Prepare release v2.6.3

Return TLS unrecognized_name error when no certificate is available
fix: CI release
2025-09-16 17:44:30 +03:00 · 2022-03-29 15:00:09 +02:00 · 2022-03-28 18:18:08 +02:00 · 2022-03-28 17:36:07 +02:00 · 2022-03-28 16:22:10 +02:00 · 2022-03-28 15:24:08 +02:00
552 changed files with 22168 additions and 11433 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.5
+- for Traefik v2: use branch v2.6

 Bug fixes:
 - for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.5
+- for Traefik v2: use branch v2.6

 Enhancements:
 - for Traefik v1: we only accept bug fixes
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -8,7 +8,7 @@ on:
 env:
  GO_VERSION: 1.17
  CGO_ENABLED: 0
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -23,8 +23,8 @@ jobs:

      - name: Build webui
        run: |
-          make generate-webui
-          tar czvf webui.tar.gz ./static/
+          make clean-webui generate-webui
+          tar czvf webui.tar.gz ./webui/static/

      - name: Artifact webui
        uses: actions/upload-artifact@v2
@@ -66,9 +66,6 @@ jobs:
          key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-build-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: Artifact webui
        uses: actions/download-artifact@v2
        with:
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -44,7 +44,7 @@ jobs:
          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}

      - name: Apply seo
-        run: $HOME/bin/seo -path=./site
+        run: $HOME/bin/seo -path=./site -product=traefik

      - name: Publish documentation
        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -0,0 +1,37 @@
+name: Build experimental image on branch
+
+on:
+  push:
+    branches:
+      - master
+      - v*
+
+jobs:
+
+  experimental:
+    if: github.repository == 'traefik/traefik'
+    name: Build experimental image on branch
+    runs-on: ubuntu-20.04
+
+    steps:
+
+      # https://github.com/marketplace/actions/checkout
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Branch name
+        run: echo ${GITHUB_REF##*/}
+
+      - name: Build docker experimental image
+        run: docker build -t traefik/traefik:experimental-${GITHUB_REF##*/} -f exp.Dockerfile .
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Push to Docker Hub
+        run: docker push traefik/traefik:experimental-${GITHUB_REF##*/}
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -7,7 +7,7 @@ on:

 env:
  GO_VERSION: 1.17
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -39,8 +39,8 @@ jobs:
          key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-test-unit-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - name: Avoid generating webui
+        run: touch webui/static/index.html

      - name: Tests
        run: make test-unit
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -7,9 +7,9 @@ on:

 env:
  GO_VERSION: 1.17
-  GOLANGCI_LINT_VERSION: v1.41.1
+  GOLANGCI_LINT_VERSION: v1.45.0
  MISSSPELL_VERSION: v0.3.4
-  PRE_TARGET: ""
+  IN_DOCKER: ""

 jobs:

@@ -41,15 +41,15 @@ jobs:
          key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-validate-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}

      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}

+      - name: Avoid generating webui
+        run: touch webui/static/index.html
+
      - name: Validate
        run: make validate

@@ -81,9 +81,6 @@ jobs:
          key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
          restore-keys: ${{ runner.os }}-validate-generate-go-

-      - name: Installing dependencies
-        run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
-
      - name: go generate
        run: |
          go generate
--- a/.gitignore
+++ b/.gitignore
@@ -7,7 +7,6 @@
 /webui/.tmp/
 /site/
 /docs/site/
-/static/
 /autogen/
 /traefik
 /traefik.toml
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -16,9 +16,6 @@
  [linters-settings.gocyclo]
    min-complexity = 14.0

-  [linters-settings.maligned]
-    suggest-new = true
-
  [linters-settings.goconst]
    min-len = 3.0
    min-occurrences = 4.0
@@ -51,6 +48,59 @@
    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+    composeapi = "github.com/docker/compose/v2/pkg/api"
+
+  [linters-settings.revive]
+    [[linters-settings.revive.rules]]
+      name = "struct-tag"
+    [[linters-settings.rules]]
+      name = "blank-imports"
+    [[linters-settings.rules]]
+      name = "context-as-argument"
+    [[linters-settings.rules]]
+      name = "context-keys-type"
+    [[linters-settings.rules]]
+      name = "dot-imports"
+    [[linters-settings.rules]]
+      name = "error-return"
+    [[linters-settings.rules]]
+      name = "error-strings"
+    [[linters-settings.rules]]
+      name = "error-naming"
+    [[linters-settings.rules]]
+      name = "exported"
+    [[linters-settings.rules]]
+      name = "if-return"
+    [[linters-settings.rules]]
+      name = "increment-decrement"
+    [[linters-settings.rules]]
+      name = "var-naming"
+    [[linters-settings.rules]]
+      name = "var-declaration"
+    [[linters-settings.rules]]
+      name = "package-comments"
+    [[linters-settings.rules]]
+      name = "range"
+    [[linters-settings.rules]]
+      name = "receiver-naming"
+    [[linters-settings.rules]]
+      name = "time-naming"
+    [[linters-settings.rules]]
+      name = "unexported-return"
+    [[linters-settings.rules]]
+      name = "indent-error-flow"
+    [[linters-settings.rules]]
+      name = "errorf"
+    [[linters-settings.rules]]
+      name = "empty-block"
+    [[linters-settings.rules]]
+      name = "superfluous-else"
+    [[linters-settings.rules]]
+      name = "unused-parameter"
+    [[linters-settings.rules]]
+      name = "unreachable-code"
+    [[linters-settings.rules]]
+      name = "redefines-builtin-id"

  [linters-settings.gomoddirectives]
    replace-allow-list = [
@@ -59,6 +109,7 @@
      "github.com/gorilla/mux",
      "github.com/mailgun/minheap",
      "github.com/mailgun/multibuf",
+      "github.com/jaguilar/vt100",
    ]

 [linters]
@@ -99,6 +150,12 @@
    "godox", # Too strict
    "forcetypeassert", # Too strict
    "tagliatelle", # Not compatible with current tags.
+    "varnamelen", # not relevant
+    "nilnil", # not relevant
+    "ireturn", # not relevant
+    "contextcheck", # too many false-positive
+    "containedctx", # too many false-positive
+    "maintidx", # kind of duplicate of gocyclo
  ]

 [issues]
@@ -154,3 +211,6 @@
 [[issues.exclude-rules]]
    path = "pkg/log/deprecated.go"
    linters = ["godot"]
+ [[issues.exclude-rules]]
+    path = "(.+)\\.go"
+    text = "struct-tag: unknown option 'inline' in JSON tag"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -12,7 +12,8 @@ builds:
      - CGO_ENABLED=0
    ldflags:
      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
-
+    flags:
+      - -trimpath
    goos:
      - linux
      - darwin
@@ -25,6 +26,7 @@ builds:
      - arm
      - arm64
      - ppc64le
+      - s390x
    goarm:
      - 7
      - 6
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -25,49 +25,30 @@ global_job_config:
      - export "PATH=${GOPATH}/bin:${PATH}"
      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.41.1
-      - curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
-      - go install github.com/containous/go-bindata/go-bindata@v1.0.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.45.0
+      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
      - checkout
      - cache restore traefik-$(checksum go.sum)

 blocks:
-  - name: Test Integration Container
+  - name: Test Integration
    dependencies: []
    run:
      when: "branch =~ '.*' OR pull_request =~'.*'"
    task:
      jobs:
-        - name: Test Integration Container
+        - name: Test Integration
          commands:
            - make pull-images
-            - mkdir -p static # Avoid to generate webui
-            - PRE_TARGET="" make binary
-            - make test-integration-container
+            - touch webui/static/index.html # Avoid generating webui
+            - IN_DOCKER="" make binary
+            - make test-integration
            - df -h
      epilogue:
        always:
          commands:
            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod

-  - name: Test Integration Host
-    dependencies: []
-    run:
-      when: "branch =~ '.*' OR pull_request =~'.*'"
-    task:
-      env_vars:
-        - name: PRE_TARGET
-          value: ""
-      jobs:
-        - name: Test Integration Host
-          commands:
-            - mkdir -p static # Avoid to generate webui
-            - make test-integration-host
-      epilogue:
-        always:
-          commands:
-            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
-
  - name: Release
    dependencies: []
    run:
@@ -83,8 +64,8 @@ blocks:
        - name: GH_VERSION
          value: 1.12.1
        - name: CODENAME
-          value: "livarot"
-        - name: PRE_TARGET
+          value: "rocamadour"
+        - name: IN_DOCKER
          value: ""
      prologue:
        commands:
@@ -92,6 +73,8 @@ blocks:
          - curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
          - tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
          - sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
+          - sudo rm -rf ~/.phpbrew ~/.kerl ~/.sbt ~/.nvm ~/.npm ~/.kiex /usr/lib/jvm /opt/az /opt/firefox # Remove unnecessary data.
+          - sudo service docker stop && sudo umount /var/lib/docker && sudo service docker start # Unmounts the docker disk and the whole system disk is usable.
      jobs:
        - name: Release
          commands:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,274 @@
+## [v2.6.3](https://github.com/traefik/traefik/tree/v2.6.3) (2022-03-28)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.2...v2.6.3)
+
+**Bug fixes:**
+- **[plugins]** Fix slice parsing for plugins ([#8886](https://github.com/traefik/traefik/pull/8886) by [ldez](https://github.com/ldez))
+- **[tls]** Return TLS unrecognized_name error when no certificate is available ([#8893](https://github.com/traefik/traefik/pull/8893) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.6.2](https://github.com/traefik/traefik/tree/v2.6.2) (2022-03-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.1...v2.6.2)
+
+**Bug fixes:**
+- **[file]** Bump paerser to v0.1.5 ([#8850](https://github.com/traefik/traefik/pull/8850) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix certificates resolver typo ([#8859](https://github.com/traefik/traefik/pull/8859) by [NReilingh](https://github.com/NReilingh))
+- **[docker]** doc: fix, docker uses Label(), not Tag() ([#8823](https://github.com/traefik/traefik/pull/8823) by [mpl](https://github.com/mpl))
+- **[http3]** Fix CLI syntax in HTTP/3 documentation ([#8864](https://github.com/traefik/traefik/pull/8864) by [nstankov-bg](https://github.com/nstankov-bg))
+- **[kv]** Fix small typo in Redis provider documentation ([#8858](https://github.com/traefik/traefik/pull/8858) by [lczw](https://github.com/lczw))
+- **[marathon]** Fix brand typo ([#8788](https://github.com/traefik/traefik/pull/8788) by [0xflotus](https://github.com/0xflotus))
+- **[middleware]** Fix fenced code block typo in Buffering middleware page ([#8855](https://github.com/traefik/traefik/pull/8855) by [Wingysam](https://github.com/Wingysam))
+- **[rules]** Adjust rule length in routers documentation ([#8819](https://github.com/traefik/traefik/pull/8819) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Fix HostRegexp examples ([#8817](https://github.com/traefik/traefik/pull/8817) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,k8s/crd,k8s]** Add default certificate definition example for Kubernetes ([#8863](https://github.com/traefik/traefik/pull/8863) by [jwausle](https://github.com/jwausle))
+- **[tls,k8s]** Clarify TLS Option documentation ([#8756](https://github.com/traefik/traefik/pull/8756) by [mloiseleur](https://github.com/mloiseleur))
+- Clarify concepts documentation page ([#8836](https://github.com/traefik/traefik/pull/8836) by [NReilingh](https://github.com/NReilingh))
+- Spelling ([#8791](https://github.com/traefik/traefik/pull/8791) by [jsoref](https://github.com/jsoref))
+- Fix routing overview examples ([#8840](https://github.com/traefik/traefik/pull/8840) by [NReilingh](https://github.com/NReilingh))
+- Add a deprecation notices section ([#8829](https://github.com/traefik/traefik/pull/8829) by [ddtmachado](https://github.com/ddtmachado))
+
+## [v2.6.1](https://github.com/traefik/traefik/tree/v2.6.1) (2022-02-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0...v2.6.1)
+
+**Bug fixes:**
+- **[acme]** Add domain to HTTP challenge errors ([#8740](https://github.com/traefik/traefik/pull/8740) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix metrics bucket key high cardinality ([#8761](https://github.com/traefik/traefik/pull/8761) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,tls]** Use CNAME for SNI check on host header ([#8773](https://github.com/traefik/traefik/pull/8773) by [ldez](https://github.com/ldez))
+- **[middleware,tracing]** Rename Datadog span tags ([#8323](https://github.com/traefik/traefik/pull/8323) by [luckielordie](https://github.com/luckielordie))
+- **[tls]** Apply the same approach as the rules system on the TLS configuration choice ([#8764](https://github.com/traefik/traefik/pull/8764) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Add Hurricane Electric to acme documentation ([#8746](https://github.com/traefik/traefik/pull/8746) by [vladshub](https://github.com/vladshub))
+- **[acme]** Clarify that ACME challenge is mandatory ([#8739](https://github.com/traefik/traefik/pull/8739) by [mpl](https://github.com/mpl))
+- **[http3]** Explain a bit more around enabling HTTP3 ([#8731](https://github.com/traefik/traefik/pull/8731) by [SantoDE](https://github.com/SantoDE))
+- **[metrics]** Fix mixups in metrics documentation ([#8752](https://github.com/traefik/traefik/pull/8752) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,k8s/crd]** Fix Kubernetes TCP examples ([#8759](https://github.com/traefik/traefik/pull/8759) by [sylr](https://github.com/sylr))
+
+## [v2.6.0](https://github.com/traefik/traefik/tree/v2.6.0) (2022-01-24)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc1...v2.6.0)
+
+**Enhancements:**
+- **[acme]** Allow configuration of ACME certificates duration ([#8046](https://github.com/traefik/traefik/pull/8046) by [pmontepagano](https://github.com/pmontepagano))
+- **[consul,consulcatalog]** Support consul enterprise namespaces in consul catalog provider ([#8592](https://github.com/traefik/traefik/pull/8592) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Update gateway api provider to v1alpha2 ([#8535](https://github.com/traefik/traefik/pull/8535) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support gateway api RouteNamespaces ([#8299](https://github.com/traefik/traefik/pull/8299) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s/crd]** Support Kubernetes basic-auth secrets ([#8189](https://github.com/traefik/traefik/pull/8189) by [dtomcej](https://github.com/dtomcej))
+- **[metrics]** Add configurable tags to influxdb metrics ([#8308](https://github.com/traefik/traefik/pull/8308) by [Tetha](https://github.com/Tetha))
+- **[metrics]** Add prefix to datadog metrics ([#8234](https://github.com/traefik/traefik/pull/8234) by [fredwangwang](https://github.com/fredwangwang))
+- **[middleware,tcp]** Add in flight connection middleware ([#8429](https://github.com/traefik/traefik/pull/8429) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Add Organizational Unit to passtlscert middleware ([#7958](https://github.com/traefik/traefik/pull/7958) by [FernFerret](https://github.com/FernFerret))
+- **[middleware]** Allow configuration of minimum body size for compress middleware ([#8239](https://github.com/traefik/traefik/pull/8239) by [lus](https://github.com/lus))
+- **[middleware]** Ceil Retry-After value in the rate-limit middleware ([#8581](https://github.com/traefik/traefik/pull/8581) by [pyaillet](https://github.com/pyaillet))
+- **[middleware]** Refactor Exponential Backoff ([#7519](https://github.com/traefik/traefik/pull/7519) by [danieladams456](https://github.com/danieladams456))
+- **[server,k8s/crd,k8s]** Allow configuration of HTTP/2 readIdleTimeout and pingTimeout ([#8539](https://github.com/traefik/traefik/pull/8539) by [tomMoulard](https://github.com/tomMoulard))
+- **[server]** Allow configuration of advertised port for HTTP/3 ([#8131](https://github.com/traefik/traefik/pull/8131) by [valerauko](https://github.com/valerauko))
+- **[tracing]** Upgrade Instana tracer and make process profiling configurable ([#8334](https://github.com/traefik/traefik/pull/8334) by [andriikushch](https://github.com/andriikushch))
+
+**Bug fixes:**
+- **[consul,kv]** Support Consul KV Enterprise namespaces ([#8692](https://github.com/traefik/traefik/pull/8692) by [kevinpollet](https://github.com/kevinpollet))
+- **[consul]** Support token authentication for Consul KV  ([#8712](https://github.com/traefik/traefik/pull/8712) by [kevinpollet](https://github.com/kevinpollet))
+- **[consulcatalog]** Configure Consul Catalog namespace at client level ([#8725](https://github.com/traefik/traefik/pull/8725) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Upgrade Instana tracer dependency ([#8687](https://github.com/traefik/traefik/pull/8687) by [andriikushch](https://github.com/andriikushch))
+- **[logs]** Redact credentials before logging ([#8699](https://github.com/traefik/traefik/pull/8699) by [ibrahimalihc](https://github.com/ibrahimalihc))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8720](https://github.com/traefik/traefik/pull/8720) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8717](https://github.com/traefik/traefik/pull/8717) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8714](https://github.com/traefik/traefik/pull/8714) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into v2.6 ([#8688](https://github.com/traefik/traefik/pull/8688) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8664](https://github.com/traefik/traefik/pull/8664) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8651](https://github.com/traefik/traefik/pull/8651) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8645](https://github.com/traefik/traefik/pull/8645) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8609](https://github.com/traefik/traefik/pull/8609) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8563](https://github.com/traefik/traefik/pull/8563) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8498](https://github.com/traefik/traefik/pull/8498) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8461](https://github.com/traefik/traefik/pull/8461) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8435](https://github.com/traefik/traefik/pull/8435) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.5 into master ([#8419](https://github.com/traefik/traefik/pull/8419) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8411](https://github.com/traefik/traefik/pull/8411) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8316](https://github.com/traefik/traefik/pull/8316) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8298](https://github.com/traefik/traefik/pull/8298) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8289](https://github.com/traefik/traefik/pull/8289) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8241](https://github.com/traefik/traefik/pull/8241) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.6.0-rc3](https://github.com/traefik/traefik/tree/v2.6.0-rc3) (2022-01-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0-rc2...v2.6.0-rc3)
+
+**Bug fixes:**
+- **[consul]** Support token authentication for Consul KV  ([#8712](https://github.com/traefik/traefik/pull/8712) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8717](https://github.com/traefik/traefik/pull/8717) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8714](https://github.com/traefik/traefik/pull/8714) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.5.7](https://github.com/traefik/traefik/tree/v2.5.7) (2022-01-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.6...v2.5.7)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.6.0 ([#8716](https://github.com/traefik/traefik/pull/8716) by [ldez](https://github.com/ldez))
+- **[logs]** Adjust log level from info to debug ([#8718](https://github.com/traefik/traefik/pull/8718) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Fix middleware plugins memory leak ([#8702](https://github.com/traefik/traefik/pull/8702) by [ldez](https://github.com/ldez))
+- **[server]** Mitigate memory leak ([#8706](https://github.com/traefik/traefik/pull/8706) by [mpl](https://github.com/mpl))
+- **[webui,middleware]** Fix middleware regexp&#39;s display ([#8697](https://github.com/traefik/traefik/pull/8697) by [tomMoulard](https://github.com/tomMoulard))
+
+**Documentation:**
+- **[http]** Fix HTTP provider endpoint config example  ([#8715](https://github.com/traefik/traefik/pull/8715) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s]** Remove typo in Kubernetes providers labelSelector examples ([#8676](https://github.com/traefik/traefik/pull/8676) by [colinwilson](https://github.com/colinwilson))
+- **[rules]** Improve regexp matcher documentation ([#8686](https://github.com/traefik/traefik/pull/8686) by [Hades32](https://github.com/Hades32))
+- **[tracing]** Fix broken jaeger documentation link ([#8665](https://github.com/traefik/traefik/pull/8665) by [tomMoulard](https://github.com/tomMoulard))
+- Update copyright for 2022 ([#8679](https://github.com/traefik/traefik/pull/8679) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.6.0-rc2](https://github.com/traefik/traefik/tree/v2.6.0-rc2) (2022-01-12)
+[All Commits](https://github.com/traefik/traefik/compare/v2.6.0-rc1...v2.6.0-rc2)
+
+**Bug fixes:**
+- **[consul,kv]** Support Consul KV Enterprise namespaces ([#8692](https://github.com/traefik/traefik/pull/8692) by [kevinpollet](https://github.com/kevinpollet))
+- **[tracing]** Upgrade Instana tracer dependency ([#8687](https://github.com/traefik/traefik/pull/8687) by [andriikushch](https://github.com/andriikushch))
+
+**Misc:**
+- Merge current v2.5 into v2.6 ([#8688](https://github.com/traefik/traefik/pull/8688) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8664](https://github.com/traefik/traefik/pull/8664) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into v2.6 ([#8651](https://github.com/traefik/traefik/pull/8651) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.5.6](https://github.com/traefik/traefik/tree/v2.5.6) (2021-12-22)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.5...v2.5.6)
+
+**Bug fixes:**
+- **[middleware]** Process all X-Forwarded-For headers in the request ([#8596](https://github.com/traefik/traefik/pull/8596) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Update Yaegi to v0.11.2 ([#8650](https://github.com/traefik/traefik/pull/8650) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net dependency version ([#8635](https://github.com/traefik/traefik/pull/8635) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[api]** Add missing API endpoints documentation ([#8649](https://github.com/traefik/traefik/pull/8649) by [ichxxx](https://github.com/ichxxx))
+- **[middleware]** Fix passTLSClientCert CRD example name ([#8637](https://github.com/traefik/traefik/pull/8637) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Correct documentation in middleware overview ([#8636](https://github.com/traefik/traefik/pull/8636) by [Alestrix](https://github.com/Alestrix))
+
+## [v2.6.0-rc1](https://github.com/traefik/traefik/tree/v2.6.0-rc1) (2021-12-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc1...v2.6.0-rc1)
+
+**Enhancements:**
+- **[acme]** Allow configuration of ACME certificates duration ([#8046](https://github.com/traefik/traefik/pull/8046) by [pmontepagano](https://github.com/pmontepagano))
+- **[consul,consulcatalog]** Support consul enterprise namespaces in consul catalog provider ([#8592](https://github.com/traefik/traefik/pull/8592) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Update gateway api provider to v1alpha2 ([#8535](https://github.com/traefik/traefik/pull/8535) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support gateway api RouteNamespaces ([#8299](https://github.com/traefik/traefik/pull/8299) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s/crd]** Support Kubernetes basic-auth secrets ([#8189](https://github.com/traefik/traefik/pull/8189) by [dtomcej](https://github.com/dtomcej))
+- **[metrics]** Add configurable tags to influxdb metrics ([#8308](https://github.com/traefik/traefik/pull/8308) by [Tetha](https://github.com/Tetha))
+- **[metrics]** Add prefix to datadog metrics ([#8234](https://github.com/traefik/traefik/pull/8234) by [fredwangwang](https://github.com/fredwangwang))
+- **[middleware,tcp]** Add in flight connection middleware ([#8429](https://github.com/traefik/traefik/pull/8429) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Add Organizational Unit to passtlscert middleware ([#7958](https://github.com/traefik/traefik/pull/7958) by [FernFerret](https://github.com/FernFerret))
+- **[middleware]** Allow configuration of minimum body size for compress middleware ([#8239](https://github.com/traefik/traefik/pull/8239) by [lus](https://github.com/lus))
+- **[middleware]** Ceil Retry-After value in the rate-limit middleware ([#8581](https://github.com/traefik/traefik/pull/8581) by [pyaillet](https://github.com/pyaillet))
+- **[middleware]** Refactor Exponential Backoff ([#7519](https://github.com/traefik/traefik/pull/7519) by [danieladams456](https://github.com/danieladams456))
+- **[server,k8s/crd,k8s]** Allow configuration of HTTP/2 readIdleTimeout and pingTimeout ([#8539](https://github.com/traefik/traefik/pull/8539) by [tomMoulard](https://github.com/tomMoulard))
+- **[server]** Allow configuration of advertised port for HTTP/3 ([#8131](https://github.com/traefik/traefik/pull/8131) by [valerauko](https://github.com/valerauko))
+- **[tracing]** Upgrade Instana tracer and make process profiling configurable ([#8334](https://github.com/traefik/traefik/pull/8334) by [andriikushch](https://github.com/andriikushch))
+
+**Misc:**
+- Merge current v2.5 into master ([#8609](https://github.com/traefik/traefik/pull/8609) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8563](https://github.com/traefik/traefik/pull/8563) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8498](https://github.com/traefik/traefik/pull/8498) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.5 into master ([#8461](https://github.com/traefik/traefik/pull/8461) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8435](https://github.com/traefik/traefik/pull/8435) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Merge current v2.5 into master ([#8419](https://github.com/traefik/traefik/pull/8419) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8411](https://github.com/traefik/traefik/pull/8411) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8316](https://github.com/traefik/traefik/pull/8316) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8298](https://github.com/traefik/traefik/pull/8298) by [tomMoulard](https://github.com/tomMoulard))
+- Merge current v2.5 into master ([#8289](https://github.com/traefik/traefik/pull/8289) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.5 into master ([#8241](https://github.com/traefik/traefik/pull/8241) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.5.5](https://github.com/traefik/traefik/tree/v2.5.5) (2021-12-09)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.4...v2.5.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.5.3 ([#8607](https://github.com/traefik/traefik/pull/8607) by [lippertmarkus](https://github.com/lippertmarkus))
+- **[k8s/crd,k8s]** fix: propagate source criterion config to RateLimit middleware in Kubernetes CRD ([#8591](https://github.com/traefik/traefik/pull/8591) by [rbailly-talend](https://github.com/rbailly-talend))
+- **[plugins]** plugins: start the go routine before calling Provide ([#8620](https://github.com/traefik/traefik/pull/8620) by [ldez](https://github.com/ldez))
+- **[plugins]** Update yaegi to v0.11.1 ([#8600](https://github.com/traefik/traefik/pull/8600) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Update yaegi v0.11.0 ([#8564](https://github.com/traefik/traefik/pull/8564) by [ldez](https://github.com/ldez))
+- **[udp]** fix: increase UDP read buffer length to max datagram size ([#8560](https://github.com/traefik/traefik/pull/8560) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[consul]** docs: removing typo in consul-catalog provider doc ([#8603](https://github.com/traefik/traefik/pull/8603) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** docs: remove misleading metrics overview configuration ([#8579](https://github.com/traefik/traefik/pull/8579) by [gsilvapt](https://github.com/gsilvapt))
+- **[middleware]** docs: align docker configuration example notes in basicauth HTTP middleware ([#8615](https://github.com/traefik/traefik/pull/8615) by [tomMoulard](https://github.com/tomMoulard))
+- **[service]** docs: health check use readiness probe in k8s ([#8575](https://github.com/traefik/traefik/pull/8575) by [Vampouille](https://github.com/Vampouille))
+- **[tls]** docs: uniformize client TLS config documentation ([#8602](https://github.com/traefik/traefik/pull/8602) by [kevinpollet](https://github.com/kevinpollet))
+- Update CODE_OF_CONDUCT.md ([#8619](https://github.com/traefik/traefik/pull/8619) by [tfny](https://github.com/tfny))
+- fixed minor spelling error in Regexp Syntax section ([#8565](https://github.com/traefik/traefik/pull/8565) by [kerrsmith](https://github.com/kerrsmith))
+
+## [v2.5.4](https://github.com/traefik/traefik/tree/v2.5.4) (2021-11-08)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.3...v2.5.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.5.0 ([#8481](https://github.com/traefik/traefik/pull/8481) by [ldez](https://github.com/ldez))
+- **[k8s/crd,k8s]** fix: add missing RequireAnyClientCert value to TLSOption CRD ([#8464](https://github.com/traefik/traefik/pull/8464) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/crd,k8s]** fix: normalize middleware names in ingress route config ([#8484](https://github.com/traefik/traefik/pull/8484) by [aaronraff](https://github.com/aaronraff))
+- **[middleware,provider,tls]** fix: do not require a TLS client cert when InsecureSkipVerify is false ([#8525](https://github.com/traefik/traefik/pull/8525) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,tls]** fix: use host&#39;s root CA set if ClientTLS ca is not defined ([#8545](https://github.com/traefik/traefik/pull/8545) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: forward request Host to errors middleware service ([#8460](https://github.com/traefik/traefik/pull/8460) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: use EscapedPath as header value when RawPath is empty ([#8251](https://github.com/traefik/traefik/pull/8251) by [dtomcej](https://github.com/dtomcej))
+- **[tcp,udp]** fix: TCP/UDP wrr when all servers have a weight set to 0 ([#8553](https://github.com/traefik/traefik/pull/8553) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** fix: bug parsing weighted service provider name ([#8522](https://github.com/traefik/traefik/pull/8522) by [cocoanton](https://github.com/cocoanton))
+
+**Documentation:**
+- **[acme]** docs: remove quotes in certificatesresolvers CLI examples ([#8544](https://github.com/traefik/traefik/pull/8544) by [rdxmb](https://github.com/rdxmb))
+- **[k8s/ingress,k8s]** docs: clarify usage for cross provider references in Kubernetes ingress annotations ([#8536](https://github.com/traefik/traefik/pull/8536) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** docs: networking.k8s.io/v1beta1 to networking.k8s.io/v1 ([#8523](https://github.com/traefik/traefik/pull/8523) by [pmareke](https://github.com/pmareke))
+- **[k8s]** docs: replace links to French translation of k8s docs with English ones ([#8457](https://github.com/traefik/traefik/pull/8457) by [FoseFx](https://github.com/FoseFx))
+- **[k8s]** docs: remove non-working kind config in IngressRouteTCP/UDP examples ([#8538](https://github.com/traefik/traefik/pull/8538) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** docs: fix typo in KV providers documentation ([#8477](https://github.com/traefik/traefik/pull/8477) by [rondoe](https://github.com/rondoe))
+- **[metrics]** docs: fix typo in addRoutersLabels option title ([#8561](https://github.com/traefik/traefik/pull/8561) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: sourceCriterion documentation for InFlightReq and RateLimit middlewares ([#8524](https://github.com/traefik/traefik/pull/8524) by [pmareke](https://github.com/pmareke))
+- **[middleware]** Mention escaping escape characters in YAML for regex usage ([#8496](https://github.com/traefik/traefik/pull/8496) by [JackMorganNZ](https://github.com/JackMorganNZ))
+- **[rules]** docs: add named groups details to Regexp Syntax section ([#8559](https://github.com/traefik/traefik/pull/8559) by [kerrsmith](https://github.com/kerrsmith))
+- **[tracing]** docs: reword tracing config descriptions to be consistent ([#8473](https://github.com/traefik/traefik/pull/8473) by [kevinpollet](https://github.com/kevinpollet))
+- docs: remove link to microbadger.com ([#8555](https://github.com/traefik/traefik/pull/8555) by [CrispyBaguette](https://github.com/CrispyBaguette))
+- docs: remove http scheme urls in documentation ([#8507](https://github.com/traefik/traefik/pull/8507) by [tomMoulard](https://github.com/tomMoulard))
+- docs: update traefik image version ([#8533](https://github.com/traefik/traefik/pull/8533) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.5.3](https://github.com/traefik/traefik/tree/v2.5.3) (2021-09-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.2...v2.5.3)
+
+**Bug fixes:**
+- **[consulcatalog]** Fix certChan defaulting on consul catalog provider ([#8439](https://github.com/traefik/traefik/pull/8439) by [tomMoulard](https://github.com/tomMoulard))
+- **[k8s/crd,k8s]** Fix peerCertURI config for k8s crd provider  ([#8454](https://github.com/traefik/traefik/pull/8454) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/crd,k8s]** Ensure disableHTTP2 works with k8s crd ([#8448](https://github.com/traefik/traefik/pull/8448) by [ssboisen](https://github.com/ssboisen))
+- **[k8s/crd,k8s]** Fix ServersTransport reference from IngressRoute service definition ([#8431](https://github.com/traefik/traefik/pull/8431) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/crd,k8s]** Add cross namespace verification in Kubernetes CRD ([#8422](https://github.com/traefik/traefik/pull/8422) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Fix Prometheus router&#39;s metrics ([#8425](https://github.com/traefik/traefik/pull/8425) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Update yaegi to v0.10.0 ([#8452](https://github.com/traefik/traefik/pull/8452) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[middleware,file]** Fix TCP middleware whitelist example ([#8421](https://github.com/traefik/traefik/pull/8421) by [tribal2](https://github.com/tribal2))
+- **[middleware]** Add default proxy headers list ([#8418](https://github.com/traefik/traefik/pull/8418) by [aaronraff](https://github.com/aaronraff))
+- Add Tom Moulard in maintainers team ([#8442](https://github.com/traefik/traefik/pull/8442) by [jbdoumenjou](https://github.com/jbdoumenjou))
+- Fix golang doc URLs ([#8434](https://github.com/traefik/traefik/pull/8434) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.5.2](https://github.com/traefik/traefik/tree/v2.5.2) (2021-09-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.1...v2.5.2)
+
+**Bug fixes:**
+- **[http3]** Upgrade github.com/lucas-clemente/quic-go to v0.23.0 ([#8413](https://github.com/traefik/traefik/pull/8413) by [sylr](https://github.com/sylr))
+- **[middleware]** Fix empty body error for mirroring middleware ([#8381](https://github.com/traefik/traefik/pull/8381) by [antgubarev](https://github.com/antgubarev))
+- **[tracing]** Bump go.elastic.co/apm version to v1.13.1 ([#8399](https://github.com/traefik/traefik/pull/8399) by [rtribotte](https://github.com/rtribotte))
+- Update x/sys to support go 1.17 ([#8368](https://github.com/traefik/traefik/pull/8368) by [roopakv](https://github.com/roopakv))
+- Bump Alpine docker image version from 3.11 to 3.14 for official Traefik images
+
+**Documentation:**
+- **[k8s/ingress,k8s]** Adds pathType for v1 ingresses examples ([#8392](https://github.com/traefik/traefik/pull/8392) by [rtribotte](https://github.com/rtribotte))
+- Fix http scheme urls in documentation ([#8395](https://github.com/traefik/traefik/pull/8395) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.5.1](https://github.com/traefik/traefik/tree/v2.5.1) (2021-08-20)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.0...v2.5.1)
+
+**Bug fixes:**
+- **[middleware,http3]** Conditional CloseNotify in header middleware ([#8374](https://github.com/traefik/traefik/pull/8374) by [juliens](https://github.com/juliens))
+- **[tls,tcp,k8s/crd,k8s]** Makes ALPN protocols configurable ([#8383](https://github.com/traefik/traefik/pull/8383) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[k8s]** Adds MiddlewareTCP CRD documentation ([#8369](https://github.com/traefik/traefik/pull/8369) by [perosb](https://github.com/perosb))
+- **[middleware]** Adds ContentType to middleware&#39;s overview table ([#8350](https://github.com/traefik/traefik/pull/8350) by [euidong](https://github.com/euidong))
+
 ## [v2.5.0](https://github.com/traefik/traefik/tree/v2.5.0) (2021-08-17)
 [All Commits](https://github.com/traefik/traefik/compare/v2.4.0-rc1...v2.5.0)

@@ -1541,7 +1812,7 @@ Same changelog as v2.0.3.
 - fix: remove extra backtick from routers docs ([#5572](https://github.com/traefik/traefik/pull/5572) by [serpi90](https://github.com/serpi90))
 - document providersThrottleDuration ([#5519](https://github.com/traefik/traefik/pull/5519) by [mpl](https://github.com/mpl))
 - Add a response forwarding section to the service documentation  ([#5517](https://github.com/traefik/traefik/pull/5517) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Change instances of &#34;dymanic&#34; to &#34;dynamic&#34; ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
+- Change instances of &#34;dynamic&#34; to &#34;dynamic&#34; ([#5504](https://github.com/traefik/traefik/pull/5504) by [dat-gitto-kid](https://github.com/dat-gitto-kid))
 - Add the pass host header section to the services documentation ([#5500](https://github.com/traefik/traefik/pull/5500) by [jbdoumenjou](https://github.com/jbdoumenjou))
 - fix misspelling on documentation landing page ([#5613](https://github.com/traefik/traefik/pull/5613) by [cthompson527](https://github.com/cthompson527))

@@ -2533,7 +2804,7 @@ Same changelog as v2.0.3.
 - **[healthcheck]** Query params in health check ([#4188](https://github.com/traefik/traefik/pull/4188) by [mmatur](https://github.com/mmatur))
 - **[metrics]** Upgraded DD APM library ([#4189](https://github.com/traefik/traefik/pull/4189) by [aantono](https://github.com/aantono))
 - **[middleware]** Fix ssl force host secure middleware ([#4138](https://github.com/traefik/traefik/pull/4138) by [mmatur](https://github.com/mmatur))
- **[oxy]** Fix unannonced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
+- **[oxy]** Fix unannounced trailers problem when body is empty ([#4258](https://github.com/traefik/traefik/pull/4258) by [juliens](https://github.com/juliens))
 - **[provider,server]** Log configuration errors from providers and keeps listening ([#4230](https://github.com/traefik/traefik/pull/4230) by [geraldcroes](https://github.com/geraldcroes))
 - **[tls]** Implement Case-insensitive SNI matching ([#4132](https://github.com/traefik/traefik/pull/4132) by [dtomcej](https://github.com/dtomcej))
 - Use ParseInt instead of Atoi for parsing durations ([#4263](https://github.com/traefik/traefik/pull/4263) by [mmatur](https://github.com/mmatur))
@@ -3677,7 +3948,7 @@ Same changelog as v2.0.3.
 - **[etcd]** Fix typo in examples ([#2446](https://github.com/traefik/traefik/pull/2446) by [dahefanteng](https://github.com/dahefanteng))
 - **[k8s]** Add note to Kubernetes RBAC docs about RoleBindings and namespaces ([#2498](https://github.com/traefik/traefik/pull/2498) by [jmara](https://github.com/jmara))
 - **[k8s]** k8s guide: Leave note about assumed DaemonSet usage. ([#2634](https://github.com/traefik/traefik/pull/2634) by [timoreimann](https://github.com/timoreimann))
- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Remove obsolete links in k8s docs ([#2465](https://github.com/traefik/traefik/pull/2465) by [marco-jantke](https://github.com/marco-jantke))
 - **[k8s]** Document filename parameter for Kubernetes. ([#2464](https://github.com/traefik/traefik/pull/2464) by [timoreimann](https://github.com/timoreimann))
@@ -3744,7 +4015,7 @@ Same changelog as v2.0.3.

 **Documentation:**
 - **[cluster]** Add a clustering example with Docker Swarm ([#2589](https://github.com/traefik/traefik/pull/2589) by [jmaitrehenry](https://github.com/jmaitrehenry))
- **[k8s]** Apply various contentual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
+- **[k8s]** Apply various contextual and stylish improvements to the k8s docs. ([#2677](https://github.com/traefik/traefik/pull/2677) by [timoreimann](https://github.com/timoreimann))
 - **[k8s]** Document rewrite-target annotation. ([#2676](https://github.com/traefik/traefik/pull/2676) by [timoreimann](https://github.com/timoreimann))
 - **[provider,webui]** Fix redirect problem on dashboard + docs/tests on [web] ([#2686](https://github.com/traefik/traefik/pull/2686) by [Juliens](https://github.com/Juliens))

@@ -4454,7 +4725,7 @@ Same changelog as v2.0.3.
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.7...v1.3.8)

 **Bug fixes:**
- **[middleware]** Compress and Webscocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))
+- **[middleware]** Compress and Websocket ([#2079](https://github.com/traefik/traefik/pull/2079) by [ldez](https://github.com/ldez))

 ## [v1.3.7](https://github.com/traefik/traefik/tree/v1.3.7) (2017-08-25)
 [All Commits](https://github.com/traefik/traefik/compare/v1.3.6...v1.3.7)
@@ -4637,7 +4908,7 @@ Same changelog as v2.0.3.

 **Documentation:**
 - [#1578](https://github.com/traefik/traefik/issues/1578) Add Marathon guide. ([Stibbons](https://github.com/Stibbons))
- [#1602](https://github.com/traefik/traefik/issues/1602) Re Orginise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
+- [#1602](https://github.com/traefik/traefik/issues/1602) Re Organise k8s docs to make 1.6 usage easier ([errm](https://github.com/errm))
 - [#1642](https://github.com/traefik/traefik/issues/1642) Update changelog ([ldez](https://github.com/ldez))

 ## [v1.3.0-rc2](https://github.com/traefik/traefik/tree/v1.3.0-rc2) (2017-05-16)
@@ -4790,7 +5061,7 @@ Same changelog as v2.0.3.
 - Bump go-rancher version [\#1219](https://github.com/traefik/traefik/pull/1219) ([SantoDE](https://github.com/SantoDE))
 - Chunk taskArns into groups of 100 [\#1209](https://github.com/traefik/traefik/pull/1209) ([owen](https://github.com/owen))
 - Prepare release v1.2.0 rc2 [\#1204](https://github.com/traefik/traefik/pull/1204) ([emilevauge](https://github.com/emilevauge))
- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -4816,7 +5087,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -4872,7 +5143,7 @@ Same changelog as v2.0.3.
 - Bind to specific ip address [\#1193](https://github.com/traefik/traefik/issues/1193)
 - DNS01 challenge use the wrong zone through route53 [\#1192](https://github.com/traefik/traefik/issues/1192)
 - Reverse proxy https to http backends fails [\#1180](https://github.com/traefik/traefik/issues/1180)
- Swarm Mode + Letsecrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
+- Swarm Mode + Letsencrypt + KV Store [\#1176](https://github.com/traefik/traefik/issues/1176)
 - docker deploy -c example.yml    e [\#1169](https://github.com/traefik/traefik/issues/1169)
 - Traefik not finding dynamically added services \(Docker Swarm Mode\) [\#1168](https://github.com/traefik/traefik/issues/1168)
 - Traefik with Kubernetes backend - keep getting 401 on all GET requests to kube-apiserver [\#1166](https://github.com/traefik/traefik/issues/1166)
@@ -4890,7 +5161,7 @@ Same changelog as v2.0.3.

 **Merged pull requests:**

- Revert "Ensure that we don't add balancees with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
+- Revert "Ensure that we don't add balances with no health check runs … [\#1198](https://github.com/traefik/traefik/pull/1198) ([jangie](https://github.com/jangie))
 - Small fixes and improvements [\#1173](https://github.com/traefik/traefik/pull/1173) ([SantoDE](https://github.com/SantoDE))
 - Fix docker issues with global and dead tasks [\#1167](https://github.com/traefik/traefik/pull/1167) ([christopherobin](https://github.com/christopherobin))
 - Better ECS error checking [\#1143](https://github.com/traefik/traefik/pull/1143) ([lpetre](https://github.com/lpetre))
@@ -4961,7 +5232,7 @@ Same changelog as v2.0.3.
 - Add an ECS provider [\#1088](https://github.com/traefik/traefik/pull/1088) ([lpetre](https://github.com/lpetre))
 - Update comment to reflect the code [\#1087](https://github.com/traefik/traefik/pull/1087) ([np](https://github.com/np))
 - update NYTimes/gziphandler fixes \#1059 [\#1084](https://github.com/traefik/traefik/pull/1084) ([JamesKyburz](https://github.com/JamesKyburz))
- Ensure that we don't add balancees with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
+- Ensure that we don't add balances with no health check runs if there is a health check defined on it [\#1080](https://github.com/traefik/traefik/pull/1080) ([jangie](https://github.com/jangie))
 - Add FreeBSD & OpenBSD to crossbinary [\#1078](https://github.com/traefik/traefik/pull/1078) ([geoffgarside](https://github.com/geoffgarside))
 - Fix metrics for multiple entry points [\#1071](https://github.com/traefik/traefik/pull/1071) ([matevzmihalic](https://github.com/matevzmihalic))
 - Allow setting load balancer method and sticky using service annotations [\#1068](https://github.com/traefik/traefik/pull/1068) ([bakins](https://github.com/bakins))
@@ -5140,7 +5411,7 @@ Same changelog as v2.0.3.
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
 - Sensible configuration for consulCatalog [\#737](https://github.com/traefik/traefik/issues/737)
 - Traefik ignoring container listening in more than one TCP port [\#734](https://github.com/traefik/traefik/issues/734)
- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - Error when using HA acme in kubernetes with etcd [\#725](https://github.com/traefik/traefik/issues/725)
 - \[Docker swarm mode\] No round robin when using service [\#718](https://github.com/traefik/traefik/issues/718)
@@ -5179,7 +5450,7 @@ Same changelog as v2.0.3.
 - Update docs with new Mesos provider [\#548](https://github.com/traefik/traefik/issues/548)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
 - docker run syntax in swarm example has changed [\#528](https://github.com/traefik/traefik/issues/528)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Secure WebSockets [\#467](https://github.com/traefik/traefik/issues/467)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)
@@ -5237,7 +5508,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5326,7 +5597,7 @@ Same changelog as v2.0.3.
 - dependencies installation error [\#755](https://github.com/traefik/traefik/issues/755)
 - k8s provider w/ acme? [\#752](https://github.com/traefik/traefik/issues/752)
 - Documented ProvidersThrottleDuration value is invalid [\#741](https://github.com/traefik/traefik/issues/741)
- Loadbalaning issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
+- Loadbalancing issues with traefik and Docker Swarm cluster [\#730](https://github.com/traefik/traefik/issues/730)
 - issues with marathon app ids containing a dot [\#726](https://github.com/traefik/traefik/issues/726)
 - How Routing traffic depending on path not domain in docker [\#706](https://github.com/traefik/traefik/issues/706)
 - Traefik crashes when using Consul catalog [\#699](https://github.com/traefik/traefik/issues/699)
@@ -5435,7 +5706,7 @@ Same changelog as v2.0.3.
 - Traefik stuck when used as frontend for a streaming API [\#560](https://github.com/traefik/traefik/issues/560)
 - Exclude some frontends in consul catalog [\#555](https://github.com/traefik/traefik/issues/555)
 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)
 - Container IP Lost [\#375](https://github.com/traefik/traefik/issues/375)

@@ -5460,7 +5731,7 @@ Same changelog as v2.0.3.
 - Update marathon [\#648](https://github.com/traefik/traefik/pull/648) ([emilevauge](https://github.com/emilevauge))
 - Add backend features to docker [\#646](https://github.com/traefik/traefik/pull/646) ([jangie](https://github.com/jangie))
 - enable consul catalog to use maxconn [\#645](https://github.com/traefik/traefik/pull/645) ([jangie](https://github.com/jangie))
- Adopt the Code Of Coduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
+- Adopt the Code Of Conduct from http://contributor-covenant.org [\#641](https://github.com/traefik/traefik/pull/641) ([errm](https://github.com/errm))
 - Use secure mode 600 instead of 644 for acme.json [\#639](https://github.com/traefik/traefik/pull/639) ([discordianfish](https://github.com/discordianfish))
 - docker clarification, fix dead urls, misc typos [\#637](https://github.com/traefik/traefik/pull/637) ([djalal](https://github.com/djalal))
 - add PING handler to dashboard API [\#630](https://github.com/traefik/traefik/pull/630) ([jangie](https://github.com/jangie))
@@ -5536,7 +5807,7 @@ Same changelog as v2.0.3.
 **Closed issues:**

 - Can I use Traefik without a domain name? [\#539](https://github.com/traefik/traefik/issues/539)
- Priortities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
+- Priorities in 1.0.0 not behaving [\#506](https://github.com/traefik/traefik/issues/506)
 - Route by path [\#500](https://github.com/traefik/traefik/issues/500)

 **Merged pull requests:**
@@ -5636,7 +5907,7 @@ Same changelog as v2.0.3.
 - Traefik doesn't listen on IPv4 ports [\#434](https://github.com/traefik/traefik/issues/434)
 - Not listening on port 80 [\#432](https://github.com/traefik/traefik/issues/432)
 - docs need updating for new frontend rules format [\#423](https://github.com/traefik/traefik/issues/423)
- Does traefik supports for Mac? \(For devlelopment\)  [\#417](https://github.com/traefik/traefik/issues/417)
+- Does traefik supports for Mac? \(For development\)  [\#417](https://github.com/traefik/traefik/issues/417)

 **Merged pull requests:**

--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -2,7 +2,7 @@

 ## Our Pledge

-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

 ## Our Standards

@@ -30,15 +30,19 @@ Project maintainers have the right and responsibility to remove, edit, or reject

 ## Scope

-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community. 
+
 Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
 Representation of a project may be further defined and clarified by project maintainers.

 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
+
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
+
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+
 Further details of specific enforcement policies may be posted separately.

 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/101
+++ b/101
@@ -7,15 +7,13 @@ SHA := $(shell git rev-parse HEAD)
 VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
 VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))

-BIND_DIR := dist
-
 GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
 TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))

 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")

-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)

 TRAEFIK_ENVS := \
@@ -29,13 +27,14 @@ TRAEFIK_ENVS := \
 	-e CI \
 	-e CONTAINER=DOCKER		# Indicator for integration tests that we are running inside a container.

-TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
+TRAEFIK_MOUNT := -v "$(CURDIR)/dist:/go/src/github.com/traefik/traefik/dist"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)

-PRE_TARGET ?= build-dev-image
+IN_DOCKER ?= true

 PLATFORM_URL := $(if $(PLATFORM_URL),$(PLATFORM_URL),"https://pilot.traefik.io")

@@ -43,7 +42,7 @@ default: binary

 ## Build Dev Docker image
 build-dev-image: dist
-	docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .
+	$(if $(IN_DOCKER),docker build $(DOCKER_BUILD_ARGS) -t "$(TRAEFIK_DEV_IMAGE)" -f build.Dockerfile .,)

 ## Build Dev Docker image without cache
 build-dev-image-no-cache: dist
@@ -51,25 +50,33 @@ build-dev-image-no-cache: dist

 ## Create the "dist" directory
 dist:
-	mkdir dist
+	mkdir -p dist

 ## Build WebUI Docker image
 build-webui-image:
 	docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui

-## Generate WebUI
-generate-webui:
-	if [ ! -d "static" ]; then \
-		$(MAKE) build-webui-image; \
-		mkdir -p static; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
-		docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
-		echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
-	fi
+## Clean WebUI static generated assets
+clean-webui:
+	rm -r webui/static
+	mkdir -p webui/static
+	echo 'For more information show `webui/readme.md`' > webui/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md

-## Build the linux binary
-binary: generate-webui $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+## Generate WebUI
+webui/static/index.html:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui npm run build:nc
+	docker run --rm -v "$$PWD/webui/static":'/src/webui/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ./static
+
+generate-webui: webui/static/index.html
+
+## Build the binary
+binary: generate-webui build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
+
+## Build the linux binary locally
+binary-debug: generate-webui
+	GOOS=linux ./script/make.sh binary

 ## Build the binary for the standard platforms (linux, darwin, windows)
 crossbinary-default: generate-webui build-dev-image
@@ -82,48 +89,48 @@ crossbinary-default-parallel:

 ## Run the unit and integration tests
 test: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration

 ## Run the unit tests
-test-unit: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
+test-unit: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
+
+## Run the integration tests
+test-integration: build-dev-image
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration

 ## Pull all images for integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull

-## Run the integration tests
-test-integration: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
-
-## Run the container integration tests
-test-integration-container: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-
-## Run the host integration tests
-test-integration-host: $(PRE_TARGET) binary
-	TEST_HOST=1 ./script/make.sh test-integration
-
 ## Validate code and docs
-validate-files: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
+validate-files: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Validate code, docs, and vendor
-validate: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
+validate: build-dev-image
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell validate-vendor
 	bash $(CURDIR)/script/validate-shell-script.sh

 ## Clean up static directory and build a Docker Traefik image
-build-image: binary
-	rm -rf static
+build-image: clean-webui binary
 	docker build -t $(TRAEFIK_IMAGE) .

 ## Build a Docker Traefik image
 build-image-dirty: binary
 	docker build -t $(TRAEFIK_IMAGE) .

+## Locally build traefik for linux, then shove it an alpine image, with basic tools.
+build-image-debug: binary-debug
+	docker build -t $(TRAEFIK_IMAGE) -f debug.Dockerfile .
+
 ## Start a shell inside the build env
 shell: build-dev-image
 	$(DOCKER_RUN_TRAEFIK) /bin/bash
@@ -140,7 +147,7 @@ docs-serve:
 docs-pull-images:
 	make -C ./docs docs-pull-images

-## Generate CRD clientset
+## Generate CRD clientset and CRD manifests
 generate-crd:
 	@$(CURDIR)/script/code-gen.sh

@@ -149,17 +156,17 @@ generate-genconf:
 	go run ./cmd/internal/gen/

 ## Create packages for the release
-release-packages: generate-webui $(PRE_TARGET)
+release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
 		--exclude .travis \
 		--exclude .semaphoreci \
 		--exclude .github \
 		--exclude dist .
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/

 ## Format the Code
 fmt:
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
+- Packaged as a single binary file (made with :heart: with go) and available as an [official](https://hub.docker.com/r/_/traefik/) docker image


 ## Supported Backends
@@ -88,8 +88,6 @@ You can access the simple HTML frontend of Traefik.

 You can find the complete documentation of Traefik v2 at [https://doc.traefik.io/traefik/](https://doc.traefik.io/traefik/).

-If you are using Traefik v1, you can find the complete documentation at [https://doc.traefik.io/traefik/v1.7/](https://doc.traefik.io/traefik/v1.7/).
-
 A collection of contributions around Traefik can be found at [https://awesome.traefik.io](https://awesome.traefik.io).

 ## Support
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy

-We strongly advise you to register your Traefik instances to [Pilot](http://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
+We strongly advise you to register your Traefik instances to [Pilot](https://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
 You can also join our security mailing list to be aware of the latest announcements from our security team.
 You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,7 +1,6 @@
 FROM golang:1.17-alpine

-RUN apk --update upgrade \
-    && apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
+RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
    && update-ca-certificates \
    && rm -rf /var/cache/apk/*

@@ -13,19 +12,14 @@ RUN mkdir -p /usr/local/bin \
    && curl -fL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz \
    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

-# Download go-bindata binary to bin folder in $GOPATH
-RUN mkdir -p /usr/local/bin \
-    && curl -fsSL -o /usr/local/bin/go-bindata https://github.com/containous/go-bindata/releases/download/v1.0.0/go-bindata \
-    && chmod +x /usr/local/bin/go-bindata
-
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.41.1
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.45.0

 # Download misspell binary to bin folder in $GOPATH
-RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

 # Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh

 WORKDIR /go/src/github.com/traefik/traefik

--- a/cmd/internal/gen/centrifuge.go
+++ b/cmd/internal/gen/centrifuge.go
@@ -258,7 +258,7 @@ type fileWriter struct {
 }

 func (f fileWriter) Write(files map[string]*File) error {
-	err := os.MkdirAll(f.baseDir, 0755)
+	err := os.MkdirAll(f.baseDir, 0o755)
 	if err != nil {
 		return err
 	}
--- a/cmd/internal/gen/main.go
+++ b/cmd/internal/gen/main.go
@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"go/build"
 	"go/types"
-	"io/ioutil"
 	"log"
+	"os"
 	"path"
 	"path/filepath"
 	"strings"
@@ -83,7 +83,7 @@ func run(dest string) error {
 		return err
 	}

-	return ioutil.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0666)
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
 }

 func cleanType(typ types.Type, base string) string {
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -16,12 +16,10 @@ import (
 	"time"

 	"github.com/coreos/go-systemd/daemon"
-	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
 	"github.com/sirupsen/logrus"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/autogen/genstatic"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
 	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
@@ -109,10 +107,6 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
 	}

-	if staticConfiguration.API != nil && staticConfiguration.API.Dashboard {
-		staticConfiguration.API.DashboardAssets = &assetfs.AssetFS{Asset: genstatic.Asset, AssetInfo: genstatic.AssetInfo, AssetDir: genstatic.AssetDir, Prefix: "static"}
-	}
-
 	if staticConfiguration.Global.CheckNewVersion {
 		checkNewVersion()
 	}
@@ -197,7 +191,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	// Entrypoints

-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
 	if err != nil {
 		return nil, err
 	}
--- a/debug.Dockerfile
+++ b/debug.Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:3.14
+# Feel free to add below any helpful dependency for debugging.
+# iproute2 is for ss.
+RUN apk --no-cache --no-progress add bash curl ca-certificates tzdata lsof iproute2 \
+    && update-ca-certificates \
+    && rm -rf /var/cache/apk/*
+COPY dist/traefik /
+EXPOSE 80
+VOLUME ["/tmp"]
+ENTRYPOINT ["/traefik"]
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,5 +1,5 @@

-FROM alpine:3.13 as alpine
+FROM alpine:3.14 as alpine

 RUN apk --no-cache --no-progress add \
    libcurl \
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -45,7 +45,7 @@ $ ls dist/
 traefik*
 ```

-The following targets can be executed outside Docker by setting the variable `PRE_TARGET` to an empty string (we don't recommend that):
+The following targets can be executed outside Docker by setting the variable `IN_DOCKER` to an empty string (although be aware that some of the tests might fail in that context):

 - `test-unit`
 - `test-integration`
@@ -55,7 +55,7 @@ The following targets can be executed outside Docker by setting the variable `PR
 ex:

 ```bash
-PRE_TARGET= make test-unit
+IN_DOCKER= make test-unit
 ```

 ### Method 2: Using `go`
@@ -64,7 +64,6 @@ Requirements:

 - `go` v1.16+
 - environment variable `GO111MODULE=on`
- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

 !!! tip "Source Directory"

@@ -101,18 +100,9 @@ Requirements:

 Once you've set up your go environment and cloned the source repository, you can build Traefik.

-Beforehand, you need to get [go-bindata](https://github.com/containous/go-bindata) (the first time) in order to be able to use the `go generate` command (which is part of the build process).
-
-```bash
-cd ~/go/src/github.com/traefik/traefik
-
-# Get go-bindata. (Important: the ellipses are required.)
-GO111MODULE=off go get github.com/containous/go-bindata/...
-```
-
 ```bash
 # Generate UI static files
-rm -rf static/ autogen/; make generate-webui
+make clean-webui generate-webui

 # required to merge non-code components into the final binary,
 # such as the web dashboard/UI
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -29,7 +29,7 @@ docker run  --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 tr

 !!! tip "Default URL"

-    Your local documentation server will run by default on [http://127.0.0.1:8000](http://127.0.0.1:8000).
+    Your local documentation server will run by default on <http://127.0.0.1:8000>.

 If you only want to build the documentation without serving it locally, you can use the following command:

--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -19,6 +19,7 @@
 * Romain Tribotté [@rtribotte](https://github.com/rtribotte)
 * Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
+* Tom Moulard [@tommoulard](https://github.com/tommoulard)

 ## Maintainer's Guidelines

--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -0,0 +1,37 @@
+# Releases
+
+## Versions
+
+Below is a non-exhaustive list of versions and their maintenance status:
+
+| Version | Release Date | Active Support     | Security Support | 
+|---------|--------------|--------------------|------------------|
+| 2.6     | Jan 24, 2022 |      Yes           |       Yes        |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |       No         |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |       No         |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |       No         |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |       No         |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |       No         |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |       No         |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |  Contact Support |
+
+??? example "Active Support / Security Support"
+
+    **Active support**: receives any bug fixes.
+    **Security support**: receives only critical bug and security fixes.
+
+This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.
+
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+
+!!! important "All target dates for end of support or feature removal announcements may be subject to change."
+
+## Versioning Scheme
+
+The Traefik Proxy project follows the [semantic versioning](https://semver.org/) scheme and maintains a separate branch for each minor version. The main branch always represents the next upcoming minor or major version.
+
+And these are our guiding rules for version support:
+
+- **Only the latest `minor`** will be on active support at any given time
+- **The last `minor` after releasing a new `major`** will be supported for 1 year following the `major` release
+- **Previous rules are subject to change** and in such cases an announcement will be made publicly, [here](https://traefik.io/blog/traefik-2-1-in-the-wild/) is an example extending v1.x branch support.
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -19,7 +19,7 @@ Deploying your services, you attach information that tells Traefik the character
 ![Decentralized Configuration](../assets/img/traefik-concepts-2.png)

 It means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-The opposite is true: when you remove a service from your infrastructure, the route will disappear accordingly.
+Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.

 You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.

--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -51,7 +51,7 @@ Once positioned, this option sets (and resets) all the default values of the sub

 ### Configuration File

-At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
+At startup, Traefik searches for static configuration in a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:

 - `/etc/traefik/`
 - `$XDG_CONFIG_HOME/`
@@ -74,7 +74,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:2.1 --help
+# ex: docker run traefik:v2.6 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -125,7 +125,7 @@ http:
    the principle of the above example above (a catchall router) still stands,
    but the `unavailable` service should be adapted to fit such a need.

-## Why Is My TLS Certificate Not Reloaded When Its Contents Change ? 
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change? 

 With the file provider,
 a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
@@ -137,3 +137,18 @@ a configuration update is _not_ triggered.
 To take into account the new certificate contents, the update of the dynamic configuration must be forced.
 One way to achieve that, is to trigger a file notification,
 for example, by using the `touch` command on the configuration file.
+
+## What Are the Forwarded Headers When Proxying HTTP Requests?
+
+By default, the following headers are automatically added when proxying requests:
+
+| Property                  | HTTP Header                |
+|---------------------------|----------------------------|
+| Client's IP               | X-Forwarded-For, X-Real-Ip |
+| Host                      | X-Forwarded-Host           |
+| Port                      | X-Forwarded-Port           |
+| Protocol                  | X-Forwarded-Proto          |
+| Proxy Server's Hostname   | X-Forwarded-Server         |
+
+For more details,
+please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -11,12 +11,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.6/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.6/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.5
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.6
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -24,7 +24,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.1.4`
+    ex: `traefik:v2.6`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -101,13 +101,13 @@ helm install traefik traefik/traefik

 This HelmChart does not expose the Traefik dashboard by default, for security concerns.
 Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward :
+For instance, the dashboard access could be achieved through a port-forward:

 ```shell
 kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
 ```

-Accessible with the url: http://127.0.0.1:9000/dashboard/
+It can then be reached at: `http://127.0.0.1:9000/dashboard/`

 Another way would be to apply your own configuration, for instance,
 by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -15,7 +15,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.5
+    image: traefik:v2.6
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -36,7 +36,7 @@ Start your `reverse-proxy` with the following command:
 docker-compose up -d reverse-proxy
 ```

-You can open a browser and go to [http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata) to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).

 ## Traefik Detects New Services and Creates the Route for You

@@ -61,7 +61,7 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```

-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new container and updated its own configuration.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.

 When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)

@@ -85,7 +85,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```

-Go back to your browser ([http://localhost:8080/api/rawdata](http://localhost:8080/api/rawdata)) and see that Traefik has automatically detected the new instance of the container.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.

 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:

--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -23,7 +23,9 @@ Certificates are requested for domain names retrieved from the router's [dynamic

 You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? note "Configuration Reference"

@@ -114,7 +116,7 @@ Please check the [configuration examples below](#configuration-examples) for mor
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ??? example "Single Domain from Router's Rule Example"

@@ -140,7 +142,11 @@ Please check the [configuration examples below](#configuration-examples) for mor

 Traefik automatically tracks the expiry date of ACME certificates it generates.

-If there are less than 30 days remaining before the certificate expires, Traefik will attempt to renew it automatically.
+By default, Traefik manages 90 days certificates,
+and starts to renew certificates 30 days before their expiry.
+
+When using a certificate resolver that issues certificates with custom durations,
+one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.

 !!! info ""
    Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
@@ -154,7 +160,9 @@ When using LetsEncrypt with kubernetes, there are some known caveats with both t

 ## The Different ACME Challenges

-!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
+!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
+
+!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."

 ### `tlsChallenge`

@@ -284,6 +292,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
+| [all-inkl](https://all-inkl.com)                            | `allinkl`      | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)      |
 | [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
@@ -292,15 +301,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
 | [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
 | [CloudDNS](https://vshosting.eu/)                           | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
 | [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
 | [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
 | [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
+| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
 | [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
@@ -310,21 +319,26 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
 | [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
+| [Epik](https://www.epik.com)                                | `epik`         | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
 | [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
+| [Freemyip.com](https://freemyip.com)                        | `freemyip`     | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)     |
+| [G-Core Lab](https://gcorelabs.com/dns/)                    | `gcore`        | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)        |
+| [Gandi v5](https://doc.livedns.gandi.net)                   | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
 | [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
-| [Gandi v5](http://doc.livedns.gandi.net)                    | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
 | [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
 | [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [Hosttech](https://www.hosttech.eu)                         | `hosttech`     | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)     |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
+| [Hurricane Electric](https://dns.he.net)                    | `hurricane`    | `HURRICANE_TOKENS` [^6]                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane)    |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)         | `ibmcloud`     | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
 | [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
+| [Internet.bs](https://internetbs.net)                       | `internetbs`   | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
 | [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
 | [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
@@ -333,28 +347,28 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
 | [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
 | [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
-| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
+| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
+| [Nicmanager](https://www.nicmanager.com)                    | `nicmanager`   | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)   |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
 | [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
 | [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
+| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Porkbun](https://porkbun.com/)                             | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
 | [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
 | [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
+| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
 | [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
@@ -362,7 +376,9 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Simply.com](https://www.simply.com/en/domains/)            | `simply`       | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/simply)       |
 | [Sonic](https://www.sonic.com/)                             | `sonic`        | `SONIC_USER_ID`, `SONIC_API_KEY`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/sonic)        |
 | [Stackpath](https://www.stackpath.com/)                     | `stackpath`    | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath)    |
+| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)  | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
 | [TransIP](https://www.transip.nl/)                          | `transip`      | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)      |
+| [UKFast SafeDNS](https://www.ukfast.co.uk/dns-hosting.html) | `safedns`      | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)      |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)             | `vegadns`      | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)      |
 | [Versio](https://www.versio.nl/domeinnamen)                 | `versio`       | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)       |
 | [VinylDNS](https://www.vinyldns.io)                         | `vinyldns`     | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)     |
@@ -372,12 +388,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
+| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
+| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |

-[^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
-[^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
+[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
+[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
 [^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
 [^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
 [^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
+[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.

 !!! info "`delayBeforeCheck`"
    By default, the `provider` verifies the TXT record _before_ letting ACME verify.
@@ -525,6 +545,50 @@ docker run -v "/my/host/acme:/etc/traefik/acme" traefik
 !!! warning
    For concurrency reasons, this file cannot be shared across multiple instances of Traefik.

+### `certificatesDuration`
+
+_Optional, Default=2160_
+
+The `certificatesDuration` option defines the certificates' duration in hours.
+It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
+
+!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      certificatesDuration: 72
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  certificatesDuration=72
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.certificatesduration=72
+# ...
+```
+
+`certificatesDuration` is used to calculate two durations:
+
+- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
+- `Renew Interval`: the interval between renew attempts.
+
+| Certificate Duration | Renew Period      | Renew Interval          |
+|----------------------|-------------------|-------------------------|
+| >= 1 year            | 4 months          | 1 week                  |
+| >= 90 days           | 30 days           | 1 day                   |
+| >= 7 days            | 1 day             | 1 hour                  |
+| >= 24 hours          | 6 hours           | 10 min                  |
+| < 24 hours           | 20 min            | 1 min                   |
+
 ### `preferredChain`

 _Optional, Default=""_
@@ -552,7 +616,7 @@ certificatesResolvers:

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+--certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
 # ...
 ```

@@ -580,7 +644,7 @@ certificatesResolvers:

 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.keyType="RSA4096"
+--certificatesresolvers.myresolver.acme.keyType=RSA4096
 # ...
 ```

--- a/docs/content/https/ref-acme.toml
+++ b/docs/content/https/ref-acme.toml
@@ -22,6 +22,14 @@
  #
  # caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

+  # The certificates' duration in hours.
+  # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+  #
+  # Optional
+  # Default: 2160
+  #
+  # certificatesDuration=2160
+
  # Preferred chain to use.
  #
  # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.txt
+++ b/docs/content/https/ref-acme.txt
@@ -21,6 +21,14 @@
 #
 --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

+# The certificates' duration in hours.
+# It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+#
+# Optional
+# Default: 2160
+#
+--certificatesresolvers.myresolver.acme.certificatesDuration=2160
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/ref-acme.yaml
+++ b/docs/content/https/ref-acme.yaml
@@ -24,6 +24,14 @@ certificatesResolvers:
      #
      # caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"

+      # The certificates' duration in hours.
+      # It defaults to 2160 (90 days) to follow Let's Encrypt certificates' duration.
+      #
+      # Optional
+      # Default: 2160
+      #
+      # certificatesDuration: 2160
+
      # Preferred chain to use.
      #
      # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -128,6 +128,30 @@ tls:
      keyFile  = "path/to/cert.key"
 ```

+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultCertificate:
+    secretName: default-certificate
+    
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: default-certificate
+  namespace: default
+  
+type: Opaque
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
 If no default certificate is provided, Traefik generates and uses a self-signed certificate.

 ## TLS Options
@@ -143,11 +167,11 @@ The TLS options allow one to configure some parameters of the TLS connection.
    you must specify the provider namespace, for example:  
    `traefik.http.routers.myrouter.tls.options=myoptions@file`

-!!! important "TLSOptions in Kubernetes"
+!!! important "TLSOption in Kubernetes"

-    When using the TLSOptions-CRD in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../../routing/providers/kubernetes-crd#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
-    To achieve that, you'll have to create a TLSOptions CR with the name `default`.
+    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
    To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
    you'll have to add an annotation to the Ingress in the following form:
@@ -399,6 +423,47 @@ spec:
  preferServerCipherSuites: true
 ```

+### ALPN Protocols
+
+_Optional, Default="h2, http/1.1, acme-tls/1"_
+
+This option allows to specify the list of supported application level protocols for the TLS handshake,
+in order of preference.
+If the client supports ALPN, the selected protocol will be one from this list, 
+and the connection will fail if there is no mutually supported protocol.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      alpnProtocols:
+        - http/1.1
+        - h2
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    alpnProtocols = ["http/1.1", "h2"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  alpnProtocols:
+    - http/1.1
+    - h2
+```
+
 ### Client Authentication (mTLS)

 Traefik supports mutual authentication, through the `clientAuth` section.
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -88,12 +88,21 @@ The `users` option is an array of authorized users. Each user must be declared u
    - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
    - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

+!!! note "Kubernetes kubernetes.io/basic-auth secret type"
+    
+    Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
+    This secret must contain two keys: `username` and `password`.
+    Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
+    You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
+
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
  - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
@@ -118,11 +127,24 @@ kind: Secret
 metadata:
  name: authsecret
  namespace: default
-
 data:
  users: |2
    dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
    aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
+
+---
+# This is an alternate auth secret that demonstrates the basic-auth secret type.
+# Note: the password is not hashed, and is merely base64 encoded.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authsecret2
+  namespace: default
+type: kubernetes.io/basic-auth
+data:
+  username: dXNlcg== # username: user
+  password: cGFzc3dvcmQ= # password: password
 ```

 ```yaml tab="Consul Catalog"
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -167,7 +167,7 @@ http:

 The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).

-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
+If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413` (Request Entity Too Large) response instead.

 ```yaml tab="Docker"
 labels:
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -60,7 +60,7 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than `1400` bytes.
+    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
    * The `Accept-Encoding` request header contains `gzip`.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.

@@ -122,3 +122,55 @@ http:
  [http.middlewares.test-compress.compress]
    excludedContentTypes = ["text/event-stream"]
 ```
+
+### `minResponseBodyBytes`
+
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+
+The default value is `1024`, which should be a reasonable value for most cases.
+
+Responses smaller than the specified values will not be compressed.
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    minResponseBodyBytes: 1200
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        minResponseBodyBytes: 1200
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    minResponseBodyBytes = 1200
+```
--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -8,6 +8,7 @@ It Has Never Been Easier to Say That Something Went Wrong
 The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.

 !!! important
+
    The error page itself is _not_ hosted by Traefik.

 ## Configuration Examples
@@ -112,6 +113,11 @@ The service that will serve the new requested error page.

    In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.

+!!! info "Host Header"
+
+    By default, the client `Host` header value is forwarded to the configured error [service](#service).
+    To forward the `Host` value corresponding to the configured error service URL, the [passHostHeader](../../../routing/services/#pass-host-header) option must be set to `false`.     
+
 ### `query`

 The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -284,6 +284,12 @@ http:
    authResponseHeadersRegex = "^X-"
 ```

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `authRequestHeaders`

 The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
@@ -343,11 +349,16 @@ http:

 ### `tls`

-The `tls` option is the TLS configuration from Traefik to the authentication server.
+_Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the authentication server.

-Certificate Authority used for the secured connection to the authentication server.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secured connection to the authentication server,
+it defaults to the system bundle.

 ```yaml tab="Docker"
 labels:
@@ -410,13 +421,15 @@ http:
      ca = "path/to/local.crt"
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -472,9 +485,12 @@ http:
      caOptional = true
 ```

-#### `tls.cert`
+#### `cert`

-The public certificate used for the secure connection to the authentication server.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the authentication server.
+When using this option, setting the `key` option is required.

 ```yaml tab="Docker"
 labels:
@@ -547,9 +563,12 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.key`
+#### `key`

-The private certificate used for the secure connection to the authentication server.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the authentication server.
+When using this option, setting the `cert` option is required.

 ```yaml tab="Docker"
 labels:
@@ -622,7 +641,9 @@ http:

    For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -7,6 +7,8 @@ Managing Request/Response headers

 The Headers middleware manages the headers of requests and responses.

+A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.
+
 ## Configuration Examples

 ### Adding Headers to the Request and the Response
@@ -331,7 +333,9 @@ It allows all origins that contain any match of a regular expression in the `acc

 !!! tip

-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

 ### `accessControlExposeHeaders`

--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -115,7 +115,7 @@ http:
 ### `sourceCriterion`

 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the `requestHost`.

 #### `sourceCriterion.ipStrategy`
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -84,7 +84,7 @@ labels:
 # As TOML Configuration File
 [http.routers]
  [http.routers.router1]
-    service = "myService"
+    service = "service1"
    middlewares = ["foo-add-prefix"]
    rule = "Host(`example.com`)"

@@ -105,7 +105,7 @@ labels:
 http:
  routers:
    router1:
-      service: myService
+      service: service1
      middlewares:
        - "foo-add-prefix"
      rule: "Host(`example.com`)"
@@ -126,24 +126,25 @@ http:

 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [AddPrefix](addprefix.md)                 | Add a Path Prefix                                 | Path Modifier               |
-| [BasicAuth](basicauth.md)                 | Basic auth mechanism                              | Security, Authentication    |
+| [AddPrefix](addprefix.md)                 | Adds a Path Prefix                                | Path Modifier               |
+| [BasicAuth](basicauth.md)                 | Adds Basic Authentication                         | Security, Authentication    |
 | [Buffering](buffering.md)                 | Buffers the request/response                      | Request Lifecycle           |
-| [Chain](chain.md)                         | Combine multiple pieces of middleware             | Middleware tool             |
-| [CircuitBreaker](circuitbreaker.md)       | Stop calling unhealthy services                   | Request Lifecycle           |
-| [Compress](compress.md)                   | Compress the response                             | Content Modifier            |
+| [Chain](chain.md)                         | Combines multiple pieces of middleware            | Misc                        |
+| [CircuitBreaker](circuitbreaker.md)       | Prevents calling unhealthy services               | Request Lifecycle           |
+| [Compress](compress.md)                   | Compresses the response                           | Content Modifier            |
+| [ContentType](contenttype.md)             | Handles Content-Type auto-detection               | Misc                        |
 | [DigestAuth](digestauth.md)               | Adds Digest Authentication                        | Security, Authentication    |
-| [Errors](errorpages.md)                   | Define custom error pages                         | Request Lifecycle           |
-| [ForwardAuth](forwardauth.md)             | Authentication delegation                         | Security, Authentication    |
-| [Headers](headers.md)                     | Add / Update headers                              | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
-| [InFlightReq](inflightreq.md)             | Limit the number of simultaneous connections      | Security, Request lifecycle |
-| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header            | Security                    |
-| [RateLimit](ratelimit.md)                 | Limit the call frequency                          | Security, Request lifecycle |
-| [RedirectScheme](redirectscheme.md)       | Redirect easily the client elsewhere              | Request lifecycle           |
-| [RedirectRegex](redirectregex.md)         | Redirect the client elsewhere                     | Request lifecycle           |
-| [ReplacePath](replacepath.md)             | Change the path of the request                    | Path Modifier               |
-| [ReplacePathRegex](replacepathregex.md)   | Change the path of the request                    | Path Modifier               |
-| [Retry](retry.md)                         | Automatically retry the request in case of errors | Request lifecycle           |
-| [StripPrefix](stripprefix.md)             | Change the path of the request                    | Path Modifier               |
-| [StripPrefixRegex](stripprefixregex.md)   | Change the path of the request                    | Path Modifier               |
+| [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
+| [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
+| [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
+| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
+| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
+| [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
+| [RedirectScheme](redirectscheme.md)       | Redirects based on scheme                         | Request lifecycle           |
+| [RedirectRegex](redirectregex.md)         | Redirects based on regex                          | Request lifecycle           |
+| [ReplacePath](replacepath.md)             | Changes the path of the request                   | Path Modifier               |
+| [ReplacePathRegex](replacepathregex.md)   | Changes the path of the request                   | Path Modifier               |
+| [Retry](retry.md)                         | Automatically retries in case of error            | Request lifecycle           |
+| [StripPrefix](stripprefix.md)             | Changes the path of the request                   | Path Modifier               |
+| [StripPrefixRegex](stripprefixregex.md)   | Changes the path of the request                   | Path Modifier               |
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: addprefix
+  name: test-passtlsclientcert
 spec:
  passTLSClientCert:
    pem: true
@@ -76,6 +76,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -104,6 +105,7 @@ http:
            province: true
            locality: true
            organization: true
+            organizationalUnit: true
            commonName: true
            serialNumber: true
            domainComponent: true
@@ -127,6 +129,7 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -148,6 +151,7 @@ http:
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
+      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
@@ -171,6 +175,7 @@ http:
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
@@ -197,6 +202,7 @@ http:
                province: true
                locality: true
                organization: true
+                organizationalUnit: true
                commonName: true
                serialNumber: true
                domainComponent: true
@@ -223,6 +229,7 @@ http:
            province = true
            locality = true
            organization = true
+            organizationalUnit = true
            commonName = true
            serialNumber = true
            domainComponent = true
@@ -247,7 +254,7 @@ PassTLSClientCert can add two headers to the request:

 !!! info

-    * The headers are filled with escaped string so it can be safely placed inside a URL query.
+    * Each header value is a string that has been escaped in order to be a valid URL query.
    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

@@ -412,15 +419,18 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
 !!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"

    The header size limit of web servers is commonly between 4kb and 8kb.
-    You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
+    If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option,
+    one can alleviate the problem by selecting only the interesting parts of the cert,
+    through the use of the `info` options described below. (And by setting `pem` to false).

 ### `info`

 The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.

 The value of the header is an escaped concatenation of all the selected certificate details.
+But in the following, unless specified otherwise, all the header values examples are shown unescaped, for readability.

-The following example shows an unescaped result that uses all the available fields:
+The following example shows such a concatenation, when all the available fields are selected:

 ```text
 Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -441,7 +451,7 @@ The data is taken from the following certificate part:
        Not After : Dec  5 11:10:16 2020 GMT
 ```

-The escaped `notAfter` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NA="1607166616"
@@ -458,7 +468,7 @@ Validity
    Not Before: Dec  6 11:10:16 2018 GMT
 ```

-The escaped `notBefore` info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 NB="1544094616"
@@ -475,7 +485,7 @@ The data is taken from the following certificate part:
    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
 ```

-The escape SANs info part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -501,7 +511,7 @@ Set the `info.subject.country` option to `true` to add the `country` information

 The data is taken from the subject part with the `C` key.

-The escape country info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -513,7 +523,7 @@ Set the `info.subject.province` option to `true` to add the `province` informati

 The data is taken from the subject part with the `ST` key.

-The escape province info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Cheese org state,ST=Cheese com state
@@ -525,7 +535,7 @@ Set the `info.subject.locality` option to `true` to add the `locality` informati

 The data is taken from the subject part with the `L` key.

-The escape locality info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -537,19 +547,31 @@ Set the `info.subject.organization` option to `true` to add the `organization` i

 The data is taken from the subject part with the `O` key.

-The escape organization info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
 ```

+##### `info.subject.organizationalUnit`
+
+Set the `info.subject.organizationalUnit` option to `true` to add the `organizationalUnit` information into the subject.
+
+The data is taken from the subject part with the `OU` key.
+
+And it is formatted as follows in the header:
+
+```text
+OU=Cheese Section,OU=Cheese Section 2
+```
+
 ##### `info.subject.commonName`

 Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.

 The data is taken from the subject part with the `CN` key.

-The escape common name info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=*.example.com
@@ -561,7 +583,7 @@ Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` i

 The data is taken from the subject part with the `SN` key.

-The escape serial number info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -573,7 +595,7 @@ Set the `info.subject.domainComponent` option to `true` to add the `domainCompon

 The data is taken from the subject part with the `DC` key.

-The escape domain component info in the subject part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
@@ -595,7 +617,7 @@ Set the `info.issuer.country` option to `true` to add the `country` information

 The data is taken from the issuer part with the `C` key.

-The escape country info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 C=FR,C=US
@@ -607,7 +629,7 @@ Set the `info.issuer.province` option to `true` to add the `province` informatio

 The data is taken from the issuer part with the `ST` key.

-The escape province info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 ST=Signing State,ST=Signing State 2
@@ -619,7 +641,7 @@ Set the `info.issuer.locality` option to `true` to add the `locality` informatio

 The data is taken from the issuer part with the `L` key.

-The escape locality info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 L=TOULOUSE,L=LYON
@@ -631,7 +653,7 @@ Set the `info.issuer.organization` option to `true` to add the `organization` in

 The data is taken from the issuer part with the `O` key.

-The escape organization info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 O=Cheese,O=Cheese 2
@@ -643,7 +665,7 @@ Set the `info.issuer.commonName` option to `true` to add the `commonName` inform

 The data is taken from the issuer part with the `CN` key.

-The escape common name info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 CN=Simple Signing CA 2
@@ -655,7 +677,7 @@ Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` in

 The data is taken from the issuer part with the `SN` key.

-The escape serial number info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 SN=1234567890
@@ -667,7 +689,7 @@ Set the `info.issuer.domainComponent` option to `true` to add the `domainCompone

 The data is taken from the issuer part with the `DC` key.

-The escape domain component info in the issuer part is formatted as below:
+And it is formatted as follows in the header:

 ```text
 DC=org,DC=cheese
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -250,7 +250,7 @@ http:
 ### `sourceCriterion`

 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).

 #### `sourceCriterion.ipStrategy`
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -73,10 +73,6 @@ http:

 ## Configuration Options

-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 ### `permanent`

 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -85,6 +81,12 @@ Set the `permanent` option to `true` to apply a permanent redirection.

 The `regex` option is the regular expression to match and capture elements from the request URL.

+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `replacement`

 The `replacement` option defines how to modify the URL to have the new target URL.
--- a/docs/content/middlewares/http/replacepathregex.md
+++ b/docs/content/middlewares/http/replacepathregex.md
@@ -79,7 +79,9 @@ The ReplacePathRegex middleware will:

 !!! tip

-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

 ### `regex`

--- a/docs/content/middlewares/http/stripprefixregex.md
+++ b/docs/content/middlewares/http/stripprefixregex.md
@@ -67,11 +67,13 @@ The StripPrefixRegex middleware strips the matching path prefix and stores it in

 The `regex` option is the regular expression to match the path prefix from the request URL.

-!!! tip
-
-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ b/docs/content/middlewares/tcp/inflightconn.md
@@ -0,0 +1,63 @@
+# InFlightConn
+
+Limiting the Number of Simultaneous connections.
+{: .subtitle }
+
+To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous connections by IP can be limited.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: test-inflightconn
+spec:
+  inFlightConn:
+    amount: 10
+```
+
+```yaml tab="Consul Catalog"
+# Limiting to 10 simultaneous connections
+- "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
+}
+```
+
+```yaml tab="Rancher"
+# Limiting to 10 simultaneous connections.
+labels:
+  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
+```
+
+```yaml tab="File (YAML)"
+# Limiting to 10 simultaneous connections.
+tcp:
+  middlewares:
+    test-inflightconn:
+      inFlightConn:
+        amount: 10
+```
+
+```toml tab="File (TOML)"
+# Limiting to 10 simultaneous connections
+[tcp.middlewares]
+  [tcp.middlewares.test-inflightconn.inFlightConn]
+    amount = 10
+```
+
+## Configuration Options
+
+### `amount`
+
+The `amount` option defines the maximum amount of allowed simultaneous connections.
+The middleware closes the connection if there are already `amount` connections opened.
--- a/docs/content/middlewares/tcp/ipwhitelist.md
+++ b/docs/content/middlewares/tcp/ipwhitelist.md
@@ -51,7 +51,7 @@ labels:

 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
-http:
+tcp:
  middlewares:
    test-ipwhitelist:
      ipWhiteList:
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -36,7 +36,7 @@ spec:

 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
+kind: MiddlewareTCP
 metadata:
  name: foo-ip-whitelist
 spec:
@@ -47,7 +47,7 @@ spec:

 ---
 apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
+kind: IngressRouteTCP
 metadata:
  name: ingressroute
 spec:
@@ -131,4 +131,5 @@ tcp:

 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs                      | Security, Request lifecycle |
+| [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
+| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -104,7 +104,7 @@ Then any router can refer to an instance of the wanted middleware.

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.6/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
@@ -275,7 +275,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/v2.6/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -179,7 +179,7 @@ To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in t

 #### Expose an Ingress on 80 and 443

-Define the default TLS configuration on the HTTPS entry point. 
+Define the default TLS configuration on the HTTPS entry point.

 ```yaml tab="Ingress"
 kind: Ingress
@@ -335,7 +335,7 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn
 ### IngressClass

 In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
-In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 
+In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.

 ## v2.3 to v2.4

@@ -350,7 +350,7 @@ It is therefore necessary to update [RBAC](../reference/dynamic-configuration/ku

 In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
 and in TCP router rule `HostSNI` expression.
-This check ensures that provided domain names don't contain non-ASCII characters. 
+This check ensures that provided domain names don't contain non-ASCII characters.
 If not, an error is raised, and the associated router will be shown as invalid in the dashboard.

 This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
@@ -380,8 +380,8 @@ To allow it, the `allowExternalNameServices` option should be set to `true`.

 ### Kubernetes CRD

-In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`. 
-As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema. 
+In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
+As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.

 After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.

@@ -415,3 +415,40 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
 the legacy behavior related to the CommonName field can not be enabled at all anymore.
+
+## v2.5.3 to v2.5.4
+
+### Errors middleware
+
+In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
+the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
+Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.
+
+## v2.5 to v2.6
+
+### HTTP/3
+
+Traefik v2.6 introduces the `AdvertisedPort` option,
+which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
+By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
+To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
+
+### Kubernetes Gateway API Provider
+
+In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) of the specification and 
+[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
+Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+
+## v2.6.0 to v2.6.1
+
+### Metrics
+
+In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
+In consequence, for metrics having the method label,
+if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
+
+### Tracing
+
+In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -247,7 +247,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.2
+    image: traefik:v2.6
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -59,7 +59,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
-#### `AddRoutersLabels`
+#### `addRoutersLabels`

 _Optional, Default=false_

@@ -118,10 +118,31 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.datadog]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
 --metrics.datadog.pushInterval=10s
 ```

+#### `prefix`
+
+_Optional, Default="traefik"_
+
+The prefix to use for metrics collection.
+
+```yaml tab="File (YAML)"
+metrics:
+  datadog:
+    prefix: traefik
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.datadog]
+    prefix = "traefik"
+```
+
+```bash tab="CLI"
+--metrics.datadog.prefix=traefik
+```
--- a/docs/content/observability/metrics/influxdb.md
+++ b/docs/content/observability/metrics/influxdb.md
@@ -69,7 +69,7 @@ InfluxDB database used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    database: "db"
+    database: db
 ```

 ```toml tab="File (TOML)"
@@ -91,7 +91,7 @@ InfluxDB retention policy used when protocol is http.
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    retentionPolicy: "two_hours"
+    retentionPolicy: two_hours
 ```

 ```toml tab="File (TOML)"
@@ -113,7 +113,7 @@ InfluxDB username (only with http).
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    username: "john"
+    username: john
 ```

 ```toml tab="File (TOML)"
@@ -135,7 +135,7 @@ InfluxDB password (only with http).
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
-    password: "secret"
+    password: secret
 ```

 ```toml tab="File (TOML)"
@@ -170,24 +170,24 @@ metrics:
 --metrics.influxdb.addEntryPointsLabels=true
 ```

-#### `AddRoutersLabels`
+#### `addRoutersLabels`

 _Optional, Default=false_

 Enable metrics on routers.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  influxDB:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.influxdb.addrouterslabels=true
 ```
@@ -229,9 +229,35 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.influxDB]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
 --metrics.influxdb.pushInterval=10s
 ```
+
+#### `additionalLabels`
+
+_Optional, Default={}_
+
+Additional labels (influxdb tags) on all metrics.
+
+```yaml tab="File (YAML)"
+metrics:
+  influxDB:
+    additionalLabels:
+      host: example.com
+      environment: production
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.influxDB]
+    [metrics.influxDB.additionalLabels]
+      host = "example.com"
+      environment = "production"
+```
+
+```bash tab="CLI"
+--metrics.influxdb.additionallabels.host=example.com --metrics.influxdb.additionallabels.environment=production
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -7,39 +7,23 @@ Traefik supports 4 metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)

-## Configuration
-
-To enable metrics:
-
-```yaml tab="File (YAML)"
-metrics: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
-```
-
-```bash tab="CLI"
--metrics=true
-```
-
-## Server Metrics
+## Global Metrics

 | Metric                                                                  | DataDog | InfluxDB | Prometheus | StatsD |
 |-------------------------------------------------------------------------|---------|----------|------------|--------|
 | [Configuration reloads](#configuration-reloads)                         | ✓       | ✓        | ✓          | ✓      |
-| [Configuration reload failures](#configuration-reload-failures)         | ✓       | ✓        | ✓          | ✓      |
 | [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓        | ✓          | ✓      |
-| [Last Configuration Reload Failure](#last-configuration-reload-failure) | ✓       | ✓        | ✓          | ✓      |
+| [TLS certificates expiration](#tls-certificates-expiration)             | ✓       | ✓        | ✓          | ✓      |

 ### Configuration Reloads
+
 The total count of configuration reloads.

 ```dd tab="Datadog"
 config.reload.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.config.reload.total
 ```

@@ -52,34 +36,15 @@ traefik_config_reloads_total
 {prefix}.config.reload.total
 ```

-### Configuration Reload Failures
-The total count of configuration reload failures.
-
-```dd tab="Datadog"
-config.reload.total (with tag "failure" to true)
-```
-
-```influxdb tab="InfluDB"
-traefik.config.reload.total.failure
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_failure_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.config.reload.total.failure
-```
-
 ### Last Configuration Reload Success
+
 The timestamp of the last configuration reload success.

 ```dd tab="Datadog"
 config.reload.lastSuccessTimestamp
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.config.reload.lastSuccessTimestamp
 ```

@@ -92,24 +57,27 @@ traefik_config_last_reload_success
 {prefix}.config.reload.lastSuccessTimestamp
 ```

-### Last Configuration Reload Failure
-The timestamp of the last configuration reload failure.
+### TLS certificates expiration
+
+The expiration date of certificates.
+
+[Labels](#labels): `cn`, `sans`, `serial`.

 ```dd tab="Datadog"
-config.reload.lastFailureTimestamp
+tls.certs.notAfterTimestamp
 ```

-```influxdb tab="InfluDB"
-traefik.config.reload.lastFailureTimestamp
+```influxdb tab="InfluxDB"
+traefik.tls.certs.notAfterTimestamp
 ```

 ```prom tab="Prometheus"
-traefik_config_last_reload_failure
+traefik_tls_certs_not_after
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
-{prefix}.config.reload.lastFailureTimestamp
+{prefix}.tls.certs.notAfterTimestamp
 ```

 ## EntryPoint Metrics
@@ -117,20 +85,21 @@ traefik_config_last_reload_failure
 | Metric                                                    | DataDog | InfluxDB | Prometheus | StatsD |
 |-----------------------------------------------------------|---------|----------|------------|--------|
 | [HTTP Requests Count](#http-requests-count)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count)             |         |          | ✓          |        |
+| [HTTPS Requests Count](#https-requests-count)             | ✓       | ✓        | ✓          | ✓      |
 | [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓        | ✓          | ✓      |
 | [Open Connections Count](#open-connections-count)         | ✓       | ✓        | ✓          | ✓      |

 ### HTTP Requests Count
-The total count of HTTP requests processed on an entrypoint.

-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+The total count of HTTP requests received by an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.request.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.entrypoint.requests.total
 ```

@@ -144,24 +113,39 @@ traefik_entrypoint_requests_total
 ```

 ### HTTPS Requests Count
-The total count of HTTPS requests processed on an entrypoint.

-Available labels: `tls_version`, `tls_cipher`, `entrypoint`.
+The total count of HTTPS requests received by an entrypoint.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `entrypoint`.
+
+```dd tab="Datadog"
+entrypoint.request.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.entrypoint.requests.tls.total
+```

 ```prom tab="Prometheus"
 traefik_entrypoint_requests_tls_total
 ```

-### Request Duration Histogram
-Request process time duration histogram on an entrypoint.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.tls.total
+```

-Available labels: `code`, `method`, `protocol`, `entrypoint`.
+### Request Duration Histogram
+
+Request processing duration histogram on an entrypoint.
+
+[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.request.duration
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.entrypoint.request.duration
 ```

@@ -175,15 +159,16 @@ traefik_entrypoint_request_duration_seconds
 ```

 ### Open Connections Count
+
 The current count of open connections on an entrypoint.

-Available labels: `method`, `protocol`, `entrypoint`.
+[Labels](#labels): `method`, `protocol`, `entrypoint`.

 ```dd tab="Datadog"
 entrypoint.connections.open
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.entrypoint.connections.open
 ```

@@ -196,27 +181,129 @@ traefik_entrypoint_open_connections
 {prefix}.entrypoint.connections.open
 ```

-## Service Metrics
+## Router Metrics

 | Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
 |-------------------------------------------------------------|---------|----------|------------|--------|
 | [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓        | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_1)             |         |          | ✓          |        |
+| [HTTPS Requests Count](#https-requests-count_1)             | ✓       | ✓        | ✓          | ✓      |
 | [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓        | ✓          | ✓      |
 | [Open Connections Count](#open-connections-count_1)         | ✓       | ✓        | ✓          | ✓      |
+
+### HTTP Requests Count
+
+The total count of HTTP requests handled by a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.requests.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.total
+```
+
+### HTTPS Requests Count
+
+The total count of HTTPS requests handled by a router.
+
+[Labels](#labels): `tls_version`, `tls_cipher`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.requests.tls.total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_tls_total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.tls.total
+```
+
+### Request Duration Histogram
+
+Request processing duration histogram on a router.
+
+[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.request.duration
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.request.duration
+```
+
+```prom tab="Prometheus"
+traefik_router_request_duration_seconds
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.duration
+```
+
+### Open Connections Count
+
+The current count of open connections on a router.
+
+[Labels](#labels): `method`, `protocol`, `router`, `service`.
+
+```dd tab="Datadog"
+router.connections.open
+```
+
+```influxdb tab="InfluxDB"
+traefik.router.connections.open
+```
+
+```prom tab="Prometheus"
+traefik_router_open_connections
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.connections.open
+```
+
+## Service Metrics
+
+| Metric                                                      | DataDog | InfluxDB | Prometheus | StatsD |
+|-------------------------------------------------------------|---------|----------|------------|--------|
+| [HTTP Requests Count](#http-requests-count_2)               | ✓       | ✓        | ✓          | ✓      |
+| [HTTPS Requests Count](#https-requests-count_2)             | ✓       | ✓        | ✓          | ✓      |
+| [Request Duration Histogram](#request-duration-histogram_2) | ✓       | ✓        | ✓          | ✓      |
+| [Open Connections Count](#open-connections-count_2)         | ✓       | ✓        | ✓          | ✓      |
 | [Requests Retries Count](#requests-retries-count)           | ✓       | ✓        | ✓          | ✓      |
 | [Service Server UP](#service-server-up)                     | ✓       | ✓        | ✓          | ✓      |

 ### HTTP Requests Count
+
 The total count of HTTP requests processed on a service.

-Available labels: `code`, `method`, `protocol`, `service`.
+[Labels](#labels): `code`, `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.request.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.service.requests.total
 ```

@@ -230,24 +317,39 @@ traefik_service_requests_total
 ```

 ### HTTPS Requests Count
+
 The total count of HTTPS requests processed on a service.

-Available labels: `tls_version`, `tls_cipher`, `service`.
+[Labels](#labels): `tls_version`, `tls_cipher`, `service`.
+
+```dd tab="Datadog"
+router.service.tls.total
+```
+
+```influxdb tab="InfluxDB"
+traefik.service.requests.tls.total
+```

 ```prom tab="Prometheus"
 traefik_service_requests_tls_total
 ```

-### Request Duration Histogram
-Request process time duration histogram on a service.
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.tls.total
+```

-Available labels: `code`, `method`, `protocol`, `service`.
+### Request Duration Histogram
+
+Request processing duration histogram on a service.
+
+[Labels](#labels): `code`, `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.request.duration
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.service.request.duration
 ```

@@ -261,15 +363,16 @@ traefik_service_request_duration_seconds
 ```

 ### Open Connections Count
+
 The current count of open connections on a service.

-Available labels: `method`, `protocol`, `service`.
+[Labels](#labels): `method`, `protocol`, `service`.

 ```dd tab="Datadog"
 service.connections.open
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.service.connections.open
 ```

@@ -283,15 +386,16 @@ traefik_service_open_connections
 ```

 ### Requests Retries Count
+
 The count of requests retries on a service.

-Available labels: `service`.
+[Labels](#labels): `service`.

 ```dd tab="Datadog"
 service.retries.total
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.service.retries.total
 ```

@@ -305,15 +409,16 @@ traefik_service_retries_total
 ```

 ### Service Server UP
+
 Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.

-Available labels: `service`, `url`.
+[Labels](#labels): `service`, `url`.

 ```dd tab="Datadog"
 service.server.up
 ```

-```influxdb tab="InfluDB"
+```influxdb tab="InfluxDB"
 traefik.service.server.up
 ```

@@ -325,3 +430,28 @@ traefik_service_server_up
 # Default prefix: "traefik"
 {prefix}.service.server.up
 ```
+
+## Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label         | Description                           | example                    |
+|---------------|---------------------------------------|----------------------------|
+| `cn`          | Certificate Common Name               | "example.com"              |
+| `code`        | Request code                          | "200"                      |
+| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
+| `method`      | Request Method                        | "GET"                      |
+| `protocol`    | Request protocol                      | "http"                     |
+| `router`      | Router that handled the request       | "example_router"           |
+| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
+| `serial`      | Certificate Serial Number             | "123..."                   |
+| `service`     | Service that handled the request      | "example_service@provider" |
+| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
+| `tls_version` | TLS version used for the request      | "1.0"                      |
+| `url`         | Service server url                    | "http://example.com"       |
+
+!!! info "`method` label value"
+
+    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+    then the value for the method label becomes `EXTENSION_METHOD`.
--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -39,7 +39,7 @@ metrics:
 ```

 ```bash tab="CLI"
--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
+--metrics.prometheus.buckets=0.1,0.3,1.2,5.0
 ```

 #### `addEntryPointsLabels`
@@ -64,24 +64,24 @@ metrics:
 --metrics.prometheus.addEntryPointsLabels=true
 ```

-#### `AddRoutersLabels`
+#### `addRoutersLabels`

 _Optional, Default=false_

 Enable metrics on routers.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.prometheus]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  prometheus:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.prometheus.addrouterslabels=true
 ```
@@ -117,7 +117,7 @@ Entry point used to expose metrics.
 ```yaml tab="File (YAML)"
 entryPoints:
  metrics:
-    address: ":8082"
+    address: :8082

 metrics:
  prometheus:
--- a/docs/content/observability/metrics/statsd.md
+++ b/docs/content/observability/metrics/statsd.md
@@ -60,24 +60,24 @@ metrics:
 --metrics.statsd.addEntryPointsLabels=true
 ```

-#### `AddRoutersLabels`
+#### `addRoutersLabels`

 _Optional, Default=false_

 Enable metrics on entry points.

-```toml tab="File (TOML)"
-[metrics]
-  [metrics.statsD]
-    addRoutersLabels = true
-```
-
 ```yaml tab="File (YAML)"
 metrics:
  statsD:
    addRoutersLabels: true
 ```

+```toml tab="File (TOML)"
+[metrics]
+  [metrics.statsD]
+    addRoutersLabels = true
+```
+
 ```bash tab="CLI"
 --metrics.statsd.addrouterslabels=true
 ```
@@ -119,7 +119,7 @@ metrics:
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.statsD]
-    pushInterval = 10s
+    pushInterval = "10s"
 ```

 ```bash tab="CLI"
@@ -145,5 +145,5 @@ metrics:
 ```

 ```bash tab="CLI"
--metrics.statsd.prefix="traefik"
+--metrics.statsd.prefix=traefik
 ```
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -1,6 +1,6 @@
 # Datadog

-To enable the Datadog:
+To enable the Datadog tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:

 _Required, Default="127.0.0.1:8126"_

-Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
+Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).

 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:

 _Optional, Default=false_

-Enable Datadog debug.
+Enables Datadog debug.

 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:

 _Optional, Default=empty_

-Apply shared tag in a form of Key:Value to all the traces.
+Applies a shared key:value tag on all spans.

 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,8 @@ tracing:

 _Optional, Default=false_

-Enable priority sampling. When using distributed tracing,
+Enables priority sampling.
+When using distributed tracing, 
 this option must be enabled in order to get all the parts of a distributed trace sampled.

 ```yaml tab="File (YAML)"
--- a/docs/content/observability/tracing/elastic.md
+++ b/docs/content/observability/tracing/elastic.md
@@ -1,6 +1,6 @@
 # Elastic

-To enable the Elastic:
+To enable the Elastic tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:

 _Optional, Default="http://localhost:8200"_

-APM ServerURL is the URL of the Elastic APM server.
+URL of the Elastic APM server.

 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:

 _Optional, Default=""_

-APM Secret Token is the token used to connect to Elastic APM Server.
+Token used to connect to Elastic APM Server.

 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:

 _Optional, Default=""_

-APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
+Environment's name where Traefik is deployed in, e.g. `production` or `staging`.

 ```yaml tab="File (YAML)"
 tracing:
--- a/docs/content/observability/tracing/haystack.md
+++ b/docs/content/observability/tracing/haystack.md
@@ -1,6 +1,6 @@
 # Haystack

-To enable the Haystack:
+To enable the Haystack tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -18,9 +18,9 @@ tracing:

 #### `localAgentHost`

-_Require, Default="127.0.0.1"_
+_Required, Default="127.0.0.1"_

-Local Agent Host instructs reporter to send spans to haystack-agent at this address.
+Local Agent Host instructs reporter to send spans to the Haystack Agent at this address.

 ```yaml tab="File (YAML)"
 tracing:
@@ -40,9 +40,9 @@ tracing:

 #### `localAgentPort`

-_Require, Default=35000_
+_Required, Default=35000_

-Local Agent port instructs reporter to send spans to the haystack-agent at this port.
+Local Agent Port instructs reporter to send spans to the Haystack Agent at this port.

 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:

 _Optional, Default=empty_

-Apply shared tag in a form of Key:Value to all the traces.
+Applies shared key:value tag on all spans.

 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,7 @@ tracing:

 _Optional, Default=empty_

-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.

 ```yaml tab="File (YAML)"
 tracing:
@@ -108,7 +108,7 @@ tracing:

 _Optional, Default=empty_

-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.

 ```yaml tab="File (YAML)"
 tracing:
@@ -130,7 +130,7 @@ tracing:

 _Optional, Default=empty_

-Specifies the header name that will be used to store the span ID.
+Sets the header name used to store the span ID.

 ```yaml tab="File (YAML)"
 tracing:
@@ -152,7 +152,7 @@ tracing:

 _Optional, Default=empty_

-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.

 ```yaml tab="File (YAML)"
 tracing:
@@ -166,7 +166,6 @@ tracing:
    baggagePrefixHeaderName = "sample"
 ```

-
 ```bash tab="CLI"
 --tracing.haystack.baggagePrefixHeaderName=sample
 ```
--- a/docs/content/observability/tracing/instana.md
+++ b/docs/content/observability/tracing/instana.md
@@ -1,6 +1,6 @@
 # Instana

-To enable the Instana:
+To enable the Instana tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -18,9 +18,9 @@ tracing:

 #### `localAgentHost`

-_Require, Default="127.0.0.1"_
+_Required, Default="127.0.0.1"_

-Local Agent Host instructs reporter to send spans to instana-agent at this address.
+Local Agent Host instructs reporter to send spans to the Instana Agent at this address.

 ```yaml tab="File (YAML)"
 tracing:
@@ -40,9 +40,9 @@ tracing:

 #### `localAgentPort`

-_Require, Default=42699_
+_Required, Default=42699_

-Local Agent port instructs reporter to send spans to the instana-agent at this port.
+Local Agent port instructs reporter to send spans to the Instana Agent listening on this port.

 ```yaml tab="File (YAML)"
 tracing:
@@ -62,11 +62,11 @@ tracing:

 #### `logLevel`

-_Require, Default="info"_
+_Required, Default="info"_

-Set Instana tracer log level.
+Sets Instana tracer log level.

-Valid values for logLevel field are:
+Valid values are:

 - `error`
 - `warn`
@@ -88,3 +88,25 @@ tracing:
 ```bash tab="CLI"
 --tracing.instana.logLevel=info
 ```
+
+#### `enableAutoProfile`
+
+_Required, Default=false_
+
+Enables [automatic profiling](https://www.ibm.com/docs/en/obi/current?topic=instana-profile-processes) for the Traefik process.
+
+```yaml tab="File (YAML)"
+tracing:
+  instana:
+    enableAutoProfile: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.instana]
+    enableAutoProfile = true
+```
+
+```bash tab="CLI"
+--tracing.instana.enableAutoProfile=true
+```
--- a/docs/content/observability/tracing/jaeger.md
+++ b/docs/content/observability/tracing/jaeger.md
@@ -1,6 +1,6 @@
 # Jaeger

-To enable the Jaeger:
+To enable the Jaeger tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -18,7 +18,7 @@ tracing:

 !!! warning
    Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
-    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collectors).
+    or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collector).

 !!! info
    All Jaeger configuration can be overridden by [environment variables](https://github.com/jaegertracing/jaeger-client-go#environment-variables)
@@ -27,7 +27,7 @@ tracing:

 _Required, Default="http://localhost:5778/sampling"_

-Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
+Address of the Jaeger Agent HTTP sampling server.

 ```yaml tab="File (YAML)"
 tracing:
@@ -49,7 +49,13 @@ tracing:

 _Required, Default="const"_

-Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
+Type of the sampler.
+
+Valid values are:
+
+- `const`
+- `probabilistic`
+- `rateLimiting`

 ```yaml tab="File (YAML)"
 tracing:
@@ -71,9 +77,9 @@ tracing:

 _Required, Default=1.0_

-Sampling Param is a value passed to the sampler.
+Value passed to the sampler.

-Valid values for Param field are:
+Valid values are:

 - for `const` sampler, 0 or 1 for always false/true respectively
 - for `probabilistic` sampler, a probability between 0 and 1
@@ -99,7 +105,7 @@ tracing:

 _Required, Default="127.0.0.1:6831"_

-Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
+Local Agent Host Port instructs the reporter to send spans to the Jaeger Agent at this address (host:port).

 ```yaml tab="File (YAML)"
 tracing:
@@ -121,7 +127,7 @@ tracing:

 _Optional, Default=false_

-Generate 128-bit trace IDs, compatible with OpenCensus.
+Generates 128 bits trace IDs, compatible with OpenCensus.

 ```yaml tab="File (YAML)"
 tracing:
@@ -143,8 +149,9 @@ tracing:

 _Required, Default="jaeger"_

-Set the propagation header type.
-This can be either:
+Sets the propagation header type.
+
+Valid values are:

 - `jaeger`, jaeger's default trace header.
 - `b3`, compatible with OpenZipkin
@@ -169,7 +176,7 @@ tracing:

 _Required, Default="uber-trace-id"_

-Trace Context Header Name is the http header name used to propagate tracing context.
+HTTP header name used to propagate tracing context.
 This must be in lower-case to avoid mismatches when decoding incoming headers.

 ```yaml tab="File (YAML)"
@@ -192,7 +199,7 @@ tracing:

 _Optional, Default=true_

-Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
+Disables the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
 Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.

 ```yaml tab="File (YAML)"
@@ -216,7 +223,7 @@ tracing:

 _Optional, Default=""_

-Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
+Collector Endpoint instructs the reporter to send spans to the Jaeger Collector at this URL.

 ```yaml tab="File (YAML)"
 tracing:
@@ -239,7 +246,7 @@ tracing:

 _Optional, Default=""_

-User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
+User instructs the reporter to include a user for basic HTTP authentication when sending spans to the Jaeger Collector.

 ```yaml tab="File (YAML)"
 tracing:
@@ -262,7 +269,7 @@ tracing:

 _Optional, Default=""_

-Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
+Password instructs the reporter to include a password for basic HTTP authentication when sending spans to the Jaeger Collector.

 ```yaml tab="File (YAML)"
 tracing:
--- a/docs/content/observability/tracing/zipkin.md
+++ b/docs/content/observability/tracing/zipkin.md
@@ -1,6 +1,6 @@
 # Zipkin

-To enable the Zipkin:
+To enable the Zipkin tracer:

 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:

 _Required, Default="http://localhost:9411/api/v2/spans"_

-Zipkin HTTP endpoint used to send data.
+HTTP endpoint used to send data.

 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:

 _Optional, Default=false_

-Use Zipkin SameSpan RPC style traces.
+Uses SameSpan RPC style traces.

 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:

 _Optional, Default=true_

-Use Zipkin 128 bit trace IDs.
+Uses 128 bits trace IDs.

 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,7 @@ tracing:

 _Required, Default=1.0_

-The rate between 0.0 and 1.0 of requests to trace.
+The proportion of requests to trace, specified between 0.0 and 1.0.

 ```yaml tab="File (YAML)"
 tracing:
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -147,9 +147,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
 | `/api/tcp/services`            | Lists all the TCP services information.                                                     |
 | `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
+| `/api/udp/services`            | Lists all the UDP services information.                                                     |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
 | `/api/entrypoints`             | Lists all the entry points information.                                                     |
 | `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
 | `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
 | `/api/version`                 | Returns information about Traefik version.                                                  |
 | `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
 | `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -362,13 +362,14 @@ providers:

 _Optional_

-Defines TLS options for Consul server endpoint.
+Defines the TLS configuration used for the secure connection to Consul Catalog.

 ##### `ca`

 _Optional_

-`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+`ca` is the path to the certificate authority used for the secure connection to Consul Catalog,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -391,11 +392,11 @@ providers:

 _Optional_

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -422,8 +423,7 @@ providers:

 _Optional_

-`cert` is the path to the public certificate to use for Consul communication.
-
+`cert` is the path to the public certificate used for the secure connection to Consul Catalog.
 When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
@@ -450,8 +450,7 @@ providers:

 _Optional_

-`key` is the path to the private key for Consul communication.
-
+`key` is the path to the private key used for the secure connection to Consul Catalog.
 When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
@@ -476,7 +475,7 @@ providers:

 ##### `insecureSkipVerify`

-_Optional_
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

@@ -531,8 +530,8 @@ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
 The default host rule for all services.

 For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
-The `defaultRule` must be set to a valid [Go template](https://golang.org/pkg/text/template/),
-and can include [sprig template functions](http://masterminds.github.io/sprig/).
+The `defaultRule` must be set to a valid [Go template](https://pkg.go.dev/text/template/),
+and can include [sprig template functions](https://masterminds.github.io/sprig/).
 The service name can be accessed with the `Name` identifier,
 and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.

@@ -693,3 +692,32 @@ providers:
 ```

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+### `namespace`
+
+_Optional, Default=""_
+
+The `namespace` option defines the namespace in which the consul catalog services will be discovered.
+
+!!! warning
+
+    The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
+    which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    namespace: "production" 
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  namespace = "production"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.namespace=production
+# ...
+```
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:8500"_

-Defines how to access to Consul.
+Defines how to access Consul.

 ```yaml tab="File (YAML)"
 providers:
@@ -54,6 +54,34 @@ providers:
 --providers.consul.rootkey=traefik
 ```

+### `namespace`
+
+_Optional, Default=""_
+
+The `namespace` option defines the namespace to query.
+
+!!! warning
+
+    The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
+    which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    namespace: "production"
+```
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  namespace = "production"
+```
+
+```bash tab="CLI"
+--providers.consul.namespace=production
+```
+
 ### `username`

 _Optional, Default=""_
@@ -64,7 +92,7 @@ Defines a username to connect to Consul with.
 providers:
  consul:
    # ...
-    usename: "foo"
+    username: "foo"
 ```

 ```toml tab="File (TOML)"
@@ -97,16 +125,44 @@ providers:
 ```

 ```bash tab="CLI"
--providers.consul.password=foo
+--providers.consul.password=bar
+```
+
+### `token`
+
+_Optional, Default=""_
+
+Defines a token with which to connect to Consul.
+
+```yaml tab="File (YAML)"
+providers:
+  consul:
+    # ...
+    token: "bar"
+```
+
+```toml tab="File (TOML)"
+[providers.consul]
+  # ...
+  token = "bar"
+```
+
+```bash tab="CLI"
+--providers.consul.token=bar
 ```

 ### `tls`

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Consul.

-Certificate Authority used for the secure connection to Consul.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Consul,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +180,15 @@ providers:
 --providers.consul.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -152,9 +210,12 @@ providers:
 --providers.consul.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Consul.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Consul.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +236,12 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Consul.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Consul.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +262,9 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -252,7 +252,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.5 # The official v2 Traefik docker image
+         image: traefik:v2.6 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -427,8 +427,8 @@ _Optional, Default=```Host(`{{ normalize .Name }}`)```_

 The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.

-It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
-[sprig template functions](http://masterminds.github.io/sprig/).
+It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
+[sprig template functions](https://masterminds.github.io/sprig/).
 The container service name can be accessed with the `Name` identifier,
 and the template has access to all the labels defined on this container.

@@ -550,11 +550,11 @@ providers:

 _Optional, Default=""_

-The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
-to create any route for that container. If none of the container tags match the expression, no route for that container is
+The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
+to create any route for that container. If none of the container labels match the expression, no route for that container is
 created. If the expression is empty, all detected containers are included.

-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
 as well as the usual boolean logic, as shown in examples below.

 ??? example "Constraints Expression Examples"
@@ -613,9 +613,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Docker.

-Certificate Authority used for the secure connection to Docker.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Docker,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -633,13 +638,15 @@ providers:
 --providers.docker.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -661,9 +668,10 @@ providers:
 --providers.docker.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Docker.
+`cert` is the path to the public certificate used for the secure connection to Docker.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -684,9 +692,12 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Docker.
+_Optional_
+
+`key` is the path to the private key used for the secure connection Docker.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -707,7 +718,9 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -138,8 +138,8 @@ _Optional, Default=```Host(`{{ normalize .Name }}`)```_

 The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.

-It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
-[sprig template functions](http://masterminds.github.io/sprig/).
+It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
+[sprig template functions](https://masterminds.github.io/sprig/).
 The container service name can be accessed with the `Name` identifier,
 and the template has access to all the labels defined on this container.

--- a/docs/content/providers/etcd.md
+++ b/docs/content/providers/etcd.md
@@ -64,7 +64,7 @@ Defines a username with which to connect to etcd.
 providers:
  etcd:
    # ...
-    usename: "foo"
+    username: "foo"
 ```

 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to etcd.

-Certificate Authority used for the secure connection to etcd.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to etcd,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.etcd.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -152,9 +159,12 @@ providers:
 --providers.etcd.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to etcd.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to etcd.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to etcd.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to etcd.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -198,8 +198,8 @@ providers:
    Templating does not work in the Traefik main static configuration file.

 Traefik supports using Go templating to automatically generate repetitive sections of configuration files.
-These sections must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
-[sprig template functions](http://masterminds.github.io/sprig/).
+These sections must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
+[sprig template functions](https://masterminds.github.io/sprig/).

 To illustrate, it is possible to easily define multiple routers, services, and TLS certificates as described in the following examples:

--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -17,8 +17,7 @@ Defines the HTTP(S) endpoint to poll.
 ```yaml tab="File (YAML)"
 providers:
  http:
-    endpoint:
-      - "http://127.0.0.1:9000/api"
+    endpoint: "http://127.0.0.1:9000/api"
 ```

 ```toml tab="File (TOML)"
@@ -55,7 +54,7 @@ providers:

 _Optional, Default="5s"_

-Defines the polling timeout when connecting to the configured endpoint.
+Defines the polling timeout when connecting to the endpoint.

 ```yaml tab="File (YAML)"
 providers:
@@ -76,9 +75,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the endpoint.

-Certificate Authority used for the secure connection to the configured endpoint.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the endpoint,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -96,13 +100,15 @@ providers:
 --providers.http.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -124,9 +130,12 @@ providers:
 --providers.http.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the endpoint.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -147,9 +156,12 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the endpoint.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -170,7 +182,9 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -62,7 +62,7 @@ Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1

 If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.

-If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
@@ -195,13 +195,13 @@ See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-
 ```yaml tab="File (YAML)"
 providers:
  kubernetesCRD:
-    labelselector: "app=traefik"
+    labelSelector: "app=traefik"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  labelselector = "app=traefik"
+  labelSelector = "app=traefik"
  # ...
 ```

--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -9,7 +9,7 @@ The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specifications from the Kubernetes Special Interest Groups (SIGs).

-This provider is proposed as an experimental feature and partially supports the Gateway API [v0.3.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.3.0) specification.
+This provider is proposed as an experimental feature and partially supports the Gateway API [v0.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v0.4.0) specification.

 !!! warning "Enabling The Experimental Kubernetes Gateway Provider"

@@ -41,7 +41,7 @@ This provider is proposed as an experimental feature and partially supports the
 !!! tip "All Steps for a Successful Deployment"

    * Add/update the Kubernetes Gateway API [definitions](../reference/dynamic-configuration/kubernetes-gateway.md#definitions).
-    * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources.
+    * Add/update the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) for the Traefik custom resources.
    * Add all needed Kubernetes Gateway API [resources](../reference/dynamic-configuration/kubernetes-gateway.md#resources).

 ## Examples
@@ -62,9 +62,9 @@ This provider is proposed as an experimental feature and partially supports the

    ```yaml tab="Gateway API CRDs"
    # All resources definition must be declared
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
-    --8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml"
+    --8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml"
    ```

    ```yaml tab="RBAC"
@@ -73,17 +73,17 @@ This provider is proposed as an experimental feature and partially supports the

 The Kubernetes Gateway API project provides several guides on how to use the APIs.
 These guides can help you to go further than the example above.
-The [getting started guide](https://gateway-api.sigs.k8s.io/guides/getting-started/) details how to install the CRDs from their repository.
+The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) details how to install the CRDs from their repository.

 !!! note ""

-    Keep in mind that the Traefik Gateway provider only supports the `v0.3.0`.
+    Keep in mind that the Traefik Gateway provider only supports the `v0.4.0` (v1alpha2).

 For now, the Traefik Gateway Provider can be used while following the below guides:

-* [Simple Gateway](https://gateway-api.sigs.k8s.io/guides/simple-gateway/)
-* [HTTP routing](https://gateway-api.sigs.k8s.io/guides/http-routing/)
-* [TLS](https://gateway-api.sigs.k8s.io/guides/tls/)
+* [Simple Gateway](https://gateway-api.sigs.k8s.io/v1alpha2/guides/simple-gateway/)
+* [HTTP routing](https://gateway-api.sigs.k8s.io/v1alpha2/guides/http-routing/)
+* [TLS](https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/)

 ## Resource Configuration

--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -36,10 +36,10 @@ and derives the corresponding dynamic configuration from it,
 which in turn creates the resulting routers, services, handlers, etc.

 ```yaml tab="Ingress"
+apiVersion: networking.k8s.io/v1
 kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
 metadata:
-  name: "foo"
+  name: foo
  namespace: production

 spec:
@@ -48,20 +48,26 @@ spec:
      http:
        paths:
          - path: /bar
+            pathType: Exact
            backend:
-              serviceName: service1
-              servicePort: 80
+              service:
+                name:  service1
+                port:
+                  number: 80
          - path: /foo
+            pathType: Exact
            backend:
-              serviceName: service1
-              servicePort: 80
+              service:
+                name:  service1
+                port:
+                  number: 80
 ```

-```yaml tab="Ingress Kubernetes v1.19+"
+```yaml tab="Ingress v1beta1 (deprecated)"
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
-apiVersion: networking.k8s.io/v1
 metadata:
-  name: "foo"
+  name: foo
  namespace: production

 spec:
@@ -71,16 +77,12 @@ spec:
        paths:
          - path: /bar
            backend:
-              service:
-                name:  service1
-                port:
-                  number: 80
+              serviceName: service1
+              servicePort: 80
          - path: /foo
            backend:
-              service:
-                name:  service1
-                port:
-                  number: 80
+              serviceName: service1
+              servicePort: 80
 ```

 ## LetsEncrypt Support with the Ingress Provider
@@ -102,7 +104,7 @@ If you need Let's Encrypt with high availability in a Kubernetes environment,
 we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.

 If you want to keep using Traefik Proxy,
-LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates,
 it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).

@@ -227,7 +229,7 @@ See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-
 ```yaml tab="File (YAML)"
 providers:
  kubernetesIngress:
-    labelselector: "app=traefik"
+    labelSelector: "app=traefik"
    # ...
 ```

@@ -270,19 +272,19 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
    ```

    ```yaml tab="Ingress"
-    apiVersion: "networking.k8s.io/v1beta1"
-    kind: "Ingress"
+    apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
    metadata:
-      name: "example-ingress"
+      name: example-ingress
    spec:
-      ingressClassName: "traefik-lb"
+      ingressClassName: traefik-lb
      rules:
      - host: "*.example.com"
        http:
          paths:
-          - path: "/example"
+          - path: /example
            backend:
-              serviceName: "example-service"
+              serviceName: example-service
              servicePort: 80
    ```

@@ -301,20 +303,21 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
    ```

    ```yaml tab="Ingress"
-    apiVersion: "networking.k8s.io/v1"
-    kind: "Ingress"
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
    metadata:
-      name: "example-ingress"
+      name: example-ingress
    spec:
-      ingressClassName: "traefik-lb"
+      ingressClassName: traefik-lb
      rules:
      - host: "*.example.com"
        http:
          paths:
-          - path: "/example"
+          - path: /example
+            pathType: Exact
            backend:
              service:
-                name: "example-service"
+                name: example-service
                port:
                    number: 80
    ```
@@ -490,4 +493,4 @@ providers:
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.5/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.6/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -113,8 +113,8 @@ The default host rule for all services.

 For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.

-It must be a valid [Go template](https://golang.org/pkg/text/template/),
-and can include [sprig template functions](http://masterminds.github.io/sprig/).
+It must be a valid [Go template](https://pkg.go.dev/text/template/),
+and can include [sprig template functions](https://masterminds.github.io/sprig/).

 The app ID can be accessed with the `Name` identifier,
 and the template has access to all the labels defined on this Marathon application.
@@ -404,9 +404,12 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Marathon.

-Certificate Authority used for the secure connection to Marathon.
+#### `ca`
+
+`ca` is the path to the certificate authority used for the secure connection to Marathon,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -424,13 +427,15 @@ providers:
 --providers.marathon.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -452,9 +457,12 @@ providers:
 --providers.marathon.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Marathon.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Marathon.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -475,9 +483,12 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Marathon.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Marathon.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -498,7 +509,9 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.

@@ -531,18 +544,18 @@ see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 ```yaml tab="File (YAML)"
 providers:
  marathon:
-    responseHeaderTimeout: "10s"
+    tlsHandshakeTimeout: "10s"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.marathon]
-  responseHeaderTimeout = "10s"
+  tlsHandshakeTimeout = "10s"
  # ...
 ```

 ```bash tab="CLI"
--providers.marathon.responseHeaderTimeout=10s
+--providers.marathon.tlsHandshakeTimeout=10s
 # ...
 ```

--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -95,8 +95,8 @@ The default host rule for all services.

 The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.

-It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
-[sprig template functions](http://masterminds.github.io/sprig/).
+It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
+[sprig template functions](https://masterminds.github.io/sprig/).
 The service name can be accessed with the `Name` identifier,
 and the template has access to all the labels defined on this container.

--- a/docs/content/providers/redis.md
+++ b/docs/content/providers/redis.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:6379"_

-Defines how to access to Redis.
+Defines how to access Redis.

 ```yaml tab="File (YAML)"
 providers:
@@ -64,7 +64,7 @@ Defines a username to connect with Redis.
 providers:
  redis:
    # ...
-    usename: "foo"
+    username: "foo"
 ```

 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Redis.

-Certificate Authority used for the secure connection to Redis.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Redis,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.redis.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -152,9 +159,12 @@ providers:
 --providers.redis.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to Redis.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Redis.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to Redis.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Redis.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/providers/zookeeper.md
+++ b/docs/content/providers/zookeeper.md
@@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).

 _Required, Default="127.0.0.1:2181"_

-Defines how to access to ZooKeeper.
+Defines how to access ZooKeeper.

 ```yaml tab="File (YAML)"
 providers:
@@ -64,7 +64,7 @@ Defines a username to connect with ZooKeeper.
 providers:
  zooKeeper:
    # ...
-    usename: "foo"
+    username: "foo"
 ```

 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:

 _Optional_

-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to ZooKeeper.

-Certificate Authority used for the secure connection to ZooKeeper.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to ZooKeeper,
+it defaults to the system bundle.

 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.zookeeper.tls.ca=path/to/ca.crt
 ```

-#### `tls.caOptional`
+#### `caOptional`

-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.

 !!! warning ""

-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.

 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.

@@ -152,9 +159,12 @@ providers:
 --providers.zookeeper.tls.caOptional=true
 ```

-#### `tls.cert`
+#### `cert`

-Public certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to ZooKeeper.
+When using this option, setting the `key` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```

-#### `tls.key`
+#### `key`

-Private certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to ZooKeeper.
+When using this option, setting the `cert` option is required.

 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```

-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_

 If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.

--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -13,6 +13,7 @@
 - "traefik.http.middlewares.middleware04.circuitbreaker.expression=foobar"
 - "traefik.http.middlewares.middleware05.compress=true"
 - "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
+- "traefik.http.middlewares.middleware05.compress.minresponsebodybytes=42"
 - "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
 - "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
@@ -90,6 +91,7 @@
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization=true"
+- "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organizationalunit=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber=true"
 - "traefik.http.middlewares.middleware13.passtlsclientcert.pem=true"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -122,6 +122,7 @@
    [http.middlewares.Middleware05]
      [http.middlewares.Middleware05.compress]
        excludedContentTypes = ["foobar", "foobar"]
+        minResponseBodyBytes = 42
    [http.middlewares.Middleware06]
      [http.middlewares.Middleware06.contentType]
        autoDetect = true
@@ -217,6 +218,7 @@
            province = true
            locality = true
            organization = true
+            organizationalUnit = true
            commonName = true
            serialNumber = true
            domainComponent = true
@@ -421,6 +423,7 @@
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
+      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options0.clientAuth]
        caFiles = ["foobar", "foobar"]
        clientAuthType = "foobar"
@@ -431,6 +434,7 @@
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
+      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options1.clientAuth]
        caFiles = ["foobar", "foobar"]
        clientAuthType = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -128,6 +128,7 @@ http:
        excludedContentTypes:
        - foobar
        - foobar
+        minResponseBodyBytes: 42
    Middleware06:
      contentType:
        autoDetect: true
@@ -250,6 +251,7 @@ http:
            province: true
            locality: true
            organization: true
+            organizationalUnit: true
            commonName: true
            serialNumber: true
            domainComponent: true
@@ -470,6 +472,9 @@ tls:
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
+      alpnProtocols:
+        - foobar
+        - foobar
    Options1:
      minVersion: foobar
      maxVersion: foobar
@@ -486,6 +491,9 @@ tls:
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
+      alpnProtocols:
+        - foobar
+        - foobar
  stores:
    Store0:
      defaultCertificate:
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml
@@ -4,11 +4,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
  creationTimestamp: null
-  name: gatewayclasses.networking.x-k8s.io
+  name: gatewayclasses.gateway.networking.k8s.io
 spec:
-  group: networking.x-k8s.io
+  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
@@ -27,12 +27,26 @@ spec:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
-    name: v1alpha1
+    - jsonPath: .spec.description
+      name: Description
+      priority: 1
+      type: string
+    name: v1alpha2
    schema:
      openAPIV3Schema:
        description: "GatewayClass describes a class of Gateways available to the
-          user for creating Gateway resources. \n GatewayClass is a Cluster level
-          resource."
+          user for creating Gateway resources. \n It is recommended that this resource
+          be used as a template for Gateways. This means that a Gateway is based on
+          the state of the GatewayClass at the time it was created and changes to
+          the GatewayClass or associated parameters are not propagated down to existing
+          Gateways. This recommendation is intended to limit the blast radius of changes
+          to GatewayClass or associated parameters. If implementations choose to propagate
+          GatewayClass changes to existing Gateways, that MUST be clearly documented
+          by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
+          implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+          finalizer on the associated GatewayClass. This ensures that a GatewayClass
+          associated with a Gateway is not deleted while in use. \n GatewayClass is
+          a Cluster level resource."
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -49,14 +63,18 @@ spec:
          spec:
            description: Spec defines the desired state of GatewayClass.
            properties:
-              controller:
-                description: "Controller is a domain/path string that indicates the
-                  controller that is managing Gateways of this class. \n Example:
-                  \"acme.io/gateway-controller\". \n This field is not mutable and
-                  cannot be empty. \n The format of this field is DOMAIN \"/\" PATH,
-                  where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
-                  \n Support: Core"
+              controllerName:
+                description: "ControllerName is the name of the controller that is
+                  managing Gateways of this class. The value of this field MUST be
+                  a domain prefixed path. \n Example: \"example.net/gateway-controller\".
+                  \n This field is not mutable and cannot be empty. \n Support: Core"
                maxLength: 253
+                minLength: 1
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                type: string
+              description:
+                description: Description helps describe a GatewayClass with more details.
+                maxLength: 64
                type: string
              parametersRef:
                description: "ParametersRef is a reference to a resource that contains
@@ -71,12 +89,13 @@ spec:
                  group:
                    description: Group is the group of the referent.
                    maxLength: 253
-                    minLength: 1
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                    type: string
                  kind:
                    description: Kind is kind of the referent.
-                    maxLength: 253
+                    maxLength: 63
                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
                    type: string
                  name:
                    description: Name is the name of the referent.
@@ -85,18 +104,11 @@ spec:
                    type: string
                  namespace:
                    description: Namespace is the namespace of the referent. This
-                      field is required when scope is set to "Namespace" and ignored
-                      when scope is set to "Cluster".
-                    maxLength: 253
+                      field is required when referring to a Namespace-scoped resource
+                      and MUST be unset when referring to a Cluster-scoped resource.
+                    maxLength: 63
                    minLength: 1
-                    type: string
-                  scope:
-                    default: Cluster
-                    description: Scope represents if the referent is a Cluster or
-                      Namespace scoped resource. This may be set to "Cluster" or "Namespace".
-                    enum:
-                    - Cluster
-                    - Namespace
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                required:
                - group
@@ -104,7 +116,7 @@ spec:
                - name
                type: object
            required:
-            - controller
+            - controllerName
            type: object
          status:
            default:
@@ -112,8 +124,8 @@ spec:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: Waiting
-                status: "False"
-                type: Admitted
+                status: Unknown
+                type: Accepted
            description: Status defines the current state of GatewayClass.
            properties:
              conditions:
@@ -121,8 +133,8 @@ spec:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: Waiting
-                  status: "False"
-                  type: Admitted
+                  status: Unknown
+                  type: Accepted
                description: "Conditions is the current status from the controller
                  for this GatewayClass. \n Controllers should prefer to publish conditions
                  using values of GatewayClassConditionType for the type of each Condition."
@@ -199,6 +211,8 @@ spec:
                - type
                x-kubernetes-list-type: map
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml
@@ -4,11 +4,11 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.5.0
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
  creationTimestamp: null
-  name: gateways.networking.x-k8s.io
+  name: gateways.gateway.networking.k8s.io
 spec:
-  group: networking.x-k8s.io
+  group: gateway.networking.k8s.io
  names:
    categories:
    - gateway-api
@@ -24,18 +24,20 @@ spec:
    - jsonPath: .spec.gatewayClassName
      name: Class
      type: string
+    - jsonPath: .status.addresses[*].value
+      name: Address
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
-    name: v1alpha1
+    name: v1alpha2
    schema:
      openAPIV3Schema:
-        description: "Gateway represents an instantiation of a service-traffic handling
-          infrastructure by binding Listeners to a set of IP addresses. \n Implementations
-          should add the `gateway-exists-finalizer.networking.x-k8s.io` finalizer
-          on the associated GatewayClass whenever Gateway(s) is running. This ensures
-          that a GatewayClass associated with a Gateway(s) is not deleted while in
-          use."
+        description: Gateway represents an instance of a service-traffic handling
+          infrastructure by binding Listeners to a set of IP addresses.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -53,24 +55,32 @@ spec:
            description: Spec defines the desired state of Gateway.
            properties:
              addresses:
-                description: "Addresses requested for this gateway. This is optional
-                  and behavior can depend on the GatewayClass. If a value is set in
-                  the spec and the requested address is invalid, the GatewayClass
-                  MUST indicate this in the associated entry in GatewayStatus.Addresses.
-                  \n If no Addresses are specified, the GatewayClass may schedule
-                  the Gateway in an implementation-defined manner, assigning an appropriate
-                  set of Addresses. \n The GatewayClass MUST bind all Listeners to
-                  every GatewayAddress that it assigns to the Gateway. \n Support:
-                  Core"
+                description: "Addresses requested for this Gateway. This is optional
+                  and behavior can depend on the implementation. If a value is set
+                  in the spec and the requested address is invalid or unavailable,
+                  the implementation MUST indicate this in the associated entry in
+                  GatewayStatus.Addresses. \n The Addresses field represents a request
+                  for the address(es) on the \"outside of the Gateway\", that traffic
+                  bound for this Gateway will use. This could be the IP address or
+                  hostname of an external load balancer or other networking infrastructure,
+                  or some other address that traffic will be sent to. \n The .listener.hostname
+                  field is used to route traffic that has already arrived at the Gateway
+                  to the correct in-cluster destination. \n If no Addresses are specified,
+                  the implementation MAY schedule the Gateway in an implementation-specific
+                  manner, assigning an appropriate set of Addresses. \n The implementation
+                  MUST bind all Listeners to every GatewayAddress that it assigns
+                  to the Gateway and add a corresponding entry in GatewayStatus.Addresses.
+                  \n Support: Core"
                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  properties:
                    type:
                      default: IPAddress
-                      description: "Type of the address. \n Support: Extended"
+                      description: Type of the address.
                      enum:
                      - IPAddress
+                      - Hostname
                      - NamedAddress
                      type: string
                    value:
@@ -94,130 +104,96 @@ spec:
              listeners:
                description: "Listeners associated with this Gateway. Listeners define
                  logical endpoints that are bound on this Gateway's addresses. At
-                  least one Listener MUST be specified. \n An implementation MAY group
-                  Listeners by Port and then collapse each group of Listeners into
-                  a single Listener if the implementation determines that the Listeners
-                  in the group are \"compatible\". An implementation MAY also group
-                  together and collapse compatible Listeners belonging to different
-                  Gateways. \n For example, an implementation might consider Listeners
-                  to be compatible with each other if all of the following conditions
-                  are met: \n 1. Either each Listener within the group specifies the
-                  \"HTTP\"    Protocol or each Listener within the group specifies
-                  either    the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener
-                  within the group specifies a Hostname that is unique    within the
-                  group. \n 3. As a special case, one Listener within a group may
-                  omit Hostname,    in which case this Listener matches when no other
-                  Listener    matches. \n If the implementation does collapse compatible
-                  Listeners, the hostname provided in the incoming client request
-                  MUST be matched to a Listener to find the correct set of Routes.
-                  The incoming hostname MUST be matched using the Hostname field for
-                  each Listener in order of most to least specific. That is, exact
-                  matches must be processed before wildcard matches. \n If this field
-                  specifies multiple Listeners that have the same Port value but are
-                  not compatible, the implementation must raise a \"Conflicted\" condition
-                  in the Listener status. \n Support: Core"
+                  least one Listener MUST be specified. \n Each listener in a Gateway
+                  must have a unique combination of Hostname, Port, and Protocol.
+                  \n An implementation MAY group Listeners by Port and then collapse
+                  each group of Listeners into a single Listener if the implementation
+                  determines that the Listeners in the group are \"compatible\". An
+                  implementation MAY also group together and collapse compatible Listeners
+                  belonging to different Gateways. \n For example, an implementation
+                  might consider Listeners to be compatible with each other if all
+                  of the following conditions are met: \n 1. Either each Listener
+                  within the group specifies the \"HTTP\"    Protocol or each Listener
+                  within the group specifies either    the \"HTTPS\" or \"TLS\" Protocol.
+                  \n 2. Each Listener within the group specifies a Hostname that is
+                  unique    within the group. \n 3. As a special case, one Listener
+                  within a group may omit Hostname,    in which case this Listener
+                  matches when no other Listener    matches. \n If the implementation
+                  does collapse compatible Listeners, the hostname provided in the
+                  incoming client request MUST be matched to a Listener to find the
+                  correct set of Routes. The incoming hostname MUST be matched using
+                  the Hostname field for each Listener in order of most to least specific.
+                  That is, exact matches must be processed before wildcard matches.
+                  \n If this field specifies multiple Listeners that have the same
+                  Port value but are not compatible, the implementation must raise
+                  a \"Conflicted\" condition in the Listener status. \n Support: Core"
                items:
                  description: Listener embodies the concept of a logical endpoint
-                    where a Gateway can accept network connections. Each listener
-                    in a Gateway must have a unique combination of Hostname, Port,
-                    and Protocol. This will be enforced by a validating webhook.
+                    where a Gateway accepts network connections.
                  properties:
-                    hostname:
-                      description: "Hostname specifies the virtual hostname to match
-                        for protocol types that define this concept. When unspecified,
-                        \"\", or `*`, all hostnames are matched. This field can be
-                        omitted for protocols that don't require hostname based matching.
-                        \n Hostname is the fully qualified domain name of a network
-                        host, as defined by RFC 3986. Note the following deviations
-                        from the \"host\" part of the URI as defined in the RFC: \n
-                        1. IP literals are not allowed. 2. The `:` delimiter is not
-                        respected because ports are not allowed. \n Hostname can be
-                        \"precise\" which is a domain name without the terminating
-                        dot of a network host (e.g. \"foo.example.com\") or \"wildcard\",
-                        which is a domain name prefixed with a single wildcard label
-                        (e.g. `*.example.com`). The wildcard character `*` must appear
-                        by itself as the first DNS label and matches only a single
-                        label. \n Support: Core"
-                      maxLength: 253
-                      minLength: 1
-                      type: string
-                    port:
-                      description: "Port is the network port. Multiple listeners may
-                        use the same port, subject to the Listener compatibility rules.
+                    allowedRoutes:
+                      default:
+                        namespaces:
+                          from: Same
+                      description: "AllowedRoutes defines the types of routes that
+                        MAY be attached to a Listener and the trusted namespaces where
+                        those Route resources MAY be present. \n Although a client
+                        request may match multiple route rules, only one rule may
+                        ultimately receive the request. Matching precedence MUST be
+                        determined in order of the following criteria: \n * The most
+                        specific match as defined by the Route type. * The oldest
+                        Route based on creation timestamp. For example, a Route with
+                        \  a creation timestamp of \"2020-09-08 01:02:03\" is given
+                        precedence over   a Route with a creation timestamp of \"2020-09-08
+                        01:02:04\". * If everything else is equivalent, the Route
+                        appearing first in   alphabetical order (namespace/name) should
+                        be given precedence. For   example, foo/bar is given precedence
+                        over foo/baz. \n All valid rules within a Route attached to
+                        this Listener should be implemented. Invalid Route rules can
+                        be ignored (sometimes that will mean the full Route). If a
+                        Route rule transitions from valid to invalid, support for
+                        that Route rule should be dropped to ensure consistency. For
+                        example, even if a filter specified by a Route rule is invalid,
+                        the rest of the rules within that Route should still be supported.
                        \n Support: Core"
-                      format: int32
-                      maximum: 65535
-                      minimum: 1
-                      type: integer
-                    protocol:
-                      description: "Protocol specifies the network protocol this listener
-                        expects to receive. The GatewayClass MUST apply the Hostname
-                        match appropriately for each protocol: \n * For the \"TLS\"
-                        protocol, the Hostname match MUST be   applied to the [SNI](https://tools.ietf.org/html/rfc6066#section-3)
-                        \  server name offered by the client. * For the \"HTTP\" protocol,
-                        the Hostname match MUST be   applied to the host portion of
-                        the   [effective request URI](https://tools.ietf.org/html/rfc7230#section-5.5)
-                        \  or the [:authority pseudo-header](https://tools.ietf.org/html/rfc7540#section-8.1.2.3)
-                        * For the \"HTTPS\" protocol, the Hostname match MUST be   applied
-                        at both the TLS and HTTP protocol layers. \n Support: Core"
-                      type: string
-                    routes:
-                      description: "Routes specifies a schema for associating routes
-                        with the Listener using selectors. A Route is a resource capable
-                        of servicing a request and allows a cluster operator to expose
-                        a cluster resource (i.e. Service) by externally-reachable
-                        URL, load-balance traffic and terminate SSL/TLS.  Typically,
-                        a route is a \"HTTPRoute\" or \"TCPRoute\" in group \"networking.x-k8s.io\",
-                        however, an implementation may support other types of resources.
-                        \n The Routes selector MUST select a set of objects that are
-                        compatible with the application protocol specified in the
-                        Protocol field. \n Although a client request may technically
-                        match multiple route rules, only one rule may ultimately receive
-                        the request. Matching precedence MUST be determined in order
-                        of the following criteria: \n * The most specific match. For
-                        example, the most specific HTTPRoute match   is determined
-                        by the longest matching combination of hostname and path.
-                        * The oldest Route based on creation timestamp. For example,
-                        a Route with   a creation timestamp of \"2020-09-08 01:02:03\"
-                        is given precedence over   a Route with a creation timestamp
-                        of \"2020-09-08 01:02:04\". * If everything else is equivalent,
-                        the Route appearing first in   alphabetical order (namespace/name)
-                        should be given precedence. For   example, foo/bar is given
-                        precedence over foo/baz. \n All valid portions of a Route
-                        selected by this field should be supported. Invalid portions
-                        of a Route can be ignored (sometimes that will mean the full
-                        Route). If a portion of a Route transitions from valid to
-                        invalid, support for that portion of the Route should be dropped
-                        to ensure consistency. For example, even if a filter specified
-                        by a Route is invalid, the rest of the Route should still
-                        be supported. \n Support: Core"
                      properties:
-                        group:
-                          default: networking.x-k8s.io
-                          description: "Group is the group of the route resource to
-                            select. Omitting the value or specifying the empty string
-                            indicates the networking.x-k8s.io API group. For example,
-                            use the following to select an HTTPRoute: \n routes:   kind:
-                            HTTPRoute \n Otherwise, if an alternative API group is
-                            desired, specify the desired group: \n routes:   group:
-                            acme.io   kind: FooRoute \n Support: Core"
-                          maxLength: 253
-                          minLength: 1
-                          type: string
-                        kind:
-                          description: "Kind is the kind of the route resource to
-                            select. \n Kind MUST correspond to kinds of routes that
-                            are compatible with the application protocol specified
-                            in the Listener's Protocol field. \n If an implementation
-                            does not support or recognize this resource type, it SHOULD
-                            set the \"ResolvedRefs\" condition to false for this listener
-                            with the \"InvalidRoutesRef\" reason. \n Support: Core"
-                          type: string
+                        kinds:
+                          description: "Kinds specifies the groups and kinds of Routes
+                            that are allowed to bind to this Gateway Listener. When
+                            unspecified or empty, the kinds of Routes selected are
+                            determined using the Listener protocol. \n A RouteGroupKind
+                            MUST correspond to kinds of Routes that are compatible
+                            with the application protocol specified in the Listener's
+                            Protocol field. If an implementation does not support
+                            or recognize this resource type, it MUST set the \"ResolvedRefs\"
+                            condition to False for this Listener with the \"InvalidRoutesRef\"
+                            reason. \n Support: Core"
+                          items:
+                            description: RouteGroupKind indicates the group and kind
+                              of a Route resource.
+                            properties:
+                              group:
+                                default: gateway.networking.k8s.io
+                                description: Group is the group of the Route.
+                                maxLength: 253
+                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                              kind:
+                                description: Kind is the kind of the Route.
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                type: string
+                            required:
+                            - kind
+                            type: object
+                          maxItems: 8
+                          type: array
                        namespaces:
                          default:
                            from: Same
-                          description: "Namespaces indicates in which namespaces Routes
-                            should be selected for this Gateway. This is restricted
+                          description: "Namespaces indicates namespaces from which
+                            Routes may be attached to this Listener. This is restricted
                            to the namespace of this Gateway by default. \n Support:
                            Core"
                          properties:
@@ -286,156 +262,180 @@ spec:
                                  type: object
                              type: object
                          type: object
-                        selector:
-                          description: "Selector specifies a set of route labels used
-                            for selecting routes to associate with the Gateway. If
-                            this Selector is defined, only routes matching the Selector
-                            are associated with the Gateway. An empty Selector matches
-                            all routes. \n Support: Core"
-                          properties:
-                            matchExpressions:
-                              description: matchExpressions is a list of label selector
-                                requirements. The requirements are ANDed.
-                              items:
-                                description: A label selector requirement is a selector
-                                  that contains values, a key, and an operator that
-                                  relates the key and values.
-                                properties:
-                                  key:
-                                    description: key is the label key that the selector
-                                      applies to.
-                                    type: string
-                                  operator:
-                                    description: operator represents a key's relationship
-                                      to a set of values. Valid operators are In,
-                                      NotIn, Exists and DoesNotExist.
-                                    type: string
-                                  values:
-                                    description: values is an array of string values.
-                                      If the operator is In or NotIn, the values array
-                                      must be non-empty. If the operator is Exists
-                                      or DoesNotExist, the values array must be empty.
-                                      This array is replaced during a strategic merge
-                                      patch.
-                                    items:
-                                      type: string
-                                    type: array
-                                required:
-                                - key
-                                - operator
-                                type: object
-                              type: array
-                            matchLabels:
-                              additionalProperties:
-                                type: string
-                              description: matchLabels is a map of {key,value} pairs.
-                                A single {key,value} in the matchLabels map is equivalent
-                                to an element of matchExpressions, whose key field
-                                is "key", the operator is "In", and the values array
-                                contains only "value". The requirements are ANDed.
-                              type: object
-                          type: object
-                      required:
-                      - kind
                      type: object
+                    hostname:
+                      description: "Hostname specifies the virtual hostname to match
+                        for protocol types that define this concept. When unspecified,
+                        all hostnames are matched. This field is ignored for protocols
+                        that don't require hostname based matching. \n Implementations
+                        MUST apply Hostname matching appropriately for each of the
+                        following protocols: \n * TLS: The Listener Hostname MUST
+                        match the SNI. * HTTP: The Listener Hostname MUST match the
+                        Host header of the request. * HTTPS: The Listener Hostname
+                        SHOULD match at both the TLS and HTTP   protocol layers as
+                        described above. If an implementation does not   ensure that
+                        both the SNI and Host header match the Listener hostname,
+                        \  it MUST clearly document that. \n For HTTPRoute and TLSRoute
+                        resources, there is an interaction with the `spec.hostnames`
+                        array. When both listener and route specify hostnames, there
+                        MUST be an intersection between the values for a Route to
+                        be accepted. For more information, refer to the Route specific
+                        Hostnames documentation. \n Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    name:
+                      description: "Name is the name of the Listener. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    port:
+                      description: "Port is the network port. Multiple listeners may
+                        use the same port, subject to the Listener compatibility rules.
+                        \n Support: Core"
+                      format: int32
+                      maximum: 65535
+                      minimum: 1
+                      type: integer
+                    protocol:
+                      description: "Protocol specifies the network protocol this listener
+                        expects to receive. \n Support: Core"
+                      maxLength: 255
+                      minLength: 1
+                      pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+                      type: string
                    tls:
                      description: "TLS is the TLS configuration for the Listener.
                        This field is required if the Protocol field is \"HTTPS\"
-                        or \"TLS\" and ignored otherwise. \n The association of SNIs
-                        to Certificate defined in GatewayTLSConfig is defined based
-                        on the Hostname field for this listener. \n The GatewayClass
+                        or \"TLS\". It is invalid to set this field if the Protocol
+                        field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
+                        of SNIs to Certificate defined in GatewayTLSConfig is defined
+                        based on the Hostname field for this listener. \n The GatewayClass
                        MUST use the longest matching SNI out of all available certificates
                        for any TLS handshake. \n Support: Core"
                      properties:
-                        certificateRef:
-                          description: "CertificateRef is a reference to a Kubernetes
-                            object that contains a TLS certificate and private key.
-                            This certificate is used to establish a TLS handshake
-                            for requests that match the hostname of the associated
-                            listener. The referenced object MUST reside in the same
-                            namespace as Gateway. \n This field is required when mode
-                            is set to \"Terminate\" (default) and optional otherwise.
-                            \n CertificateRef can reference a standard Kubernetes
-                            resource, i.e. Secret, or an implementation-specific custom
-                            resource. \n Support: Core (Kubernetes Secrets) \n Support:
-                            Implementation-specific (Other resource types)"
-                          properties:
-                            group:
-                              description: Group is the group of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            kind:
-                              description: Kind is kind of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                            name:
-                              description: Name is the name of the referent.
-                              maxLength: 253
-                              minLength: 1
-                              type: string
-                          required:
-                          - group
-                          - kind
-                          - name
-                          type: object
+                        certificateRefs:
+                          description: "CertificateRefs contains a series of references
+                            to Kubernetes objects that contains TLS certificates and
+                            private keys. These certificates are used to establish
+                            a TLS handshake for requests that match the hostname of
+                            the associated listener. \n A single CertificateRef to
+                            a Kubernetes Secret has \"Core\" support. Implementations
+                            MAY choose to support attaching multiple certificates
+                            to a Listener, but this behavior is implementation-specific.
+                            \n References to a resource in different namespace are
+                            invalid UNLESS there is a ReferencePolicy in the target
+                            namespace that allows the certificate to be attached.
+                            If a ReferencePolicy does not allow this reference, the
+                            \"ResolvedRefs\" condition MUST be set to False for this
+                            listener with the \"InvalidCertificateRef\" reason. \n
+                            This field is required to have at least one element when
+                            the mode is set to \"Terminate\" (default) and is optional
+                            otherwise. \n CertificateRefs can reference to standard
+                            Kubernetes resources, i.e. Secret, or implementation-specific
+                            custom resources. \n Support: Core - A single reference
+                            to a Kubernetes Secret \n Support: Implementation-specific
+                            (More than one reference or other resource types)"
+                          items:
+                            description: "SecretObjectReference identifies an API
+                              object including its namespace, defaulting to Secret.
+                              \n The API object must be valid in the cluster; the
+                              Group and Kind must be registered in the cluster for
+                              this reference to be valid. \n References to objects
+                              with invalid Group and Kind are not valid, and must
+                              be rejected by the implementation, with appropriate
+                              Conditions set on the containing object."
+                            properties:
+                              group:
+                                default: ""
+                                description: Group is the group of the referent. For
+                                  example, "networking.k8s.io". When unspecified (empty
+                                  string), core API group is inferred.
+                                maxLength: 253
+                                pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                              kind:
+                                default: Secret
+                                description: Kind is kind of the referent. For example
+                                  "HTTPRoute" or "Service".
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                                type: string
+                              name:
+                                description: Name is the name of the referent.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
+                              namespace:
+                                description: "Namespace is the namespace of the backend.
+                                  When unspecified, the local namespace is inferred.
+                                  \n Note that when a namespace is specified, a ReferencePolicy
+                                  object is required in the referent namespace to
+                                  allow that namespace's owner to accept the reference.
+                                  See the ReferencePolicy documentation for details.
+                                  \n Support: Core"
+                                maxLength: 63
+                                minLength: 1
+                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          maxItems: 64
+                          type: array
                        mode:
                          default: Terminate
                          description: "Mode defines the TLS behavior for the TLS
                            session initiated by the client. There are two possible
-                            modes: - Terminate: The TLS session between the downstream
+                            modes: \n - Terminate: The TLS session between the downstream
                            client   and the Gateway is terminated at the Gateway.
-                            This mode requires   certificateRef to be set. - Passthrough:
-                            The TLS session is NOT terminated by the Gateway. This
-                            \  implies that the Gateway can't decipher the TLS stream
-                            except for   the ClientHello message of the TLS protocol.
-                            \  CertificateRef field is ignored in this mode. \n Support:
-                            Core"
+                            This mode requires   certificateRefs to be set and contain
+                            at least one element. - Passthrough: The TLS session is
+                            NOT terminated by the Gateway. This   implies that the
+                            Gateway can't decipher the TLS stream except for   the
+                            ClientHello message of the TLS protocol.   CertificateRefs
+                            field is ignored in this mode. \n Support: Core"
                          enum:
                          - Terminate
                          - Passthrough
                          type: string
                        options:
                          additionalProperties:
+                            description: AnnotationValue is the value of an annotation
+                              in Gateway API. This is used for validation of maps
+                              such as TLS options. This roughly matches Kubernetes
+                              annotation validation, although the length validation
+                              in that case is based on the entire size of the annotations
+                              struct.
+                            maxLength: 4096
+                            minLength: 0
                            type: string
-                          description: "Options are a list of key/value pairs to give
-                            extended options to the provider. \n There variation among
-                            providers as to how ciphersuites are expressed. If there
-                            is a common subset for expressing ciphers then it will
-                            make sense to loft that as a core API construct. \n Support:
-                            Implementation-specific"
-                          type: object
-                        routeOverride:
-                          default:
-                            certificate: Deny
-                          description: "RouteOverride dictates if TLS settings can
-                            be configured via Routes or not. \n CertificateRef must
-                            be defined even if `routeOverride.certificate` is set
-                            to 'Allow' as it will be used as the default certificate
-                            for the listener. \n Support: Core"
-                          properties:
-                            certificate:
-                              default: Deny
-                              description: "Certificate dictates if TLS certificates
-                                can be configured via Routes. If set to 'Allow', a
-                                TLS certificate for a hostname defined in a Route
-                                takes precedence over the certificate defined in Gateway.
-                                \n Support: Core"
-                              enum:
-                              - Allow
-                              - Deny
-                              type: string
+                          description: "Options are a list of key/value pairs to enable
+                            extended TLS configuration for each implementation. For
+                            example, configuring the minimum TLS version or supported
+                            cipher suites. \n A set of common keys MAY be defined
+                            by the API in the future. To avoid any ambiguity, implementation-specific
+                            definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
+                            Un-prefixed names are reserved for key names defined by
+                            Gateway API. \n Support: Implementation-specific"
+                          maxProperties: 16
                          type: object
                      type: object
                  required:
+                  - name
                  - port
                  - protocol
-                  - routes
                  type: object
                maxItems: 64
                minItems: 1
                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
            required:
            - gatewayClassName
            - listeners
@@ -446,24 +446,25 @@ spec:
              - lastTransitionTime: "1970-01-01T00:00:00Z"
                message: Waiting for controller
                reason: NotReconciled
-                status: "False"
+                status: Unknown
                type: Scheduled
            description: Status defines the current state of Gateway.
            properties:
              addresses:
-                description: "Addresses lists the IP addresses that have actually
-                  been bound to the Gateway. These addresses may differ from the addresses
+                description: Addresses lists the IP addresses that have actually been
+                  bound to the Gateway. These addresses may differ from the addresses
                  in the Spec, e.g. if the Gateway automatically assigns an address
-                  from a reserved pool. \n These addresses should all be of type \"IPAddress\"."
+                  from a reserved pool.
                items:
                  description: GatewayAddress describes an address that can be bound
                    to a Gateway.
                  properties:
                    type:
                      default: IPAddress
-                      description: "Type of the address. \n Support: Extended"
+                      description: Type of the address.
                      enum:
                      - IPAddress
+                      - Hostname
                      - NamedAddress
                      type: string
                    value:
@@ -483,7 +484,7 @@ spec:
                - lastTransitionTime: "1970-01-01T00:00:00Z"
                  message: Waiting for controller
                  reason: NotReconciled
-                  status: "False"
+                  status: Unknown
                  type: Scheduled
                description: "Conditions describe the current conditions of the Gateway.
                  \n Implementations should prefer to express Gateway conditions using
@@ -569,6 +570,11 @@ spec:
                items:
                  description: ListenerStatus is the status associated with a Listener.
                  properties:
+                    attachedRoutes:
+                      description: AttachedRoutes represents the total number of Routes
+                        that have been successfully attached to this Listener.
+                      format: int32
+                      type: integer
                    conditions:
                      description: Conditions describe the current condition of this
                        listener.
@@ -648,34 +654,58 @@ spec:
                      x-kubernetes-list-map-keys:
                      - type
                      x-kubernetes-list-type: map
-                    hostname:
-                      description: Hostname is the Listener hostname value for which
-                        this message is reporting the status.
+                    name:
+                      description: Name is the name of the Listener that this status
+                        corresponds to.
                      maxLength: 253
                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                      type: string
-                    port:
-                      description: Port is the unique Listener port value for which
-                        this message is reporting the status.
-                      format: int32
-                      maximum: 65535
-                      minimum: 1
-                      type: integer
-                    protocol:
-                      description: Protocol is the Listener protocol value for which
-                        this message is reporting the status.
-                      type: string
+                    supportedKinds:
+                      description: "SupportedKinds is the list indicating the Kinds
+                        supported by this listener. This MUST represent the kinds
+                        an implementation supports for that Listener configuration.
+                        \n If kinds are specified in Spec that are not supported,
+                        they MUST NOT appear in this list and an implementation MUST
+                        set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
+                        reason. If both valid and invalid Route kinds are specified,
+                        the implementation MUST reference the valid Route kinds that
+                        have been specified."
+                      items:
+                        description: RouteGroupKind indicates the group and kind of
+                          a Route resource.
+                        properties:
+                          group:
+                            default: gateway.networking.k8s.io
+                            description: Group is the group of the Route.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            description: Kind is the kind of the Route.
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                        required:
+                        - kind
+                        type: object
+                      maxItems: 8
+                      type: array
                  required:
+                  - attachedRoutes
                  - conditions
-                  - port
-                  - protocol
+                  - name
+                  - supportedKinds
                  type: object
                maxItems: 64
                type: array
                x-kubernetes-list-map-keys:
-                - port
+                - name
                x-kubernetes-list-type: map
            type: object
+        required:
+        - spec
        type: object
    served: true
    storage: true
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml
@@ -0,0 +1,431 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
+  creationTimestamp: null
+  name: tcproutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TCPRoute
+    listKind: TCPRouteList
+    plural: tcproutes
+    singular: tcproute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: TCPRoute provides a way to route TCP requests. When combined
+          with a Gateway listener, it can be used to forward connections on the port
+          specified by the listener to a set of backends specified by the TCPRoute.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TCPRoute.
+            properties:
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged."
+                items:
+                  description: "ParentRef identifies an API object (usually a Gateway)
+                    that can be considered a parent of this resource (usually a route).
+                    The only kind of parent resource with \"Core\" support is Gateway.
+                    This API may be extended in the future to support additional kinds
+                    of parent resources, such as HTTPRoute. \n The API object must
+                    be valid in the cluster; the Group and Kind must be registered
+                    in the cluster for this reference to be valid. \n References to
+                    objects with invalid Group and Kind are not valid, and must be
+                    rejected by the implementation, with appropriate Conditions set
+                    on the containing object."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) Support: Custom (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified (or empty string), this refers to the local namespace
+                        of the Route. \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name
+                        \n Implementations MAY choose to support attaching Routes
+                        to other resources. If that is the case, they MUST clearly
+                        document how SectionName is interpreted. \n When unspecified
+                        (empty string), this will reference the entire resource. For
+                        the purpose of status, an attachment is considered successful
+                        if at least one section in the parent resource accepts it.
+                        For example, Gateway listeners can restrict which Routes can
+                        attach to them by Route kind, namespace, or hostname. If 1
+                        of 2 Gateway listeners accept attachment from the referencing
+                        Route, the Route MUST be considered successfully attached.
+                        If no Gateway listeners accept attachment from this Route,
+                        the Route MUST be considered detached from the Gateway. \n
+                        Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TCP matchers and actions.
+                items:
+                  description: TCPRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the underlying implementation MUST actively reject connection
+                        attempts to this backend. Connection rejections must respect
+                        weight; if an invalid backend is requested to have 80% of
+                        connections, then 80% of connections must be rejected instead.
+                        \n Support: Core for Kubernetes Service Support: Custom for
+                        any other resource \n Support for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace is specified, a ReferencePolicy object is required
+                          in the referent namespace to allow that namespace's owner
+                          to accept the reference. See the ReferencePolicy documentation
+                          for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "networking.k8s.io". When unspecified (empty string),
+                              core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: Kind is kind of the referent. For example
+                              "HTTPRoute" or "Service".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace is specified, a ReferencePolicy
+                              object is required in the referent namespace to allow
+                              that namespace's owner to accept the reference. See
+                              the ReferencePolicy documentation for details. \n Support:
+                              Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. For other resources,
+                              destination port might be derived from the referent
+                              resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TCPRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, type FooStatus struct{
+                          \    // Represents the observations of a foo's current state.
+                          \    // Known .status.conditions.type are: \"Available\",
+                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
+                          \    // +patchStrategy=merge     // +listType=map     //
+                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
+                          \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) Support: Custom (Other Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified (or empty string), this refers to the
+                            local namespace of the Route. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name \n Implementations MAY choose to support attaching
+                            Routes to other resources. If that is the case, they MUST
+                            clearly document how SectionName is interpreted. \n When
+                            unspecified (empty string), this will reference the entire
+                            resource. For the purpose of status, an attachment is
+                            considered successful if at least one section in the parent
+                            resource accepts it. For example, Gateway listeners can
+                            restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept
+                            attachment from the referencing Route, the Route MUST
+                            be considered successfully attached. If no Gateway listeners
+                            accept attachment from this Route, the Route MUST be considered
+                            detached from the Gateway. \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml
@@ -0,0 +1,480 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/891
+  creationTimestamp: null
+  name: tlsroutes.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: TLSRoute
+    listKind: TLSRouteList
+    plural: tlsroutes
+    singular: tlsroute
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: "The TLSRoute resource is similar to TCPRoute, but can be configured
+          to match against TLS-specific metadata. This allows more flexibility in
+          matching streams for a given TLS listener. \n If you need to forward traffic
+          to a single target for a TLS listener, you could choose to use a TCPRoute
+          with a TLS listener."
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of TLSRoute.
+            properties:
+              hostnames:
+                description: "Hostnames defines a set of SNI names that should match
+                  against the SNI attribute of TLS ClientHello message in TLS handshake.
+                  This matches the RFC 1123 definition of a hostname with 2 notable
+                  exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
+                  2. A hostname may be prefixed with a wildcard label (`*.`). The
+                  wildcard    label must appear by itself as the first label. \n If
+                  a hostname is specified by both the Listener and TLSRoute, there
+                  must be at least one intersecting hostname for the TLSRoute to be
+                  attached to the Listener. For example: \n * A Listener with `test.example.com`
+                  as the hostname matches TLSRoutes   that have either not specified
+                  any hostnames, or have specified at   least one of `test.example.com`
+                  or `*.example.com`. * A Listener with `*.example.com` as the hostname
+                  matches TLSRoutes   that have either not specified any hostnames
+                  or have specified at least   one hostname that matches the Listener
+                  hostname. For example,   `test.example.com` and `*.example.com`
+                  would both match. On the other   hand, `example.com` and `test.example.net`
+                  would not match. \n If both the Listener and TLSRoute have specified
+                  hostnames, any TLSRoute hostnames that do not match the Listener
+                  hostname MUST be ignored. For example, if a Listener specified `*.example.com`,
+                  and the TLSRoute specified `test.example.com` and `test.example.net`,
+                  `test.example.net` must not be considered for a match. \n If both
+                  the Listener and TLSRoute have specified hostnames, and none match
+                  with the criteria above, then the TLSRoute is not accepted. The
+                  implementation must raise an 'Accepted' Condition with a status
+                  of `False` in the corresponding RouteParentStatus. \n Support: Core"
+                items:
+                  description: "Hostname is the fully qualified domain name of a network
+                    host. This matches the RFC 1123 definition of a hostname with
+                    2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
+                    may be prefixed with a wildcard label (`*.`). The wildcard    label
+                    must appear by itself as the first label. \n Hostname can be \"precise\"
+                    which is a domain name without the terminating dot of a network
+                    host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
+                    name prefixed with a single wildcard label (e.g. `*.example.com`).
+                    \n Note that as per RFC1035 and RFC1123, a *label* must consist
+                    of lower case alphanumeric characters or '-', and must start and
+                    end with an alphanumeric character. No other punctuation is allowed."
+                  maxLength: 253
+                  minLength: 1
+                  pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                  type: string
+                maxItems: 16
+                type: array
+              parentRefs:
+                description: "ParentRefs references the resources (usually Gateways)
+                  that a Route wants to be attached to. Note that the referenced parent
+                  resource needs to allow this for the attachment to be complete.
+                  For Gateways, that means the Gateway needs to allow attachment from
+                  Routes of this kind and namespace. \n The only kind of parent resource
+                  with \"Core\" support is Gateway. This API may be extended in the
+                  future to support additional kinds of parent resources such as one
+                  of the route kinds. \n It is invalid to reference an identical parent
+                  more than once. It is valid to reference multiple distinct sections
+                  within the same parent resource, such as 2 Listeners within a Gateway.
+                  \n It is possible to separately reference multiple distinct objects
+                  that may be collapsed by an implementation. For example, some implementations
+                  may choose to merge compatible Gateway Listeners together. If that
+                  is the case, the list of routes attached to those resources should
+                  also be merged."
+                items:
+                  description: "ParentRef identifies an API object (usually a Gateway)
+                    that can be considered a parent of this resource (usually a route).
+                    The only kind of parent resource with \"Core\" support is Gateway.
+                    This API may be extended in the future to support additional kinds
+                    of parent resources, such as HTTPRoute. \n The API object must
+                    be valid in the cluster; the Group and Kind must be registered
+                    in the cluster for this reference to be valid. \n References to
+                    objects with invalid Group and Kind are not valid, and must be
+                    rejected by the implementation, with appropriate Conditions set
+                    on the containing object."
+                  properties:
+                    group:
+                      default: gateway.networking.k8s.io
+                      description: "Group is the group of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      default: Gateway
+                      description: "Kind is kind of the referent. \n Support: Core
+                        (Gateway) Support: Custom (Other Resources)"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: "Name is the name of the referent. \n Support:
+                        Core"
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: "Namespace is the namespace of the referent. When
+                        unspecified (or empty string), this refers to the local namespace
+                        of the Route. \n Support: Core"
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                    sectionName:
+                      description: "SectionName is the name of a section within the
+                        target resource. In the following resources, SectionName is
+                        interpreted as the following: \n * Gateway: Listener Name
+                        \n Implementations MAY choose to support attaching Routes
+                        to other resources. If that is the case, they MUST clearly
+                        document how SectionName is interpreted. \n When unspecified
+                        (empty string), this will reference the entire resource. For
+                        the purpose of status, an attachment is considered successful
+                        if at least one section in the parent resource accepts it.
+                        For example, Gateway listeners can restrict which Routes can
+                        attach to them by Route kind, namespace, or hostname. If 1
+                        of 2 Gateway listeners accept attachment from the referencing
+                        Route, the Route MUST be considered successfully attached.
+                        If no Gateway listeners accept attachment from this Route,
+                        the Route MUST be considered detached from the Gateway. \n
+                        Support: Core"
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 32
+                type: array
+              rules:
+                description: Rules are a list of TLS matchers and actions.
+                items:
+                  description: TLSRouteRule is the configuration for a given rule.
+                  properties:
+                    backendRefs:
+                      description: "BackendRefs defines the backend(s) where matching
+                        requests should be sent. If unspecified or invalid (refers
+                        to a non-existent resource or a Service with no endpoints),
+                        the rule performs no forwarding; if no filters are specified
+                        that would result in a response being sent, the underlying
+                        implementation must actively reject request attempts to this
+                        backend, by rejecting the connection or returning a 503 status
+                        code. Request rejections must respect weight; if an invalid
+                        backend is requested to have 80% of requests, then 80% of
+                        requests must be rejected instead. \n Support: Core for Kubernetes
+                        Service Support: Custom for any other resource \n Support
+                        for weight: Extended"
+                      items:
+                        description: "BackendRef defines how a Route should forward
+                          a request to a Kubernetes resource. \n Note that when a
+                          namespace is specified, a ReferencePolicy object is required
+                          in the referent namespace to allow that namespace's owner
+                          to accept the reference. See the ReferencePolicy documentation
+                          for details."
+                        properties:
+                          group:
+                            default: ""
+                            description: Group is the group of the referent. For example,
+                              "networking.k8s.io". When unspecified (empty string),
+                              core API group is inferred.
+                            maxLength: 253
+                            pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                            type: string
+                          kind:
+                            default: Service
+                            description: Kind is kind of the referent. For example
+                              "HTTPRoute" or "Service".
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                            type: string
+                          name:
+                            description: Name is the name of the referent.
+                            maxLength: 253
+                            minLength: 1
+                            type: string
+                          namespace:
+                            description: "Namespace is the namespace of the backend.
+                              When unspecified, the local namespace is inferred. \n
+                              Note that when a namespace is specified, a ReferencePolicy
+                              object is required in the referent namespace to allow
+                              that namespace's owner to accept the reference. See
+                              the ReferencePolicy documentation for details. \n Support:
+                              Core"
+                            maxLength: 63
+                            minLength: 1
+                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                            type: string
+                          port:
+                            description: Port specifies the destination port number
+                              to use for this resource. Port is required when the
+                              referent is a Kubernetes Service. For other resources,
+                              destination port might be derived from the referent
+                              resource or this field.
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                          weight:
+                            default: 1
+                            description: "Weight specifies the proportion of requests
+                              forwarded to the referenced backend. This is computed
+                              as weight/(sum of all weights in this BackendRefs list).
+                              For non-zero values, there may be some epsilon from
+                              the exact proportion defined here depending on the precision
+                              an implementation supports. Weight is not a percentage
+                              and the sum of weights does not need to equal 100. \n
+                              If only one backend is specified and it has a weight
+                              greater than 0, 100% of the traffic is forwarded to
+                              that backend. If weight is set to 0, no traffic should
+                              be forwarded for this entry. If unspecified, weight
+                              defaults to 1. \n Support for this field varies based
+                              on the context where used."
+                            format: int32
+                            maximum: 1000000
+                            minimum: 0
+                            type: integer
+                        required:
+                        - name
+                        type: object
+                      maxItems: 16
+                      minItems: 1
+                      type: array
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - rules
+            type: object
+          status:
+            description: Status defines the current state of TLSRoute.
+            properties:
+              parents:
+                description: "Parents is a list of parent resources (usually Gateways)
+                  that are associated with the route, and the status of the route
+                  with respect to each parent. When this route attaches to a parent,
+                  the controller that manages the parent must add an entry to this
+                  list when the controller first sees the route and should update
+                  the entry as appropriate when the route or gateway is modified.
+                  \n Note that parent references that cannot be resolved by an implementation
+                  of this API will not be added to this list. Implementations of this
+                  API can only populate Route status for the Gateways/parent resources
+                  they are responsible for. \n A maximum of 32 Gateways will be represented
+                  in this list. An empty list means the route has not been attached
+                  to any Gateway."
+                items:
+                  description: RouteParentStatus describes the status of a route with
+                    respect to an associated Parent.
+                  properties:
+                    conditions:
+                      description: "Conditions describes the status of the route with
+                        respect to the Gateway. Note that the route's availability
+                        is also subject to the Gateway's own status conditions and
+                        listener status. \n If the Route's ParentRef specifies an
+                        existing Gateway that supports Routes of this kind AND that
+                        Gateway's controller has sufficient access, then that Gateway's
+                        controller MUST set the \"Accepted\" condition on the Route,
+                        to indicate whether the route has been accepted or rejected
+                        by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
+                        if at least one of the Route's rules is implemented by the
+                        Gateway. \n There are a number of cases where the \"Accepted\"
+                        condition may not be set due to lack of controller visibility,
+                        that includes when: \n * The Route refers to a non-existent
+                        parent. * The Route is of a type that the controller does
+                        not support. * The Route is in a namespace the the controller
+                        does not have access to."
+                      items:
+                        description: "Condition contains details for one aspect of
+                          the current state of this API Resource. --- This struct
+                          is intended for direct use as an array at the field path
+                          .status.conditions.  For example, type FooStatus struct{
+                          \    // Represents the observations of a foo's current state.
+                          \    // Known .status.conditions.type are: \"Available\",
+                          \"Progressing\", and \"Degraded\"     // +patchMergeKey=type
+                          \    // +patchStrategy=merge     // +listType=map     //
+                          +listMapKey=type     Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                          patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`
+                          \n     // other fields }"
+                        properties:
+                          lastTransitionTime:
+                            description: lastTransitionTime is the last time the condition
+                              transitioned from one status to another. This should
+                              be when the underlying condition changed.  If that is
+                              not known, then using the time when the API field changed
+                              is acceptable.
+                            format: date-time
+                            type: string
+                          message:
+                            description: message is a human readable message indicating
+                              details about the transition. This may be an empty string.
+                            maxLength: 32768
+                            type: string
+                          observedGeneration:
+                            description: observedGeneration represents the .metadata.generation
+                              that the condition was set based upon. For instance,
+                              if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
+                              is 9, the condition is out of date with respect to the
+                              current state of the instance.
+                            format: int64
+                            minimum: 0
+                            type: integer
+                          reason:
+                            description: reason contains a programmatic identifier
+                              indicating the reason for the condition's last transition.
+                              Producers of specific condition types may define expected
+                              values and meanings for this field, and whether the
+                              values are considered a guaranteed API. The value should
+                              be a CamelCase string. This field may not be empty.
+                            maxLength: 1024
+                            minLength: 1
+                            pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                            type: string
+                          status:
+                            description: status of the condition, one of True, False,
+                              Unknown.
+                            enum:
+                            - "True"
+                            - "False"
+                            - Unknown
+                            type: string
+                          type:
+                            description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                              --- Many .condition.type values are consistent across
+                              resources like Available, but because arbitrary conditions
+                              can be useful (see .node.status.conditions), the ability
+                              to deconflict is important. The regex it matches is
+                              (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                            maxLength: 316
+                            pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                            type: string
+                        required:
+                        - lastTransitionTime
+                        - message
+                        - reason
+                        - status
+                        - type
+                        type: object
+                      maxItems: 8
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - type
+                      x-kubernetes-list-type: map
+                    controllerName:
+                      description: "ControllerName is a domain/path string that indicates
+                        the name of the controller that wrote this status. This corresponds
+                        with the controllerName field on GatewayClass. \n Example:
+                        \"example.net/gateway-controller\". \n The format of this
+                        field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
+                        Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names)."
+                      maxLength: 253
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                      type: string
+                    parentRef:
+                      description: ParentRef corresponds with a ParentRef in the spec
+                        that this RouteParentStatus struct describes the status of.
+                      properties:
+                        group:
+                          default: gateway.networking.k8s.io
+                          description: "Group is the group of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                        kind:
+                          default: Gateway
+                          description: "Kind is kind of the referent. \n Support:
+                            Core (Gateway) Support: Custom (Other Resources)"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                          type: string
+                        name:
+                          description: "Name is the name of the referent. \n Support:
+                            Core"
+                          maxLength: 253
+                          minLength: 1
+                          type: string
+                        namespace:
+                          description: "Namespace is the namespace of the referent.
+                            When unspecified (or empty string), this refers to the
+                            local namespace of the Route. \n Support: Core"
+                          maxLength: 63
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                          type: string
+                        sectionName:
+                          description: "SectionName is the name of a section within
+                            the target resource. In the following resources, SectionName
+                            is interpreted as the following: \n * Gateway: Listener
+                            Name \n Implementations MAY choose to support attaching
+                            Routes to other resources. If that is the case, they MUST
+                            clearly document how SectionName is interpreted. \n When
+                            unspecified (empty string), this will reference the entire
+                            resource. For the purpose of status, an attachment is
+                            considered successful if at least one section in the parent
+                            resource accepts it. For example, Gateway listeners can
+                            restrict which Routes can attach to them by Route kind,
+                            namespace, or hostname. If 1 of 2 Gateway listeners accept
+                            attachment from the referencing Route, the Route MUST
+                            be considered successfully attached. If no Gateway listeners
+                            accept attachment from this Route, the Route MUST be considered
+                            detached from the Gateway. \n Support: Core"
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                          type: string
+                      required:
+                      - name
+                      type: object
+                  required:
+                  - controllerName
+                  - parentRef
+                  type: object
+                maxItems: 32
+                type: array
+            required:
+            - parents
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -2,6 +2,7 @@
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml"
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml"
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml"
+--8<-- "content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml"
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml"
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml"
 --8<-- "content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml"
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
@@ -1,5 +1,5 @@
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: traefik-ingress-controller

@@ -48,8 +48,8 @@ rules:
      - watch

 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: traefik-ingress-controller

--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@@ -194,6 +194,9 @@ spec:
    clientAuthType: RequireAndVerifyClientCert
  sniStrict: true
  preferServerCipherSuites: true
+  alpnProtocols:
+    - foobar
+    - foobar

 ---
 apiVersion: traefik.containo.us/v1alpha1
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -4,6 +4,13 @@ kind: ClusterRole
 metadata:
  name: gateway-role
 rules:
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - ""
    resources:
@@ -15,7 +22,7 @@ rules:
      - list
      - watch
  - apiGroups:
-      - networking.x-k8s.io
+      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - gateways
@@ -27,7 +34,7 @@ rules:
      - list
      - watch
  - apiGroups:
-      - networking.x-k8s.io
+      - gateway.networking.k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
@@ -38,11 +45,10 @@ rules:
      - update

 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: gateway-controller
-
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
@@ -1,124 +1,116 @@
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GatewayClass
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway-class
 spec:
-  controller: traefik.io/gateway-controller
+  controllerName: traefik.io/gateway-controller

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway
  namespace: default
 spec:
  gatewayClassName: my-gateway-class
-  listeners:  # Use GatewayClass defaults for listener definition.
-    - protocol: HTTP
+  listeners: # Use GatewayClass defaults for listener definition.
+    - name: http
+      protocol: HTTP
      port: 80
-      routes:
-        kind: HTTPRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: foo
-     - protocol: HTTPS
-       port: 443
-       tls:
-         certificateRef:
-           group: "core"
-           kind: "Secret"
-           name: "mysecret"
-       routes:
-         kind: HTTPRoute
-         selector:
-           matchLabels:
-             app: foo
-    - protocol: TCP
+
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: mysecret
+
+    - name: tcp
+      protocol: TCP
      port: 9000
-      routes:
-        kind: TCPRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: footcp
-    - protocol: TLS
+      allowedRoutes:
+        kinds:
+          - kind: TCPRoute
+
+    - name: tls
+      protocol: TLS
      port: 9443
      hostname: example.com
      tls:
-        certificateRef:
-          group: "core"
-          kind: "Secret"
-          name: "mysecret"
-      routes:
-        kind: TLSRoute
-        namespaces:
-          from: Same
-        selector:
-          matchLabels:
-            app: footls
+        - certificateRefs:
+            - kind: Secret
+              name: mysecret

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: http-app-1
+  name: http-app
  namespace: default
-  labels:
-    app: foo
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  hostnames:
-    - "foo.com"
+    - foo.com
+
  rules:
    - matches:
        - path:
            type: Exact
            value: /bar
-      forwardTo:
-        - serviceName: whoami
+
+      backendRefs:
+        - name: whoami
          port: 80
          weight: 1
+
    - matches:
        - path:
-            type: Prefix
+            type: PathPrefix
            value: /foo
-      forwardTo:
-        - backendRef:
-            group: traefik.containo.us
-            kind: TraefikService
-            name: myservice@file
+
+      backendRefs:
+        - group: traefik.containo.us
+          kind: TraefikService
+          name: myservice@file
          weight: 1
          port: 80

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TCPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: tcp-app-1
+  name: tcp-app
  namespace: default
-  labels:
-    app: footcp
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  rules:
-     - forwardTo:
-        - serviceName: whoamitcp
+    - backendRefs:
+        - name: whoamitcp
          port: 9000
          weight: 1

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TLSRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: tls-app-1
+  name: tls-app
  namespace: default
-  labels:
-    app: footls
+
 spec:
+  parentRefs:
+    - name: my-gateway
+      sectionName: tls
+
  rules:
-    - forwardTo:
-        - serviceName: whoamitcp
+    - backendRefs:
+        - name: whoamitcp
          port: 9000
          weight: 1
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
@@ -1,48 +1,50 @@
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GatewayClass
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway-class
+
 spec:
-  controller: traefik.io/gateway-controller
+  controllerName: traefik.io/gateway-controller

 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: Gateway
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
  name: my-gateway
+
 spec:
  gatewayClassName: my-gateway-class
  listeners:
-    - protocol: HTTPS
+    - name: https
+      protocol: HTTPS
      port: 443
      tls:
-        certificateRef:
-          group: "core"
-          kind: "Secret"
-          name: "mysecret"
-      routes:
-        kind: HTTPRoute
-        selector:
-          matchLabels:
-            app: foo
+        certificateRefs:
+          - kind: Secret
+            name: mysecret
+
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: HTTPRoute
-apiVersion: networking.x-k8s.io/v1alpha1
 metadata:
-  name: http-app-1
+  name: http-app
  namespace: default
-  labels:
-    app: foo
+
 spec:
+  parentRefs:
+    - name: my-gateway
+
  hostnames:
-    - "whoami"
+    - whoami
+
  rules:
    - matches:
        - path:
            type: Exact
            value: /foo
-      forwardTo:
-        - serviceName: whoami
+
+      backendRefs:
+        - name: whoami
          port: 80
          weight: 1
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -5,8 +5,8 @@ metadata:
  name: traefik-controller

 ---
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
  name: traefik

@@ -15,24 +15,27 @@ spec:
  selector:
    matchLabels:
      app: traefik-lb
+
  template:
    metadata:
      labels:
        app: traefik-lb
+
    spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik/traefik:latest
-          imagePullPolicy: IfNotPresent
+          image: traefik:v2.6
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --experimental.kubernetesgateway
            - --providers.kubernetesgateway
+
          ports:
            - name: web
              containerPort: 80
+
            - name: websecure
              containerPort: 443

@@ -41,16 +44,19 @@ apiVersion: v1
 kind: Service
 metadata:
  name: traefik
+
 spec:
+  type: LoadBalancer
  selector:
    app: traefik-lb
+
  ports:
    - protocol: TCP
      port: 80
      targetPort: web
      name: web
+
    - protocol: TCP
      port: 443
      targetPort: websecure
      name: websecure
-  type: LoadBalancer
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway.md
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway.md
@@ -6,11 +6,11 @@ Dynamic configuration with Kubernetes Gateway provider.
 ## Definitions

 ```yaml
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gatewayclasses.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_gateways.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_httproutes.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_tcproutes.yaml"
--8<-- "content/reference/dynamic-configuration/networking.x-k8s.io_tlsroutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gatewayclasses.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_gateways.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_httproutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_tcproutes.yaml"
+--8<-- "content/reference/dynamic-configuration/gateway.networking.k8s.io_tlsroutes.yaml"
 ```

 ## Resources
--- a/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
@@ -1,6 +1,6 @@
 ---
-kind: Deployment
 apiVersion: apps/v1
+kind: Deployment
 metadata:
  name: whoami

@@ -9,10 +9,12 @@ spec:
  selector:
    matchLabels:
      app: whoami
+
  template:
    metadata:
      labels:
        app: whoami
+
    spec:
      containers:
        - name: whoami
@@ -25,8 +27,9 @@ metadata:
  name: whoami

 spec:
+  selector:
+    app: whoami
+
  ports:
    - protocol: TCP
      port: 80
-  selector:
-    app: whoami
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -15,6 +15,7 @@
 | `traefik/http/middlewares/Middleware04/circuitBreaker/expression` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/1` | `foobar` |
+| `traefik/http/middlewares/Middleware05/compress/minResponseBodyBytes` | `42` |
 | `traefik/http/middlewares/Middleware06/contentType/autoDetect` | `true` |
 | `traefik/http/middlewares/Middleware07/digestAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/realm` | `foobar` |
@@ -106,6 +107,7 @@
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/domainComponent` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/locality` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/organization` | `true` |
+| `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/organizationalUnit` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/province` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/info/subject/serialNumber` | `true` |
 | `traefik/http/middlewares/Middleware13/passTLSClientCert/pem` | `true` |
@@ -274,6 +276,8 @@
 | `traefik/tls/certificates/1/keyFile` | `foobar` |
 | `traefik/tls/certificates/1/stores/0` | `foobar` |
 | `traefik/tls/certificates/1/stores/1` | `foobar` |
+| `traefik/tls/options/Options0/alpnProtocols/0` | `foobar` |
+| `traefik/tls/options/Options0/alpnProtocols/1` | `foobar` |
 | `traefik/tls/options/Options0/cipherSuites/0` | `foobar` |
 | `traefik/tls/options/Options0/cipherSuites/1` | `foobar` |
 | `traefik/tls/options/Options0/clientAuth/caFiles/0` | `foobar` |
@@ -285,6 +289,8 @@
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
 | `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
+| `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
+| `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
 | `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
 | `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
 | `traefik/tls/options/Options1/clientAuth/caFiles/0` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@@ -13,6 +13,7 @@
 "traefik.http.middlewares.middleware04.circuitbreaker.expression": "foobar",
 "traefik.http.middlewares.middleware05.compress": "true",
 "traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
+"traefik.http.middlewares.middleware05.compress.minresponsebodybytes": "42",
 "traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
 "traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
@@ -90,6 +91,7 @@
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.domaincomponent": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.locality": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organization": "true",
+"traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.organizationalunit": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.province": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.info.subject.serialnumber": "true",
 "traefik.http.middlewares.middleware13.passtlsclientcert.pem": "true",
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Moulard	4b755dc58d	Prepare release v2.6.3	2022-03-29 15:00:09 +02:00
Romain	0f29e893f4	Return TLS unrecognized_name error when no certificate is available	2022-03-28 18:18:08 +02:00
Michael	e3adf93a74	fix: CI release	2022-03-28 17:36:07 +02:00
Tom Moulard	81f88dd998	Freeze python dependencies	2022-03-28 16:22:10 +02:00
Ludovic Fernandez	b6bfa905db	Fix slice parsing for plugins	2022-03-28 15:24:08 +02:00
Tom Moulard	16d7b89cb1	Fixing dependency to build doc	2022-03-24 21:40:08 +01:00
Romain	9398222db7	Prepare release v2.6.2	2022-03-24 17:14:57 +01:00
Nikolay Stankov	ba2d09f6fb	Update entrypoint.md to add consistent CLI syntax	2022-03-23 10:38:09 +01:00
Nick Reilingh	7243e65b51	Fix certificates resolver typo	2022-03-23 09:26:08 +01:00
Ludovic Fernandez	23a6602cbf	Bump paerser to v0.1.5	2022-03-22 11:04:08 +01:00
J.Winter	822b94c45d	Add default certificate definition example for Kubernetes	2022-03-22 09:56:07 +01:00
lczw	0a776c3fd5	Fix small typo in Redis provider documentation	2022-03-21 17:32:07 +01:00
Tom Moulard	d7378a96ad	chore: update linter	2022-03-21 10:42:08 +01:00
Wingy	db4c6111fd	Fix fenced code block typo in Buffering middleware page	2022-03-21 10:10:08 +01:00
Douglas De Toni Machado	b02c651961	Add a deprecation notices section	2022-03-17 10:28:09 +01:00
Nick Reilingh	0617a1b0e0	Fix routing overview examples	2022-03-16 15:00:08 +01:00
Nick Reilingh	06749e71f2	Clarify concepts documentation page	2022-03-15 15:38:08 +01:00
mpl	a1e766e180	doc: fix, docker uses Label(), not Tag()	2022-03-07 11:48:09 +01:00
Tom Moulard	b3de9a040b	Add a target that is a real resource to generate-webui	2022-03-04 15:28:07 +01:00
Romain	a59dbc4c79	Adjust rule length in routers documentation	2022-03-04 11:24:07 +01:00
Kevin Pollet	40deefa868	Fix HostRegexp examples	2022-03-04 10:50:07 +01:00
mloiseleur	491de0cf64	Enhance doc on static vs dynamic configuration	2022-03-03 20:18:07 +01:00
mpl	27a7563e33	Add simpler and faster debug Makefile target	2022-03-03 15:42:08 +01:00
Josh Soref	819de02101	Spelling	2022-02-21 12:40:09 +01:00
Tom Moulard	ce851a5929	Fix struct tag typo	2022-02-21 12:10:08 +01:00
0xflotus	7e390ef516	Fix brand typo	2022-02-21 10:50:08 +01:00
Romain	fb23bd5d26	Fix empty WebUI static assets directory	2022-02-18 15:44:08 +01:00
Ludovic Fernandez	6974f54bfd	docs: fix product name	2022-02-15 17:04:34 +01:00
Ludovic Fernandez	371b6e3c86	chore: update linter	2022-02-15 14:56:53 +01:00
Sakala Venkata Krishna Rohit	9e96089da6	Add s390x arch support	2022-02-15 10:08:08 +01:00
Tom Moulard	84a0810546	Prepare release v2.6.1	2022-02-14 17:44:08 +01:00
Ludovic Fernandez	d9fbb5e25c	Use CNAME for SNI check on host header Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-02-14 17:18:08 +01:00
Ludovic Fernandez	e97aa6515b	Update test certificates	2022-02-14 14:08:07 +01:00
luckielordie	6bcfba43c8	Rename Datadog span tags	2022-02-10 16:00:09 +01:00
Ludovic Fernandez	0c83ee736c	Apply the same approach as the rules system on the TLS configuration choice Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-02-10 10:42:07 +01:00
Tom Moulard	4da33c2bc2	Fix metrics bucket key high cardinality	2022-02-09 09:58:08 +01:00
Sylvain Rabot	2d56be0ebb	Fix Kubernetes TCP examples	2022-02-07 15:22:07 +01:00
Tom Moulard	6742dd8454	Fix mixups in metrics documentation	2022-02-03 15:16:12 +01:00
Vladislav Shub	3ac755bd2f	Add Hurricane Electric to acme documentation	2022-01-31 13:30:05 +01:00
Ludovic Fernandez	3ed72c4e46	Add domain to HTTP challenge errors	2022-01-27 10:58:04 +01:00
mpl	477fa15859	Clarify that ACME challenge is mandatory	2022-01-26 18:10:05 +01:00
Manuel Zapf	390eb9cb61	Explain a bit more around enabling HTTP3	2022-01-25 10:48:05 +01:00
Romain	5a1c936ede	Prepare release v2.6.0	2022-01-24 17:58:04 +01:00
romain	47ad6538f1	Merge current v2.5 into v2.6	2022-01-24 15:42:27 +01:00
Kevin Pollet	9be44d8330	Configure Consul Catalog namespace at client level Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-01-24 15:30:05 +01:00
Ali	a4b354b33f	Redact credentials before logging Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-01-24 11:08:05 +01:00
Philippos Slicher	a70b864c55	Fix typo in metrics overview page	2022-01-21 09:54:07 +01:00
Romain	3bd5fc0f90	Prepare release v2.6.0-rc3	2022-01-20 18:58:07 +01:00
Tom Moulard	aabfb792af	Merge current v2.5 into v2.6	2022-01-20 17:44:55 +01:00
Romain	e5e48d1cc1	Prepare release v2.5.7	2022-01-20 17:08:07 +01:00
Tom Moulard	42a110dd69	Adjust log level from info to debug Co-authored-by: rhtenhove <rhtenhove@users.noreply.github.com>	2022-01-20 12:36:08 +01:00
Tom Moulard	64af364b02	Merge current v2.5 into v2.6	2022-01-20 09:48:51 +01:00
Ludovic Fernandez	cf14b8fa92	Update go-acme/lego to v4.6.0	2022-01-20 09:38:07 +01:00
Kevin Pollet	e7dc6ec025	Fix HTTP provider endpoint config example	2022-01-19 19:50:05 +01:00
Kevin Pollet	f29e311b73	Support token authentication for Consul KV	2022-01-19 17:46:11 +01:00
romain	a914ce2bd2	docs: fix instana tracer documentation link	2022-01-19 16:35:06 +01:00
romain	b42a7c89e7	Merge current v2.5 into v2.6	2022-01-19 16:16:18 +01:00
Romain	67483c1b17	Exclude www.cloudxns.net from documentation verification	2022-01-19 16:10:08 +01:00
mpl	4071f1e7f2	Mitigate memory leak	2022-01-17 14:28:05 +01:00
Ludovic Fernandez	577709fff3	fix: middleware plugins memory leak Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-01-14 12:22:06 +01:00
Tom Moulard	8cd45476ac	Fix middleware regexp's display	2022-01-13 18:38:06 +01:00
Tom Moulard	cf14504fd5	Prepare release v2.6.0-rc2	2022-01-12 16:40:06 +01:00
Kevin Pollet	b84829336d	Support Consul KV Enterprise namespaces Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-01-12 14:42:21 +01:00
Andrii Kushch	d969e59911	Upgrade Instana tracer dependency	2022-01-10 16:08:20 +01:00
Tom Moulard	936b6148ff	Merge current v2.5 into v2.6	2022-01-10 14:43:25 +01:00
Martin Rauscher	a9776ceafc	Improve regexp matcher documentation	2022-01-10 14:32:04 +01:00
Colin Wilson	e471239955	Remove typo in Kubernetes providers labelSelector examples	2022-01-06 11:58:07 +01:00
Kevin Pollet	2e8156bfaa	Update copyright for 2022	2022-01-06 11:34:05 +01:00
Tom Moulard	48ce6c32c1	Remove go-bindata from semaphore	2021-12-29 17:32:06 +01:00
Tom Moulard	4990239855	Merge current v2.5 into v2.6	2021-12-29 15:08:51 +01:00
Tom Moulard	5e2c929322	Fix broken jaeger documentation link	2021-12-29 15:06:04 +01:00
Tom Moulard	2b5355c849	Update golangci-lint install script	2021-12-23 15:44:05 +01:00
Romain	f21f71786a	Prepare release v2.5.6	2021-12-22 17:22:04 +01:00
Tom Moulard	fc7f109cb2	Merge current v2.5 into v2.6	2021-12-22 15:02:51 +01:00
Tom Moulard	a711f0d037	fix: update goreleaser install link to use gist	2021-12-22 14:12:04 +01:00
Ludovic Fernandez	98fc6ca441	Update Yaegi to v0.11.2	2021-12-22 09:24:05 +01:00
ichx	c10f1a3a36	Add missing API endpoints documentation	2021-12-21 14:48:05 +01:00
Tom Moulard	da092e653d	Prepare release v2.6.0-rc1	2021-12-20 17:02:06 +01:00
Tom Moulard	bf29417136	Merge current v2.5 into master	2021-12-20 14:43:35 +01:00
Douglas De Toni Machado	79a14ce992	Fix passTLSClientCert CRD example name	2021-12-18 00:52:04 +01:00
Alestrix	99ce26f7b1	Correct documentation in middleware overview	2021-12-17 16:24:06 +01:00
Kevin Pollet	16250361c3	chore: update golang.org/x/net dependency version	2021-12-16 11:52:04 +01:00
Kevin Pollet	be44385b42	fix: process all X-Forwarded-For headers in the request	2021-12-14 15:36:07 +01:00
Tom Moulard	54c77ecb54	Prepare release v2.5.5	2021-12-10 17:52:04 +01:00
tfny	a30f0dcabd	Update CODE_OF_CONDUCT.md	2021-12-09 11:00:06 +01:00
Ludovic Fernandez	efef7dce4f	plugins: start the go routine before calling Provide	2021-12-08 17:08:05 +01:00
Tom Moulard	1c9e4c6050	doc: align docker configuration example notes in basicauth HTTP middleware	2021-12-07 10:04:05 +01:00
Tom Moulard	89cd9e8ddd	Merge current v2.5 into master	2021-12-06 17:39:06 +01:00
Markus Lippert	92093a8c09	Update go-acme/lego to v4.5.3	2021-12-06 15:44:04 +01:00
Kevin Pollet	d970813c20	Support consul enterprise namespaces in consul catalog provider Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-12-03 19:30:07 +01:00
Kevin Pollet	f69982aa9d	docs: uniformize client TLS config documentation	2021-12-02 15:42:06 +01:00
Tom Moulard	82fdc569c2	docs: removing typo in consul-catalog provider doc	2021-12-01 15:58:05 +01:00
Tom Moulard	def0c1a526	Update yaegi to v0.11.1	2021-11-30 17:36:06 +01:00
Tom Moulard	93de7cf0c0	feat: add in flight connection middleware	2021-11-29 17:12:06 +01:00
Romain Bailly	ef2d03d96e	fix: propagate source criterion config to RateLimit middleware in Kubernetes CRD	2021-11-26 12:10:11 +01:00
Kevin Pollet	321c9421ea	chore: update docker/cli and containerd dependency versions	2021-11-25 15:34:06 +01:00
Charlie Haley	5a225b4196	test: upgrade docker-compose Co-authored-by: Rémi Buisson <remi.buisson@traefik.io>	2021-11-25 11:10:06 +01:00
Pierre-Yves Aillet	95fabeae73	feat: rate-limit ceil Retry-After to superior integer	2021-11-16 16:38:11 +01:00
Gustavo Silva	525a6cf5b2	docs: remove misleading metrics overview configuration	2021-11-16 09:38:12 +01:00
Julien Acroute	27ec0912d5	docs: health check use readiness probe in k8s	2021-11-15 11:14:06 +01:00
Daniel Adams	83a7f10c75	Refactor Exponential Backoff	2021-11-10 15:34:10 +01:00
Pablo Montepagano	0a5c9095ac	feat: allow configuration of ACME certificates duration	2021-11-10 12:06:09 +01:00
kerrsmith	0a31225e65	fixed minor spelling error in Regexp Syntax section	2021-11-09 16:50:11 +01:00
Kevin Pollet	db4a92d877	fix: increase UDP read buffer length to max datagram size Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-11-09 15:12:07 +01:00
Ludovic Fernandez	9df053e3f5	Update yaegi v0.11.0	2021-11-09 14:30:09 +01:00
Tom Moulard	1f17731369	feat: add readIdleTimeout and pingTimeout config options to ServersTransport Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2021-11-09 12:16:08 +01:00
Kevin Pollet	8e32d1913b	Update gateway api provider to v1alpha2 Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-11-09 11:34:06 +01:00
Tom Moulard	e10a82a501	fix: git ignore autogen/	2021-11-09 03:48:13 +01:00
kevinpollet	ce47f200d5	Merge branch v2.5 into master	2021-11-08 22:41:43 +01:00
Romain	95dc43ce4a	Prepare release v2.5.4	2021-11-08 18:36:13 +01:00
Tom Moulard	d91eefa74f	fix: TCP/UDP wrr when all servers have a weight set to 0 Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2021-11-08 17:58:12 +01:00
Kevin Pollet	ffdfc13461	docs: fix typo in addRoutersLabels option title	2021-11-08 13:32:10 +01:00
kerrsmith	a13b03ef3d	docs: add named groups details to Regexp Syntax section	2021-11-08 10:06:05 +01:00
Tom Moulard	69d504c905	fix: git ignore webui/static/	2021-11-05 18:02:05 +01:00
CrispyBaguette	bda7e025a2	docs: remove link to microbadger.com	2021-11-05 17:28:06 +01:00
Ludovic Fernandez	596f04eae8	chore: update linter	2021-11-04 09:50:11 +01:00
Kevin Pollet	b39d226fb8	fix: use host's root CA set if ClientTLS ca is not defined Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-11-03 17:38:07 +01:00
Marc Bihlmaier	20dfb91948	docs: remove quotes in certificatesresolvers CLI examples	2021-10-28 18:14:14 +02:00
Tom Moulard	e033355225	fix: do not validate shell script in node-modules folder	2021-10-27 10:34:05 +02:00
Kevin Pollet	56ed45ae70	docs: remove non-working kind config in IngressRouteTCP/UDP examples	2021-10-26 12:08:12 +02:00
Kevin Pollet	d3ff0c2cd4	fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2021-10-26 10:54:11 +02:00
Romain	566b205758	Clarify usage for cross provider references in Kubernetes ingress annotations	2021-10-26 10:30:13 +02:00
Tom Moulard	b537ccdb0c	doc: update traefik image version	2021-10-25 17:18:12 +02:00
Pedro López Mareque	d9b8435a7d	feat: rename networking.k8s.io/v1beta1 to networking.k8s.io/v1	2021-10-21 09:44:12 +02:00
Pedro López Mareque	c0ba4d177f	fix: sourceCriterion documentation for InFlightReq and RateLimit middlewares	2021-10-19 14:40:06 +02:00
Anton Kindblad	7377ab7b95	fix(ui): bug parsing weighted service provider name	2021-10-18 14:52:14 +02:00
Tom Moulard	207ac94ed0	Fix remove http scheme urls in documentation	2021-10-08 11:52:05 +02:00
Daniel Tomcej	fe32a7e584	fix: use EscapedPath as header value when RawPath is empty	2021-10-08 11:32:08 +02:00
Aaron Raff	25e12aee14	kubernetes: normalize middleware names in ingress route config	2021-10-07 15:40:05 +02:00
Huan Wang	85dd45cb81	Add prefix to datadog metrics	2021-10-06 17:34:07 +02:00
kevinpollet	32340252b2	Merge branch v2.5 into master	2021-10-06 11:55:12 +02:00
Jack Morgan	5d716f0149	Mention escaping escape characters in YAML for regex usage	2021-10-06 11:36:11 +02:00
Ludovic Fernandez	918a343557	chore: update proxyprotocol and consul	2021-10-04 17:54:10 +02:00
Tom Moulard	969dd088a2	gateway api: support RouteNamespaces Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-10-04 15:46:08 +02:00
Ludovic Fernandez	89001ae9a4	Update go-acme/lego to v4.5.0	2021-10-01 09:20:08 +02:00
Roman Mahrer	c99221fa34	Fix typo in KV providers documentation	2021-09-29 13:22:12 +02:00
Andrii Kushch	9ef3fc84f9	Upgrade Instana tracer and make process profiling configurable	2021-09-29 11:52:08 +02:00
Kevin Pollet	d28bcf24e5	docs: reword tracing config descriptions to be consistent	2021-09-29 10:40:14 +02:00
KallyDev	8d739c411b	Move from deprecated ioutil to os and io packages	2021-09-28 15:30:14 +02:00
Kevin Pollet	46c1600ada	fix: forward request Host to errors middleware service Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-09-27 17:40:13 +02:00
Kevin Pollet	126b32c579	fix: add missing RequireAnyClientCert value to TLSOption CRD	2021-09-24 11:32:07 +02:00
Tom Moulard	380514941c	Merge current v2.5 into master	2021-09-23 16:10:03 +02:00
Max Baumann	61ceb7a32c	docs: replace links to French translation of k8s docs with English ones	2021-09-21 16:28:11 +02:00
Lukas Schulte Pelkum	07a3c37a23	Implement customizable minimum body size for compress middleware	2021-09-20 18:00:08 +02:00
Romain	c7e13eb082	Prepare release v2.5.3	2021-09-20 17:30:06 +02:00
Tom Moulard	6906a022ca	Add cross namespace verification in Kubernetes CRD	2021-09-20 12:54:05 +02:00
Harald Kraemer	8f0832d340	Add configurable tags to influxdb metrics	2021-09-17 09:08:07 +02:00
Kevin Pollet	bda0dba131	fix: add peerCertURI config to k8s crd provider Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-09-17 08:56:07 +02:00
Romain	76867e39ea	Fix ServersTransport reference from IngressRoute service definition Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-09-16 15:12:13 +02:00
Simon Stender Boisen	6f8e8ea252	Ensure disableHTTP2 works with k8s crd	2021-09-16 12:18:08 +02:00
Aaron Raff	8e7881094f	docs: add default proxy headers	2021-09-16 11:18:12 +02:00
Ludovic Fernandez	7d09132a5c	Update yaegi to v0.10.0	2021-09-16 10:20:07 +02:00
Ludovic Fernandez	6f4a7fb604	chore: upgrade linter	2021-09-16 09:16:07 +02:00
Tom Moulard	6e28db513c	Metrics router fix Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-09-15 17:26:06 +02:00
Kevin Pollet	2084201c8f	fix: experimental image build Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>	2021-09-15 12:10:06 +02:00
Antoine	70359e5d27	Replace go-bindata with Go embed Co-authored-by: nrwiersma <nick@wiersma.co.za>	2021-09-15 10:36:14 +02:00
Tom Moulard	a72d124551	Fix certChan defaulting on consul catalog provider	2021-09-14 17:12:12 +02:00
Daniel Tomcej	7ff13c3e3e	Support Kubernetes basic-auth secrets Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2021-09-14 15:16:11 +02:00
Jean-Baptiste Doumenjou	55360c1eaf	Add Tom Moulard in maintainers team	2021-09-14 10:42:14 +02:00
valerauko	60ff50a675	Add HTTP3Config	2021-09-10 14:58:13 +02:00
Jean-Baptiste Doumenjou	ba3967aa16	Merge current v2.5 into master	2021-09-10 12:00:24 +02:00
Jean-Baptiste Doumenjou	fffa413121	Fix golang doc URLs	2021-09-10 11:42:07 +02:00
Ricardo Tribaldos	c011bdfdd8	docs: fix error in example (YAML) for TCP middleware whitelist	2021-09-06 09:30:09 +02:00
romain	4235cef1b2	Merge current v2.5 into master	2021-09-03 09:13:34 +02:00
Romain	871e04cb12	Prepare release v2.5.2	2021-09-02 16:46:11 +02:00
Romain	287cebb498	Fix CRDs code and manifests generation	2021-09-02 14:40:08 +02:00
Sylvain Rabot	6c8d200373	Upgrade github.com/lucas-clemente/quic-go to v0.23.0	2021-09-02 12:06:10 +02:00
Anton Gubarev	0ac6f80b50	Fix empty body error in mirror	2021-09-02 10:46:13 +02:00
Romain	2b73860ea5	Adds pathType for v1 ingresses examples	2021-09-02 10:20:12 +02:00
Romain	ddcb003b3b	Bump go.elastic.co/apm version to v1.13.1	2021-09-02 09:56:11 +02:00
Romain	be52c5abb1	Fix http scheme urls in documentation	2021-08-31 18:54:06 +02:00
romain	f81ceaef8a	Merge current v2.5 into master	2021-08-30 14:51:57 +02:00
Romain	eb6c5fc34d	Fix experimental images workflow	2021-08-30 14:24:12 +02:00
Romain	4fc16f26a3	Build experimental images	2021-08-30 12:20:14 +02:00
Romain	234d35f592	Fix alpine docker image to version 3.14	2021-08-30 11:38:12 +02:00
Roopak Venkatakrishnan	352a72a5d7	Update x/sys to support go 1.17	2021-08-25 21:00:11 +02:00
Romain	4d1ce986a6	Bumps alpine docker images to v1.14.1	2021-08-25 11:14:10 +02:00
Romain	531a8ff248	Prepare release v2.5.1	2021-08-20 18:27:12 +02:00
Romain	2644c1f598	Makes ALPN protocols configurable	2021-08-20 18:20:06 +02:00
Julien Salleyron	fa53f7ec85	Conditional CloseNotify in header middleware	2021-08-19 18:02:07 +02:00
Per Osbäck	e05574af58	Adds MiddlewareTCP CRD documentation	2021-08-19 17:00:14 +02:00
euidong	fcfc976b13	Adds ContentType to middleware's overview table	2021-08-19 15:00:11 +02:00
romain	78180a5fa7	Merge current v2.4 into v2.5	2021-08-19 11:45:19 +02:00
Romain	3445abe7ac	Fix Kubernetes Gateway API documentation links	2021-08-19 11:18:11 +02:00
Eric	817ac8f256	Add organizationalUnit to passtlscert middleware	2021-07-28 17:42:09 +02:00
romain	c76d58d532	Merge current v2.5 into master	2021-07-28 15:21:46 +02:00
Tom Moulard	f25139424a	Merge remote-tracking branch 'origin/v2.5' into merge-back-v2.5-into-master	2021-07-23 13:14:26 +02:00
romain	36ffdf548d	Merge v2.5 into master	2021-07-20 15:38:53 +02:00
romain	ca2ff214c4	Merge current v2.5 into master	2021-06-30 11:56:49 +02:00