ([#7765](https://github.com/traefik/traefik/pull/7765) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into v2.4 ([#7760](https://github.com/traefik/traefik/pull/7760) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into v2.4 ([#7744](https://github.com/traefik/traefik/pull/7744) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into v2.4 ([#7742](https://github.com/traefik/traefik/pull/7742) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into v2.4 ([#7727](https://github.com/traefik/traefik/pull/7727) by [mmatur](https://github.com/mmatur))
+- Merge current v2.3 branch into v2.4 ([#7703](https://github.com/traefik/traefik/pull/7703) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into v2.4 ([#7689](https://github.com/traefik/traefik/pull/7689) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into master ([#7677](https://github.com/traefik/traefik/pull/7677) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7670](https://github.com/traefik/traefik/pull/7670) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7653](https://github.com/traefik/traefik/pull/7653) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into master ([#7574](https://github.com/traefik/traefik/pull/7574) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into master ([#7529](https://github.com/traefik/traefik/pull/7529) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7472](https://github.com/traefik/traefik/pull/7472) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.3 branch into master ([#7453](https://github.com/traefik/traefik/pull/7453) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.3 branch into master ([#7405](https://github.com/traefik/traefik/pull/7405) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7401](https://github.com/traefik/traefik/pull/7401) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7346](https://github.com/traefik/traefik/pull/7346) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7335](https://github.com/traefik/traefik/pull/7335) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7299](https://github.com/traefik/traefik/pull/7299) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7263](https://github.com/traefik/traefik/pull/7263) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7215](https://github.com/traefik/traefik/pull/7215) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7122](https://github.com/traefik/traefik/pull/7122) by [ldez](https://github.com/ldez))
+
+## [v2.4.0-rc2](https://github.com/traefik/traefik/tree/v2.4.0-rc2) (2021-01-12)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.0-rc1...v2.4.0-rc2)
+
+**Documentation:**
+- **[middleware]** Rephrase forwardauth.authRequestHeaders documentation ([#7701](https://github.com/traefik/traefik/pull/7701) by [Beanow](https://github.com/Beanow))
+
+**Misc:**
+- Merge current v2.3 branch into v2.4 ([#7744](https://github.com/traefik/traefik/pull/7744) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into v2.4 ([#7742](https://github.com/traefik/traefik/pull/7742) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into v2.4 ([#7727](https://github.com/traefik/traefik/pull/7727) by [mmatur](https://github.com/mmatur))
+- Merge current v2.3 branch into v2.4 ([#7703](https://github.com/traefik/traefik/pull/7703) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into v2.4 ([#7689](https://github.com/traefik/traefik/pull/7689) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.3.7](https://github.com/traefik/traefik/tree/v2.3.7) (2021-01-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.6...v2.3.7)
+
+**Bug fixes:**
+- **[k8s,k8s/ingress]** Fix wildcard hostname issue ([#7711](https://github.com/traefik/traefik/pull/7711) by [avdhoot](https://github.com/avdhoot))
+- **[k8s,k8s/ingress]** Compile kubernetes ingress annotation regex only once ([#7647](https://github.com/traefik/traefik/pull/7647) by [hensur](https://github.com/hensur))
+- **[middleware,webui]** webui: fix missing custom request and response header names ([#7706](https://github.com/traefik/traefik/pull/7706) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Fix log level on error pages middleware ([#7737](https://github.com/traefik/traefik/pull/7737) by [Nowheresly](https://github.com/Nowheresly))
+
+**Documentation:**
+- **[docker]** docs: fix broken links to docker-compose documentation ([#7702](https://github.com/traefik/traefik/pull/7702) by [kevinpollet](https://github.com/kevinpollet))
+- **[ecs]** Add ECS to supported providers list ([#7714](https://github.com/traefik/traefik/pull/7714) by [anilmaurya](https://github.com/anilmaurya))
+- Update copyright year for 2021 ([#7734](https://github.com/traefik/traefik/pull/7734) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.3.6](https://github.com/traefik/traefik/tree/v2.3.6) (2020-12-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.5...v2.3.6)
+
+**Bug fixes:**
+- **[logs]** Update Logrus to v1.7.0 ([#7663](https://github.com/traefik/traefik/pull/7663) by [jspdown](https://github.com/jspdown))
+- **[plugins]** Update Yaegi to v0.9.8 ([#7659](https://github.com/traefik/traefik/pull/7659) by [ldez](https://github.com/ldez))
+- **[rules]** Disable router when a rule has an error ([#7680](https://github.com/traefik/traefik/pull/7680) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[logs]** Add configuration example for access log filePath ([#7655](https://github.com/traefik/traefik/pull/7655) by [wernerfred](https://github.com/wernerfred))
+- **[middleware]** Add missing quotes in errorpages k8s example yaml ([#7675](https://github.com/traefik/traefik/pull/7675) by [icelynjennings](https://github.com/icelynjennings))
+
+## [v2.4.0-rc1](https://github.com/traefik/traefik/tree/v2.4.0-rc1) (2020-12-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.0-rc1...v2.4.0-rc1)
+
+**Enhancements:**
+- **[acme]** New HTTP and TLS challenges implementations ([#7458](https://github.com/traefik/traefik/pull/7458) by [ldez](https://github.com/ldez))
+- **[acme]** Add external account binding support ([#7599](https://github.com/traefik/traefik/pull/7599) by [ldez](https://github.com/ldez))
+- **[authentication,middleware]** Middlewares: add forwardAuth.authResponseHeadersRegex ([#7449](https://github.com/traefik/traefik/pull/7449) by [iamolegga](https://github.com/iamolegga))
+- **[authentication,middleware]** Filter ForwardAuth request headers ([#7226](https://github.com/traefik/traefik/pull/7226) by [nkonev](https://github.com/nkonev))
+- **[k8s,k8s/ingress]** Update more than one LoadBalancer IP ([#6951](https://github.com/traefik/traefik/pull/6951) by [iameli](https://github.com/iameli))
+- **[k8s,k8s/ingress]** Set kubernetes client User-Agent to something meaningful ([#7392](https://github.com/traefik/traefik/pull/7392) by [sylr](https://github.com/sylr))
+- **[k8s]** Add Kubernetes Gateway Provider ([#7416](https://github.com/traefik/traefik/pull/7416) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Bump k8s client to v0.19.2 ([#7402](https://github.com/traefik/traefik/pull/7402) by [rtribotte](https://github.com/rtribotte))
+- **[kv]** Allows multi-level KV prefixes ([#6664](https://github.com/traefik/traefik/pull/6664) by [niki-timofe](https://github.com/niki-timofe))
+- **[logs,middleware,docker]** Support configuring a HTTP client timeout in the Docker provider ([#7094](https://github.com/traefik/traefik/pull/7094) by [sirlatrom](https://github.com/sirlatrom))
+- **[marathon]** Extend marathon port discovery to allow port names as identifier ([#7359](https://github.com/traefik/traefik/pull/7359) by [basert](https://github.com/basert))
+- **[metrics]** Re-add server up metrics ([#6461](https://github.com/traefik/traefik/pull/6461) by [coder-hugo](https://github.com/coder-hugo))
+- **[middleware]** Feature: Exponential Backoff in Retry Middleware ([#7460](https://github.com/traefik/traefik/pull/7460) by [danieladams456](https://github.com/danieladams456))
+- **[middleware]** Allow to use regular expressions for `AccessControlAllowOriginList` ([#6881](https://github.com/traefik/traefik/pull/6881) by [jodosha](https://github.com/jodosha))
+- **[pilot]** Enable stats collection when pilot is enabled ([#7483](https://github.com/traefik/traefik/pull/7483) by [mmatur](https://github.com/mmatur))
+- **[pilot]** Send anonymized dynamic configuration to Pilot ([#7615](https://github.com/traefik/traefik/pull/7615) by [jspdown](https://github.com/jspdown))
+- **[server]** Added support for tcp proxyProtocol v1&v2 to backend ([#7320](https://github.com/traefik/traefik/pull/7320) by [mschneider82](https://github.com/mschneider82))
+- **[service,tls]** Add ServersTransport on services ([#7203](https://github.com/traefik/traefik/pull/7203) by [juliens](https://github.com/juliens))
+- **[webui]** Display Proxy Protocol version for backend services in web dashboard ([#7602](https://github.com/traefik/traefik/pull/7602) by [95ulisse](https://github.com/95ulisse))
+- Improve setup readability ([#7604](https://github.com/traefik/traefik/pull/7604) by [juliens](https://github.com/juliens))
+
+**Bug fixes:**
+- **[docker]** Fix default value of docker client timeout ([#7345](https://github.com/traefik/traefik/pull/7345) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,k8s/crd]** Add AccessControlAllowOriginListRegex field to deepcopy ([#7512](https://github.com/traefik/traefik/pull/7512) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[kv]** KV doc reference ([#7415](https://github.com/traefik/traefik/pull/7415) by [rtribotte](https://github.com/rtribotte))
+- Add jspdown to maintainers ([#7671](https://github.com/traefik/traefik/pull/7671) by [emilevauge](https://github.com/emilevauge))
+- Add kevinpollet to maintainers ([#7464](https://github.com/traefik/traefik/pull/7464) by [SantoDE](https://github.com/SantoDE))
+- Add security policies ([#7110](https://github.com/traefik/traefik/pull/7110) by [ldez](https://github.com/ldez))
+
+**Misc:**
+- Merge current v2.3 branch into master ([#7677](https://github.com/traefik/traefik/pull/7677) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7670](https://github.com/traefik/traefik/pull/7670) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7653](https://github.com/traefik/traefik/pull/7653) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into master ([#7574](https://github.com/traefik/traefik/pull/7574) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.3 branch into master ([#7529](https://github.com/traefik/traefik/pull/7529) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7472](https://github.com/traefik/traefik/pull/7472) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.3 branch into master ([#7453](https://github.com/traefik/traefik/pull/7453) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.3 branch into master ([#7405](https://github.com/traefik/traefik/pull/7405) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7401](https://github.com/traefik/traefik/pull/7401) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.3 branch into master ([#7346](https://github.com/traefik/traefik/pull/7346) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7335](https://github.com/traefik/traefik/pull/7335) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7299](https://github.com/traefik/traefik/pull/7299) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7263](https://github.com/traefik/traefik/pull/7263) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7215](https://github.com/traefik/traefik/pull/7215) by [ldez](https://github.com/ldez))
+- Merge current v2.3 branch into master ([#7122](https://github.com/traefik/traefik/pull/7122) by [ldez](https://github.com/ldez))
+
+## [v2.3.5](https://github.com/traefik/traefik/tree/v2.3.5) (2020-12-10)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.4...v2.3.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.1.3 ([#7625](https://github.com/traefik/traefik/pull/7625) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd]** IngressRoute: add an option to disable cross-namespace routing ([#7595](https://github.com/traefik/traefik/pull/7595) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/crd,k8s/ingress]** Fix concatenation of IPv6 addresses and ports ([#7620](https://github.com/traefik/traefik/pull/7620) by [jspdown](https://github.com/jspdown))
+- **[tcp,tls]** Fix TLS options fallback when domain and options are the same  ([#7609](https://github.com/traefik/traefik/pull/7609) by [jspdown](https://github.com/jspdown))
+- **[webui]** Fix UI bug on long service name ([#7535](https://github.com/traefik/traefik/pull/7535) by [ipinak](https://github.com/ipinak))
+
+**Documentation:**
+- **[docker]** Add example for multiple service per container ([#7610](https://github.com/traefik/traefik/pull/7610) by [notsureifkevin](https://github.com/notsureifkevin))
+- Documentation: Add spacing to sidebars so the last item is always visible ([#7616](https://github.com/traefik/traefik/pull/7616) by [paulocfjunior](https://github.com/paulocfjunior))
+- Fix typos in migration guide  ([#7596](https://github.com/traefik/traefik/pull/7596) by [marsavela](https://github.com/marsavela))
+
+## [v2.3.4](https://github.com/traefik/traefik/tree/v2.3.4) (2020-11-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.3...v2.3.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.1.2 ([#7577](https://github.com/traefik/traefik/pull/7577) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Apply labelSelector as a TweakListOptions for Kubernetes informers ([#7521](https://github.com/traefik/traefik/pull/7521) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Do not evaluate templated URL in redirectRegex middleware ([#7573](https://github.com/traefik/traefik/pull/7573) by [jspdown](https://github.com/jspdown))
+- **[provider]** fix: invalid slice parsing. ([#7583](https://github.com/traefik/traefik/pull/7583) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[ecs]** Fix clusters option in ECS provider documentation ([#7586](https://github.com/traefik/traefik/pull/7586) by [skapin](https://github.com/skapin))
+
+## [v2.3.3](https://github.com/traefik/traefik/tree/v2.3.3) (2020-11-19)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.2...v2.3.3)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.1.0 ([#7526](https://github.com/traefik/traefik/pull/7526) by [ldez](https://github.com/ldez))
+- **[consulcatalog,ecs]** Fix missing allow-empty tag on ECS and Consul Catalog providers ([#7561](https://github.com/traefik/traefik/pull/7561) by [jspdown](https://github.com/jspdown))
+- **[consulcatalog]** consulcatalog to update before the first interval ([#7514](https://github.com/traefik/traefik/pull/7514) by [greut](https://github.com/greut))
+- **[consulcatalog]** Fix consul catalog panic when health and services are not in sync ([#7558](https://github.com/traefik/traefik/pull/7558) by [jspdown](https://github.com/jspdown))
+- **[ecs]** Translate configured server port into correct mapped host port ([#7480](https://github.com/traefik/traefik/pull/7480) by [alekitto](https://github.com/alekitto))
+- **[k8s,k8s/crd,k8s/ingress]** Filter out Helm secrets from informer caches ([#7562](https://github.com/traefik/traefik/pull/7562) by [jspdown](https://github.com/jspdown))
+- **[plugins]** Update Yaegi to v0.9.5 ([#7527](https://github.com/traefik/traefik/pull/7527) by [ldez](https://github.com/ldez))
+- **[plugins]** Update Yaegi to v0.9.7 ([#7569](https://github.com/traefik/traefik/pull/7569) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Update Yaegi to v0.9.4 ([#7451](https://github.com/traefik/traefik/pull/7451) by [ldez](https://github.com/ldez))
+- **[tcp]** Ignore errors when setting keepalive period is not supported by the system ([#7410](https://github.com/traefik/traefik/pull/7410) by [tristan-weil](https://github.com/tristan-weil))
+- **[tcp]** Improve service name lookup on TCP routers ([#7370](https://github.com/traefik/traefik/pull/7370) by [ddtmachado](https://github.com/ddtmachado))
+- Improve anonymize configuration ([#7482](https://github.com/traefik/traefik/pull/7482) by [mmatur](https://github.com/mmatur))
+
+**Documentation:**
+- **[ecs]** Add ECS menu to dynamic config reference ([#7501](https://github.com/traefik/traefik/pull/7501) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/ingress]** Fix ingress documentation ([#7424](https://github.com/traefik/traefik/pull/7424) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** fix documentation ([#7469](https://github.com/traefik/traefik/pull/7469) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s]** Fix grammar in kubernetes ingress controller documentation ([#7565](https://github.com/traefik/traefik/pull/7565) by [ivorscott](https://github.com/ivorscott))
+- **[logs]** Clarify time-based field units ([#7447](https://github.com/traefik/traefik/pull/7447) by [tomtastic](https://github.com/tomtastic))
+- **[middleware]** Forwardauth headers ([#7506](https://github.com/traefik/traefik/pull/7506) by [w4tsn](https://github.com/w4tsn))
+- **[provider]** fix typo in providers overview documentation ([#7441](https://github.com/traefik/traefik/pull/7441) by [pirey](https://github.com/pirey))
+- **[tls]** Fix docs for TLS ([#7541](https://github.com/traefik/traefik/pull/7541) by [james426759](https://github.com/james426759))
+- fix: exclude protected link from doc verify ([#7477](https://github.com/traefik/traefik/pull/7477) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Add missed tls config for yaml example ([#7450](https://github.com/traefik/traefik/pull/7450) by [andrew-demb](https://github.com/andrew-demb))
+- Resolve broken URLs causing make docs to fail ([#7444](https://github.com/traefik/traefik/pull/7444) by [tomtastic](https://github.com/tomtastic))
+- Fix Traefik Proxy product nav in docs ([#7523](https://github.com/traefik/traefik/pull/7523) by [PCM2](https://github.com/PCM2))
+- add links to contributors guide ([#7435](https://github.com/traefik/traefik/pull/7435) by [notsureifkevin](https://github.com/notsureifkevin))
+
+## [v2.3.2](https://github.com/traefik/traefik/tree/v2.3.2) (2020-10-19)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.1...v2.3.2)
+
+**Bug fixes:**
+- **[acme]** fix: restrict protocol for TLS Challenge. ([#7400](https://github.com/traefik/traefik/pull/7400) by [ldez](https://github.com/ldez))
+- **[acme]** fix: use provider keytype instead of account keytype. ([#7387](https://github.com/traefik/traefik/pull/7387) by [mmatur](https://github.com/mmatur))
+- **[acme]** acme: Fix race condition in LocalStore during saving. ([#7355](https://github.com/traefik/traefik/pull/7355) by [walkline](https://github.com/walkline))
+- **[plugins]** fix: update Yaegi to v0.9.4 ([#7426](https://github.com/traefik/traefik/pull/7426) by [ldez](https://github.com/ldez))
+- **[udp]** fix: udp json struct tag ([#7375](https://github.com/traefik/traefik/pull/7375) by [mschneider82](https://github.com/mschneider82))
+
+**Documentation:**
+- **[consulcatalog]** fix: Consul Catalog address documentation. ([#7429](https://github.com/traefik/traefik/pull/7429) by [ldez](https://github.com/ldez))
+- **[middleware]** Moving Provider Namespace documentation topic to Configuration Discovery section ([#7423](https://github.com/traefik/traefik/pull/7423) by [AndrewSav](https://github.com/AndrewSav))
+- **[pilot]** fix: pilot static configuration documentation ([#7399](https://github.com/traefik/traefik/pull/7399) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[plugins]** Revise Traefik Pilot documentation section ([#7427](https://github.com/traefik/traefik/pull/7427) by [PCM2](https://github.com/PCM2))
+- **[tls]** Adding details about the default TLS options to the documentation ([#7422](https://github.com/traefik/traefik/pull/7422) by [AndrewSav](https://github.com/AndrewSav))
+- doc: add YAML sample. ([#7397](https://github.com/traefik/traefik/pull/7397) by [ldez](https://github.com/ldez))
+- Fix containous links in readme ([#7394](https://github.com/traefik/traefik/pull/7394) by [kevinpollet](https://github.com/kevinpollet))
+- Fix broken logo ([#7390](https://github.com/traefik/traefik/pull/7390) by [Bencey](https://github.com/Bencey))
+
+## [v2.3.1](https://github.com/traefik/traefik/tree/v2.3.1) (2020-09-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.0...v2.3.1)
+
+**Bug fixes:**
+- **[webui]** Fix blank webui on some browsers ([#7364](https://github.com/traefik/traefik/pull/7364) by [matthieuh](https://github.com/matthieuh))
+
+**Documentation:**
+- **[k8s/helm]** Update of the helm repo localisation ([#7352](https://github.com/traefik/traefik/pull/7352) by [dgoujard](https://github.com/dgoujard))
+- restore traefik logo ([#7344](https://github.com/traefik/traefik/pull/7344) by [notsureifkevin](https://github.com/notsureifkevin))
+- Removes invalid items in the changelog. ([#7339](https://github.com/traefik/traefik/pull/7339) by [ldez](https://github.com/ldez))
+
+## [v2.3.0](https://github.com/traefik/traefik/tree/v2.3.0) (2020-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.2.0-rc1...v2.3.0)
+
+**Enhancements:**
+- **[api]** Add custom ping http code when Traefik is terminating ([#6696](https://github.com/traefik/traefik/pull/6696) by [L3o-pold](https://github.com/L3o-pold))
+- **[ecs]** Add AWS ECS provider ([#6749](https://github.com/traefik/traefik/pull/6749) by [alekitto](https://github.com/alekitto))
+- **[file]** feat: use parser to load dynamic config from file. ([#6875](https://github.com/traefik/traefik/pull/6875) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/crd,k8s/ingress]** Upgrade Client-go to 0.18.2 ([#6779](https://github.com/traefik/traefik/pull/6779) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/ingress]** Add new ingressClass support to ingress provider ([#6831](https://github.com/traefik/traefik/pull/6831) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/ingress]** Add example for the IngressClass usage ([#7219](https://github.com/traefik/traefik/pull/7219) by [SantoDE](https://github.com/SantoDE))
+- **[metrics,pilot]** Pilot metrics provider ([#7139](https://github.com/traefik/traefik/pull/7139) by [rtribotte](https://github.com/rtribotte))
+- **[pilot]** Moves pilot outside the experimental section. ([#7287](https://github.com/traefik/traefik/pull/7287) by [ldez](https://github.com/ldez))
+- **[pilot,plugins]** Traefik Pilot: plugins support and alert system (EXPERIMENTAL FEATURES) ([#7041](https://github.com/traefik/traefik/pull/7041) by [ldez](https://github.com/ldez))
+- **[plugins]** Improve plugins builder. ([#7255](https://github.com/traefik/traefik/pull/7255) by [ldez](https://github.com/ldez))
+- **[provider]** Add HTTP Provider ([#6976](https://github.com/traefik/traefik/pull/6976) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Add iOS specific icons ([#6946](https://github.com/traefik/traefik/pull/6946) by [Heisenberg74](https://github.com/Heisenberg74))
+
+**Bug fixes:**
+- **[acme]** fix: precheck function. ([#7333](https://github.com/traefik/traefik/pull/7333) by [ldez](https://github.com/ldez))
+- **[ecs]** Improve region resolution for ECS provider ([#7145](https://github.com/traefik/traefik/pull/7145) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/ingress]** Delete an unnecessary warning log ([#6568](https://github.com/traefik/traefik/pull/6568) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s,k8s/ingress]** Support Kubernetes Ingress pathType ([#7087](https://github.com/traefik/traefik/pull/7087) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/ingress]** Use semantic versioning to enable ingress class support ([#7065](https://github.com/traefik/traefik/pull/7065) by [kevinpollet](https://github.com/kevinpollet))
+- **[metrics]** fix: uint64 alignment in go-kit. ([#7289](https://github.com/traefik/traefik/pull/7289) by [ldez](https://github.com/ldez))
+- **[middleware]** Allow multiple secure middlewares to operate independently  ([#6604](https://github.com/traefik/traefik/pull/6604) by [dtomcej](https://github.com/dtomcej))
+- **[pilot,webui]** Avoid Traefik Pilot iframe code in Traefik webui regarding notifications ([#7272](https://github.com/traefik/traefik/pull/7272) by [matthieuh](https://github.com/matthieuh))
+- **[pilot,webui]** Add ability to dismiss pilot notification ([#7200](https://github.com/traefik/traefik/pull/7200) by [matthieuh](https://github.com/matthieuh))
+- **[pilot]** fix: pilot metrics unit for req duration. ([#7309](https://github.com/traefik/traefik/pull/7309) by [ldez](https://github.com/ldez))
+- **[pilot]** fix: start of Traefik Pilot ([#7304](https://github.com/traefik/traefik/pull/7304) by [ldez](https://github.com/ldez))
+- **[provider]** file parser: skip nil value. ([#7058](https://github.com/traefik/traefik/pull/7058) by [ldez](https://github.com/ldez))
+- **[tracing]** Update jaeger-client-go dependency to v2.25.0 ([#7198](https://github.com/traefik/traefik/pull/7198) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[consul]** Fix consul catalog router tag example ([#7332](https://github.com/traefik/traefik/pull/7332) by [rtribotte](https://github.com/rtribotte))
+- **[ecs]** Fix documentation for ECS ([#7107](https://github.com/traefik/traefik/pull/7107) by [mmatur](https://github.com/mmatur))
+- **[k8s]** docs: add missing apigroup to Kubernetes RBAC ([#7199](https://github.com/traefik/traefik/pull/7199) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s]** Add the ingressclass resource in the ingress RBAC documentation ([#7290](https://github.com/traefik/traefik/pull/7290) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- **[k8s]** Add migration documentation for IngressClass ([#7083](https://github.com/traefik/traefik/pull/7083) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** Fixes config samples regarding forceSlash option ([#6811](https://github.com/traefik/traefik/pull/6811) by [volkerw00](https://github.com/volkerw00))
+- **[plugins]** Update availability info ([#7060](https://github.com/traefik/traefik/pull/7060) by [PCM2](https://github.com/PCM2))
+- Fix yaml documentation ([#7331](https://github.com/traefik/traefik/pull/7331) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge current v2.2 branch into v2.3 ([#7288](https://github.com/traefik/traefik/pull/7288) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.2 branch into v2.3 ([#7257](https://github.com/traefik/traefik/pull/7257) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7249](https://github.com/traefik/traefik/pull/7249) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7218](https://github.com/traefik/traefik/pull/7218) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7175](https://github.com/traefik/traefik/pull/7175) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7160](https://github.com/traefik/traefik/pull/7160) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7116](https://github.com/traefik/traefik/pull/7116) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into v2.3 ([#7086](https://github.com/traefik/traefik/pull/7086) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.2 branch into master ([#7052](https://github.com/traefik/traefik/pull/7052) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into master ([#7022](https://github.com/traefik/traefik/pull/7022) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.2 branch into master ([#6921](https://github.com/traefik/traefik/pull/6921) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.2 branch into master ([#6822](https://github.com/traefik/traefik/pull/6822) by [mmatur](https://github.com/mmatur))
+- Merge current v2.2 branch into master ([#6754](https://github.com/traefik/traefik/pull/6754) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into master ([#6533](https://github.com/traefik/traefik/pull/6533) by [ldez](https://github.com/ldez))
+- Merge current v2.2 branch into master ([#6468](https://github.com/traefik/traefik/pull/6468) by [ldez](https://github.com/ldez))
+
+## [v2.3.0-rc7](https://github.com/traefik/traefik/tree/v2.3.0-rc7) (2020-09-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.3.0-rc6...v2.3.0-rc7)
+
+**Bug fixes:**
+- **[pilot]** fix: pilot metrics unit for req duration. ([#7309](https://github.com/traefik/traefik/pull/7309) by [ldez](https://github.com/ldez))
+- **[pilot]** fix: start of Traefik Pilot ([#7304](https://github.com/traefik/traefik/pull/7304) by [ldez](https://github.com/ldez))
+
 ## [v2.3.0-rc6](https://github.com/traefik/traefik/tree/v2.3.0-rc6) (2020-09-16)
 [All Commits](https://github.com/traefik/traefik/compare/v2.3.0-rc5...v2.3.0-rc6)
 

CODE_OF_CONDUCT.md

@@ -36,7 +36,7 @@ Representation of a project may be further defined and clarified by project main
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@containo.us
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
 Further details of specific enforcement policies may be posted separately.
@@ -48,4 +48,4 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[version]: http://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -1,4 +1,4 @@
 # Contributing
 
-- https://docs.traefik.io/contributing/submitting-pull-requests/
-- https://docs.traefik.io/contributing/submitting-issues/
+- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
+- https://doc.traefik.io/traefik/contributing/submitting-issues/

LICENSE.md

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016-2020 Containous SAS; 2020 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -4,11 +4,11 @@
 </p>
 
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
-[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://docs.traefik.io)
+[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
-[![Join the community support forum at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
 
 
@@ -33,7 +33,7 @@ Pointing Traefik at your orchestrator should be the _only_ configuration step yo
 
 ---
 
-:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://docs.traefik.io/).
+:warning: Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now. If you're running v2, please ensure you are using a [v2 configuration](https://doc.traefik.io/traefik/).
 
 ## Overview
 
@@ -69,15 +69,15 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 
 ## Supported Backends
 
-- [Docker](https://docs.traefik.io/providers/docker/) / [Swarm mode](https://docs.traefik.io/providers/docker/)
-- [Kubernetes](https://docs.traefik.io/providers/kubernetes-crd/)
-- [Marathon](https://docs.traefik.io/providers/marathon/)
-- [Rancher](https://docs.traefik.io/providers/rancher/) (Metadata)
-- [File](https://docs.traefik.io/providers/file/)
+- [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
+- [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
+- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
+- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
+- [File](https://doc.traefik.io/traefik/providers/file/)
 
 ## Quickstart
 
-To get your hands on Traefik, you can use the [5-Minute Quickstart](https://docs.traefik.io/getting-started/quick-start/) in our documentation (you will need Docker).
+To get your hands on Traefik, you can use the [5-Minute Quickstart](https://doc.traefik.io/traefik/getting-started/quick-start/) in our documentation (you will need Docker).
 
 ## Web UI
 
@@ -87,18 +87,18 @@ You can access the simple HTML frontend of Traefik.
 
 ## Documentation
 
-You can find the complete documentation of Traefik v2 at [https://docs.traefik.io](https://docs.traefik.io).
+You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).
 
-If you are using Traefik v1, you can find the complete documentation at [https://docs.traefik.io/v1.7/](https://docs.traefik.io/v1.7/).
+If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
 
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).
 
 ## Support
 
 To get community support, you can:
-- join the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+- join the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
-If you need commercial support, please contact [Containo.us](https://containo.us) by mail: <mailto:support@containo.us>.
+If you need commercial support, please contact [Traefik.io](https://traefik.io) by mail: <mailto:support@traefik.io>.
 
 ## Download
 
@@ -122,7 +122,7 @@ git clone https://github.com/traefik/traefik
 
 ## Introductory Videos
 
-You can find high level and deep dive videos on [videos.containo.us](https://videos.containo.us).
+You can find high level and deep dive videos on [videos.traefik.io](https://videos.traefik.io).
 
 ## Maintainers
 
@@ -137,7 +137,7 @@ By participating in this project, you agree to abide by its terms.
 
 ## Release Cycle
 
-- We release a new version (e.g. 1.1.0, 1.2.0, 1.3.0) every other month.
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
 - Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
 - Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
 
@@ -152,9 +152,9 @@ We use [Semantic Versioning](https://semver.org/).
 
 ## Credits
 
-Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the logo ![logo](docs/content/assets/img/traefik.icon.png).
+Kudos to [Peka](http://peka.byethost11.com/photoblog/) for his awesome work on the gopher's logo!.
 
-Traefik's logo is licensed under the Creative Commons 3.0 Attributions license.
+The gopher's logo of Traefik is licensed under the Creative Commons 3.0 Attributions license.
 
-Traefik's logo was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
+The gopher's logo of Traefik was inspired by the gopher stickers made by [Takuya Ueda](https://twitter.com/tenntenn).
 The original Go gopher was designed by [Renee French](https://reneefrench.blogspot.com/).

SECURITY.md

@@ -0,0 +1,29 @@
+# Security Policy
+
+We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
+You can also join our security mailing list to be aware of the latest announcements from our security team.
+You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
+
+Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
+
+## Supported Versions
+
+- We usually release 3/4 new versions (e.g. 1.1.0, 1.2.0, 1.3.0) per year.
+- Release Candidates are available before the release (e.g. 1.1.0-rc1, 1.1.0-rc2, 1.1.0-rc3, 1.1.0-rc4, before 1.1.0).
+- Bug-fixes (e.g. 1.1.1, 1.1.2, 1.2.1, 1.2.3) are released as needed (no additional features are delivered in those versions, bug-fixes only).
+
+Each version is supported until the next one is released (e.g. 1.1.x will be supported until 1.2.0 is out).
+
+We use [Semantic Versioning](https://semver.org/).
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| `2.2.x`   | :white_check_mark: |
+| `< 2.2.x` | :x:                |
+| `1.7.x`   | :white_check_mark: |
+| `< 1.7.x` | :x:                |
+
+## Reporting a Vulnerability
+
+We want to keep Traefik safe for everyone.
+If you've discovered a security vulnerability in Traefik, we appreciate your help in disclosing it to us in a responsible manner, using [this form](https://security.traefik.io).

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.31.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.36.0
 
 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

cmd/traefik/plugins.go

@@ -7,6 +7,15 @@ import (
 
 const outputDir = "./plugins-storage/"
 
+func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
+	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	return plugins.NewBuilder(client, plgs, devPlugin)
+}
+
 func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
 	if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
 		return nil, map[string]plugins.Descriptor{}, nil, nil
@@ -36,5 +45,5 @@ func isPilotEnabled(staticCfg *static.Configuration) bool {
 
 func hasPlugins(staticCfg *static.Configuration) bool {
 	return staticCfg.Experimental != nil &&
-		len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil
+		(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
 }

cmd/traefik/traefik.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/coreos/go-systemd/daemon"
 	assetfs "github.com/elazarl/go-bindata-assetfs"
+	"github.com/go-acme/lego/v4/challenge"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/traefik/v2/autogen/genstatic"
@@ -28,7 +29,6 @@ import (
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
 	"github.com/traefik/traefik/v2/pkg/pilot"
-	"github.com/traefik/traefik/v2/pkg/plugins"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
@@ -173,15 +173,28 @@ func runCmd(staticConfiguration *static.Configuration) error {
 func setupServer(staticConfiguration *static.Configuration) (*server.Server, error) {
 	providerAggregator := aggregator.NewProviderAggregator(*staticConfiguration.Providers)
 
+	ctx := context.Background()
+	routinesPool := safe.NewPool(ctx)
+
 	// adds internal provider
 	err := providerAggregator.AddProvider(traefik.New(*staticConfiguration))
 	if err != nil {
 		return nil, err
 	}
 
-	tlsManager := traefiktls.NewManager()
+	// ACME
 
-	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager)
+	tlsManager := traefiktls.NewManager()
+	httpChallengeProvider := acme.NewChallengeHTTP()
+	tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
+	err = providerAggregator.AddProvider(tlsChallengeProvider)
+	if err != nil {
+		return nil, err
+	}
+
+	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)
+
+	// Entrypoints
 
 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
 	if err != nil {
@@ -193,91 +206,98 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 
-	ctx := context.Background()
-	routinesPool := safe.NewPool(ctx)
-
-	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	// Pilot
 
 	var aviator *pilot.Pilot
+	var pilotRegistry *metrics.PilotRegistry
 	if isPilotEnabled(staticConfiguration) {
-		pilotRegistry := metrics.RegisterPilot()
+		pilotRegistry = metrics.RegisterPilot()
 
 		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
+
 		routinesPool.GoCtx(func(ctx context.Context) {
 			aviator.Tick(ctx)
 		})
+	}
 
+	// Plugins
+
+	pluginBuilder, err := createPluginBuilder(staticConfiguration)
+	if err != nil {
+		return nil, err
+	}
+
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	if pilotRegistry != nil {
 		metricRegistries = append(metricRegistries, pilotRegistry)
 	}
-
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
+	// Service manager factory
+
+	roundTripperManager := service.NewRoundTripperManager()
+	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)
+
+	// Router factory
+
 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
 	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry)
-
-	client, plgs, devPlugin, err := initPlugins(staticConfiguration)
-	if err != nil {
-		return nil, err
-	}
-
-	pluginBuilder, err := plugins.NewBuilder(client, plgs, devPlugin)
-	if err != nil {
-		return nil, err
-	}
-
 	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
 
-	var defaultEntryPoints []string
-	for name, cfg := range staticConfiguration.EntryPoints {
-		protocol, err := cfg.GetProtocol()
-		if err != nil {
-			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
-		}
-
-		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
-			defaultEntryPoints = append(defaultEntryPoints, name)
-		}
-	}
-
-	sort.Strings(defaultEntryPoints)
+	// Watcher
 
 	watcher := server.NewConfigurationWatcher(
 		routinesPool,
 		providerAggregator,
 		time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
-		defaultEntryPoints,
+		getDefaultsEntrypoints(staticConfiguration),
 	)
 
+	// TLS
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		ctx := context.Background()
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
 	})
 
+	// Metrics
 	watcher.AddListener(func(_ dynamic.Configuration) {
 		metricsRegistry.ConfigReloadsCounter().Add(1)
 		metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
 	})
 
-	watcher.AddListener(switchRouter(routerFactory, acmeProviders, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
-
+	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
-		if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
-			var eps []string
-			for key := range serverEntryPointsTCP {
-				eps = append(eps, key)
-			}
-
-			metrics.OnConfigurationUpdate(conf, eps)
-		}
+		roundTripperManager.Update(conf.HTTP.ServersTransports)
 	})
 
+	// Switch router
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+
+	// Metrics
+	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
+		var eps []string
+		for key := range serverEntryPointsTCP {
+			eps = append(eps, key)
+		}
+		watcher.AddListener(func(conf dynamic.Configuration) {
+			metrics.OnConfigurationUpdate(conf, eps)
+		})
+	}
+
+	// TLS challenge
+	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)
+
+	// ACME
 	resolverNames := map[string]struct{}{}
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}
 
+	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
 			if rt.TLS == nil || rt.TLS.CertResolver == "" {
@@ -293,23 +313,43 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	return server.NewServer(routinesPool, serverEntryPointsTCP, serverEntryPointsUDP, watcher, chainBuilder, accessLog), nil
 }
 
-func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Provider, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvider http.Handler) http.Handler {
+	var acmeHTTPHandler http.Handler
+	for _, p := range acmeProviders {
+		if p != nil && p.HTTPChallenge != nil {
+			acmeHTTPHandler = httpChallengeProvider
+			break
+		}
+	}
+	return acmeHTTPHandler
+}
+
+func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
+	var defaultEntryPoints []string
+	for name, cfg := range staticConfiguration.EntryPoints {
+		protocol, err := cfg.GetProtocol()
+		if err != nil {
+			// Should never happen because Traefik should not start if protocol is invalid.
+			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+		}
+
+		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
+			defaultEntryPoints = append(defaultEntryPoints, name)
+		}
+	}
+
+	sort.Strings(defaultEntryPoints)
+	return defaultEntryPoints
+}
+
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
 		rtConf := runtime.NewConfig(conf)
 
 		routers, udpRouters := routerFactory.CreateRouters(rtConf)
 
-		for entryPointName, rt := range routers {
-			for _, p := range acmeProviders {
-				if p != nil && p.HTTPChallenge != nil && p.HTTPChallenge.EntryPoint == entryPointName {
-					rt.HTTPHandler(p.CreateHandler(rt.GetHTTPHandler()))
-					break
-				}
-			}
-		}
-
 		if aviator != nil {
-			aviator.SetRuntimeConfiguration(rtConf)
+			aviator.SetDynamicConfiguration(conf)
 		}
 
 		serverEntryPointsTCP.Switch(routers)
@@ -318,8 +358,7 @@ func switchRouter(routerFactory *server.RouterFactory, acmeProviders []*acme.Pro
 }
 
 // initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
-func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager) []*acme.Provider {
-	challengeStore := acme.NewLocalChallengeStore()
+func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}
 
 	var resolvers []*acme.Provider
@@ -330,10 +369,11 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 			}
 
 			p := &acme.Provider{
-				Configuration:  resolver.ACME,
-				Store:          localStores[resolver.ACME.Storage],
-				ChallengeStore: challengeStore,
-				ResolverName:   name,
+				Configuration:         resolver.ACME,
+				Store:                 localStores[resolver.ACME.Storage],
+				ResolverName:          name,
+				HTTPChallengeProvider: httpChallengeProvider,
+				TLSChallengeProvider:  tlsChallengeProvider,
 			}
 
 			if err := providerAggregator.AddProvider(p); err != nil {
@@ -343,15 +383,12 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 
 			p.SetTLSManager(tlsManager)
 
-			if p.TLSChallenge != nil {
-				tlsManager.TLSAlpnGetter = p.GetTLSALPNCertificate
-			}
-
 			p.SetConfigListenerChan(make(chan dynamic.Configuration))
 
 			resolvers = append(resolvers, p)
 		}
 	}
+
 	return resolvers
 }
 
@@ -478,13 +515,13 @@ func stats(staticConfiguration *static.Configuration) {
 		logger.Info(`Stats collection is enabled.`)
 		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
 		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://docs.traefik.io/contributing/data-collection/`)
+		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
 		logger.Info(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
-More details on: https://docs.traefik.io/contributing/data-collection/
+More details on: https://doc.traefik.io/traefik/contributing/data-collection/
 `)
 	}
 }

contrib/grafana/traefik-kubernetes.json

@@ -130,7 +130,7 @@
       "tableColumn": "",
       "targets": [
         {
-          "expr": "count(kube_pod_status_ready{namespace=\"$namespace\",condition=\"true\",pod=~\"traefik.*\"})",
+          "expr": "count(kube_pod_status_ready{condition=\"true\",pod=~\"traefik.*\"})",
           "format": "time_series",
           "intervalFactor": 1,
           "refId": "A"
@@ -150,10 +150,7 @@
       "valueName": "current"
     },
     {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
       "bars": false,
       "dashLength": 10,
       "dashes": false,
@@ -183,22 +180,17 @@
       "pointradius": 5,
       "points": false,
       "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
       "spaceLength": 10,
       "stack": false,
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\", code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
           "refId": "A"
         }
       ],
@@ -281,7 +273,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "{{ instance }}",
@@ -343,7 +335,7 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
@@ -379,7 +371,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_entrypoint_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_entrypoint_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -431,7 +423,7 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
@@ -465,7 +457,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -511,9 +503,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
       "type": "row"
     },
     {
@@ -522,7 +602,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 16
+        "y": 33
       },
       "id": 24,
       "panels": [
@@ -531,13 +611,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 17
+            "y": 34
           },
           "id": 25,
           "legend": {
@@ -567,7 +647,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_backend_open_connections{namespace=\"$namespace\"}) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -619,13 +699,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 17
+            "y": 34
           },
           "id": 26,
           "legend": {
@@ -653,7 +733,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{namespace=\"$namespace\",le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{namespace=\"$namespace\",code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -699,9 +779,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Backends",
+      "title": "Services",
       "type": "row"
     },
     {
@@ -710,7 +878,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 17
+        "y": 51
       },
       "id": 15,
       "panels": [
@@ -725,7 +893,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 18
+            "y": 52
           },
           "id": 5,
           "legend": {
@@ -755,7 +923,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -813,7 +981,7 @@
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 18
+            "y": 52
           },
           "id": 27,
           "legend": {
@@ -841,7 +1009,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -899,95 +1067,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 27
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\"}[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 27
+            "y": 61
           },
           "id": 6,
           "legend": {
@@ -1016,7 +1096,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{namespace=\"$namespace\",code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{ method }} : {{code}}",
@@ -1026,7 +1106,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1064,7 +1144,7 @@
           }
         }
       ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
       "type": "row"
     },
     {
@@ -1073,7 +1153,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 18
+        "y": 70
       },
       "id": 35,
       "panels": [
@@ -1082,13 +1162,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 19
+            "y": 71
           },
           "id": 31,
           "legend": {
@@ -1116,21 +1196,21 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "max(container_memory_usage_bytes{namespace=\"$namespace\", container_name=\"traefik\"})",
+              "expr": "sum(container_memory_usage_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Max memory used",
+              "legendFormat": "Memory used",
               "refId": "A"
             },
             {
-              "expr": "avg(kube_pod_container_resource_requests_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_memory_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Requested memory usage",
+              "legendFormat": "Requested memory",
               "refId": "B"
             },
             {
-              "expr": "avg(kube_pod_container_resource_limits_memory_bytes{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_memory_bytes{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Limit memory usage",
@@ -1140,7 +1220,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Traefik max memory usage",
+          "title": "Traefik memory usage",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1182,13 +1262,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 19
+            "y": 71
           },
           "id": 33,
           "legend": {
@@ -1215,21 +1295,21 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "max(rate(container_cpu_usage_seconds_total{namespace=\"$namespace\", container_name=\"traefik\"}[1m]))",
+              "expr": "sum(rate(container_cpu_usage_seconds_total{container=\"traefik\"}[2m]))",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Max cpu used",
+              "legendFormat": "Cpu used",
               "refId": "A"
             },
             {
-              "expr": "avg(kube_pod_container_resource_requests_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_requests_cpu_cores{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
-              "legendFormat": "Requested cpu usage",
+              "legendFormat": "Requested cpu",
               "refId": "B"
             },
             {
-              "expr": "avg(kube_pod_container_resource_limits_cpu_cores{namespace=\"$namespace\", container=\"traefik\"})",
+              "expr": "sum(kube_pod_container_resource_limits_cpu_cores{container=\"traefik\"})",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Limit cpu usage",
@@ -1239,7 +1319,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Traefik max CPU usage",
+          "title": "Traefik CPU usage",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -1277,7 +1357,7 @@
           }
         }
       ],
-      "title": "Pods ressources",
+      "title": "Pods resources",
       "type": "row"
     }
   ],
@@ -1288,26 +1368,6 @@
   ],
   "templating": {
     "list": [
-      {
-        "allValue": null,
-        "current": {},
-        "datasource": "${DS_PROMETHEUS}",
-        "hide": 0,
-        "includeAll": false,
-        "label": null,
-        "multi": false,
-        "name": "namespace",
-        "options": [],
-        "query": "label_values(traefik_config_reloads_total, namespace)",
-        "refresh": 1,
-        "regex": "",
-        "sort": 0,
-        "tagValuesQuery": "",
-        "tags": [],
-        "tagsQuery": "",
-        "type": "query",
-        "useTags": false
-      },
       {
         "allValue": null,
         "current": {
@@ -1370,5 +1430,5 @@
   "timezone": "",
   "title": "Traefik",
   "uid": "traefik-kubernetes",
-  "version": 1
+  "version": 2
 }

contrib/grafana/traefik.json

@@ -64,10 +64,7 @@
       "type": "row"
     },
     {
-      "aliasColors": {
-        "Latency over 1 min": "rgb(9, 116, 190)",
-        "Latency over 5 min": "#bf1b00"
-      },
+      "aliasColors": {},
       "bars": false,
       "dashLength": 10,
       "dashes": false,
@@ -97,22 +94,17 @@
       "pointradius": 5,
       "points": false,
       "renderer": "flot",
-      "seriesOverrides": [
-        {
-          "alias": "Latency over 5 min",
-          "yaxis": 1
-        }
-      ],
+      "seriesOverrides": [],
       "spaceLength": 10,
       "stack": false,
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m])) by (le))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (le))",
           "format": "time_series",
           "hide": false,
           "intervalFactor": 1,
-          "legendFormat": "Latency over 1 min",
+          "legendFormat": "Latency over 5 min",
           "refId": "A"
         }
       ],
@@ -195,7 +187,7 @@
       "steppedLine": false,
       "targets": [
         {
-          "expr": "histogram_quantile(0.$percentiles, rate(traefik_entrypoint_request_duration_seconds_bucket{code=\"200\",method=\"GET\"}[5m]))",
+          "expr": "histogram_quantile(0.$percentiles, sum(rate(traefik_entrypoint_request_duration_seconds_bucket{code=~\"2..\"}[5m])) by (instance, le))",
           "format": "time_series",
           "intervalFactor": 1,
           "legendFormat": "{{ instance }}",
@@ -257,13 +249,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 2
+            "y": 16
           },
           "id": 19,
           "legend": {
@@ -345,13 +337,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 2
+            "y": 16
           },
           "id": 22,
           "legend": {
@@ -379,7 +371,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_entrypoint_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_entrypoint_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -425,9 +417,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 23
+          },
+          "id": 3,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_entrypoint_requests_total[1m])) by (entrypoint)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ entrypoint }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per entrypoint",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Frontends (entrypoints)",
+      "title": "Entrypoints",
       "type": "row"
     },
     {
@@ -436,7 +516,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 16
+        "y": 33
       },
       "id": 24,
       "panels": [
@@ -445,13 +525,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 7,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 0,
-            "y": 3
+            "y": 34
           },
           "id": 25,
           "legend": {
@@ -481,7 +561,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(traefik_backend_open_connections) by (method)",
+              "expr": "sum(traefik_service_open_connections) by (method)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "{{ method }}",
@@ -533,13 +613,13 @@
           "bars": false,
           "dashLength": 10,
           "dashes": false,
-          "datasource": null,
+          "datasource": "${DS_PROMETHEUS}",
           "fill": 1,
           "gridPos": {
             "h": 7,
             "w": 12,
             "x": 12,
-            "y": 3
+            "y": 34
           },
           "id": 26,
           "legend": {
@@ -567,7 +647,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) / sum(rate(traefik_backend_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
+              "expr": "(sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.1\",code=\"200\"}[5m])) by (job) + sum(rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",code=\"200\"}[5m])) by (job)) / 2 / sum(rate(traefik_service_request_duration_seconds_count{code=\"200\"}[5m])) by (job)",
               "format": "time_series",
               "intervalFactor": 1,
               "legendFormat": "Code 200",
@@ -613,9 +693,97 @@
             "align": false,
             "alignLevel": null
           }
+        },
+        {
+          "aliasColors": {},
+          "bars": true,
+          "dashLength": 10,
+          "dashes": false,
+          "datasource": "${DS_PROMETHEUS}",
+          "fill": 1,
+          "gridPos": {
+            "h": 10,
+            "w": 24,
+            "x": 0,
+            "y": 41
+          },
+          "id": 4,
+          "legend": {
+            "alignAsTable": true,
+            "avg": true,
+            "current": true,
+            "max": true,
+            "min": false,
+            "rightSide": false,
+            "show": true,
+            "sort": "avg",
+            "sortDesc": true,
+            "total": false,
+            "values": true
+          },
+          "lines": false,
+          "linewidth": 1,
+          "links": [],
+          "nullPointMode": "null",
+          "percentage": false,
+          "pointradius": 5,
+          "points": false,
+          "renderer": "flot",
+          "seriesOverrides": [],
+          "spaceLength": 10,
+          "stack": false,
+          "steppedLine": false,
+          "targets": [
+            {
+              "expr": "sum(rate(traefik_service_requests_total[1m])) by (service)",
+              "format": "time_series",
+              "intervalFactor": 2,
+              "legendFormat": "{{ service }}",
+              "refId": "A"
+            }
+          ],
+          "thresholds": [],
+          "timeFrom": null,
+          "timeShift": null,
+          "title": "Service total requests over 1min per service",
+          "tooltip": {
+            "shared": true,
+            "sort": 0,
+            "value_type": "individual"
+          },
+          "type": "graph",
+          "xaxis": {
+            "buckets": null,
+            "mode": "time",
+            "name": null,
+            "show": true,
+            "values": []
+          },
+          "yaxes": [
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            },
+            {
+              "format": "short",
+              "label": null,
+              "logBase": 1,
+              "max": null,
+              "min": null,
+              "show": true
+            }
+          ],
+          "yaxis": {
+            "align": false,
+            "alignLevel": null
+          }
         }
       ],
-      "title": "Backends",
+      "title": "Services",
       "type": "row"
     },
     {
@@ -624,7 +792,7 @@
         "h": 1,
         "w": 24,
         "x": 0,
-        "y": 17
+        "y": 51
       },
       "id": 15,
       "panels": [
@@ -639,7 +807,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 4
+            "y": 52
           },
           "id": 5,
           "legend": {
@@ -669,7 +837,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"2..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"2..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -727,7 +895,7 @@
             "h": 9,
             "w": 12,
             "x": 12,
-            "y": 4
+            "y": 52
           },
           "id": 27,
           "legend": {
@@ -755,7 +923,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code=~\"5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code=~\"5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{method}} : {{code}}",
@@ -813,95 +981,7 @@
             "h": 9,
             "w": 12,
             "x": 0,
-            "y": 13
-          },
-          "id": 3,
-          "legend": {
-            "alignAsTable": true,
-            "avg": true,
-            "current": true,
-            "max": true,
-            "min": false,
-            "rightSide": true,
-            "show": true,
-            "sort": "avg",
-            "sortDesc": true,
-            "total": false,
-            "values": true
-          },
-          "lines": false,
-          "linewidth": 1,
-          "links": [],
-          "nullPointMode": "null",
-          "percentage": false,
-          "pointradius": 5,
-          "points": false,
-          "renderer": "flot",
-          "seriesOverrides": [],
-          "spaceLength": 10,
-          "stack": false,
-          "steppedLine": false,
-          "targets": [
-            {
-              "expr": "sum(rate(traefik_backend_requests_total[1m])) by (backend)",
-              "format": "time_series",
-              "intervalFactor": 2,
-              "legendFormat": "{{ backend }}",
-              "refId": "A"
-            }
-          ],
-          "thresholds": [],
-          "timeFrom": null,
-          "timeShift": null,
-          "title": "Backend total requests over 1min per backend",
-          "tooltip": {
-            "shared": true,
-            "sort": 0,
-            "value_type": "individual"
-          },
-          "type": "graph",
-          "xaxis": {
-            "buckets": null,
-            "mode": "time",
-            "name": null,
-            "show": true,
-            "values": []
-          },
-          "yaxes": [
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            },
-            {
-              "format": "short",
-              "label": null,
-              "logBase": 1,
-              "max": null,
-              "min": null,
-              "show": true
-            }
-          ],
-          "yaxis": {
-            "align": false,
-            "alignLevel": null
-          }
-        },
-        {
-          "aliasColors": {},
-          "bars": true,
-          "dashLength": 10,
-          "dashes": false,
-          "datasource": "${DS_PROMETHEUS}",
-          "fill": 1,
-          "gridPos": {
-            "h": 9,
-            "w": 12,
-            "x": 12,
-            "y": 13
+            "y": 61
           },
           "id": 6,
           "legend": {
@@ -930,7 +1010,7 @@
           "steppedLine": false,
           "targets": [
             {
-              "expr": "sum(rate(traefik_backend_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
+              "expr": "sum(rate(traefik_service_requests_total{code!~\"2..|5..\"}[5m])) by (method, code)",
               "format": "time_series",
               "intervalFactor": 2,
               "legendFormat": "{{ method }} : {{code}}",
@@ -940,7 +1020,7 @@
           "thresholds": [],
           "timeFrom": null,
           "timeShift": null,
-          "title": "Others status code over 5min",
+          "title": "Others statuses code over 5min",
           "tooltip": {
             "shared": true,
             "sort": 0,
@@ -978,7 +1058,7 @@
           }
         }
       ],
-      "title": "HTTP Codes  stats",
+      "title": "HTTP Codes stats",
       "type": "row"
     }
   ],
@@ -1051,5 +1131,5 @@
   "timezone": "",
   "title": "Traefik",
   "uid": "traefik",
-  "version": 1
+  "version": 2
 }

contrib/systemd/traefik.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Traefik
-Documentation=https://docs.traefik.io
+Documentation=https://doc.traefik.io/traefik/
 #After=network-online.target
 #AssertFileIsExecutable=/usr/bin/traefik
 #AssertPathExists=/etc/traefik/traefik.toml

docs/check.Dockerfile

@@ -1,5 +1,5 @@
 
-FROM alpine:3.10 as alpine
+FROM alpine:3.13 as alpine
 
 RUN apk --no-cache --no-progress add \
     libcurl \

docs/content/CNAME

@@ -1 +0,0 @@
-docs.traefik.io

docs/content/assets/styles/atom-one-light.css

@@ -1,96 +0,0 @@
-/*
-
-Atom One Light by Daniel Gamage
-Original One Light Syntax theme from https://github.com/atom/one-light-syntax
-
-base:    #fafafa
-mono-1:  #383a42
-mono-2:  #686b77
-mono-3:  #a0a1a7
-hue-1:   #0184bb
-hue-2:   #4078f2
-hue-3:   #a626a4
-hue-4:   #50a14f
-hue-5:   #e45649
-hue-5-2: #c91243
-hue-6:   #986801
-hue-6-2: #c18401
-
-*/
-
-.hljs {
-  display: block;
-  overflow-x: auto;
-  padding: 0.5em;
-  color: #383a42;
-  background: #fafafa;
-}
-
-.hljs-comment,
-.hljs-quote {
-  color: #a0a1a7;
-  font-style: italic;
-}
-
-.hljs-doctag,
-.hljs-keyword,
-.hljs-formula {
-  color: #a626a4;
-}
-
-.hljs-section,
-.hljs-name,
-.hljs-selector-tag,
-.hljs-deletion,
-.hljs-subst {
-  color: #e45649;
-}
-
-.hljs-literal {
-  color: #0184bb;
-}
-
-.hljs-string,
-.hljs-regexp,
-.hljs-addition,
-.hljs-attribute,
-.hljs-meta-string {
-  color: #50a14f;
-}
-
-.hljs-built_in,
-.hljs-class .hljs-title {
-  color: #c18401;
-}
-
-.hljs-attr,
-.hljs-variable,
-.hljs-template-variable,
-.hljs-type,
-.hljs-selector-class,
-.hljs-selector-attr,
-.hljs-selector-pseudo,
-.hljs-number {
-  color: #986801;
-}
-
-.hljs-symbol,
-.hljs-bullet,
-.hljs-link,
-.hljs-meta,
-.hljs-selector-id,
-.hljs-title {
-  color: #4078f2;
-}
-
-.hljs-emphasis {
-  font-style: italic;
-}
-
-.hljs-strong {
-  font-weight: bold;
-}
-
-.hljs-link {
-  text-decoration: underline;
-}

docs/content/assets/styles/content.css

@@ -1,70 +0,0 @@
-.md-container {
-  padding-top: 0;
-}
-
-.md-content h1 {
-  color: var(--dark) !important;
-  font-weight: bold !important;
-}
-
-.md-content a {
-  color: var(--blue) !important;
-}
-
-.md-content a:hover {
-  font-weight: bold !important;
-}
-
-.md-typeset p code,
-.md-typeset .codehilite,
-.md-typeset .highlight {
-  background-color: var(--light-blue) !important;
-}
-
-.md-typeset table:not([class]) th {
-  background: var(--dark) !important;
-  color: white !important;
-}
-
-/* Front page image size */
-img[src$='#small'] {
-  width: 150px;
-}
-img[src$='#medium'] {
-  width: 300px;
-}
-
-/* Center table and objects */
-.center,
-img,
-.md-typeset__table {
-  display: block !important;
-  margin: 0 auto;
-}
-
-.md-typeset table:not([class]) tr td:first-child {
-  text-align: left;
-}
-.md-typeset table:not([class]) th:not([align]),
-.md-typeset table:not([class]) td:not([align]) {
-  text-align: center;
-}
-article p:not([class]),
-article ul:not([class]),
-article ol:not([class]) {
-  padding-left: 0.8em !important;
-}
-
-/* Fix for Chrome */
-.md-typeset__table td code {
-  word-break: unset;
-}
-
-.md-typeset__table tr :nth-child(1) {
-  word-wrap: break-word;
-  max-width: 30em;
-}
-
-p {
-  text-align: justify;
-}

docs/content/assets/styles/footer.css

@@ -1,10 +0,0 @@
-.md-footer-meta {
-  background-color: var(--dark);
-}
-
-.md-footer-privacy-policy {
-  margin: 0 .6rem;
-  padding: .4rem 0;
-  color: hsla(0,0%,100%,.3);
-  font-size: .64rem;
-}

docs/content/assets/styles/header.css

@@ -1,462 +0,0 @@
-@import url('https://fonts.googleapis.com/css?family=Rubik:300i,400,400i,500,500i,700&display=swap');
-
-.wrapper-1200 {
-  width: 100%;
-  max-width: 61rem;
-  margin: 0 auto;
-  padding: 0 .6rem;
-}
-
-@media (max-width: 700px) {
-  .wrapper-1200 {
-    padding: 0 20px;
-  }
-}
-
-.btn-type-1 {
-  outline: none;
-  border: none;
-  background-color: #1e54d5;
-  line-height: 1em;
-  border-radius: 8px;
-  padding: 12px 15px;
-  text-transform: uppercase;
-  letter-spacing: 0.05em;
-  font-size: 1.25rem;
-  background-image: linear-gradient(to top, rgba(0, 0, 0, 0.28) 1%, #1e54d5 99%);
-  font-weight: 500;
-  text-align: center;
-  color: white;
-  transition: all 0.2s;
-}
-
-.button--secondary {
-  outline: none;
-  border: 2px solid #1e54d5 !important;
-  background: transparent;
-  line-height: 1em;
-  border-radius: 8px;
-  padding: 9px 13px;
-  letter-spacing: 0;
-  font-size: 1.3rem;
-  font-weight: 500;
-  text-align: center;
-  color: #1e54d5;
-  transition: all 0.2s;
-  display: inline-block;
-}
-.button--secondary:hover {
-  color: white !important;
-  background: #1e54d5;
-}
-.button--secondary:focus {
-  color: white !important;
-  background: #1e54d5;
-}
-
-.site-header-and-placeholder-wrapper {
-  position: relative;
-  height: 64px;
-}
-
-.site-header {
-  position: fixed;
-  width: 100%;
-  top: 0;
-  left: 0;
-  transition: height 0.1s;
-  z-index: 100;
-  background: white;
-  box-shadow: 0 0 7px 0 #00000021;
-  border-bottom: 1px solid #e2e2e2;
-  height: 64px;
-  display: flex;
-  align-items: center;
-  font-size: 10px;
-  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
-    'Helvetica Neue', sans-serif;
-  color: #06102a;
-  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-}
-
-.site-header.scrolled {
-  box-shadow: 0 0 5px 0 #00000028;
-  position: fixed;
-  top: 0;
-  height: 52px;
-}
-.site-header.scrolled .site-header__title a {
-  font-size: 2.2em;
-}
-
-.header-placeholder {
-  background: none;
-  width: 100%;
-  height: 64px;
-  position: absolute;
-}
-.header-placeholder.active {
-  display: block;
-}
-
-.site-header .wrapper-1200 {
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-}
-.site-header .wrapper-1200 .left {
-  display: flex;
-  align-items: center;
-  justify-content: flex-start;
-}
-
-.site-header__logo {
-  max-width: 145px;
-}
-
-.site-header__title a {
-  color: #06102a;
-  font-size: 2.2em;
-  font-weight: 500;
-  transition: all 0.2s;
-  text-transform: uppercase;
-  letter-spacing: 0.02em;
-}
-
-/* Navigation */
-.site-header__nav .menu-item-wrapper {
-  display: inline-block;
-  padding-left: 30px;
-}
-.site-header__nav .menu-item {
-  color: #06102a;
-  transition: all 0.05s;
-  font-size: 1.45em;
-  line-height: 1em;
-  font-weight: 500;
-}
-.site-header__nav .menu-item:hover {
-  color: #8a959e;
-}
-.site-header__nav .menu-item--with-icon {
-  display: flex;
-  align-items: center;
-  justify-content: flex-start;
-}
-.site-header__nav .menu-item--with-icon .title {
-  margin-right: 3px;
-}
-.site-header__nav .menu-item--with-icon .icon {
-  width: 20px;
-  height: 20px;
-  transition: all 0.1s;
-}
-.site-header__nav .menu-item--with-icon .icon svg {
-  stroke-width: 2.5 !important;
-  width: 100%;
-  height: 100%;
-}
-.site-header__nav .menu-item-wrapper--dropdown {
-  position: relative;
-}
-.site-header__nav .menu-item-wrapper--dropdown:hover .nav-dropdown-menu {
-  display: block;
-}
-.site-header__nav .nav-dropdown-menu {
-  display: none;
-}
-
-.nav-dropdown-menu {
-  position: absolute;
-  z-index: 500;
-  background: transparent;
-}
-
-.nav-dropdown-menu-wrapper {
-  border-radius: 8px;
-  box-shadow: 0 12px 40px 0 rgba(1, 10, 32, 0.24);
-  background: white;
-  margin: 8px 0;
-  overflow: hidden;
-}
-
-/* Products, Solutions dropdown menu */
-.nav-dropdown-menu--products,
-.nav-dropdown-menu--solutions {
-  width: 500px;
-}
-.nav-dropdown-menu--products .nav-dropdown-menu-wrapper,
-.nav-dropdown-menu--solutions .nav-dropdown-menu-wrapper {
-  padding: 20px;
-}
-.nav-dropdown-menu--products .dm-header,
-.nav-dropdown-menu--solutions .dm-header {
-  font-size: 1.1em;
-  font-weight: 500;
-  font-stretch: normal;
-  font-style: normal;
-  line-height: normal;
-  letter-spacing: 3.67px;
-  color: #505769;
-  margin-bottom: 20px;
-  text-transform: uppercase;
-}
-.nav-dropdown-menu--products .dm-item,
-.nav-dropdown-menu--solutions .dm-item {
-  border: none;
-  margin: 0 0 20px;
-  color: #06102a;
-  transition: all 0.1s;
-  position: relative;
-  width: 100%;
-}
-.nav-dropdown-menu--products .dm-item:last-child,
-.nav-dropdown-menu--solutions .dm-item:last-child {
-  margin-bottom: 0;
-}
-.nav-dropdown-menu--products .dm-item .dmi-image,
-.nav-dropdown-menu--solutions .dm-item .dmi-image {
-  width: 118px;
-  height: 92px;
-  position: absolute;
-  background: #f4f4f4;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  padding: 20px;
-  border-radius: 4px;
-  z-index: 0;
-}
-.nav-dropdown-menu--products .dm-item .dmi-image img,
-.nav-dropdown-menu--solutions .dm-item .dmi-image img {
-  width: 100%;
-}
-.nav-dropdown-menu--products .dm-item .dmi-details,
-.nav-dropdown-menu--solutions .dm-item .dmi-details {
-  padding: 8px 0 10px 135px;
-  width: 100%;
-  background: transparent;
-  display: block;
-  color: #06102a;
-  position: relative;
-  z-index: 1;
-}
-.nav-dropdown-menu--products .dm-item .dmi-details:hover,
-.nav-dropdown-menu--solutions .dm-item .dmi-details:hover {
-  color: #1e54d5;
-}
-.nav-dropdown-menu--products .dm-item .dmi-title,
-.nav-dropdown-menu--solutions .dm-item .dmi-title {
-  font-size: 1.6em;
-  font-weight: 500;
-  margin: 0 0 2px;
-}
-.nav-dropdown-menu--products .dm-item .dmi-description,
-.nav-dropdown-menu--solutions .dm-item .dmi-description {
-  font-size: 1.4em;
-  opacity: 0.7;
-  line-height: 1.6em;
-}
-.nav-dropdown-menu--products .dm-item--traefikee .dmi-image img,
-.nav-dropdown-menu--solutions .dm-item--traefikee .dmi-image img {
-  transform: scale(1.1);
-}
-
-.nav-dropdown-menu--solutions .dm-item .dmi-image {
-  width: 65px;
-  padding: 10px;
-  background: white;
-  height: auto;
-}
-.nav-dropdown-menu--solutions .dm-item .dmi-details {
-  padding: 5px 0 0 80px;
-}
-.nav-dropdown-menu--solutions .dm-item:last-child {
-  margin-bottom: 10px;
-}
-
-/* Dropdown menu: Learn */
-.nav-dropdown-menu--learn {
-  width: 250px;
-}
-.nav-dropdown-menu--company {
-  width: 500px;
-}
-.nav-dropdown-menu--company .nav-dropdown-menu-wrapper {
-  display: grid;
-  grid-template-columns: 50% 50%;
-}
-.nav-dropdown-menu--learn .dm-left,
-.nav-dropdown-menu--company .dm-left {
-  padding: 25px;
-}
-.nav-dropdown-menu--learn .dm-header,
-.nav-dropdown-menu--company .dm-header {
-  font-size: 1.1em;
-  font-weight: 500;
-  font-stretch: normal;
-  font-style: normal;
-  line-height: normal;
-  letter-spacing: 3.67px;
-  color: #505769;
-  margin-bottom: 20px;
-  text-transform: uppercase;
-}
-.nav-dropdown-menu--learn .dm-item,
-.nav-dropdown-menu--company .dm-item {
-  display: block;
-  font-size: 1.6em;
-  font-weight: 500;
-  color: #06102a;
-  margin-bottom: 15px;
-}
-.nav-dropdown-menu--learn .dm-item:last-child,
-.nav-dropdown-menu--company .dm-item:last-child {
-  margin-bottom: 0;
-}
-.nav-dropdown-menu--learn .dm-item:hover,
-.nav-dropdown-menu--company .dm-item:hover {
-  color: #1e54d5;
-}
-
-.dm-preview {
-  background: #edeff4;
-  overflow: hidden;
-  height: 100%;
-  display: flex;
-  flex-direction: column;
-}
-
-.dm-preview__feature-image {
-  overflow: hidden;
-  display: block;
-}
-
-.dm-preview__feature-image img {
-  width: 100%;
-  height: 145px;
-  background: #ffffff no-repeat 50%;
-  object-fit: cover;
-  vertical-align: middle;
-}
-
-.dm-preview__content {
-  padding: 15px;
-  display: flex;
-  justify-content: flex-start;
-  align-items: flex-start;
-  flex-direction: column;
-  flex: 1;
-  position: relative;
-}
-
-.dm-preview__tag {
-  display: block;
-  font-size: 1.2em;
-  color: #db7d11;
-  letter-spacing: 2.5px;
-  font-weight: 500;
-  margin: 0 0;
-  text-transform: uppercase;
-}
-
-.dm-preview__title {
-  font-size: 1.6em;
-  font-weight: 500;
-  line-height: 1.6em;
-  margin: 0;
-  color: #06102a;
-  display: block;
-  flex: 1;
-  position: relative;
-  z-index: 1;
-  padding-bottom: 20px;
-}
-
-.dm-preview .arrow-link {
-  justify-content: flex-start;
-  font-size: 1.4em;
-  position: absolute;
-  bottom: 12px;
-  z-index: 0;
-}
-
-/* Dropdown menu: Company */
-.nav-dropdown-menu--company {
-  width: 450px;
-}
-
-.nav-dropdown-menu--company .dm-right {
-  background: #06102a;
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  flex-direction: column;
-  color: white;
-  padding: 20px;
-}
-.nav-dropdown-menu--company .dm-right p {
-  font-size: 1.6em;
-  font-weight: 500;
-  margin: 0 0 15px;
-  text-align: center;
-}
-.nav-dropdown-menu--company .dm-right a {
-  text-transform: uppercase;
-  line-height: 1.5em;
-  padding: 9px 12px;
-  font-size: 1.2em;
-}
-
-/* Demo */
-.site-header__demo-button .button--secondary {
-  font-size: 1.4em;
-  padding: 8px 12px;
-  border-radius: 6px;
-}
-
-/* Drawer */
-.site-header .drawer {
-  display: none;
-}
-
-@media (max-width: 1060px) {
-  .site-header__nav .menu-item-wrapper {
-    padding-left: 20px;
-  }
-}
-@media (max-width: 980px) {
-  .site-header__nav {
-    display: none;
-  }
-
-  .site-header .drawer {
-    display: block;
-  }
-
-  .site-header .right .site-header__demo-button {
-    display: none;
-  }
-
-  html [data-md-color-primary=indigo] .md-nav--primary .md-nav__title--site {
-    background-color: #06102a;
-  }
-
-  html .md-nav--primary .md-nav__title {
-    padding: 64px .8rem .2rem;
-  }
-
-  .md-search__inner {
-    top: 64px;
-    right: 0;
-  }
-}
-
-.md-header .md-search {
-  margin-left: 12.1rem;
-} 
-
-.site-header__main {
-  display: flex;
-  align-items: center;
-}

docs/content/assets/styles/menu.css

@@ -1,101 +0,0 @@
-.md-nav__link {
-  margin-left: -0.4rem;
-  padding: 0 0.4rem;
-  line-height: 32px;
-  color: var(--dark) !important;
-}
-
-.md-nav__link::after {
-  font-size: 16px;
-  vertical-align: -.25em;
-}
-
-.md-nav__toggle:checked + .md-nav__link,
-.md-nav__link--active,
-.md-nav__link:hover {
-  border-radius: 8px;
-  background-color: var(--light-blue) !important;
-  color: var(--dark) !important;
-  transition: background-color 0.3s ease;
-}
-
-.md-nav__link--active {
-  color: var(--blue) !important;
-  font-weight: bold;
-}
-
-.md-sidebar--primary {
-  background-color: white;
-}
-
-.md-sidebar--secondary .md-nav__title {
-  font-size: 12px;
-  text-transform: uppercase;
-  margin-bottom: 0.4rem;
-  padding: 0;
-}
-
-.md-sidebar--secondary .md-sidebar__scrollwrap {
-  border-radius: 8px;
-  background-color: var(--light-blue) !important;
-}
-
-.md-sidebar--secondary .md-nav__title {
-  padding: 0.8rem 0.4rem 0.8rem;
-}
-
-.md-sidebar--secondary .md-nav__list {
-  padding: 0 0.4rem 0.8rem 1.2rem;
-}
-
-.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link {
-  font-weight: 300;
-}
-
-.md-sidebar--secondary
-  .md-sidebar__scrollwrap
-  .md-nav__link[data-md-state='blur'],
-.md-sidebar--secondary .md-sidebar__scrollwrap .md-nav__link:hover {
-  color: var(--blue) !important;
-  font-weight: bold;
-}
-
-.md-sidebar--secondary .md-nav__item {
-  padding: 0 0 0 0.4rem;
-}
-
-.md-sidebar--secondary .md-nav__link {
-  margin-top: 0.225em;
-  padding: 0.1rem 0.2rem;
-}
-
-.md-sidebar--secondary li {
-  list-style-type: disc;
-}
-
-.md-sidebar--secondary .repo_url {
-  padding: 10px 0 14px 0;
-}
-
-
-.md-search__inner {
-  width: inherit;
-  float: inherit;
-}
-
-.md-search__input {
-  margin-bottom: 10px;
-  border-radius: 4px; 
-  background-color: inherit;
-  border: 1px solid rgba(0,0,0,.07);
-}
-
-.md-search__input::placeholder {
-  color: rgba(0,0,0,.07);
-}
-
-@media only screen and (min-width: 60em) {
-  [data-md-toggle=search]:checked~.md-header .md-search__inner {
-    margin-top: 100px;
-  }
-}

docs/content/assets/styles/product-switcher.css

@@ -1,11 +0,0 @@
-.product-switcher {
-  font-size: 10px;
-  font-family: 'Rubik', -apple-system, 'BlinkMacSystemFont', 'Segoe UI',
-    'Helvetica Neue', sans-serif;
-  color: #06102a;
-  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-}
-
-.product-switcher img {
-  margin-right: 10px;
-}

docs/content/assets/styles/root.css

@@ -1,10 +0,0 @@
-:root {
-  --dark: #06102a;
-  --blue: #04B5D1;
-  --light-blue: #E4F7FA;
-
-  --input-bg-color: white;
-  --input-color: black;
-  --input-placeholder-color: #bbb;
-  --input-border-color: #dcdcdc;
-}

docs/content/contributing/advocating.md

@@ -5,6 +5,6 @@ Spread the Love & Tell Us about It
 
 There are many ways to contribute to the project, and there is one that always spark joy: when we see/read about users talking about how Traefik helps them solve their problems.
 
-If you're talking about Traefik, [let us know](https://blog.containo.us/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
+If you're talking about Traefik, [let us know](https://blog.traefik.io/spread-the-love-ba5a40aa72e7) and we'll promote your enthusiasm!
 
 Also, if you've written about Traefik or shared useful information you'd like to promote, feel free to add links in the [dedicated wiki page on Github](https://github.com/traefik/traefik/wiki/Awesome-Traefik).

docs/content/contributing/data-collection.md

@@ -31,6 +31,8 @@ For this very reason, the sendAnonymousUsage option is mandatory: we want you to
 
 This feature comes from the public proposal [here](https://github.com/traefik/traefik/issues/2369).
 
+This feature is activated when using Traefik Pilot to better understand the community's need, and also to get information about plug-ins popularity.
+
 In order to help us learn more about how Traefik is being used and improve it, we collect anonymous usage statistics from running instances.
 Those data help us prioritize our developments and focus on what's important for our users (for example, which provider is popular, and which is not).
 

docs/content/contributing/documentation.md

@@ -10,7 +10,7 @@ Let's see how.
 
 ### General
 
-This [documentation](https://docs.traefik.io/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
 
 ### Method 1: `Docker` and `make`
 

docs/content/contributing/maintainers.md

@@ -11,75 +11,22 @@
 * Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
-* Marco Jantke [@marco-jantke](https://github.com/marco-jantke)
+* Marco Jantke [@mjantke](https://github.com/mjeri)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
 * Gérald Croës [@geraldcroes](https://github.com/geraldcroes)
 * Jean-Baptiste Doumenjou [@jbdoumenjou](https://github.com/jbdoumenjou)
 * Mathieu Lonjaret [@mpl](https://github.com/mpl)
 * Romain Tribotté [@rtribotte](https://github.com/rtribotte)
+* Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
+* Harold Ozouf [@jspdown](https://github.com/jspdown)
 
-## Contributions Daily Meeting
+## Issue Triage
 
-* 3 Maintainers should attend to a Contributions Daily Meeting where we sort and label new issues ([is:issue label:status/0-needs-triage](https://github.com/traefik/traefik/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Astatus%2F0-needs-triage+)), and review every Pull Requests
-* Every pull request should be checked during the Contributions Daily Meeting
-    * Even if it’s already assigned
-    * Even PR labelled with `contributor/waiting-for-corrections` or `contributor/waiting-for-feedback`
-* Issues labeled with `priority/P0` and `priority/P1` should be assigned.
-* Modifying an issue or a pull request (labels, assignees, milestone) is only possible:
-    * During the Contributions Daily Meeting
-    * By an assigned maintainer
-    * In case of emergency, if a change proposal is approved by 2 other maintainers (on Slack, Discord, Discourse, etc)
+Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
 
 ## PR review process:
 
-* The status `needs-design-review` is only used in complex/heavy/tricky PRs.
-* From `1` to `2`: 1 comment that says “design LGTM” (by a senior maintainer).
-* From `2` to `3`: 3 LGTM approvals by any maintainer.
-* If needed, a specific maintainer familiar with a particular domain can be requested for the review.
-* If a PR has been implemented in pair programming, one peer's LGTM goes into the review for free
-* Amending someone else's pull request is authorized only in emergency, if a rebase is needed, or if the initial contributor is silent
-
-We use [PRM](https://github.com/ldez/prm) to manage locally pull requests.
-
-## Bots
-
-### [Myrmica Lobicornis](https://github.com/traefik/lobicornis/)
-
-Update and Merge Pull Request.
-
-The maintainer giving the final LGTM must add the `status/3-needs-merge` label to trigger the merge bot.
-
-By default, a squash-rebase merge will be carried out.
-To preserve commits, add `bot/merge-method-rebase` before `status/3-needs-merge`.
-
-The status `status/4-merge-in-progress` is only used by the bot.
-
-If the bot is not able to perform the merge, the label `bot/need-human-merge` is added.  
-In such a situation, solve the conflicts/CI/... and then remove the label `bot/need-human-merge`.
-
-To prevent the bot from automatically merging a PR, add the label `bot/no-merge`.
-
-The label `bot/light-review` decreases the number of required LGTM from 3 to 1.
-
-This label is used when:
-
-* Updating the vendors from previously reviewed PRs
-* Merging branches into the master
-* Preparing the release
-
-### [Myrmica Bibikoffi](https://github.com/traefik/bibikoffi/)
-
-* closes stale issues [cron]
-    * use some criterion as number of days between creation, last update, labels, ...
-
-### [Myrmica Aloba](https://github.com/traefik/aloba)
-
-Manage GitHub labels.
-
-* Add labels on new PR [GitHub WebHook]
-* Add milestone to a new PR based on a branch version (1.4, 1.3, ...) [GitHub WebHook]
-* Add and remove `contributor/waiting-for-corrections` label when a review request changes [GitHub WebHook]
-* Weekly report of PR status on Slack (CaptainPR) [cron]
+The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
 
 ## Labels
 

docs/content/contributing/submitting-issues.md

@@ -14,7 +14,7 @@ To save us some time and get quicker feedback, be sure to follow the guide lines
 
     For end-user related support questions, try using first:
 
-    - the Traefik community forum: [![Join the chat at https://community.containo.us/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.containo.us/)
+    - the Traefik community forum: [![Join the chat at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 
 ## Issue Title
 

docs/content/contributing/submitting-pull-requests.md

@@ -5,41 +5,5 @@ A Quick Guide for Efficient Contributions
 
 So you've decided to improve Traefik? 
 Thank You! 
-Now the last step is to submit your Pull Request in a way that makes sure it gets the attention it deserves.
 
-Let's go through the classic pitfalls to make sure everything is right. 
-
-## Title
-
-The title must be short and descriptive. (~60 characters)
-
-## Description
-
-Follow the [pull request template](https://github.com/traefik/traefik/blob/master/.github/PULL_REQUEST_TEMPLATE.md) as much as possible.
-
-Explain the conditions which led you to write this PR: give us context.
-The context should lead to something, an idea or a problem that you’re facing.
-
-Remain clear and concise.
-
-Take time to polish the format of your message so we'll enjoy reading it and working on it.
-Help the readers focus on what matters, and help them understand the structure of your message (see the [Github Markdown Syntax](https://help.github.com/articles/github-flavored-markdown)).
-
-## PR Content
-
-- Make it small.
-- One feature per Pull Request.
-- Write useful descriptions and titles.
-- Avoid re-formatting code that is not on the path of your PR.
-- Make sure the [code builds](building-testing.md).
-- Make sure [all tests pass](building-testing.md).
-- Add tests.
-- Address review comments in terms of additional commits (and don't amend/squash existing ones unless the PR is trivial).
-
-!!! note "Third-Party Dependencies"
-
-    If a PR involves changes to third-party dependencies, the commits pertaining to the vendor folder and the manifest/lock file(s) should be committed separated.
-
-!!! tip "10 Tips for Better Pull Requests"
-
-    We enjoyed this article, maybe you will too! [10 tips for better pull requests](https://blog.ploeh.dk/2015/01/15/10-tips-for-better-pull-requests/).
+Please review the [guidelines on creating PRs](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md) for Traefik in our [contributors guide repository](https://github.com/traefik/contributors-guide).

docs/content/getting-started/install-traefik.md

@@ -9,11 +9,14 @@ You can install Traefik with the following flavors:
 
 ## Use the Official Docker Image
 
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with the [sample configuration file](https://raw.githubusercontent.com/traefik/traefik/v2.3/traefik.sample.toml):
+Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
+
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.yml)
 
 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.3
+    -v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.4
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -30,7 +33,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! warning
     
     The Traefik Chart from 
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://docs.traefik.io/v1.7).
+    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
 
 Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
 
@@ -42,7 +45,7 @@ Ensure that the following requirements are met:
 Add Traefik's chart repository to Helm:
 
 ```bash
-helm repo add traefik https://traefik.github.io/traefik-helm-chart
+helm repo add traefik https://helm.traefik.io/traefik
 ```
 
 You can update the chart repository by running:

docs/content/getting-started/quick-start.md

@@ -15,7 +15,7 @@ version: '3'
 services:
   reverse-proxy:
     # The official v2 Traefik docker image
-    image: traefik:v2.3
+    image: traefik:v2.4
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:

docs/content/glossary.md

@@ -12,7 +12,7 @@ Where Every Technical Word finds its Definition`
 - [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
 - [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
 - [ ] ACME
-- [ ] TraefikEE
+- [ ] Traefik Enterprise
 - [ ] Tracing
 - [ ] Metrics
 - [ ] Orchestrator

docs/content/https/acme.md

@@ -10,7 +10,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
 
     Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
     when experimenting to avoid hitting this limit too fast.
-    
+
 ## Certificate Resolvers
 
 Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
@@ -322,11 +322,14 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
+| [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
-| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
+| [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)       |
+| [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
 | [Lightsail](https://aws.amazon.com/lightsail/)              | `lightsail`    | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)    |
 | [Linode v4](https://www.linode.com)                         | `linode`       | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)       |
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
+| [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
 | [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
 | manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
@@ -407,6 +410,35 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
 
+## External Account Binding
+
+- `kid`: Key identifier from External CA
+- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      eab:
+        kid: abc-keyID-xyz
+        hmacEncoded: abc-hmac-xyz
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
+--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
+```
+
 ## More Configuration
 
 ### `caServer`
@@ -516,6 +548,34 @@ certificatesResolvers:
 # ...
 ```
 
+### `keyType`
+
+_Optional, Default="RSA4096"_
+
+KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  keyType = "RSA4096"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      keyType: 'RSA4096'
+      # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+# ...
+```
+
 ## Fallback
 
 If Let's Encrypt is not reachable, the following certificates will apply:

docs/content/https/tls.md

@@ -64,7 +64,7 @@ tls:
 !!! important "Restriction"
 
     Any store definition other than the default one (named `default`) will be ignored,
-    and there is thefore only one globally available TLS store.
+    and there is therefore only one globally available TLS store.
 
 In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
 
@@ -134,14 +134,23 @@ If no default certificate is provided, Traefik generates and uses a self-signed
 
 The TLS options allow one to configure some parameters of the TLS connection.
 
+!!! important "'default' TLS Option"
+
+    The `default` option is special.
+    When no tls options are specified in a tls router, the `default` option is used.  
+    When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.  
+    Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
+    you must specify the provider namespace, for example:  
+    `traefik.http.routers.myrouter.tls.options=myoptions@file`
+
 !!! important "TLSOptions in Kubernetes"
 
     When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
-    if not explicitly overwritten, should apply to all ingresses. To achieve that, you'll have to
-    create a TLSOptions CR with the name `default`. There may exist only one TLSOption with the 
-    name `default` (across all namespaces) - otherwise they will be dropped.  
-    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources) you'll 
-    have to add an annotation to the Ingress in the following form:
+    if not explicitly overwritten, should apply to all ingresses.  
+    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
+    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
+    you'll have to add an annotation to the Ingress in the following form:
     `traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd`
 
 ### Minimum TLS Version

docs/content/index.md

@@ -20,9 +20,9 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
 
 !!! info
 
-    Join our user friendly and active [Community Forum](https://community.containo.us) to discuss, learn, and connect with the traefik community.
+    Join our user friendly and active [Community Forum](https://community.traefik.io) to discuss, learn, and connect with the traefik community.
     
     If you're a business running critical services behind Traefik,
-    know that [Containous](https://containo.us), the company that sponsors Traefik's development,
-    can provide [commercial support](https://info.containo.us/commercial-services)
-    and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.
+    know that [Traefik Labs](https://traefik.io), the company that sponsors Traefik's development,
+    can provide [commercial support](https://info.traefik.io/commercial-services)
+    and develops an [Enterprise Edition](https://traefik.io/traefik-enterprise/) of Traefik.

docs/content/middlewares/errorpages.md

@@ -28,7 +28,7 @@ metadata:
 spec:
   errors:
     status:
-      - 500-599
+      - "500-599"
     query: /{status}.html
     service:
       name: whoami

docs/content/middlewares/forwardauth.md

@@ -61,6 +61,18 @@ http:
         address: "https://example.com/auth"
 ```
 
+## Forward-Request Headers
+
+The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
+
+| Property          | Forward-Request Header |
+|-------------------|------------------------|
+| HTTP Method       | X-Forwarded-Method     |
+| Protocol          | X-Forwarded-Proto      |
+| Host              | X-Forwarded-Host       |
+| Request URI       | X-Forwarded-Uri        |
+| Source IP-Address | X-Forwarded-For        |
+
 ## Configuration Options
 
 ### `address`
@@ -164,7 +176,7 @@ http:
 
 ### `authResponseHeaders`
 
-The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request.
+The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request. All incoming request's headers in this list are deleted from the request before any copy happens.
 
 ```yaml tab="Docker"
 labels:
@@ -217,6 +229,116 @@ http:
           - "X-Secret"
 ```
 
+### `authResponseHeadersRegex`
+
+The `authResponseHeadersRegex` option is the regex to match the headers that should be copied from the authentication server to the request. All incoming request's headers matching this regex are deleted from the request before any copy happens.
+It allows partial matching of the regular expression against the header's key.
+You should use start of string (`^`) and end of string (`$`) anchors to ensure a full match against the header's key.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authResponseHeadersRegex: ^X-
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authResponseHeadersRegex = "^X-"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authResponseHeadersRegex: "^X-"
+```
+
+### `authRequestHeaders`
+
+The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
+It allows filtering headers that should not be passed to the authentication server.
+If not set or empty then all request headers will be passed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    address: https://example.com/auth
+    authRequestHeaders:
+      - "Accept"
+      - "X-CustomHeader"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    authRequestHeaders = "Accept,X-CustomHeader"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        address: "https://example.com/auth"
+        authRequestHeaders:
+          - "Accept"
+          - "X-CustomHeader"
+```
+
 ### `tls`
 
 The `tls` option is the TLS configuration from Traefik to the authentication server.

docs/content/middlewares/headers.md

@@ -306,7 +306,7 @@ The `accessControlAllowOriginList` indicates whether a resource can be shared by
 A wildcard origin `*` can also be configured, and will match all requests.
 If this value is set by a backend server, it will be overwritten by Traefik
 
-This value can contains a list of allowed origins.
+This value can contain a list of allowed origins.
 
 More information including how to use the settings can be found on:
 
@@ -316,6 +316,14 @@ More information including how to use the settings can be found on:
 
 Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
 
+### `accessControlAllowOriginListRegex`
+
+The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
+It will allow all origin that contains any match of a regular expression in the `accessControlAllowOriginList`.
+
+!!! tip
+    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
 ### `accessControlExposeHeaders`
 
 The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.

docs/content/middlewares/overview.md

@@ -11,6 +11,11 @@ There are several available middleware in Traefik, some can modify the request,
 
 Pieces of middleware can be combined in chains to fit every scenario.
 
+!!! warning "Provider Namespace"
+
+    Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section. 
+    It also applies to Middlewares.
+
 ## Configuration Example
 
 ```yaml tab="Docker"
@@ -128,106 +133,6 @@ http:
           - url: "http://127.0.0.1:80"
 ```
 
-## Provider Namespace
-
-When you declare a middleware, it lives in its provider's namespace.
-For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
-
-If you use multiple providers and wish to reference a middleware declared in another provider
-(aka referencing a cross-provider middleware),
-then you'll have to append to the middleware name, the `@` separator, followed by the provider name.
-
-```text
-<resource-name>@<provider-name>
-```
-
-!!! important "Kubernetes Namespace"
-
-    As Kubernetes also has its own notion of namespace, one should not confuse the "provider namespace"
-    with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.
-    In this case, since the definition of the middleware is not in kubernetes,
-    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
-    and therefore this specification would be ignored even if present.
-    On the other hand, if you declare the middleware as a Custom Resource in Kubernetes and use the 
-    non-crd Ingress objects, you'll have to add the kubernetes namespace of the middleware to the 
-    annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
-
-!!! abstract "Referencing a Middleware from Another Provider"
-
-    Declaring the add-foo-prefix in the file provider.
-
-    ```toml tab="File (TOML)"
-    [http.middlewares]
-      [http.middlewares.add-foo-prefix.addPrefix]
-        prefix = "/foo"
-    ```
-    
-    ```yaml tab="File (YAML)"
-    http:
-      middlewares:
-        add-foo-prefix:
-          addPrefix:
-            prefix: "/foo"
-    ```
-
-    Using the add-foo-prefix middleware from other providers:
-
-    ```yaml tab="Docker"
-    your-container: #
-      image: your-docker-image
-
-      labels:
-        # Attach add-foo-prefix@file middleware (declared in file)
-        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
-    ```
-
-    ```yaml tab="Kubernetes Ingress Route"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroutestripprefix
-
-    spec:
-      entryPoints:
-        - web
-      routes:
-        - match: Host(`example.com`)
-          kind: Rule
-          services:
-            - name: whoami
-              port: 80
-          middlewares:
-            - name: add-foo-prefix@file
-            # namespace: bar
-            # A namespace specification such as above is ignored
-            # when the cross-provider syntax is used.
-    ```
-    
-    ```yaml tab="Kubernetes Ingress"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: Middleware
-    metadata:
-      name: stripprefix
-      namespace: appspace
-    spec:
-      stripPrefix:
-        prefixes:
-          - /stripit
-    
-    ---
-    apiVersion: networking.k8s.io/v1
-    kind: Ingress
-    metadata:
-      name: ingress
-      namespace: appspace
-      annotations:
-        # referencing a middleware from Kubernetes CRD provider: 
-        # <middleware-namespace>-<middleware-name>@kubernetescrd
-        "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd
-    spec:
-      # ... regular ingress definition
-    ```
-
 ## Available Middlewares
 
 | Middleware                                | Purpose                                           | Area                        |

docs/content/middlewares/retry.md

@@ -9,17 +9,19 @@ TODO: add schema
 
 The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
 To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
+The Retry middleware has an optional configuration for exponential backoff.
 
 ## Configuration Examples
 
 ```yaml tab="Docker"
-# Retry to send request 4 times
+# Retry to send request 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
 ```yaml tab="Kubernetes"
-# Retry to send request 4 times
+# Retry to send request 4 times with exponential backoff
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -27,45 +29,55 @@ metadata:
 spec:
   retry:
     attempts: 4
+    initialInterval: 100ms
 ```
 
 ```yaml tab="Consul Catalog"
-# Retry to send request 4 times
+# Retry to send request 4 times with exponential backoff
 - "traefik.http.middlewares.test-retry.retry.attempts=4"
+- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-retry.retry.attempts": "4"
+  "traefik.http.middlewares.test-retry.retry.attempts": "4",
+  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
 }
 ```
 
 ```yaml tab="Rancher"
-# Retry to send request 4 times
+# Retry to send request 4 times with exponential backoff
 labels:
   - "traefik.http.middlewares.test-retry.retry.attempts=4"
+  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```
 
 ```toml tab="File (TOML)"
 # Retry to send request 4 times
 [http.middlewares]
   [http.middlewares.test-retry.retry]
-     attempts = 4
+    attempts = 4
+    initialInterval = "100ms"
 ```
 
 ```yaml tab="File (YAML)"
-# Retry to send request 4 times
+# Retry to send request 4 times with exponential backoff
 http:
   middlewares:
     test-retry:
       retry:
-       attempts: 4
+        attempts: 4
+        initialInterval: 100ms
 ```
 
 ## Configuration Options
 
-### `attempts` 
+### `attempts`
 
 _mandatory_
 
 The `attempts` option defines how many times the request should be retried.
+
+### `initialInterval`
+
+The `initialInterval` option defines the first wait time in the exponential backoff series (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). The maximum interval is calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.

docs/content/migration/v1-to-v2.md

@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: Middleware
     metadata:
@@ -275,7 +275,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 
     ```yaml tab="K8s IngressRoute"
     # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://docs.traefik.io/v2.2/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
     apiVersion: traefik.containo.us/v1alpha1
     kind: TLSOption
     metadata:
@@ -385,7 +385,7 @@ To apply a redirection:
     
     entryPoints:
       web:
-        address: 80
+        address: ":80"
         http:
           redirections:
             entrypoint:
@@ -393,7 +393,7 @@ To apply a redirection:
               scheme: https
     
       websecure:
-        address: 443
+        address: ":443"
     ```
 
 !!! example "HTTP to HTTPS redirection per domain"
@@ -1145,4 +1145,4 @@ Supported [providers](../providers/overview.md), for now:
 - Now, configuration elements can be referenced between different providers by using the provider namespace notation: `@<provider>`.
   For instance, a router named `myrouter` in a File Provider can refer to a service named `myservice` defined in Docker Provider with the following notation: `myservice@docker`.
 - Middlewares are applied in the same order as their declaration in router.
-- If you have any questions feel free to join our [community forum](https://community.containo.us).
+- If you have any questions feel free to join our [community forum](https://community.traefik.io).

docs/content/observability/access-logs.md

@@ -26,6 +26,20 @@ accessLog: {}
 By default access logs are written to the standard output.
 To write the logs into a log file, use the `filePath` option.
 
+```toml tab="File (TOML)"
+[accessLog]
+  filePath = "/path/to/access.log"
+```
+
+```yaml tab="File (YAML)"
+accessLog:
+  filePath: "/path/to/access.log"
+```
+
+```bash tab="CLI"
+--accesslog.filepath=/path/to/access.log
+```
+
 ### `format`
  
 By default, logs are written using the Common Log Format (CLF).
@@ -60,7 +74,6 @@ accessLog:
 
 ```bash tab="CLI"
 # Configuring a buffer of 100 lines
---accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.bufferingsize=100
 ```
@@ -74,7 +87,7 @@ The available filters are:
 
 - `statusCodes`, to limit the access logs to requests with a status codes in the specified range
 - `retryAttempts`, to keep the access logs when at least one retry has happened
-- `minDuration`, to keep access logs when requests take longer than the specified duration
+- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration))
 
 ```toml tab="File (TOML)"
 # Configuring Multiple Filters
@@ -103,7 +116,6 @@ accessLog:
 
 ```bash tab="CLI"
 # Configuring Multiple Filters
---accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.format=json
 --accesslog.filters.statuscodes=200,300-302
@@ -163,7 +175,6 @@ accessLog:
 
 ```bash tab="CLI"
 # Limiting the Logs to Specific Fields
---accesslog=true
 --accesslog.filepath=/path/to/access.log
 --accesslog.format=json
 --accesslog.fields.defaultmode=keep
@@ -198,7 +209,7 @@ accessLog:
     | `RequestScheme`         | The HTTP scheme requested `http` or `https`.                                                                                                                        |
     | `RequestLine`           | `RequestMethod` + `RequestPath` + `RequestProtocol`                                                                                                                 |
     | `RequestContentSize`    | The number of bytes in the request entity (a.k.a. body) sent by the client.                                                                                         |
-    | `OriginDuration`        | The time taken by the origin server ('upstream') to return its response.                                                                                            |
+    | `OriginDuration`        | The time taken (in nanoseconds) by the origin server ('upstream') to return its response.                                                                                            |
     | `OriginContentSize`     | The content length specified by the origin server, or 0 if unspecified.                                                                                             |
     | `OriginStatus`          | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent.     |
     | `OriginStatusLine`      | `OriginStatus` + Status code explanation                                                                                                                            |
@@ -207,7 +218,7 @@ accessLog:
     | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
     | `RequestCount`          | The number of requests received since the Traefik instance started.                                                                                                 |
     | `GzipRatio`             | The response body compression ratio achieved.                                                                                                                       |
-    | `Overhead`              | The processing time overhead caused by Traefik.                                                                                                                     |
+    | `Overhead`              | The processing time overhead (in nanoseconds) caused by Traefik.                                                                                                                     |
     | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
 
 ## Log Rotation
@@ -238,7 +249,6 @@ services:
     environment:
       - TZ=US/Alaska
     command:
-      - --accesslog
       - --accesslog.fields.names.StartUTC=drop
       - --providers.docker
     ports:

docs/content/plugins/index.md

@@ -0,0 +1,49 @@
+# Plugins and Traefik Pilot
+
+Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities.
+It offers a number of features to enhance observability and control of Traefik through a global control plane and dashboard, including:
+
+* Metrics for network activity of Traefik proxies and groups of proxies
+* Alerts for service health issues and security vulnerabilities
+* Plugins that extend the functionality of Traefik
+
+!!! important "Learn More About Traefik Pilot"
+    This section is intended only as a brief overview for Traefik users who are not familiar with Traefik Pilot. 
+    To explore all that Traefik Pilot has to offer, please consult the [Traefik Pilot Documentation](https://doc.traefik.io/traefik-pilot/)
+
+!!! Note "Prerequisites"
+    Traefik Pilot is compatible with Traefik Proxy 2.3 or later.
+
+## Connecting to Traefik Pilot
+
+To connect your Traefik proxies to Traefik Pilot, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Traefik Instance**.
+
+To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration, according to the instructions provided by the Traefik Pilot dashboard.
+For more information, consult the [Quick Start Guide](https://doc.traefik.io/traefik-pilot/connecting/)
+
+Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile).
+
+## Plugins
+
+Plugins are available to any Traefik proxies that are connected to Traefik Pilot.
+They are a powerful feature for extending Traefik with custom features and behaviors.
+
+You can browse community-contributed plugins from the catalog in the [Traefik Pilot Dashboard](https://pilot.traefik.io/plugins).
+
+To add a new plugin to a Traefik instance, you must modify that instance's static configuration.
+The code to be added is provided for you when you choose **Install the Plugin** from the Traefik Pilot dashboard.
+To learn more about Traefik plugins, consult the [documentation](https://doc.traefik.io/traefik-pilot/plugins/overview/).
+
+!!! danger "Experimental Features"
+    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
+    Exercise caution when adding new plugins to production Traefik instances.
+
+## Build Your Own Plugins
+
+Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community.
+
+Traefik plugins are loaded dynamically. 
+They need not be compiled, and no complex toolchain is necessary to build them. 
+The experience of implementing a Traefik plugin is comparable to writing a web browser extension.
+
+To learn more and see code for example Traefik plugins, please see the [developer documentation](https://doc.traefik.io/traefik-pilot/plugins/plugin-dev/).

docs/content/plugins/overview.md

@@ -1,38 +0,0 @@
-# Plugins and Traefik Pilot
-
-Overview
-{: .subtitle}
-
-Traefik Pilot is a software-as-a-service (SaaS) platform that connects to Traefik to extend its capabilities.
-It does this through *plugins*, which are dynamically loaded components that enable new features.
-
-For example, Traefik plugins can add features to modify requests or headers, issue redirects, add authentication, and so on, providing similar functionality to Traefik [middlewares](https://docs.traefik.io/middlewares/overview/).
-
-Traefik Pilot can also monitor connected Traefik instances and issue alerts when one is not responding, or when it is subject to security vulnerabilities.
-
-!!! note "Availability"
-    Plugins are available for Traefik v2.3.0-rc1 and later.
-    
-!!! danger "Experimental Features"
-    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
-    Exercise caution when adding new plugins to production Traefik instances.
-
-## Connecting to Traefik Pilot
-
-Plugins are available when a Traefik instance is connected to Traefik Pilot.
-
-To register a new instance and begin working with plugins, login or create an account at the [Traefik Pilot homepage](https://pilot.traefik.io) and choose **Register New Instance**.
-
-To complete the connection, Traefik Pilot will issue a token that must be added to your Traefik static configuration by following the instructions provided.
-
-!!! note "Enabling Alerts" 
-    Health and security alerts for registered Traefik instances can be enabled from the Preferences in your [Traefik Pilot Profile](https://pilot.traefik.io/profile).
-
-## Creating Plugins
-
-Traefik users can create their own plugins and contribute them to the Traefik Pilot catalog to share them with the community.
-
-Plugins are written in [Go](https://golang.org/) and their code is executed by an [embedded Go interpreter](https://github.com/traefik/yaegi).
-There is no need to compile binaries and all plugins are 100% cross-platform.
-
-To learn more and see code for example Traefik plugins, please see the [developer documentation](https://github.com/traefik/plugindemo).

docs/content/plugins/using-plugins.md

@@ -1,122 +0,0 @@
-# Using Plugins
-
-Plugins are available to any instance of Traefik v2.3 or later that is [registered](overview.md#connecting-to-traefik-pilot) with Traefik Pilot.
-Plugins are hosted on GitHub, but you can browse plugins to add to your registered Traefik instances from the Traefik Pilot UI.
-
-!!! danger "Experimental Features"
-    Plugins can potentially modify the behavior of Traefik in unforeseen ways.
-    Exercise caution when adding new plugins to production Traefik instances.
-
-## Add a Plugin
-
-To add a new plugin to a Traefik instance, you must modify that instance's static configuration.
-The code to be added is provided by the Traefik Pilot UI when you choose **Install the Plugin**.
-
-In the example below, we add the [`blockpath`](http://github.com/traefik/plugin-blockpath) and [`rewritebody`](https://github.com/traefik/plugin-rewritebody) plugins:
-
-```toml tab="File (TOML)"
-[entryPoints]
-  [entryPoints.web]
-    address = ":80"
-
-[pilot]
-  token = "xxxxxxxxx"
-
-[experimental.plugins]
-  [experimental.plugins.block]
-    modulename = "github.com/traefik/plugin-blockpath"
-    version = "v0.2.0"
-    
-  [experimental.plugins.rewrite]
-    modulename = "github.com/traefik/plugin-rewritebody"
-    version = "v0.3.0"
-```
-
-```yaml tab="File (YAML)"
-entryPoints:
-  web:
-    address: :80
-
-pilot:
-    token: xxxxxxxxx
-
-experimental:
-  plugins:
-    block:
-      modulename: github.com/traefik/plugin-blockpath
-      version: v0.2.0
-    rewrite:
-      modulename: github.com/traefik/plugin-rewritebody
-      version: v0.3.0
-```
-
-```bash tab="CLI"
---entryPoints.web.address=:80
---pilot.token=xxxxxxxxx
---experimental.plugins.block.modulename=github.com/traefik/plugin-blockpath
---experimental.plugins.block.version=v0.2.0
---experimental.plugins.rewrite.modulename=github.com/traefik/plugin-rewritebody
---experimental.plugins.rewrite.version=v0.3.0
-```
-
-## Configuring Plugins
-
-Some plugins will need to be configured by adding a dynamic configuration.
-For the `bodyrewrite` plugin, for example:
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
-  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: my-rewritebody
-spec:
-  plugin:
-    rewrite:
-      rewrites:
-        - regex: example
-          replacement: test
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
-- "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex": "example",
-  "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement": "test"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].regex=example"
-  - "traefik.http.middlewares.my-rewritebody.plugin.rewrite.rewrites[0].replacement=test"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.my-rewritebody.plugin.rewrite]
-    lastModified = true
-    [[http.middlewares.my-rewritebody.plugin.rewrite.rewrites]]
-      regex = "example"
-      replacement = "test"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    my-rewritebody:
-      plugin:
-        rewrite:
-          rewrites:
-            - regex: example
-              replacement: test
-```

docs/content/providers/consul-catalog.md

@@ -29,7 +29,7 @@ Attach tags to your services and let Traefik do the rest!
     Attaching tags to services
 
     ```yaml
-    - traefik.http.services.my-service.rule=Host(`example.com`)
+    - traefik.http.routers.my-router.rule=Host(`example.com`)
     ```
 
 ## Routing Configuration
@@ -164,12 +164,12 @@ Defines the Consul server endpoint.
 
 #### `address`
 
-_Optional, Default="http://127.0.0.1:8500"_
+_Optional, Default="127.0.0.1:8500"_
 
 ```toml tab="File (TOML)"
 [providers.consulCatalog]
   [providers.consulCatalog.endpoint]
-    address = "http://127.0.0.1:8500"
+    address = "127.0.0.1:8500"
     # ...
 ```
 
@@ -177,12 +177,12 @@ _Optional, Default="http://127.0.0.1:8500"_
 providers:
   consulCatalog:
     endpoint:
-      address: http://127.0.0.1:8500
+      address: 127.0.0.1:8500
     # ...
 ```
 
 ```bash tab="CLI"
---providers.consulcatalog.endpoint.address=http://127.0.0.1:8500
+--providers.consulcatalog.endpoint.address=127.0.0.1:8500
 # ...
 ```
 

docs/content/providers/docker.md

@@ -60,14 +60,17 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
     providers:
       docker:
         # swarm classic (1.12-)
-        # endpoint = "tcp://127.0.0.1:2375"
+        # endpoint: "tcp://127.0.0.1:2375"
         # docker swarm mode (1.12+)
-        endpoint: "tcp://127.0.0.1:2375"
+        endpoint: "tcp://127.0.0.1:2377"
         swarmMode: true
     ```
     
     ```bash tab="CLI"
-    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # swarm classic (1.12-)
+    # --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # docker swarm mode (1.12+)
+    --providers.docker.endpoint=tcp://127.0.0.1:2377
     --providers.docker.swarmMode=true
     ```
 
@@ -95,8 +98,8 @@ See the list of labels in the dedicated [routing](../routing/providers/docker.md
 By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
 
 When using Docker Compose, labels are specified by the directive
-[`labels`](https://docs.docker.com/compose/compose-file/#labels) from the
-["services" objects](https://docs.docker.com/compose/compose-file/#service-configuration-reference).
+[`labels`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels) from the
+["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
 
 !!! tip "Not Only Docker"
     Please note that any tool like Nomad, Terraform, Ansible, etc.
@@ -141,8 +144,8 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
     Accessing the Docker API without any restriction is a security concern:
     If Traefik is attacked, then the attacker might get access to the underlying host.
     {: #security-note }
-    
-    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)):
+
+    As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/#docker-daemon-attack-surface)):
 
     !!! quote
         [...] only **trusted** users should be allowed to control your Docker daemon [...]
@@ -163,7 +166,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
 
     ??? info "More Resources and Examples"
         - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
-        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.containo.us/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
+        - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
         - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
         - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
         - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
@@ -183,9 +186,9 @@ set the [`swarmMode`](#swarmmode) directive to `true`.
 While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
 
 Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
-[`deploy`](https://docs.docker.com/compose/compose-file/#labels-1) part of your service.
+[`deploy`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1) part of your service.
 
-This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file)).
+This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/)).
 
 ### Port Detection
 
@@ -261,7 +264,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
 
     services:
       traefik:
-         image: traefik:v2.3 # The official v2 Traefik docker image
+         image: traefik:v2.4 # The official v2 Traefik docker image
          ports:
            - "80:80"
          volumes:
@@ -491,6 +494,30 @@ providers:
 
 Defines the polling interval (in seconds) in Swarm Mode.
 
+### `httpClientTimeout`
+
+_Optional, Default=0_
+
+```toml tab="File (TOML)"
+[providers.docker]
+  httpClientTimeout = 300
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    httpClientTimeout: 300
+    # ...
+```
+
+```bash tab="CLI"
+--providers.docker.httpClientTimeout=300
+# ...
+```
+
+Defines the client timeout (in seconds) for HTTP connections. If zero, no timeout is set.
+
 ### `watch`
 
 _Optional, Default=true_

docs/content/providers/ecs.md

@@ -13,18 +13,15 @@ Attach labels to your ECS containers and let Traefik do the rest!
     
     ```toml tab="File (TOML)"
     [providers.ecs]
-      clusters = ["default"]
     ```
     
     ```yaml tab="File (YAML)"
     providers:
-      ecs:
-        clusters:
-          - default
+      ecs: {}
     ```
     
     ```bash tab="CLI"
-    --providers.ecs.clusters=default
+    --providers.ecs=true
     ```
 
 ## Policy
@@ -90,7 +87,7 @@ _Optional, Default=["default"]_
 
 ```toml tab="File (TOML)"
 [providers.ecs]
-  cluster = ["default"]
+  clusters = ["default"]
   # ...
 ```
 

docs/content/providers/kubernetes-crd.md

@@ -53,11 +53,11 @@ For this reason, users can run multiple instances of Traefik at the same time to
 
 When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
 
-If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
 
-If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+If you want to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
 When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
@@ -78,7 +78,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
     # ...
 ```
 
@@ -112,7 +112,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    token = "mytoken"
+    token: "mytoken"
     # ...
 ```
 
@@ -177,26 +177,32 @@ _Optional,Default: empty (process all resources)_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  labelselector = "A and not B"
+  labelselector = "app=traefik"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    labelselector: "A and not B"
+    labelselector: "app=traefik"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.labelselector="A and not B"
+--providers.kubernetescrd.labelselector="app=traefik"
 ```
 
 By default, Traefik processes all resource objects in the configured namespaces.
-A label selector can be defined to filter on specific resource objects only.
+A label selector can be defined to filter on specific resource objects only,
+this will apply only on Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
+and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
 
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
+!!! warning
+
+    As the LabelSelector is applied to all Traefik Custom Resources, they all must match the filter. 
+
 ### `ingressClass`
 
 _Optional, Default: empty_
@@ -244,6 +250,34 @@ providers:
 --providers.kubernetescrd.throttleDuration=10s
 ```
 
+### `allowCrossNamespace`
+
+_Optional, Default: true_
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowCrossNamespace = false
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    allowCrossNamespace: false
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.allowCrossNamespace=false
+```
+
+If the parameter is set to `false`, an IngressRoute will not be able to reference any resources
+in another namespace than the IngressRoute namespace.
+
+!!! warning "Deprecation"
+    
+    Please notice that the default value for this option will be set to `false` in a future version.
+
 ## Further
 
 Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

docs/content/providers/kubernetes-gateway.md

@@ -0,0 +1,252 @@
+# Traefik & Kubernetes with Gateway API
+
+The Kubernetes Gateway API, The Experimental Way.
+{: .subtitle }
+
+Gateway API is the evolution of Kubernetes APIs that relate to `Services`, e.g. `Ingress`.
+The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
+
+The Kubernetes Gateway provider is a Traefik implementation of the [service apis](https://github.com/kubernetes-sigs/service-apis)
+specifications from the Kubernetes SIGs.   
+
+This provider is proposed as an experimental feature and partially supports the service apis [v0.1.0](https://github.com/kubernetes-sigs/service-apis/releases/tag/v0.1.0) specification. 
+
+!!! warning "Enabling The Experimental Kubernetes Gateway Provider"
+    
+    As this provider is in experimental stage, it needs to be activated in the experimental section of the static configuration. 
+    
+    ```toml tab="File (TOML)"
+    [experimental]
+      kubernetesGateway = true
+    
+    [providers.kubernetesGateway]
+    #...
+    ```
+    
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesGateway: true
+    
+    providers:
+      kubernetesGateway: {}
+      #...
+    ```
+    
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
+    ```
+
+## Configuration Requirements
+
+!!! tip "All Steps for a Successful Deployment"
+  
+    * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
+    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources.
+    * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).
+
+## Examples
+
+??? example "Kubernetes Gateway Provider Basic Example"
+
+    ```yaml tab="Gateway API"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml"
+    ```
+
+    ```yaml tab="Whoami Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml"
+    ```
+    
+    ```yaml tab="Traefik Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml"
+    ```
+    
+    ```yaml tab="Gateway API CRDs"
+    # All resources definition must be declared
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
+    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
+    ```
+
+    ```yaml tab="RBAC"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
+    ```
+    
+The Kubernetes Service APIs provides several [guides](https://kubernetes-sigs.github.io/service-apis/guides/) of how to use their API.
+Those guides will help you to go further than the example above.
+The [getting started](https://kubernetes-sigs.github.io/service-apis/getting-started/) show you how to install the CRDs from their repository.
+Thus, keep in mind that the Traefik Gateway provider only supports the `v0.1.0`.
+
+For now, the Traefik Gateway Provider could be used to achieve the following set-up guides:
+
+* [Simple Gateway](https://kubernetes-sigs.github.io/service-apis/simple-gateway/)
+* [HTTP routing](https://kubernetes-sigs.github.io/service-apis/http-routing/)
+* [TLS](https://kubernetes-sigs.github.io/service-apis/tls/) (Partial support: only on listeners with terminate mode)
+
+## Resource Configuration
+
+When using Kubernetes Gateway API as a provider,
+Traefik uses Kubernetes 
+[Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+to retrieve its routing configuration.
+
+All concepts can be found in the official API concepts [documentation](https://kubernetes-sigs.github.io/service-apis/api-overview/).
+Traefik implements the following resources:
+
+* `GatewayClass` defines a set of Gateways that share a common configuration and behaviour.
+* `Gateway` describes how traffic can be translated to Services within the cluster.
+* `HTTPRoute` define HTTP rules for mapping requests from a Gateway to Kubernetes Services.
+
+## Provider Configuration 
+
+### `endpoint`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  endpoint = "http://localhost:8080"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    endpoint: "http://localhost:8080"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.endpoint=http://localhost:8080
+```
+
+The Kubernetes server endpoint as URL.
+
+When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
+
+The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+Both are mounted automatically when deployed inside Kubernetes.
+
+The endpoint may be specified to override the environment variable values inside a cluster.
+
+When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
+In this case, the endpoint is required.
+Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
+
+### `token`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  token = "mytoken"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    token: "mytoken"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.token=mytoken
+```
+
+Bearer token used for the Kubernetes client configuration.
+
+### `certAuthFilePath`
+
+_Optional, Default=empty_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  certAuthFilePath = "/my/ca.crt"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    certAuthFilePath: "/my/ca.crt"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.certauthfilepath=/my/ca.crt
+```
+
+Path to the certificate authority file.
+Used for the Kubernetes client configuration.
+
+### `namespaces`
+
+_Optional, Default: all namespaces (empty array)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  namespaces = ["default", "production"]
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    namespaces:
+    - "default"
+    - "production"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.namespaces=default,production
+```
+
+Array of namespaces to watch.
+
+### `labelselector`
+
+_Optional, Default: empty (process all resources)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  labelselector = "app=traefik"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    labelselector: "app=traefik"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.labelselector="app=traefik"
+```
+
+By default, Traefik processes all resource objects in the configured namespaces.
+A label selector can be defined to filter on specific GatewayClass objects only.
+
+See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
+
+### `throttleDuration`
+
+_Optional, Default: 0 (no throttling)_
+
+```toml tab="File (TOML)"
+[providers.kubernetesGateway]
+  throttleDuration = "10s"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesGateway:
+    throttleDuration: "10s"
+    # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesgateway.throttleDuration=10s
+```

docs/content/providers/kubernetes-ingress.md

@@ -4,7 +4,7 @@ The Kubernetes Ingress Controller.
 {: .subtitle }
 
 The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
-it manages access to a cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
+it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
 
 ## Routing Configuration
 
@@ -65,11 +65,11 @@ When using a single instance of Traefik with LetsEncrypt, no issues should be en
 however this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled,
 because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this,
+Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
 but due to sub-optimal performance was dropped as a feature in 2.0.
 
 If you require LetsEncrypt with HA in a kubernetes environment,
-we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
+we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature.
 
 If you are wanting to continue to run Traefik Community Edition,
 LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
@@ -91,7 +91,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
-    endpoint = "http://localhost:8080"
+    endpoint: "http://localhost:8080"
     # ...
 ```
 
@@ -124,7 +124,7 @@ _Optional, Default=empty_
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
-    token = "mytoken"
+    token: "mytoken"
     # ...
 ```
 
@@ -158,29 +158,6 @@ providers:
 Path to the certificate authority file.
 Used for the Kubernetes client configuration.
 
-### `disablePassHostHeaders`
-
-_Optional, Default=false_
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-  disablePassHostHeaders = true
-  # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
-  kubernetesIngress:
-    disablePassHostHeaders: true
-    # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.disablepasshostheaders=true
-```
-
-Whether to disable PassHost Headers.
-
 ### `namespaces`
 
 _Optional, Default: all namespaces (empty array)_
@@ -212,23 +189,23 @@ _Optional,Default: empty (process all Ingresses)_
 
 ```toml tab="File (TOML)"
 [providers.kubernetesIngress]
-  labelSelector = "A and not B"
+  labelSelector = "app=traefik"
   # ...
 ```
 
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
-    labelselector: "A and not B"
+    labelselector: "app=traefik"
     # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetesingress.labelselector="A and not B"
+--providers.kubernetesingress.labelselector="app=traefik"
 ```
 
-By default, Traefik processes all Ingress objects in the configured namespaces.
-A label selector can be defined to filter on specific Ingress objects only.
+By default, Traefik processes all `Ingress` objects in the configured namespaces.
+A label selector can be defined to filter on specific `Ingress` objects only.
 
 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
 
@@ -391,4 +368,4 @@ providers:
 ### Further
 
 If one wants to know more about the various aspects of the Ingress spec that Traefik supports,
-many examples of Ingresses definitions are located in the tests [data](https://github.com/traefik/traefik/tree/v2.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the tests [data](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

docs/content/providers/overview.md

@@ -22,6 +22,106 @@ Even if each provider is different, we can categorize them in four groups:
 - Annotation based (a separate object, with annotations, defines the characteristics of the container)
 - File based (the good old configuration file)
 
+## Provider Namespace
+
+When you declare certain objects, in Traefik dynamic configuration,
+such as middleware, service, TLS options or servers transport, they live in its provider's namespace.
+For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace.
+
+If you use multiple providers and wish to reference such an object declared in another provider 
+(aka referencing a cross-provider object, e.g. middleware), then you'll have to append the `@` separator, 
+followed by the provider name to the object name.
+
+```text
+<resource-name>@<provider-name>
+```
+
+!!! important "Kubernetes Namespace"
+
+    As Kubernetes also has its own notion of namespace,
+    one should not confuse the "provider namespace" with the "kubernetes namespace" of a resource when in the context of a cross-provider usage.  
+    In this case, since the definition of a traefik dynamic configuration object is not in kubernetes,
+    specifying a "kubernetes namespace" when referring to the resource does not make any sense,
+    and therefore this specification would be ignored even if present.  
+    On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects,
+    you'll have to add the Kubernetes namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
+
+!!! abstract "Referencing a Traefik dynamic configuration object from Another Provider"
+
+    Declaring the add-foo-prefix in the file provider.
+
+    ```toml tab="File (TOML)"
+    [http.middlewares]
+      [http.middlewares.add-foo-prefix.addPrefix]
+        prefix = "/foo"
+    ```
+    
+    ```yaml tab="File (YAML)"
+    http:
+      middlewares:
+        add-foo-prefix:
+          addPrefix:
+            prefix: "/foo"
+    ```
+
+    Using the add-foo-prefix middleware from other providers:
+
+    ```yaml tab="Docker"
+    your-container: #
+      image: your-docker-image
+
+      labels:
+        # Attach add-foo-prefix@file middleware (declared in file)
+        - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
+    ```
+
+    ```yaml tab="Kubernetes Ingress Route"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: ingressroutestripprefix
+
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - match: Host(`example.com`)
+          kind: Rule
+          services:
+            - name: whoami
+              port: 80
+          middlewares:
+            - name: add-foo-prefix@file
+            # namespace: bar
+            # A namespace specification such as above is ignored
+            # when the cross-provider syntax is used.
+    ```
+    
+    ```yaml tab="Kubernetes Ingress"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: Middleware
+    metadata:
+      name: stripprefix
+      namespace: appspace
+    spec:
+      stripPrefix:
+        prefixes:
+          - /stripit
+    
+    ---
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
+    metadata:
+      name: ingress
+      namespace: appspace
+      annotations:
+        # referencing a middleware from Kubernetes CRD provider: 
+        # <middleware-namespace>-<middleware-name>@kubernetescrd
+        "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd
+    spec:
+      # ... regular ingress definition
+    ```
+
 ## Supported Providers 
 
 Below is the list of the currently supported providers in Traefik. 
@@ -31,19 +131,20 @@ Below is the list of the currently supported providers in Traefik.
 | [Docker](./docker.md)                 | Orchestrator | Label                      |
 | [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
 | [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
+| [ECS](./ecs.md)                       | Orchestrator | Label                      |
 | [Marathon](./marathon.md)             | Orchestrator | Label                      |
 | [Rancher](./rancher.md)               | Orchestrator | Label                      |
 | [File](./file.md)                     | Manual       | TOML/YAML format           |
 | [Consul](./consul.md)                 | KV           | KV                         |
 | [Etcd](./etcd.md)                     | KV           | KV                         |
-| [Redis](./redis.md)                   | KV           | KV                         |
 | [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
+| [Redis](./redis.md)                   | KV           | KV                         |
 | [HTTP](./http.md)                     | Manual       | JSON format                |
 
 !!! info "More Providers"
 
     The current version of Traefik doesn't support (yet) every provider.
-    See the [previous version (v1.7)](https://docs.traefik.io/v1.7/) for more providers.
+    See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
 
 ### Configuration reload frequency
 

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -24,6 +24,8 @@
 - "traefik.http.middlewares.middleware08.errors.status=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.address=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders=foobar, foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
+- "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
@@ -35,6 +37,7 @@
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist=foobar, foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlistregex=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
 - "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
@@ -109,6 +112,7 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.regex=foobar"
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
+- "traefik.http.middlewares.middleware20.retry.initialinterval=42"
 - "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
@@ -155,6 +159,7 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.serverstransport=foobar"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.rule=foobar"
 - "traefik.tcp.routers.tcprouter0.service=foobar"
@@ -179,6 +184,7 @@
 - "traefik.tcp.routers.tcprouter1.tls.passthrough=true"
 - "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay=42"
 - "traefik.tcp.services.tcpservice01.loadbalancer.server.port=foobar"
+- "traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version=42"
 - "traefik.udp.routers.udprouter0.entrypoints=foobar, foobar"
 - "traefik.udp.routers.udprouter0.service=foobar"
 - "traefik.udp.routers.udprouter1.entrypoints=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -38,6 +38,7 @@
     [http.services.Service01]
       [http.services.Service01.loadBalancer]
         passHostHeader = true
+        serversTransport = "foobar"
         [http.services.Service01.loadBalancer.sticky]
           [http.services.Service01.loadBalancer.sticky.cookie]
             name = "foobar"
@@ -138,6 +139,8 @@
         address = "foobar"
         trustForwardHeader = true
         authResponseHeaders = ["foobar", "foobar"]
+        authResponseHeadersRegex = "foobar"
+        authRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware09.forwardAuth.tls]
           ca = "foobar"
           caOptional = true
@@ -151,6 +154,7 @@
         accessControlAllowMethods = ["foobar", "foobar"]
         accessControlAllowOrigin = "foobar"
         accessControlAllowOriginList = ["foobar", "foobar"]
+        accessControlAllowOriginListRegex = ["foobar", "foobar"]
         accessControlExposeHeaders = ["foobar", "foobar"]
         accessControlMaxAge = 42
         addVaryHeader = true
@@ -257,6 +261,7 @@
     [http.middlewares.Middleware20]
       [http.middlewares.Middleware20.retry]
         attempts = 42
+        initialInterval = 42
     [http.middlewares.Middleware21]
       [http.middlewares.Middleware21.stripPrefix]
         prefixes = ["foobar", "foobar"]
@@ -264,6 +269,41 @@
     [http.middlewares.Middleware22]
       [http.middlewares.Middleware22.stripPrefixRegex]
         regex = ["foobar", "foobar"]
+  [http.serversTransports]
+    [http.serversTransports.ServersTransport0]
+      serverName = "foobar"
+      insecureSkipVerify = true
+      rootCAs = ["foobar", "foobar"]
+      maxIdleConnsPerHost = 42
+
+      [[http.serversTransports.ServersTransport0.certificates]]
+        certFile = "foobar"
+        keyFile = "foobar"
+
+      [[http.serversTransports.ServersTransport0.certificates]]
+        certFile = "foobar"
+        keyFile = "foobar"
+      [http.serversTransports.ServersTransport0.forwardingTimeouts]
+        dialTimeout = "42s"
+        responseHeaderTimeout = "42s"
+        idleConnTimeout = "42s"
+    [http.serversTransports.ServersTransport1]
+      serverName = "foobar"
+      insecureSkipVerify = true
+      rootCAs = ["foobar", "foobar"]
+      maxIdleConnsPerHost = 42
+
+      [[http.serversTransports.ServersTransport1.certificates]]
+        certFile = "foobar"
+        keyFile = "foobar"
+
+      [[http.serversTransports.ServersTransport1.certificates]]
+        certFile = "foobar"
+        keyFile = "foobar"
+      [http.serversTransports.ServersTransport1.forwardingTimeouts]
+        dialTimeout = "42s"
+        responseHeaderTimeout = "42s"
+        idleConnTimeout = "42s"
 
 [tcp]
   [tcp.routers]
@@ -303,6 +343,8 @@
     [tcp.services.TCPService01]
       [tcp.services.TCPService01.loadBalancer]
         terminationDelay = 42
+        [tcp.services.TCPService01.loadBalancer.proxyProtocol]
+          version = 42
 
         [[tcp.services.TCPService01.loadBalancer.servers]]
           address = "foobar"

docs/content/reference/dynamic-configuration/file.yaml

@@ -70,6 +70,7 @@ http:
         passHostHeader: true
         responseForwarding:
           flushInterval: foobar
+        serversTransport: foobar
     Service02:
       mirroring:
         service: foobar
@@ -157,6 +158,10 @@ http:
         authResponseHeaders:
         - foobar
         - foobar
+        authResponseHeadersRegex: foobar
+        authRequestHeaders:
+        - foobar
+        - foobar
     Middleware10:
       headers:
         customRequestHeaders:
@@ -176,6 +181,9 @@ http:
         accessControlAllowOriginList:
         - foobar
         - foobar
+        accessControlAllowOriginListRegex:
+        - foobar
+        - foobar
         accessControlExposeHeaders:
         - foobar
         - foobar
@@ -256,7 +264,7 @@ http:
     Middleware14:
       plugin:
         PluginConf:
-          foo = "bar"
+          foo: bar
     Middleware15:
       rateLimit:
         average: 42
@@ -290,6 +298,7 @@ http:
     Middleware20:
       retry:
         attempts: 42
+        initialInterval: 42
     Middleware21:
       stripPrefix:
         prefixes:
@@ -301,6 +310,39 @@ http:
         regex:
         - foobar
         - foobar
+  serversTransports:
+    ServersTransport0:
+      serverName: foobar
+      insecureSkipVerify: true
+      rootCAs:
+      - foobar
+      - foobar
+      certificates:
+      - certFile: foobar
+        keyFile: foobar
+      - certFile: foobar
+        keyFile: foobar
+      maxIdleConnsPerHost: 42
+      forwardingTimeouts:
+        dialTimeout: 42s
+        responseHeaderTimeout: 42s
+        idleConnTimeout: 42s
+    ServersTransport1:
+      serverName: foobar
+      insecureSkipVerify: true
+      rootCAs:
+      - foobar
+      - foobar
+      certificates:
+      - certFile: foobar
+        keyFile: foobar
+      - certFile: foobar
+        keyFile: foobar
+      maxIdleConnsPerHost: 42
+      forwardingTimeouts:
+        dialTimeout: 42s
+        responseHeaderTimeout: 42s
+        idleConnTimeout: 42s
 tcp:
   routers:
     TCPRouter0:
@@ -345,6 +387,8 @@ tcp:
     TCPService01:
       loadBalancer:
         terminationDelay: 42
+        proxyProtocol:
+          version: 42
         servers:
         - address: foobar
         - address: foobar

docs/content/reference/dynamic-configuration/kubernetes-crd-definition.yml

@@ -101,3 +101,18 @@ spec:
     plural: traefikservices
     singular: traefikservice
   scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: serverstransports.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: ServersTransport
+    plural: serverstransports
+    singular: serverstransport
+  scope: Namespaced

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -40,6 +40,7 @@ rules:
       - ingressrouteudps
       - tlsoptions
       - tlsstores
+      - serverstransports
     verbs:
       - get
       - list

docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml

@@ -96,6 +96,7 @@ spec:
           strategy: RoundRobin
         - name: s2
           port: 433
+          serversTransport: mytransport
     - match: PathPrefix(`/misc`)
       services:
         - name: s3
@@ -186,3 +187,25 @@ spec:
     clientAuthType: foobar
   sniStrict: true
   preferServerCipherSuites: true
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+  serverName: foobar
+  insecureSkipVerify: true
+  rootCAsSecrets:
+    - foobar
+    - foobar
+  certificatesSecrets:
+    - foobar
+    - foobar
+  maxIdleConnsPerHost: 1
+  forwardingTimeouts:
+    dialTimeout: 42s
+    responseHeaderTimeout: 42s
+    idleConnTimeout: 42s

docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml

@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gateway-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.x-k8s.io
+    resources:
+      - gatewayclasses
+      - gateways
+      - httproutes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.x-k8s.io
+    resources:
+      - gatewayclasses/status
+      - gateways/status
+      - httproutes/status
+    verbs:
+      - update
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: gateway-controller
+
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: gateway-role
+subjects:
+  - kind: ServiceAccount
+    name: traefik-controller
+    namespace: default

docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml

@@ -0,0 +1,46 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-http.yml

@@ -0,0 +1,47 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          matchLabels:
+            app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "whoami"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml

@@ -0,0 +1,48 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:
+    - protocol: HTTPS
+      port: 443
+      tls:
+        certificateRef:
+          group: "core"
+          kind: "Secret"
+          name: "mysecret"
+      routes:
+        kind: HTTPRoute
+        selector:
+          matchLabels:
+            app: foo
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "whoami"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /foo
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml

@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: traefik-controller
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: traefik
+
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-lb
+  template:
+    metadata:
+      labels:
+        app: traefik-lb
+    spec:
+      serviceAccountName: traefik-controller
+      containers:
+        - name: traefik
+          image: traefik/traefik:latest
+          imagePullPolicy: IfNotPresent
+          args:
+            - --entrypoints.web.address=:80
+            - --entrypoints.websecure.address=:443
+            - --experimental.kubernetesgateway
+            - --providers.kubernetesgateway
+          ports:
+            - name: web
+              containerPort: 80
+            - name: websecure
+              containerPort: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik
+spec:
+  selector:
+    app: traefik-lb
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: web
+      name: web
+    - protocol: TCP
+      port: 443
+      targetPort: websecure
+      name: websecure
+  type: LoadBalancer

docs/content/reference/dynamic-configuration/kubernetes-gateway.md

@@ -0,0 +1,24 @@
+# Kubernetes Configuration Reference
+
+Dynamic configuration with Kubernetes Gateway provider.
+{: .subtitle }
+
+## Definitions
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
+--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
+--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
+```
+
+## Resources
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-gateway-resource.yml"
+```
+
+## RBAC
+
+```yaml
+--8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
+```

docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml

@@ -0,0 +1,32 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: whoami
+
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - name: whoami
+          image: traefik/whoami
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+
+spec:
+  ports:
+    - protocol: TCP
+      port: 80
+  selector:
+    app: whoami

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -27,8 +27,11 @@
 | `traefik/http/middlewares/Middleware08/errors/status/0` | `foobar` |
 | `traefik/http/middlewares/Middleware08/errors/status/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/address` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/authRequestHeaders/0` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/authRequestHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
+| `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
@@ -43,6 +46,8 @@
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowOrigin` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/1` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginListRegex/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginListRegex/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlMaxAge` | `42` |
@@ -124,6 +129,7 @@
 | `traefik/http/middlewares/Middleware19/replacePathRegex/regex` | `foobar` |
 | `traefik/http/middlewares/Middleware19/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware20/retry/attempts` | `42` |
+| `traefik/http/middlewares/Middleware20/retry/initialInterval` | `42` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
@@ -159,6 +165,30 @@
 | `traefik/http/routers/Router1/tls/domains/1/sans/0` | `foobar` |
 | `traefik/http/routers/Router1/tls/domains/1/sans/1` | `foobar` |
 | `traefik/http/routers/Router1/tls/options` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/certificates/0/certFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/certificates/0/keyFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/certificates/1/certFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/certificates/1/keyFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/dialTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/idleConnTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/responseHeaderTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport0/insecureSkipVerify` | `true` |
+| `traefik/http/serversTransports/ServersTransport0/maxIdleConnsPerHost` | `42` |
+| `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/certificates/0/certFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/certificates/1/certFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/certificates/1/keyFile` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/dialTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/idleConnTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/responseHeaderTimeout` | `42s` |
+| `traefik/http/serversTransports/ServersTransport1/insecureSkipVerify` | `true` |
+| `traefik/http/serversTransports/ServersTransport1/maxIdleConnsPerHost` | `42` |
+| `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/followRedirects` | `true` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name0` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name1` | `foobar` |
@@ -172,6 +202,7 @@
 | `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/servers/0/url` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/servers/1/url` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/serversTransport` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service01/loadBalancer/sticky/cookie/name` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/sticky/cookie/sameSite` | `foobar` |
@@ -216,6 +247,7 @@
 | `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/tls/options` | `foobar` |
 | `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
+| `traefik/tcp/services/TCPService01/loadBalancer/proxyProtocol/version` | `42` |
 | `traefik/tcp/services/TCPService01/loadBalancer/servers/0/address` | `foobar` |
 | `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
 | `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -24,6 +24,8 @@
 "traefik.http.middlewares.middleware08.errors.status": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.address": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
+"traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex": "foobar",
+"traefik.http.middlewares.middleware09.forwardauth.authrequestheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
@@ -35,6 +37,7 @@
 "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist": "foobar, foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlistregex": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
 "traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
@@ -109,6 +112,7 @@
 "traefik.http.middlewares.middleware19.replacepathregex.regex": "foobar",
 "traefik.http.middlewares.middleware19.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware20.retry.attempts": "42",
+"traefik.http.middlewares.middleware20.retry.initialinterval": "42",
 "traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
@@ -117,6 +121,7 @@
 "traefik.http.routers.router0.priority": "42",
 "traefik.http.routers.router0.rule": "foobar",
 "traefik.http.routers.router0.service": "foobar",
+"traefik.http.routers.router0.tls": "true",
 "traefik.http.routers.router0.tls.certresolver": "foobar",
 "traefik.http.routers.router0.tls.domains[0].main": "foobar",
 "traefik.http.routers.router0.tls.domains[0].sans": "foobar, foobar",
@@ -128,6 +133,7 @@
 "traefik.http.routers.router1.priority": "42",
 "traefik.http.routers.router1.rule": "foobar",
 "traefik.http.routers.router1.service": "foobar",
+"traefik.http.routers.router1.tls": "true",
 "traefik.http.routers.router1.tls.certresolver": "foobar",
 "traefik.http.routers.router1.tls.domains[0].main": "foobar",
 "traefik.http.routers.router1.tls.domains[0].sans": "foobar, foobar",
@@ -153,9 +159,11 @@
 "traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
 "traefik.http.services.service01.loadbalancer.server.port": "foobar",
 "traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
+"traefik.http.services.service01.loadbalancer.serverstransport": "foobar",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.rule": "foobar",
 "traefik.tcp.routers.tcprouter0.service": "foobar",
+"traefik.tcp.routers.tcprouter0.tls": "true",
 "traefik.tcp.routers.tcprouter0.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter0.tls.domains[0].sans": "foobar, foobar",
@@ -166,6 +174,7 @@
 "traefik.tcp.routers.tcprouter1.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter1.rule": "foobar",
 "traefik.tcp.routers.tcprouter1.service": "foobar",
+"traefik.tcp.routers.tcprouter1.tls": "true",
 "traefik.tcp.routers.tcprouter1.tls.certresolver": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].main": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.domains[0].sans": "foobar, foobar",
@@ -174,6 +183,7 @@
 "traefik.tcp.routers.tcprouter1.tls.options": "foobar",
 "traefik.tcp.routers.tcprouter1.tls.passthrough": "true",
 "traefik.tcp.services.tcpservice01.loadbalancer.terminationdelay": "42",
+"traefik.tcp.services.tcpservice01.loadbalancer.proxyprotocol.version": "42",
 "traefik.tcp.services.tcpservice01.loadbalancer.server.port": "foobar",
 "traefik.udp.routers.udprouter0.entrypoints": "foobar, foobar",
 "traefik.udp.routers.udprouter0.service": "foobar",

docs/content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml

@@ -0,0 +1,146 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: gatewayclasses.networking.x-k8s.io
+spec:
+  group: networking.x-k8s.io
+  names:
+    kind: GatewayClass
+    listKind: GatewayClassList
+    plural: gatewayclasses
+    shortNames:
+    - gc
+    singular: gatewayclass
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.controller
+      name: Controller
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n GatewayClass is a Cluster level resource. \n Support: Core."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec for this GatewayClass.
+            properties:
+              controller:
+                description: "Controller is a domain/path string that indicates the controller that is managing Gateways of this class. \n Example: \"acme.io/gateway-controller\". \n This field is not mutable and cannot be empty. \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Support: Core"
+                maxLength: 253
+                type: string
+              parametersRef:
+                description: "ParametersRef is a controller-specific resource containing the configuration parameters corresponding to this class. This is optional if the controller does not require any additional configuration. \n Parameters resources are implementation specific custom resources. These resources must be cluster-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Custom"
+                properties:
+                  group:
+                    description: Group is the group of the referent.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  kind:
+                    description: Kind is kind of the referent.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  name:
+                    description: Name is the name of the referent.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - controller
+            type: object
+          status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: Waiting
+                status: Unknown
+                type: InvalidParameters
+            description: Status of the GatewayClass.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Waiting
+                  status: "False"
+                  type: Admitted
+                description: Conditions is the current status from the controller for this GatewayClass.
+                items:
+                  description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

docs/content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml

@@ -0,0 +1,414 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: gateways.networking.x-k8s.io
+spec:
+  group: networking.x-k8s.io
+  names:
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    shortNames:
+    - gtw
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.gatewayClassName
+      name: Class
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: "Gateway represents an instantiation of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. \n Implementations should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer on the associated GatewayClass whenever Gateway(s) is running. This ensures that a GatewayClass associated with a Gateway(s) is not deleted while in use."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: "GatewaySpec defines the desired state of Gateway. \n Not all possible combinations of options specified in the Spec are valid. Some invalid configurations can be caught synchronously via a webhook, but there are many cases that will require asynchronous signaling via the GatewayStatus block."
+            properties:
+              addresses:
+                description: "Addresses requested for this gateway. This is optional and behavior can depend on the GatewayClass. If a value is set in the spec and the requested address is invalid, the GatewayClass MUST indicate this in the associated entry in GatewayStatus.Addresses. \n If no Addresses are specified, the GatewayClass may schedule the Gateway in an implementation-defined manner, assigning an appropriate set of Addresses. \n The GatewayClass MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway. \n Support: Core"
+                items:
+                  description: GatewayAddress describes an address that can be bound to a Gateway.
+                  properties:
+                    type:
+                      default: IPAddress
+                      description: "Type of the Address. This is either \"IPAddress\" or \"NamedAddress\". \n Support: Extended"
+                      enum:
+                      - IPAddress
+                      - NamedAddress
+                      type: string
+                    value:
+                      description: 'Value. Examples: "1.2.3.4", "128::1", "my-ip-address". Validity of the values will depend on `Type` and support by the controller.'
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - value
+                  type: object
+                maxItems: 16
+                type: array
+              gatewayClassName:
+                description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.
+                maxLength: 253
+                minLength: 1
+                type: string
+              listeners:
+                description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\"    Protocol or each Listener within the group specifies either    the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique    within the group. \n 3. As a special case, one Listener within a group may omit Hostname,    in which case this Listener matches when no other Listener    matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core"
+                items:
+                  description: Listener embodies the concept of a logical endpoint where a Gateway can accept network connections. Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. This will be enforced by a validating webhook.
+                  properties:
+                    hostname:
+                      description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified or \"*\", all hostnames are matched. This field can be omitted for protocols that don't require hostname based matching. \n Hostname is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: \n 1. IP literals are not allowed. 2. The `:` delimiter is not respected because ports are not allowed. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.example.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. \n Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    port:
+                      description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core"
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: "Protocol specifies the network protocol this listener expects to receive. The GatewayClass MUST apply the Hostname match appropriately for each protocol: \n * For the \"TLS\" protocol, the Hostname match MUST be   applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)   server name offered by the client. * For the \"HTTP\" protocol, the Hostname match MUST be   applied to the host portion of the   [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)   or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3) * For the \"HTTPS\" protocol, the Hostname match MUST be   applied at both the TLS and HTTP protocol layers. \n Support: Core"
+                      type: string
+                    routes:
+                      description: "Routes specifies a schema for associating routes with the Listener using selectors. A Route is a resource capable of servicing a request and allows a cluster operator to expose a cluster resource (i.e. Service) by externally-reachable URL, load-balance traffic and terminate SSL/TLS.  Typically, a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\", however, an implementation may support other types of resources. \n The Routes selector MUST select a set of objects that are compatible with the application protocol specified in the Protocol field. \n Although a client request may technically match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match. For example, the most specific HTTPRoute match   is determined by the longest matching combination of hostname and path. * The oldest Route based on creation timestamp. For example, a Route with   a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over   a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in   alphabetical order (namespace/name) should be given precedence. For   example, foo/bar is given precedence over foo/baz. \n All valid portions of a Route selected by this field should be supported. Invalid portions of a Route can be ignored (sometimes that will mean the full Route). If a portion of a Route transitions from valid to invalid, support for that portion of the Route should be dropped to ensure consistency. For example, even if a filter specified by a Route is invalid, the rest of the Route should still be supported. \n Support: Core"
+                      properties:
+                        group:
+                          default: networking.x-k8s.io
+                          description: "Group is the group of the route resource to select. Omitting the value or specifying the empty string indicates the networking.x-k8s.io API group. For example, use the following to select an HTTPRoute: \n routes:   kind: HTTPRoute \n Otherwise, if an alternative API group is desired, specify the desired group: \n routes:   group: acme.io   kind: FooRoute \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        kind:
+                          description: "Kind is the kind of the route resource to select. \n Kind MUST correspond to kinds of routes that are compatible with the application protocol specified in the Listener's Protocol field. \n If an implementation does not support or recognize this resource type, it SHOULD raise a \"ConditionInvalidRoutes\" condition for the affected Listener. \n Support: Core"
+                          type: string
+                        namespaces:
+                          default:
+                            from: Same
+                          description: "Namespaces indicates in which namespaces Routes should be selected for this Gateway. This is restricted to the namespace of this Gateway by default. \n Support: Core"
+                          properties:
+                            from:
+                              description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by   this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core"
+                              enum:
+                              - All
+                              - Selector
+                              - Same
+                              type: string
+                            selector:
+                              description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core"
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the selector applies to.
+                                        type: string
+                                      operator:
+                                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                  type: object
+                              type: object
+                          type: object
+                        selector:
+                          description: "Selector specifies a set of route labels used for selecting routes to associate with the Gateway. If RouteSelector is defined, only routes matching the RouteSelector are associated with the Gateway. An empty RouteSelector matches all routes. \n Support: Core"
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                              items:
+                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector applies to.
+                                    type: string
+                                  operator:
+                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                      required:
+                      - kind
+                      type: object
+                    tls:
+                      description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\" and ignored otherwise. \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core"
+                      properties:
+                        certificateRef:
+                          description: 'CertificateRef is the reference to Kubernetes object that contain a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this GatewayTLSConfig is associated with. If an entry in this list omits or specifies the empty string for both the group and the resource, the resource defaults to "secrets". An implementation may support other resources (for example, resource "mycertificates" in group "networking.acme.io"). Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)'
+                          properties:
+                            group:
+                              description: Group is the group of the referent.
+                              maxLength: 253
+                              minLength: 1
+                              type: string
+                            kind:
+                              description: Kind is kind of the referent.
+                              maxLength: 253
+                              minLength: 1
+                              type: string
+                            name:
+                              description: Name is the name of the referent.
+                              maxLength: 253
+                              minLength: 1
+                              type: string
+                          required:
+                          - group
+                          - kind
+                          - name
+                          type: object
+                        mode:
+                          description: 'Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: - Terminate: The TLS session between the downstream client   and the Gateway is terminated at the Gateway. - Passthrough: The TLS session is NOT terminated by the Gateway. This   implies that the Gateway can''t decipher the TLS stream except for   the ClientHello message of the TLS protocol.   CertificateRef field is ignored in this mode.'
+                          enum:
+                          - Terminate
+                          - Passthrough
+                          type: string
+                        options:
+                          additionalProperties:
+                            type: string
+                          description: "Options are a list of key/value pairs to give extended options to the provider. \n There variation among providers as to how ciphersuites are expressed. If there is a common subset for expressing ciphers then it will make sense to loft that as a core API construct. \n Support: Implementation-specific."
+                          type: object
+                        routeOverride:
+                          default:
+                            certificate: Deny
+                          description: "RouteOverride dictates if TLS settings can be configured via Routes or not. \n CertificateRef must be defined even if `routeOverride.certificate` is set to 'Allow' as it will be used as the default certificate for the listener."
+                          properties:
+                            certificate:
+                              default: Deny
+                              description: "Certificate dictates if TLS certificates can be configured via Routes. If set to 'Allow', a TLS certificate for a hostname defined in a Route takes precedence over the certificate defined in Gateway. \n Support: Core"
+                              enum:
+                              - Allow
+                              - Deny
+                              type: string
+                          required:
+                          - certificate
+                          type: object
+                      type: object
+                  required:
+                  - port
+                  - protocol
+                  - routes
+                  type: object
+                maxItems: 64
+                minItems: 1
+                type: array
+            required:
+            - gatewayClassName
+            - listeners
+            type: object
+          status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: NotReconciled
+                status: "False"
+                type: Scheduled
+            description: GatewayStatus defines the observed state of Gateway.
+            properties:
+              addresses:
+                description: "Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. \n These addresses should all be of type \"IPAddress\"."
+                items:
+                  description: GatewayAddress describes an address that can be bound to a Gateway.
+                  properties:
+                    type:
+                      default: IPAddress
+                      description: "Type of the Address. This is either \"IPAddress\" or \"NamedAddress\". \n Support: Extended"
+                      enum:
+                      - IPAddress
+                      - NamedAddress
+                      type: string
+                    value:
+                      description: 'Value. Examples: "1.2.3.4", "128::1", "my-ip-address". Validity of the values will depend on `Type` and support by the controller.'
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - value
+                  type: object
+                maxItems: 16
+                type: array
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: NotReconciled
+                  status: "False"
+                  type: Scheduled
+                description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Scheduled\" * \"Ready\""
+                items:
+                  description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              listeners:
+                description: Listeners provide status for each unique listener port defined in the Spec.
+                items:
+                  description: ListenerStatus is the status associated with a Listener.
+                  properties:
+                    conditions:
+                      description: Conditions describe the current condition of this listener.
+                      items:
+                        description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False, Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    hostname:
+                      description: Hostname is the Listener hostname value for which this message is reporting the status.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    port:
+                      description: Port is the unique Listener port value for which this message is reporting the status.
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: Protocol is the Listener protocol value for which this message is reporting the status.
+                      type: string
+                  required:
+                  - conditions
+                  - port
+                  - protocol
+                  type: object
+                maxItems: 64
+                type: array
+                x-kubernetes-list-map-keys:
+                - port
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

docs/content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml

@@ -0,0 +1,528 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: httproutes.networking.x-k8s.io
+spec:
+  group: networking.x-k8s.io
+  names:
+    kind: HTTPRoute
+    listKind: HTTPRouteList
+    plural: httproutes
+    singular: httproute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.hostnames
+      name: Hostnames
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: HTTPRoute is the Schema for the HTTPRoute resource.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: HTTPRouteSpec defines the desired state of HTTPRoute
+            properties:
+              gateways:
+                default:
+                  allow: SameNamespace
+                description: Gateways defines which Gateways can use this Route.
+                properties:
+                  allow:
+                    default: SameNamespace
+                    description: 'Allow indicates which Gateways will be allowed to use this route. Possible values are: * All: Gateways in any namespace can use this route. * FromList: Only Gateways specified in GatewayRefs may use this route. * SameNamespace: Only Gateways in the same namespace may use this route.'
+                    enum:
+                    - All
+                    - FromList
+                    - SameNamespace
+                    type: string
+                  gatewayRefs:
+                    description: GatewayRefs must be specified when Allow is set to "FromList". In that case, only Gateways referenced in this list will be allowed to use this route. This field is ignored for other values of "Allow".
+                    items:
+                      description: GatewayReference identifies a Gateway in a specified namespace.
+                      properties:
+                        name:
+                          description: Name is the name of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: Namespace is the namespace of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
+                    type: array
+                type: object
+              hostnames:
+                description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. Hostname is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: \n 1. IPs are not allowed. 2. The `:` delimiter is not respected because ports are not allowed. \n Incoming requests are matched against the hostnames before the HTTPRoute rules. If no hostname is specified, traffic is routed based on the HTTPRouteRules. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.example.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following order: 1. If Host is precise, the request matches this rule if    the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if    the http host header is to equal to the suffix    (removing the first label) of the wildcard rule. \n Support: Core"
+                items:
+                  description: Hostname is used to specify a hostname that should be matched.
+                  maxLength: 253
+                  minLength: 1
+                  type: string
+                maxItems: 16
+                type: array
+              rules:
+                description: Rules are a list of HTTP matchers, filters and actions.
+                items:
+                  description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions, optionally executing additional processing steps, and forwarding the request to an API object.
+                  properties:
+                    filters:
+                      description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across   implementations. \n Specifying a core filter multiple times has unspecified or custom conformance. \n Support: core"
+                      items:
+                        description: 'HTTPRouteFilter defines additional processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express additional processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. TODO(hbagdi): re-render CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 - https://github.com/kubernetes-sigs/controller-tools/issues/461'
+                        properties:
+                          extensionRef:
+                            description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior.  For example, resource \"myroutefilter\" in group \"networking.acme.io\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
+                            properties:
+                              group:
+                                description: Group is the group of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              kind:
+                                description: Kind is kind of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              name:
+                                description: Name is the name of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                            required:
+                            - group
+                            - kind
+                            - name
+                            type: object
+                          requestHeaderModifier:
+                            description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
+                            properties:
+                              add:
+                                additionalProperties:
+                                  type: string
+                                description: "Add adds the given header (name, value) to the request before the action. \n Input:   GET /foo HTTP/1.1 \n Config:   add: {\"my-header\": \"foo\"} \n Output:   GET /foo HTTP/1.1   my-header: foo \n Support: Extended"
+                                type: object
+                              remove:
+                                description: "Remove the given header(s) from the HTTP request before the action. The value of RemoveHeader is a list of HTTP header names. Note that the header names are case-insensitive [RFC-2616 4.2]. \n Input:   GET /foo HTTP/1.1   My-Header1: ABC   My-Header2: DEF   My-Header2: GHI \n Config:   remove: [\"my-header1\", \"my-header3\"] \n Output:   GET /foo HTTP/1.1   My-Header2: DEF \n Support: Extended"
+                                items:
+                                  type: string
+                                maxItems: 16
+                                type: array
+                            type: object
+                          requestMirror:
+                            description: "RequestMirror defines a schema for a filter that mirrors requests. \n Support: Extended"
+                            properties:
+                              backendRef:
+                                description: "BackendRef is a local object reference to mirror matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
+                                properties:
+                                  group:
+                                    description: Group is the group of the referent.
+                                    maxLength: 253
+                                    minLength: 1
+                                    type: string
+                                  kind:
+                                    description: Kind is kind of the referent.
+                                    maxLength: 253
+                                    minLength: 1
+                                    type: string
+                                  name:
+                                    description: Name is the name of the referent.
+                                    maxLength: 253
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - group
+                                - kind
+                                - name
+                                type: object
+                              port:
+                                description: Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              serviceName:
+                                description: "ServiceName refers to the name of the Service to mirror matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Core"
+                                maxLength: 253
+                                type: string
+                            required:
+                            - port
+                            type: object
+                          type:
+                            description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by   \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All   implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by   \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers   are encouraged to support extended filters. \n - Custom: Filters that are defined and supported by specific vendors.   In the future, filters showing convergence in behavior across multiple   implementations will be considered for inclusion in extended or core   conformance levels. Filter-specific configuration for such filters   is specified using the ExtensionRef field. `Type` should be set to   \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior."
+                            enum:
+                            - RequestHeaderModifier
+                            - RequestMirror
+                            - ExtensionRef
+                            type: string
+                        required:
+                        - type
+                        type: object
+                      maxItems: 16
+                      type: array
+                    forwardTo:
+                      description: ForwardTo defines the backend(s) where matching requests should be sent. If unspecified, the rule performs no forwarding. If unspecified and no filters are specified that would result in a response being sent, a 503 error code is returned.
+                      items:
+                        description: HTTPRouteForwardTo defines how a HTTPRoute should forward a request.
+                        properties:
+                          backendRef:
+                            description: "BackendRef is a reference to a backend to forward matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DroppedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
+                            properties:
+                              group:
+                                description: Group is the group of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              kind:
+                                description: Kind is kind of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              name:
+                                description: Name is the name of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                            required:
+                            - group
+                            - kind
+                            - name
+                            type: object
+                          filters:
+                            description: "Filters defined at this-level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Custom (For broader support of filters, use the Filters field in HTTPRouteRule.)"
+                            items:
+                              description: 'HTTPRouteFilter defines additional processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express additional processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. TODO(hbagdi): re-render CRDs once controller-tools supports union tags: - https://github.com/kubernetes-sigs/controller-tools/pull/298 - https://github.com/kubernetes-sigs/controller-tools/issues/461'
+                              properties:
+                                extensionRef:
+                                  description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior.  For example, resource \"myroutefilter\" in group \"networking.acme.io\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific"
+                                  properties:
+                                    group:
+                                      description: Group is the group of the referent.
+                                      maxLength: 253
+                                      minLength: 1
+                                      type: string
+                                    kind:
+                                      description: Kind is kind of the referent.
+                                      maxLength: 253
+                                      minLength: 1
+                                      type: string
+                                    name:
+                                      description: Name is the name of the referent.
+                                      maxLength: 253
+                                      minLength: 1
+                                      type: string
+                                  required:
+                                  - group
+                                  - kind
+                                  - name
+                                  type: object
+                                requestHeaderModifier:
+                                  description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core"
+                                  properties:
+                                    add:
+                                      additionalProperties:
+                                        type: string
+                                      description: "Add adds the given header (name, value) to the request before the action. \n Input:   GET /foo HTTP/1.1 \n Config:   add: {\"my-header\": \"foo\"} \n Output:   GET /foo HTTP/1.1   my-header: foo \n Support: Extended"
+                                      type: object
+                                    remove:
+                                      description: "Remove the given header(s) from the HTTP request before the action. The value of RemoveHeader is a list of HTTP header names. Note that the header names are case-insensitive [RFC-2616 4.2]. \n Input:   GET /foo HTTP/1.1   My-Header1: ABC   My-Header2: DEF   My-Header2: GHI \n Config:   remove: [\"my-header1\", \"my-header3\"] \n Output:   GET /foo HTTP/1.1   My-Header2: DEF \n Support: Extended"
+                                      items:
+                                        type: string
+                                      maxItems: 16
+                                      type: array
+                                  type: object
+                                requestMirror:
+                                  description: "RequestMirror defines a schema for a filter that mirrors requests. \n Support: Extended"
+                                  properties:
+                                    backendRef:
+                                      description: "BackendRef is a local object reference to mirror matched requests to. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Custom"
+                                      properties:
+                                        group:
+                                          description: Group is the group of the referent.
+                                          maxLength: 253
+                                          minLength: 1
+                                          type: string
+                                        kind:
+                                          description: Kind is kind of the referent.
+                                          maxLength: 253
+                                          minLength: 1
+                                          type: string
+                                        name:
+                                          description: Name is the name of the referent.
+                                          maxLength: 253
+                                          minLength: 1
+                                          type: string
+                                      required:
+                                      - group
+                                      - kind
+                                      - name
+                                      type: object
+                                    port:
+                                      description: Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field.
+                                      format: int32
+                                      maximum: 65535
+                                      minimum: 1
+                                      type: integer
+                                    serviceName:
+                                      description: "ServiceName refers to the name of the Service to mirror matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: Core"
+                                      maxLength: 253
+                                      type: string
+                                  required:
+                                  - port
+                                  type: object
+                                type:
+                                  description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by   \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All   implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by   \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers   are encouraged to support extended filters. \n - Custom: Filters that are defined and supported by specific vendors.   In the future, filters showing convergence in behavior across multiple   implementations will be considered for inclusion in extended or core   conformance levels. Filter-specific configuration for such filters   is specified using the ExtensionRef field. `Type` should be set to   \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior."
+                                  enum:
+                                  - RequestHeaderModifier
+                                  - RequestMirror
+                                  - ExtensionRef
+                                  type: string
+                              required:
+                              - type
+                              type: object
+                            maxItems: 16
+                            type: array
+                          port:
+                            description: "Port specifies the destination port number to use for the backend referenced by the ServiceName or BackendRef field. \n Support: Core"
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          serviceName:
+                            description: "ServiceName refers to the name of the Service to forward matched requests to. When specified, this takes the place of BackendRef. If both BackendRef and ServiceName are specified, ServiceName will be given precedence. \n If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DroppedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n The protocol to use should be specified with the AppProtocol field on Service resources. This field was introduced in Kubernetes 1.18. If using an earlier version of Kubernetes, a `networking.x-k8s.io/app-protocol` annotation on the BackendPolicy resource may be used to define the protocol. If the AppProtocol field is available, this annotation should not be used. The AppProtocol field, when populated, takes precedence over the annotation in the BackendPolicy resource. For custom backends, it is encouraged to add a semantically-equivalent field in the Custom Resource Definition. \n Support: Core"
+                            maxLength: 253
+                            type: string
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of HTTP requests forwarded to the backend referenced by the ServiceName or BackendRef field. This is computed as weight/(sum of all weights in this ForwardTo list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support: Core"
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - port
+                        type: object
+                      maxItems: 4
+                      type: array
+                    matches:
+                      default:
+                      - path:
+                          type: Prefix
+                          value: /
+                      description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path:     value: \"/foo\"   headers:     values:       version: \"2\" - path:     value: \"/v2/foo\" ``` \n For a request to match against this rule, a request should satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: \"2\"` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n A client request may match multiple HTTP route rules. Matching precedence MUST be determined in order of the following criteria, continuing on ties: * The longest matching hostname. * The longest matching path. * The largest number of header matches * The oldest Route based on creation timestamp. For example, a Route with   a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over   a Route with a creation timestamp of \"2020-09-08 01:02:04\". * The Route appearing first in alphabetical order (namespace/name) for   example, foo/bar is given precedence over foo/baz."
+                      items:
+                        description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: \"1\"` header: \n ``` match:   path:     value: \"/foo\"   headers:     values:       version: \"1\" ```"
+                        properties:
+                          extensionRef:
+                            description: "ExtensionRef is an optional, implementation-specific extension to the \"match\" behavior. For example, resource \"myroutematcher\" in group \"networking.acme.io\". If the referent cannot be found, the rule is not included in the route. The controller should raise the \"ResolvedRefs\" condition on the Gateway with the \"DegradedRoutes\" reason. The gateway status for this route should be updated with a condition that describes the error more specifically. \n Support: custom"
+                            properties:
+                              group:
+                                description: Group is the group of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              kind:
+                                description: Kind is kind of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              name:
+                                description: Name is the name of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                            required:
+                            - group
+                            - kind
+                            - name
+                            type: object
+                          headers:
+                            description: Headers specifies a HTTP request header matcher.
+                            properties:
+                              type:
+                                default: Exact
+                                description: "Type specifies how to match against the value of the header. \n Support: core (Exact) Support: custom (RegularExpression, ImplementationSpecific) \n Since RegularExpression PathType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect. \n HTTP Header name matching MUST be case-insensitive (RFC 2616 - section 4.2)."
+                                enum:
+                                - Exact
+                                - RegularExpression
+                                - ImplementationSpecific
+                                type: string
+                              values:
+                                additionalProperties:
+                                  type: string
+                                description: "Values is a map of HTTP Headers to be matched. It MUST contain at least one entry. \n The HTTP header field name to match is the map key, and the value of the HTTP header is the map value. HTTP header field name matching MUST be case-insensitive. \n Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route."
+                                type: object
+                            required:
+                            - values
+                            type: object
+                          path:
+                            default:
+                              type: Prefix
+                              value: /
+                            description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.
+                            properties:
+                              type:
+                                default: Prefix
+                                description: "Type specifies how to match against the path Value. \n Support: core (Exact, Prefix) Support: custom (RegularExpression, ImplementationSpecific) \n Since RegularExpression PathType has custom conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect."
+                                enum:
+                                - Exact
+                                - Prefix
+                                - RegularExpression
+                                - ImplementationSpecific
+                                type: string
+                              value:
+                                description: Value of the HTTP path to match against.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      maxItems: 8
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+              tls:
+                description: "TLS defines the TLS certificate to use for Hostnames defined in this Route. This configuration only takes effect if the AllowRouteOverride field is set to true in the associated Gateway resource. \n Collisions can happen if multiple HTTPRoutes define a TLS certificate for the same hostname. In such a case, conflict resolution guiding principles apply, specificallly, if hostnames are same and two different certificates are specified then the certificate in the oldest resource wins. \n Please note that HTTP Route-selection takes place after the TLS Handshake (ClientHello). Due to this, TLS certificate defined here will take precedence even if the request has the potential to match multiple routes (in case multiple HTTPRoutes share the same hostname). \n Support: Core"
+                properties:
+                  certificateRef:
+                    description: 'CertificateRef refers to a Kubernetes object that contains a TLS certificate and private key. This certificate MUST be used for TLS handshakes for the domain this RouteTLSConfig is associated with. If an entry in this list omits or specifies the empty string for both the group and kind, the resource defaults to "secrets". An implementation may support other resources (for example, resource "mycertificates" in group "networking.acme.io"). Support: Core (Kubernetes Secrets) Support: Implementation-specific (Other resource types)'
+                    properties:
+                      group:
+                        description: Group is the group of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      kind:
+                        description: Kind is kind of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      name:
+                        description: Name is the name of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    required:
+                    - group
+                    - kind
+                    - name
+                    type: object
+                required:
+                - certificateRef
+                type: object
+            required:
+            - rules
+            type: object
+          status:
+            description: HTTPRouteStatus defines the observed state of HTTPRoute.
+            properties:
+              gateways:
+                description: "Gateways is a list of the Gateways that are associated with the route, and the status of the route with respect to each of these Gateways. When a Gateway selects this route, the controller that manages the Gateway should add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route is modified. \n A maximum of 100 Gateways will be represented in this list. If this list is full, there may be additional Gateways using this Route that are not included in the list."
+                items:
+                  description: RouteGatewayStatus describes the status of a route with respect to an associated Gateway.
+                  properties:
+                    conditions:
+                      description: Conditions describes the status of the route with respect to the Gateway.  For example, the "Admitted" condition indicates whether the route has been admitted or rejected by the Gateway, and why.  Note that the route's availability is also subject to the Gateway's own status conditions and listener status.
+                      items:
+                        description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions.  For example, type FooStatus struct{     // Represents the observations of a foo's current state.     // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"     // +patchMergeKey=type     // +patchStrategy=merge     // +listType=map     // +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False, Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    gatewayRef:
+                      description: GatewayRef is a reference to a Gateway object that is associated with the route.
+                      properties:
+                        name:
+                          description: Name is the name of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: Namespace is the namespace of the referent.
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                      required:
+                      - name
+                      - namespace
+                      type: object
+                  required:
+                  - gatewayRef
+                  type: object
+                maxItems: 100
+                type: array
+            required:
+            - gateways
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

docs/content/reference/static-configuration/cli-ref.md

@@ -69,6 +69,12 @@ Use a DNS-01 based challenge provider rather than HTTPS.
 `--certificatesresolvers.<name>.acme.dnschallenge.resolvers`:  
 Use following DNS servers to resolve the FQDN authority.
 
+`--certificatesresolvers.<name>.acme.eab.hmacencoded`:  
+Base64 encoded HMAC key from External CA.
+
+`--certificatesresolvers.<name>.acme.eab.kid`:  
+Key identifier from External CA.
+
 `--certificatesresolvers.<name>.acme.email`:  
 Email address used for registration.
 
@@ -168,6 +174,9 @@ plugin's GOPATH.
 `--experimental.devplugin.modulename`:  
 plugin's module name.
 
+`--experimental.kubernetesgateway`:  
+Allow the Kubernetes gateway api provider usage. (Default: ```false```)
+
 `--experimental.plugins.<name>.modulename`:  
 plugin's module name.
 
@@ -330,6 +339,9 @@ TLS key
 `--providers.consul.username`:  
 KV Username
 
+`--providers.consulcatalog`:  
+Enable ConsulCatalog backend with default settings. (Default: ```false```)
+
 `--providers.consulcatalog.cache`:  
 Use local agent caching for catalog reads. (Default: ```false```)
 
@@ -340,7 +352,7 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
 
 `--providers.consulcatalog.endpoint.address`:  
-The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+The address of the Consul server (Default: ```127.0.0.1:8500```)
 
 `--providers.consulcatalog.endpoint.datacenter`:  
 Data center to use. If not provided, the default agent data center is used
@@ -382,7 +394,7 @@ Expose containers by default. (Default: ```true```)
 Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
 
 `--providers.consulcatalog.refreshinterval`:  
-Interval for check Consul API. Default 100ms (Default: ```15```)
+Interval for check Consul API. Default 15s (Default: ```15```)
 
 `--providers.consulcatalog.requireconsistent`:  
 Forces the read to be fully consistent. (Default: ```false```)
@@ -405,6 +417,9 @@ Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```uni
 `--providers.docker.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)
 
+`--providers.docker.httpclienttimeout`:  
+Client timeout for HTTP connections. (Default: ```0```)
+
 `--providers.docker.network`:  
 Default Docker network used.
 
@@ -435,6 +450,9 @@ Use the ip address from the bound port, rather than from the inner network. (Def
 `--providers.docker.watch`:  
 Watch Docker Swarm events. (Default: ```true```)
 
+`--providers.ecs`:  
+Enable AWS ECS backend with default settings. (Default: ```false```)
+
 `--providers.ecs.accesskeyid`:  
 The AWS credentials access key to use for making requests
 
@@ -534,12 +552,12 @@ TLS key
 `--providers.kubernetescrd`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
+`--providers.kubernetescrd.allowcrossnamespace`:  
+Allow cross namespace resource reference. (Default: ```true```)
+
 `--providers.kubernetescrd.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 
-`--providers.kubernetescrd.disablepasshostheaders`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
 `--providers.kubernetescrd.endpoint`:  
 Kubernetes server endpoint (required for external cluster client).
 
@@ -558,15 +576,33 @@ Ingress refresh throttle duration (Default: ```0```)
 `--providers.kubernetescrd.token`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
+`--providers.kubernetesgateway`:  
+Enable Kubernetes gateway api provider with default settings. (Default: ```false```)
+
+`--providers.kubernetesgateway.certauthfilepath`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`--providers.kubernetesgateway.endpoint`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`--providers.kubernetesgateway.labelselector`:  
+Kubernetes label selector to select specific GatewayClasses.
+
+`--providers.kubernetesgateway.namespaces`:  
+Kubernetes namespaces.
+
+`--providers.kubernetesgateway.throttleduration`:  
+Kubernetes refresh throttle duration (Default: ```0```)
+
+`--providers.kubernetesgateway.token`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
 `--providers.kubernetesingress`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
 `--providers.kubernetesingress.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 
-`--providers.kubernetesingress.disablepasshostheaders`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
 `--providers.kubernetesingress.endpoint`:  
 Kubernetes server endpoint (required for external cluster client).
 

docs/content/reference/static-configuration/env-ref.md

@@ -69,6 +69,12 @@ Use a DNS-01 based challenge provider rather than HTTPS.
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_RESOLVERS`:  
 Use following DNS servers to resolve the FQDN authority.
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EAB_HMACENCODED`:  
+Base64 encoded HMAC key from External CA.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EAB_KID`:  
+Key identifier from External CA.
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:  
 Email address used for registration.
 
@@ -168,6 +174,9 @@ plugin's GOPATH.
 `TRAEFIK_EXPERIMENTAL_DEVPLUGIN_MODULENAME`:  
 plugin's module name.
 
+`TRAEFIK_EXPERIMENTAL_KUBERNETESGATEWAY`:  
+Allow the Kubernetes gateway api provider usage. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_MODULENAME`:  
 plugin's module name.
 
@@ -303,6 +312,9 @@ Terminating status code (Default: ```503```)
 `TRAEFIK_PROVIDERS_CONSUL`:  
 Enable Consul backend with default settings. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_CONSULCATALOG`:  
+Enable ConsulCatalog backend with default settings. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:  
 Use local agent caching for catalog reads. (Default: ```false```)
 
@@ -313,7 +325,7 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
 
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`:  
-The address of the Consul server (Default: ```http://127.0.0.1:8500```)
+The address of the Consul server (Default: ```127.0.0.1:8500```)
 
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`:  
 Data center to use. If not provided, the default agent data center is used
@@ -355,7 +367,7 @@ Expose containers by default. (Default: ```true```)
 Prefix for consul service tags. Default 'traefik' (Default: ```traefik```)
 
 `TRAEFIK_PROVIDERS_CONSULCATALOG_REFRESHINTERVAL`:  
-Interval for check Consul API. Default 100ms (Default: ```15```)
+Interval for check Consul API. Default 15s (Default: ```15```)
 
 `TRAEFIK_PROVIDERS_CONSULCATALOG_REQUIRECONSISTENT`:  
 Forces the read to be fully consistent. (Default: ```false```)
@@ -405,6 +417,9 @@ Docker server endpoint. Can be a tcp or a unix socket endpoint. (Default: ```uni
 `TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)
 
+`TRAEFIK_PROVIDERS_DOCKER_HTTPCLIENTTIMEOUT`:  
+Client timeout for HTTP connections. (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_DOCKER_NETWORK`:  
 Default Docker network used.
 
@@ -435,6 +450,9 @@ Use the ip address from the bound port, rather than from the inner network. (Def
 `TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
 Watch Docker Swarm events. (Default: ```true```)
 
+`TRAEFIK_PROVIDERS_ECS`:  
+Enable AWS ECS backend with default settings. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_ECS_ACCESSKEYID`:  
 The AWS credentials access key to use for making requests
 
@@ -534,12 +552,12 @@ TLS key
 `TRAEFIK_PROVIDERS_KUBERNETESCRD`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:  
+Allow cross namespace resource reference. (Default: ```true```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 
-`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
 Kubernetes server endpoint (required for external cluster client).
 
@@ -558,15 +576,33 @@ Ingress refresh throttle duration (Default: ```0```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_TOKEN`:  
 Kubernetes bearer token (not needed for in-cluster client).
 
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY`:  
+Enable Kubernetes gateway api provider with default settings. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_CERTAUTHFILEPATH`:  
+Kubernetes certificate authority file path (not needed for in-cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_ENDPOINT`:  
+Kubernetes server endpoint (required for external cluster client).
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_LABELSELECTOR`:  
+Kubernetes label selector to select specific GatewayClasses.
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_NAMESPACES`:  
+Kubernetes namespaces.
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_THROTTLEDURATION`:  
+Kubernetes refresh throttle duration (Default: ```0```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESGATEWAY_TOKEN`:  
+Kubernetes bearer token (not needed for in-cluster client).
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 
-`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_DISABLEPASSHOSTHEADERS`:  
-Kubernetes disable PassHost Headers. (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ENDPOINT`:  
 Kubernetes server endpoint (required for external cluster client).
 

docs/content/reference/static-configuration/file.toml

@@ -60,6 +60,7 @@
     swarmMode = true
     network = "foobar"
     swarmModeRefreshSeconds = 42
+    httpClientTimeout = 42
     [providers.docker.tls]
       ca = "foobar"
       caOptional = true
@@ -98,11 +99,10 @@
     endpoint = "foobar"
     token = "foobar"
     certAuthFilePath = "foobar"
-    disablePassHostHeaders = true
     namespaces = ["foobar", "foobar"]
     labelSelector = "foobar"
     ingressClass = "foobar"
-    throttleDuration = "10s"
+    throttleDuration = "42s"
     [providers.kubernetesIngress.ingressEndpoint]
       ip = "foobar"
       hostname = "foobar"
@@ -111,11 +111,18 @@
     endpoint = "foobar"
     token = "foobar"
     certAuthFilePath = "foobar"
-    disablePassHostHeaders = true
     namespaces = ["foobar", "foobar"]
+    allowCrossNamespace = true
     labelSelector = "foobar"
     ingressClass = "foobar"
     throttleDuration = 42
+  [providers.kubernetesGateway]
+    endpoint = "foobar"
+    token = "foobar"
+    certAuthFilePath = "foobar"
+    namespaces = ["foobar", "foobar"]
+    labelSelector = "foobar"
+    throttleDuration = 42
   [providers.rest]
     insecure = true
   [providers.rancher]
@@ -339,6 +346,9 @@
       preferredChain = "foobar"
       storage = "foobar"
       keyType = "foobar"
+      [certificatesResolvers.CertificateResolver0.acme.eab]
+        kid = "foobar"
+        hmacEncoded = "foobar"
       [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
         provider = "foobar"
         delayBeforeCheck = 42
@@ -354,6 +364,9 @@
       preferredChain = "foobar"
       storage = "foobar"
       keyType = "foobar"
+      [certificatesResolvers.CertificateResolver1.acme.eab]
+        kid = "foobar"
+        hmacEncoded = "foobar"
       [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
         provider = "foobar"
         delayBeforeCheck = 42
@@ -363,9 +376,11 @@
         entryPoint = "foobar"
       [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
 
+[pilot]
+  token = "foobar"
+
 [experimental]
-  [experimental.pilot]
-    token = "foobar"
+  kubernetesGateway = true
   [experimental.plugins]
     [experimental.plugins.Descriptor0]
       moduleName = "foobar"

docs/content/reference/static-configuration/file.yaml

@@ -72,6 +72,7 @@ providers:
     swarmMode: true
     network: foobar
     swarmModeRefreshSeconds: 42
+    httpClientTimeout: 42
   file:
     directory: foobar
     watch: true
@@ -104,7 +105,6 @@ providers:
     endpoint: foobar
     token: foobar
     certAuthFilePath: foobar
-    disablePassHostHeaders: true
     namespaces:
     - foobar
     - foobar
@@ -119,12 +119,21 @@ providers:
     endpoint: foobar
     token: foobar
     certAuthFilePath: foobar
-    disablePassHostHeaders: true
+    namespaces:
+    - foobar
+    - foobar
+    allowCrossNamespace: true
+    labelSelector: foobar
+    ingressClass: foobar
+    throttleDuration: 42s
+  kubernetesGateway:
+    endpoint: foobar
+    token: foobar
+    certAuthFilePath: foobar
     namespaces:
     - foobar
     - foobar
     labelSelector: foobar
-    ingressClass: foobar
     throttleDuration: 42s
   rest:
     insecure: true
@@ -355,6 +364,9 @@ certificatesResolvers:
       preferredChain: foobar
       storage: foobar
       keyType: foobar
+      eab:
+        kid: foobar
+        hmacEncoded: foobar
       dnsChallenge:
         provider: foobar
         delayBeforeCheck: 42
@@ -372,6 +384,9 @@ certificatesResolvers:
       preferredChain: foobar
       storage: foobar
       keyType: foobar
+      eab:
+        kid: foobar
+        hmacEncoded: foobar
       dnsChallenge:
         provider: foobar
         delayBeforeCheck: 42
@@ -382,9 +397,10 @@ certificatesResolvers:
       httpChallenge:
         entryPoint: foobar
       tlsChallenge: {}
+pilot:
+  token: foobar
 experimental:
-  pilot:
-    token: foobar
+  kubernetesGateway: true
   plugins:
     Descriptor0:
       moduleName: foobar
@@ -395,3 +411,4 @@ experimental:
   devPlugin:
     goPath: foobar
     moduleName: foobar
+

docs/content/routing/entrypoints.md

@@ -212,8 +212,8 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
     ```
     
     ```bash tab="CLI"
-    entrypoints.specificIPv4.address=192.168.2.7:8888
-    entrypoints.specificIPv6.address=[2001:db8::1]:8888
+    --entrypoints.specificIPv4.address=192.168.2.7:8888
+    --entrypoints.specificIPv6.address=[2001:db8::1]:8888
     ```
     
     Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
@@ -745,8 +745,8 @@ entryPoints:
 ```
 
 ```bash tab="CLI"
-entrypoints.websecure.address=:443
-entrypoints.websecure.http.middlewares=auth@file,strip@file
+--entrypoints.websecure.address=:443
+--entrypoints.websecure.http.middlewares=auth@file,strip@file
 ```
 
 ### TLS
@@ -792,13 +792,13 @@ entryPoints:
 ```
 
 ```bash tab="CLI"
-entrypoints.websecure.address=:443
-entrypoints.websecure.http.tls.options=foobar
-entrypoints.websecure.http.tls.certResolver=leresolver
-entrypoints.websecure.http.tls.domains[0].main=example.com
-entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
-entrypoints.websecure.http.tls.domains[1].main=test.com
-entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
+--entrypoints.websecure.address=:443
+--entrypoints.websecure.http.tls.options=foobar
+--entrypoints.websecure.http.tls.certResolver=leresolver
+--entrypoints.websecure.http.tls.domains[0].main=example.com
+--entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
+--entrypoints.websecure.http.tls.domains[1].main=test.com
+--entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
 ```
 
 ??? example "Let's Encrypt"
@@ -821,6 +821,6 @@ entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
     ```
     
     ```bash tab="CLI"
-    entrypoints.websecure.address=:443
-    entrypoints.websecure.http.tls.certResolver=leresolver
+    --entrypoints.websecure.address=:443
+    --entrypoints.websecure.http.tls.certResolver=leresolver
     ```

docs/content/routing/overview.md

@@ -228,6 +228,7 @@ http:
             to-whoami-tcp:
               service: whoami-tcp
               rule: HostSNI(`whoami-tcp.example.com`)
+              tls: {}
 
           services:
             whoami-tcp:

docs/content/routing/providers/consul-catalog.md

@@ -381,6 +381,14 @@ You can declare TCP Routers and/or Services using tags.
     traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
     ```
 
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
+        
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+    
+    ```yaml
+    traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
+    ```
+
 ### UDP
 
 You can declare UDP Routers and/or Services using tags.

docs/content/routing/providers/docker.md

@@ -58,6 +58,26 @@ Attach labels to your containers and let Traefik do the rest!
         Setting the label `traefik.http.services.xxx.loadbalancer.server.port`
         overrides that behavior.
 
+??? example "Specifying more than one router and service per container"
+
+    Forwarding requests to more than one port on a container requires referencing the service loadbalancer port definition using the service parameter on the router.
+
+    In this example, requests are forwarded for `http://example-a.com` to `http://<private IP of container>:8000` in addition to `http://example-b.com` forwarding to `http://<private IP of container>:9000`:
+
+    ```yaml
+    version: "3"
+    services:
+      my-container:
+        # ...
+        labels:
+          - traefik.http.routers.www-router.rule=Host(`example-a.com`)
+          - traefik.http.routers.www-router.service=www-service
+          - traefik.http.services.www-service.loadbalancer.server.port=8000
+          - traefik.http.routers.admin-router.rule=Host(`example-b.com`)
+          - traefik.http.routers.admin-router.service=admin-service
+          - traefik.http.services.admin-service.loadbalancer.server.port=9000
+    ```
+
 ??? example "Configuring Docker Swarm & Deploying / Exposing Services"
 
     Enabling the docker provider (Swarm Mode)
@@ -75,14 +95,17 @@ Attach labels to your containers and let Traefik do the rest!
     providers:
       docker:
         # swarm classic (1.12-)
-        # endpoint = "tcp://127.0.0.1:2375"
+        # endpoint: "tcp://127.0.0.1:2375"
         # docker swarm mode (1.12+)
-        endpoint: "tcp://127.0.0.1:2375"
+        endpoint: "tcp://127.0.0.1:2377"
         swarmMode: true
     ```
 
     ```bash tab="CLI"
-    --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # swarm classic (1.12-)
+    # --providers.docker.endpoint=tcp://127.0.0.1:2375
+    # docker swarm mode (1.12+)
+    --providers.docker.endpoint=tcp://127.0.0.1:2377
     --providers.docker.swarmMode=true
     ```
 
@@ -101,7 +124,7 @@ Attach labels to your containers and let Traefik do the rest!
     !!! important "Labels in Docker Swarm Mode"
         While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
         Therefore, if you use a compose file with Swarm Mode, labels should be defined in the `deploy` part of your service.
-        This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/#labels-1)).
+        This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1)).
 
 ## Routing Configuration
 
@@ -262,6 +285,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.server.scheme=http"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
+
+    See [serverstransport](../services/index.md#serverstransport) for more information.
+
+    ```yaml
+    - "traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"
 
     See [pass Host header](../services/index.md#pass-host-header) for more information.
@@ -524,6 +555,14 @@ You can declare TCP Routers and/or Services using labels.
     - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
     ```
 
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
+
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
+    ```
+
 ### UDP
 
 You can declare UDP Routers and/or Services using labels.

docs/content/routing/providers/ecs.md

@@ -10,7 +10,7 @@ Attach labels to your containers and let Traefik do the rest!
 !!! info "labels"
     
     - labels are case insensitive.
-    - The complete list of labels can be found [the reference page](../../reference/dynamic-configuration/ecs.md)
+    - The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/ecs.md).
 
 ### General
 
@@ -388,6 +388,14 @@ You can declare TCP Routers and/or Services using labels.
     traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100
     ```
 
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
+        
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+    
+    ```yaml
+    traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
+    ```
+
 ### UDP
 
 You can declare UDP Routers and/or Services using tags.

docs/content/routing/providers/kubernetes-crd.md

@@ -43,7 +43,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v2.3
+              image: traefik:v2.4
               args:
                 - --log.level=DEBUG
                 - --api
@@ -335,6 +335,7 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
           responseForwarding:
             flushInterval: 1ms
           scheme: https
+          serversTransport: transport
           sticky:
             cookie:
               httpOnly: true
@@ -619,7 +620,7 @@ Register the `Middleware` [kind](../../reference/dynamic-configuration/kubernete
 !!! important "Cross-provider namespace"
 
     As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource
-    (in the reference to the middleware) with the [provider namespace](../../middlewares/overview.md#provider-namespace),
+    (in the reference to the middleware) with the [provider namespace](../../providers/overview.md#provider-namespace),
     when the definition of the middleware comes from another provider.
     In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored.
     Additionally, when you want to reference a Middleware from the CRD Provider,
@@ -1090,40 +1091,44 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
           port: 8080                # [6]
           weight: 10                # [7]
           terminationDelay: 400     # [8]
-      tls:                          # [9]
-        secretName: supersecret     # [10]
-        options:                    # [11]
-          name: opt                 # [12]
-          namespace: default        # [13]
-        certResolver: foo           # [14]
-        domains:                    # [15]
-        - main: example.net         # [16]
-          sans:                     # [17]
+          proxyProtocol:            # [9]
+            version: 1              # [10]
+      tls:                          # [11]
+        secretName: supersecret     # [12]
+        options:                    # [13]
+          name: opt                 # [14]
+          namespace: default        # [15]
+        certResolver: foo           # [16]
+        domains:                    # [17]
+        - main: example.net         # [18]
+          sans:                     # [19]
           - a.example.net
           - b.example.net
-        passthrough: false          # [18]
+        passthrough: false          # [20]
     ```
 
-| Ref  | Attribute                      | Purpose                                                                                                                                                                                                                                                                                                                                                                                  |
-|------|--------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1]  | `entryPoints`                  | List of [entrypoints](../routers/index.md#entrypoints_1) names                                                                                                                                                                                                                                                                                                                           |
-| [2]  | `routes`                       | List of routes                                                                                                                                                                                                                                                                                                                                                                           |
-| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule_1) corresponding to an underlying router                                                                                                                                                                                                                                                                                                     |
-| [4]  | `routes[n].services`           | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions  (See below for `ExternalName Service` setup)                                                                                                                                                                                                                                 |
-| [5]  | `services[n].name`             | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                             |
-| [6]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                             |
-| [7]  | `services[n].weight`           | Defines the weight to apply to the server load balancing                                                                                                                                                                                                                                                                                                                                 |
-| [8]  | `services[n].terminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection.<br/>It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
-| [9]  | `tls`                          | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                       |
-| [10] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                     |
-| [11] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                                  |
-| [12] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                            |
-| [13] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                       |
-| [14] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                            |
-| [15] | `tls.domains`                  | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                         |
-| [16] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                             |
-| [17] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                       |
-| [18] | `tls.passthrough`              | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                                  |
+| Ref  | Attribute                      | Purpose                                                                                                                                                                                                                                                                                                                                                                              |
+|------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `entryPoints`                  | List of [entrypoints](../routers/index.md#entrypoints_1) names                                                                                                                                                                                                                                                                                                                       |
+| [2]  | `routes`                       | List of routes                                                                                                                                                                                                                                                                                                                                                                       |
+| [3]  | `routes[n].match`              | Defines the [rule](../routers/index.md#rule_1) corresponding to an underlying router                                                                                                                                                                                                                                                                                                 |
+| [4]  | `routes[n].services`           | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions  (See below for `ExternalName Service` setup)                                                                                                                                                                                                                             |
+| [5]  | `services[n].name`             | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                         |
+| [6]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                                                                                                                                                                                                                                         |
+| [7]  | `services[n].weight`           | Defines the weight to apply to the server load balancing                                                                                                                                                                                                                                                                                                                             |
+| [8]  | `services[n].terminationDelay` | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
+| [9]  | `proxyProtocol`                | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration                                                                                                                                                                                                                                                                                                      |
+| [10] | `version`                      | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version                                                                                                                                                                                                                                                                                                            |
+| [11] | `tls`                          | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                   |
+| [12] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                 |
+| [13] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                              |
+| [14] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                        |
+| [15] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                   |
+| [16] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                        |
+| [17] | `tls.domains`                  | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                     |
+| [18] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                         |
+| [19] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                   |
+| [20] | `tls.passthrough`              | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                              |
 
 ??? example "Declaring an IngressRouteTCP"
 
@@ -1456,8 +1461,7 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
     If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
 
 	Additionally, when the definition of the TLS option is from another provider,
-	the cross-provider syntax (`middlewarename@provider`) should be used to refer to the TLS option,
-	just as in the [middleware case](../../middlewares/overview.md#provider-namespace).
+	the cross-provider [syntax](../../providers/overview.md#provider-namespace) (`middlewarename@provider`) should be used to refer to the TLS option.
 	Specifying a namespace attribute in this case would not make any sense, and will be ignored.
 
 ### Kind: `TLSStore`
@@ -1488,9 +1492,9 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
         secretName: mySecret                      # [1]
     ```
 
-| Ref | Attribute                   | Purpose                                                                                                                                                                    |
-|-----|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1] | `secretName`                | The name of the referenced Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default certificate for the store.                                                                             |
+| Ref | Attribute    | Purpose                                                                                                                                                     |
+|-----|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1] | `secretName` | The name of the referenced Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default certificate for the store. |
 
 ??? example "Declaring and referencing a TLSStore"
    
@@ -1537,6 +1541,84 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
       tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
     ```
 
+### Kind: `ServersTransport`
+
+`ServersTransport` is the CRD implementation of a [ServersTransport](../services/index.md#serverstransport).
+
+!!! important "Default serversTransport"
+    If no `serversTransport` is specified, the `default@internal` will be used. 
+    The `default@internal` serversTransport is created from the [static configuration](../overview.md#transport-configuration). 
+
+!!! info "ServersTransport Attributes"
+   
+    ```yaml tab="TLSStore"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: ServersTransport
+    metadata:
+      name: mytransport
+      namespace: default
+    
+    spec:
+      serverName: foobar               # [1]
+      insecureSkipVerify: true         # [2]
+      rootCAsSecrets:                  # [3]
+        - foobar
+        - foobar
+      certificatesSecrets:             # [4]
+        - foobar
+        - foobar
+      maxIdleConnsPerHost: 1           # [5]
+      forwardingTimeouts:              # [6]
+        dialTimeout: 42s               # [7]
+        responseHeaderTimeout: 42s     # [8]
+        idleConnTimeout: 42s           # [9]
+    ```
+
+| Ref | Attribute               | Purpose                                                                                                                                              |
+|-----|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1] | `serverName`            | ServerName used to contact the server.                                                                                                               |
+| [2] | `insecureSkipVerify`    | Disable SSL certificate verification.                                                                                                                |
+| [3] | `rootCAsSecrets`        | Add cert file for self-signed certificate.                                                                                                           |
+| [4] | `certificatesSecrets`   | Certificates for mTLS.                                                                                                                               |
+| [5] | `maxIdleConnsPerHost`   | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used.                                 |
+| [6] | `forwardingTimeouts`    | Timeouts for requests forwarded to the backend servers.                                                                                              |
+| [7] | `dialTimeout`           | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.                                    |
+| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
+| [9] | `idleConnTimeout`       | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.                                              |
+
+??? example "Declaring and referencing a ServersTransport"
+   
+    ```yaml tab="ServersTransport"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: ServersTransport
+    metadata:
+      name: mytransport
+      namespace: default
+    
+    spec:
+      serverName: example.org
+      insecureSkipVerify: true
+    ```
+    
+    ```yaml tab="IngressRoute"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: testroute
+      namespace: default
+    
+    spec:
+      entryPoints:
+        - web
+      routes:
+      - match: Host(`example.com`)
+        kind: Rule
+        services:
+        - name: whoami
+          port: 80
+          serversTransport: mytransport
+    ```
+
 ## Further
 
 Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.

docs/content/routing/providers/kubernetes-gateway.md

@@ -0,0 +1,161 @@
+# Traefik & Kubernetes
+
+The Kubernetes Gateway API, The Experimental Way.
+{: .subtitle }
+
+## Configuration Examples
+
+??? example "Configuring Kubernetes Gateway provider and Deploying/Exposing Services"
+
+    ```yaml tab="Gateway API"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml"
+    ```
+
+    ```yaml tab="Whoami Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-whoami-svc.yml"
+    ```
+    
+    ```yaml tab="Traefik Service"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml"
+    ```
+
+    ```yaml tab="RBAC"
+    --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
+    ```
+
+## Routing Configuration
+
+### Custom Resource Definition (CRD)
+
+* You can find an exhaustive list, of the custom resources and their attributes in
+[the reference page](../../reference/dynamic-configuration/kubernetes-gateway.md) or in the Kubernetes Sigs `Service APIs` [repository](https://github.com/kubernetes-sigs/service-apis/).
+* Validate that [the prerequisites](../../providers/kubernetes-gateway.md#configuration-requirements) are fulfilled before using the Traefik Kubernetes Gateway Provider.
+    
+You can find an excerpt of the supported Kubernetes Gateway API resources in the table below:
+
+| Kind                               | Purpose                                                                   | Concept Behind                                                                            |
+|------------------------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
+| [GatewayClass](#kind-gatewayclass) | Defines a set of Gateways that share a common configuration and behaviour | [GatewayClass](https://kubernetes-sigs.github.io/service-apis/api-overview/#gatewayclass) |
+| [Gateway](#kind-gateway)           | Describes how traffic can be translated to Services within the cluster    | [Gateway](https://kubernetes-sigs.github.io/service-apis/api-overview/#gateway)           |
+| [HTTPRoute](#kind-httproute)       | HTTP rules for mapping requests from a Gateway to Kubernetes Services     | [Route](https://kubernetes-sigs.github.io/service-apis/api-overview/#httptcpfooroute)     |
+
+### Kind: `GatewayClass`
+
+`GatewayClass` is cluster-scoped resource defined by the infrastructure provider. This resource represents a class of Gateways that can be instantiated.
+More details on the GatewayClass [official documentation](https://kubernetes-sigs.github.io/service-apis/gatewayclass/).
+
+The `GatewayClass` should be declared by the infrastructure provider, otherwise please register the `GatewayClass`
+[definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the Kubernetes cluster before 
+creating `GatewayClass` objects.
+
+!!! info "Declaring GatewayClass"
+
+    ```yaml
+    kind: GatewayClass
+    apiVersion: networking.x-k8s.io/v1alpha1
+    metadata:
+      name: my-gateway-class
+    spec:
+      # Controller is a domain/path string that indicates
+      # the controller that is managing Gateways of this class.
+      controller: traefik.io/gateway-controller
+    ```
+
+### Kind: `Gateway`
+
+A `Gateway` is 1:1 with the life cycle of the configuration of infrastructure. When a user creates a Gateway, 
+some load balancing infrastructure is provisioned or configured by the GatewayClass controller. 
+More details on the Gateway [official documentation](https://kubernetes-sigs.github.io/service-apis/gateway/).
+
+Register the `Gateway` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
+Kubernetes cluster before creating `Gateway` objects.
+
+!!! info "Declaring Gateway"
+
+    ```
+    kind: Gateway
+    apiVersion: networking.x-k8s.io/v1alpha1
+    metadata:
+      name: my-gateway
+      namespace: default
+    spec:
+      gatewayClassName: my-gateway-class        # [1]
+      listeners:                                # [2]
+        - protocol: HTTPS                       # [3] 
+          port: 443                             # [4]
+          tls:                                  # [5]
+            certificateRef:                     # [6]
+              group: "core"
+              kind: "Secret"
+              name: "mysecret"
+          routes:                               # [7]
+            kind: HTTPRoute                     # [8]
+            selector:                           # [9]
+              matchLabels:                      # [10]
+                app: foo
+    ```
+
+| Ref  | Attribute          | Description                                                                                                                 |
+|------|--------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `gatewayClassName` | GatewayClassName used for this Gateway. This is the name of a GatewayClass resource.                                        |
+| [2]  | `listeners`        | Logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified.                      |
+| [3]  | `protocol`         | The network protocol this listener expects to receive (only HTTP and HTTPS are implemented).                                |
+| [4]  | `port`             | The network port.                                                                                                           |
+| [5]  | `tls`              | TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS" or "TLS" and ignored otherwise. |
+| [6]  | `certificateRef`   | The reference to Kubernetes object that contains a TLS certificate and private key.                                         |
+| [7]  | `routes`           | A schema for associating routes with the Listener using selectors.                                                          |
+| [8]  | `kind`             | The kind of the referent.                                                                                                   |
+| [9]  | `selector`         | Routes in namespaces selected by the selector may be used by this Gateway routes to associate with the Gateway.   |
+| [10] | `matchLabels`      | A set of route labels used for selecting routes to associate with the Gateway.                                              |
+
+### Kind: `HTTPRoute`
+
+`HTTPRoute` defines HTTP rules for mapping requests from a `Gateway` to Kubernetes Services. 
+
+Register the `HTTPRoute` [definition](../../reference/dynamic-configuration/kubernetes-gateway.md#definitions) in the
+Kubernetes cluster before creating `HTTPRoute` objects.
+
+!!! info "Declaring HTTPRoute"
+
+    ```yaml
+    kind: HTTPRoute
+    apiVersion: networking.x-k8s.io/v1alpha1
+    metadata:
+      name: http-app-1
+      namespace: default
+      labels:                       # [1]
+        app: foo
+    spec:
+      hostnames:                    # [2]
+        - "whoami"
+      rules:                        # [3]
+        - matches:                  # [4]
+            - path:                 # [5]
+                type: Exact         # [6]
+                value: /bar         # [7]
+            - headers:              # [8]
+                type: Exact         # [9]
+                values:             # [10]
+                  - foo: bar
+          forwardTo:                # [11]
+            - serviceName: whoami   # [12]
+              weight: 1             # [13]
+              port: 80              # [14]
+    ```
+
+| Ref  | Attribute     | Description                                                                                                                                                                 |
+|------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `labels`      | Labels to match with the `Gateway` labelselector.                                                                                                                           |
+| [2]  | `hostnames`   | A set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request.                                                              |
+| [3]  | `rules`       | A list of HTTP matchers, filters and actions.                                                                                                                               |
+| [4]  | `matches`     | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. |
+| [5]  | `path`        | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.                                                           |
+| [6]  | `type`        | Type of match against the path Value (supported types: `Exact`, `Prefix`).                                                                                                  |
+| [7]  | `value`       | The value of the HTTP path to match against.                                                                                                                                |
+| [8]  | `headers`     | Conditions to select a HTTP route by matching HTTP request headers.                                                                                                         |
+| [9]  | `type`        | Type of match for the HTTP request header match against the `values` (supported types: `Exact`).                                                                            |
+| [10] | `values`      | A map of HTTP Headers to be matched. It MUST contain at least one entry.                                                                                                    |
+| [11] | `forwardTo`   | The upstream target(s) where the request should be sent.                                                                                                                    |
+| [12] | `serviceName` | The name of the referent service.                                                                                                                                           |
+| [13] | `weight`      | The proportion of traffic forwarded to a targetRef, computed as weight/(sum of all weights in targetRefs).                                                                  |
+| [14] | `port`        | The port of the referent service.                                                                                                                                           |

docs/content/routing/providers/kubernetes-ingress.md

@@ -112,18 +112,13 @@ which in turn will create the resulting routers, services, handlers, etc.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v2.3
+              image: traefik:v2.4
               args:
-                - --log.level=DEBUG
-                - --api
-                - --api.insecure
                 - --entrypoints.web.address=:80
                 - --providers.kubernetesingress
               ports:
                 - name: web
                   containerPort: 80
-                - name: admin
-                  containerPort: 8080
     
     ---
     apiVersion: v1
@@ -139,10 +134,6 @@ which in turn will create the resulting routers, services, handlers, etc.
           port: 80
           name: web
           targetPort: 80
-        - protocol: TCP
-          port: 8080
-          name: admin
-          targetPort: 8080
     ```
     
     ```yaml tab="Whoami"
@@ -340,27 +331,380 @@ Please see [this documentation](https://kubernetes.io/docs/concepts/services-net
 
 ## TLS
 
-### Communication Between Traefik and Pods
+### Enabling TLS via HTTP Options on Entrypoint
 
-Traefik automatically requests endpoint information based on the service provided in the ingress spec.
-Although Traefik will connect directly to the endpoints (pods),
-it still checks the service port to see if TLS communication is required.
+TLS can be enabled through the [HTTP options](../entrypoints.md#tls) of an Entrypoint:
 
-There are 3 ways to configure Traefik to use https to communicate with pods:
+```bash tab="CLI"
+# Static configuration
+--entrypoints.websecure.address=:443
+--entrypoints.websecure.http.tls
+```
 
-1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod).
-1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`).
-1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`.
+```toml tab="File (TOML)"
+# Static configuration
+[entryPoints.websecure]
+  address = ":443"
 
-If either of those configuration options exist, then the backend communication protocol is assumed to be TLS,
-and will connect via TLS automatically.
+    [entryPoints.websecure.http.tls]
+```
 
-!!! info
+```yaml tab="File (YAML)"
+# Static configuration
+entryPoints:
+  websecure:
+    address: ':443'
+    http:
+      tls: {}
+```
+
+This way, any Ingress attached to this Entrypoint will have TLS termination by default.
+
+??? example "Configuring Kubernetes Ingress Controller with TLS on Entrypoint"
     
-    Please note that by enabling TLS communication between traefik and your pods,
-    you will have to have trusted certificates that have the proper trust chain and IP subject name.
-    If this is not an option, you may need to skip TLS certificate verification.
-    See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) setting for more details.
+    ```yaml tab="RBAC"
+    ---
+    kind: ClusterRole
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - services
+          - endpoints
+          - secrets
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+          - networking.k8s.io
+        resources:
+          - ingresses
+          - ingressclasses
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+        resources:
+          - ingresses/status
+        verbs:
+          - update
+    
+    ---
+    kind: ClusterRoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: traefik-ingress-controller
+    subjects:
+      - kind: ServiceAccount
+        name: traefik-ingress-controller
+        namespace: default
+    ```
+    
+    ```yaml tab="Ingress"
+    kind: Ingress
+    apiVersion: networking.k8s.io/v1beta1
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+              - path: /foo
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+    ```
+    
+    ```yaml tab="Traefik"
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: traefik-ingress-controller
+    
+    ---
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: traefik
+      labels:
+        app: traefik
+    
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: traefik
+      template:
+        metadata:
+          labels:
+            app: traefik
+        spec:
+          serviceAccountName: traefik-ingress-controller
+          containers:
+            - name: traefik
+              image: traefik:v2.4
+              args:
+                - --entrypoints.websecure.address=:443
+                - --entrypoints.websecure.http.tls
+                - --providers.kubernetesingress
+              ports:
+                - name: websecure
+                  containerPort: 443
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik
+    spec:
+      type: LoadBalancer
+      selector:
+        app: traefik
+      ports:
+        - protocol: TCP
+          port: 443
+          name: websecure
+          targetPort: 443
+    ```
+    
+    ```yaml tab="Whoami"
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: whoami
+      labels:
+        app: traefiklabs
+        name: whoami
+    
+    spec:
+      replicas: 2
+      selector:
+        matchLabels:
+          app: traefiklabs
+          task: whoami
+      template:
+        metadata:
+          labels:
+            app: traefiklabs
+            task: whoami
+        spec:
+          containers:
+            - name: whoami
+              image: traefik/whoami
+              ports:
+                - containerPort: 80
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: whoami
+    
+    spec:
+      ports:
+        - name: http
+          port: 80
+      selector:
+        app: traefiklabs
+        task: whoami
+    ```
+
+### Enabling TLS via Annotations
+
+To enable TLS on the underlying router created from an Ingress, one should configure it through annotations:
+
+```yaml
+traefik.ingress.kubernetes.io/router.tls: "true"
+```
+    
+For more options, please refer to the available [annotations](#on-ingress).
+
+??? example "Configuring Kubernetes Ingress Controller with TLS"
+    
+    ```yaml tab="RBAC"
+    ---
+    kind: ClusterRole
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    rules:
+      - apiGroups:
+          - ""
+        resources:
+          - services
+          - endpoints
+          - secrets
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+          - networking.k8s.io
+        resources:
+          - ingresses
+          - ingressclasses
+        verbs:
+          - get
+          - list
+          - watch
+      - apiGroups:
+          - extensions
+        resources:
+          - ingresses/status
+        verbs:
+          - update
+    
+    ---
+    kind: ClusterRoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1beta1
+    metadata:
+      name: traefik-ingress-controller
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: traefik-ingress-controller
+    subjects:
+      - kind: ServiceAccount
+        name: traefik-ingress-controller
+        namespace: default
+    ```
+    
+    ```yaml tab="Ingress"
+    kind: Ingress
+    apiVersion: networking.k8s.io/v1beta1
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: true
+    
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+              - path: /foo
+                backend:
+                  serviceName: whoami
+                  servicePort: 80
+    ```
+    
+    ```yaml tab="Traefik"
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: traefik-ingress-controller
+    
+    ---
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: traefik
+      labels:
+        app: traefik
+    
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: traefik
+      template:
+        metadata:
+          labels:
+            app: traefik
+        spec:
+          serviceAccountName: traefik-ingress-controller
+          containers:
+            - name: traefik
+              image: traefik:v2.4
+              args:
+                - --entrypoints.websecure.address=:443
+                - --providers.kubernetesingress
+              ports:
+                - name: websecure
+                  containerPort: 443
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik
+    spec:
+      type: LoadBalancer
+      selector:
+        app: traefik
+      ports:
+        - protocol: TCP
+          port: 443
+          name: websecure
+          targetPort: 443
+    ```
+    
+    ```yaml tab="Whoami"
+    kind: Deployment
+    apiVersion: apps/v1
+    metadata:
+      name: whoami
+      labels:
+        app: traefiklabs
+        name: whoami
+    
+    spec:
+      replicas: 2
+      selector:
+        matchLabels:
+          app: traefiklabs
+          task: whoami
+      template:
+        metadata:
+          labels:
+            app: traefiklabs
+            task: whoami
+        spec:
+          containers:
+            - name: whoami
+              image: traefik/whoami
+              ports:
+                - containerPort: 80
+    
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: whoami
+    
+    spec:
+      ports:
+        - name: http
+          port: 80
+      selector:
+        app: traefiklabs
+        task: whoami
+    ```
 
 ### Certificates Management
 
@@ -382,7 +726,9 @@ and will connect via TLS automatically.
             backend:
               serviceName: service1
               servicePort: 80
-    
+      # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
+      # Doesn't enable TLS for that ingress (hence for the underlying router).
+      # Please see the TLS annotations on ingress made for that purpose.
       tls:
       - secretName: supersecret
     ```
@@ -405,6 +751,28 @@ TLS certificates can be managed in Secrets objects.
     Only TLS certificates provided by users can be stored in Kubernetes Secrets.
     [Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kubernetes Secrets yet.
 
+### Communication Between Traefik and Pods
+
+Traefik automatically requests endpoint information based on the service provided in the ingress spec.
+Although Traefik will connect directly to the endpoints (pods),
+it still checks the service port to see if TLS communication is required.
+
+There are 3 ways to configure Traefik to use https to communicate with pods:
+
+1. If the service port defined in the ingress spec is `443` (note that you can still use `targetPort` to use a different port on your pod).
+1. If the service port defined in the ingress spec has a name that starts with https (such as `https-api`, `https-web` or just `https`).
+1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/service.serversscheme: https`.
+
+If either of those configuration options exist, then the backend communication protocol is assumed to be TLS,
+and will connect via TLS automatically.
+
+!!! info
+    
+    Please note that by enabling TLS communication between traefik and your pods,
+    you will have to have trusted certificates that have the proper trust chain and IP subject name.
+    If this is not an option, you may need to skip TLS certificate verification.
+    See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) setting for more details.
+
 ## Global Default Backend Ingresses
 
 Ingresses can be created that look like the following:

docs/content/routing/providers/kv.md

@@ -384,6 +384,14 @@ You can declare TCP Routers and/or Services using KV.
     | Key (Path)                                                        | Value |
     |-------------------------------------------------------------------|-------|
     | `traefik/tcp/services/mytcpservice/loadbalancer/terminationdelay` | `100` |
+    
+??? info "`traefik/tcp/services/<service_name>/loadbalancer/proxyprotocol/version`"
+
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+
+    | Key (Path)                                                             | Value |
+    |------------------------------------------------------------------------|-------|
+    | `traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version` | `1`   |
 
 ??? info "`traefik/tcp/services/<service_name>/weighted/services/<n>/name`"
 

docs/content/routing/providers/marathon.md

@@ -421,6 +421,14 @@ You can declare TCP Routers and/or Services using labels.
     "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay": "100"
     ```
 
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
+        
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+    
+    ```json
+    "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version": "1"
+    ```
+
 ### UDP
 
 You can declare UDP Routers and/or Services using labels.

docs/content/routing/providers/rancher.md

@@ -424,6 +424,14 @@ You can declare TCP Routers and/or Services using labels.
     - "traefik.tcp.services.mytcpservice.loadbalancer.terminationdelay=100"
     ```
 
+??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
+        
+    See [PROXY protocol](../services/index.md#proxy-protocol) for more information.
+    
+    ```yaml
+    - "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
+    ```
+
 ### UDP
 
 You can declare UDP Routers and/or Services using labels.

docs/content/routing/services/index.md

@@ -460,6 +460,33 @@ By default, `passHostHeader` is true.
             passHostHeader: false
     ```
 
+#### ServersTransport
+
+`serversTransport` allows to reference a [ServersTransport](./index.md#serverstransport_1) configuration for the communication between Traefik and your servers.
+
+??? example "Specify a transport -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.Service01]
+        [http.services.Service01.loadBalancer]
+          serversTransport = "mytransport"
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        Service01:
+          loadBalancer:
+            serversTransport = "mytransport"
+    ```
+
+!!! info default serversTransport
+    If no serversTransport is specified, the `default@internal` will be used. 
+    The `default@internal` serversTransport is created from the [static configuration](../overview.md#transport-configuration). 
+
 #### Response Forwarding
 
 This section is about configuring how Traefik forwards the response from the backend server to the client.
@@ -492,6 +519,301 @@ Below are the available options for the Response Forwarding mechanism:
               flushInterval: 1s
     ```
 
+### ServersTransport
+
+ServersTransport allows to configure the transport between Traefik and your servers.
+
+#### `ServerName`
+
+_Optional_
+
+`serverName` configure the server name that will be used for SNI.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport]
+  serverName = "myhost"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      serverName: "myhost"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    serverName: "test"
+```
+
+#### `Certificates`
+
+_Optional_
+
+`certificates` is the list of certificates (as file paths, or data bytes)
+that will be set as client certificates for mTLS.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[[http.serversTransports.mytransport.certificates]]
+  certFile = "foo.crt"
+  keyFile = "bar.crt"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      certificates:
+        - certFile: foo.crt
+          keyFile: bar.crt
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    certificatesSecrets:
+    - mycert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycert
+    
+  data:
+    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+    tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+#### `insecureSkipVerify`
+
+_Optional_
+
+`insecureSkipVerify` disables SSL certificate verification.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport]
+  insecureSkipVerify = true
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      insecureSkipVerify: true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    insecureSkipVerify: true
+```
+
+#### `rootCAs`
+
+_Optional_
+
+`rootCAs` is the list of certificates (as file paths, or data bytes)
+that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport]
+  rootCAs = ["foo.crt", "bar.crt"]
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      rootCAs:
+        - foo.crt
+        - bar.crt
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    rootCAsSecrets:
+    - myca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: myca
+    
+  data:
+    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+#### `maxIdleConnsPerHost`
+
+_Optional, Default=2_
+
+If non-zero, `maxIdleConnsPerHost` controls the maximum idle (keep-alive) connections to keep per-host.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport]
+  maxIdleConnsPerHost = 7
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      maxIdleConnsPerHost: 7
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    maxIdleConnsPerHost: 7
+```
+
+#### `forwardingTimeouts`
+
+`forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.
+
+##### `forwardingTimeouts.dialTimeout`
+
+_Optional, Default=30s_
+
+`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
+Zero means no timeout.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport.forwardingTimeouts]
+  dialTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      forwardingTimeouts:
+        dialTimeout: "1s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    forwardingTimeouts:
+      dialTimeout: "1s"
+```
+
+##### `forwardingTimeouts.responseHeaderTimeout`
+
+_Optional, Default=0s_
+
+`responseHeaderTimeout`, if non-zero, specifies the amount of time to wait for a server's response headers
+after fully writing the request (including its body, if any).
+This time does not include the time to read the response body.
+Zero means no timeout.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport.forwardingTimeouts]
+  responseHeaderTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      forwardingTimeouts:
+        responseHeaderTimeout: "1s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    forwardingTimeouts:
+      responseHeaderTimeout: "1s"
+```
+
+##### `forwardingTimeouts.idleConnTimeout`
+
+_Optional, Default=90s_
+
+`idleConnTimeout`, is the maximum amount of time an idle (keep-alive) connection
+will remain idle before closing itself.
+Zero means no limit.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport.forwardingTimeouts]
+  idleConnTimeout = "1s"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      forwardingTimeouts:
+        idleConnTimeout: "1s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    forwardingTimeouts:
+      idleConnTimeout: "1s"
+```
+
 ### Weighted Round Robin (service)
 
 The WRR is able to load balance the requests between multiple services based on weights.
@@ -592,7 +914,7 @@ http:
         # maxBodySize is the maximum size allowed for the body of the request.
         # If the body is larger, the request is not mirrored.
         # Default value is -1, which means unlimited size.
-        maxBodySize = 1024
+        maxBodySize: 1024
         mirrors:
         - name: appv2
           percent: 10
@@ -669,6 +991,39 @@ The `address` option (IP:Port) point to a specific instance.
               - address: "xx.xx.xx.xx:xx"
     ```
 
+#### PROXY Protocol
+
+Traefik supports [PROXY Protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2 on TCP Services.
+It can be enabled by setting `proxyProtocol` on the load balancer.
+
+Below are the available options for the PROXY protocol:
+
+- `version` specifies the version of the protocol to be used. Either `1` or `2`.
+
+!!! info "Version"
+
+    Specifying a version is optional. By default the version 2 will be used. 
+
+??? example "A Service with Proxy Protocol v1 -- Using the [File Provider](../../providers/file.md)"
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [tcp.services]
+      [tcp.services.my-service.loadBalancer]
+        [tcp.services.my-service.loadBalancer.proxyProtocol]
+          version = 1
+    ```
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    tcp:
+      services:
+        my-service:
+          loadBalancer:
+            proxyProtocol:
+              version: 1
+    ```
+
 #### Termination Delay
 
 As a proxy between a client and a server, it can happen that either side (e.g. client side) decides to terminate its writing capability on the connection (i.e. issuance of a FIN packet).

docs/content/user-guides/crd-acme/03-deployments.yml

@@ -26,7 +26,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
-          image: traefik:v2.3
+          image: traefik:v2.4
           args:
             - --api.insecure
             - --accesslog

docs/content/user-guides/crd-acme/k3s.yml

@@ -26,5 +26,5 @@ node:
     - K3S_CLUSTER_SECRET=somethingtotallyrandom
   volumes:
     # this is where you would place a alternative traefik image (saved as a .tar file with
-    # 'docker save'), if you want to use it, instead of the traefik:v2.3 image.
+    # 'docker save'), if you want to use it, instead of the traefik:v2.4 image.
     - /sowewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images

docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v2.3"
+    image: "traefik:v2.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml

@@ -13,7 +13,7 @@ secrets:
 services:
 
   traefik:
-    image: "traefik:v2.3"
+    image: "traefik:v2.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"