Prepare release v2.5.6

Co-authored-by: Rémi Buisson <remi.buisson@traefik.io>

.github/workflows/validate.yaml

@@ -7,7 +7,7 @@ on:
 
 env:
   GO_VERSION: 1.17
-  GOLANGCI_LINT_VERSION: v1.42.1
+  GOLANGCI_LINT_VERSION: v1.43.0
   MISSSPELL_VERSION: v0.3.4
   PRE_TARGET: ""
 

.gitignore

@@ -5,6 +5,7 @@
 .DS_Store
 /dist
 /webui/.tmp/
+/webui/static/
 /site/
 /docs/site/
 /static/

.golangci.toml

@@ -48,6 +48,7 @@
     extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
     metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
     kubeerror = "k8s.io/apimachinery/pkg/api/errors"
+    composeapi = "github.com/docker/compose/v2/pkg/api"
 
   [linters-settings.gomoddirectives]
     replace-allow-list = [
@@ -56,6 +57,7 @@
       "github.com/gorilla/mux",
       "github.com/mailgun/minheap",
       "github.com/mailgun/multibuf",
+      "github.com/jaguilar/vt100",
     ]
 
 [linters]
@@ -96,6 +98,10 @@
     "godox", # Too strict
     "forcetypeassert", # Too strict
     "tagliatelle", # Not compatible with current tags.
+    "varnamelen", # not relevant
+    "nilnil", # not relevant
+    "ireturn", # not relevant
+    "contextcheck", # too many false-positive
   ]
 
 [issues]

.semaphore/semaphore.yml

@@ -25,49 +25,31 @@ global_job_config:
       - export "PATH=${GOPATH}/bin:${PATH}"
       - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
       - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.42.1
-      - curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.43.0
+      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
       - go install github.com/containous/go-bindata/go-bindata@v1.0.0
       - checkout
       - cache restore traefik-$(checksum go.sum)
 
 blocks:
-  - name: Test Integration Container
+  - name: Test Integration
     dependencies: []
     run:
       when: "branch =~ '.*' OR pull_request =~'.*'"
     task:
       jobs:
-        - name: Test Integration Container
+        - name: Test Integration
           commands:
             - make pull-images
             - mkdir -p static # Avoid to generate webui
             - PRE_TARGET="" make binary
-            - make test-integration-container
+            - make test-integration
             - df -h
       epilogue:
         always:
           commands:
             - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
 
-  - name: Test Integration Host
-    dependencies: []
-    run:
-      when: "branch =~ '.*' OR pull_request =~'.*'"
-    task:
-      env_vars:
-        - name: PRE_TARGET
-          value: ""
-      jobs:
-        - name: Test Integration Host
-          commands:
-            - mkdir -p static # Avoid to generate webui
-            - make test-integration-host
-      epilogue:
-        always:
-          commands:
-            - cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
-
   - name: Release
     dependencies: []
     run:
@@ -83,7 +65,7 @@ blocks:
         - name: GH_VERSION
           value: 1.12.1
         - name: CODENAME
-          value: "livarot"
+          value: "brie"
         - name: PRE_TARGET
           value: ""
       prologue:

CHANGELOG.md

@@ -1,3 +1,66 @@
+## [v2.5.6](https://github.com/traefik/traefik/tree/v2.5.6) (2021-12-22)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.5...v2.5.6)
+
+**Bug fixes:**
+- **[middleware]** Process all X-Forwarded-For headers in the request ([#8596](https://github.com/traefik/traefik/pull/8596) by [kevinpollet](https://github.com/kevinpollet))
+- **[plugins]** Update Yaegi to v0.11.2 ([#8650](https://github.com/traefik/traefik/pull/8650) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net dependency version ([#8635](https://github.com/traefik/traefik/pull/8635) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[api]** Add missing API endpoints documentation ([#8649](https://github.com/traefik/traefik/pull/8649) by [ichxxx](https://github.com/ichxxx))
+- **[middleware]** Fix passTLSClientCert CRD example name ([#8637](https://github.com/traefik/traefik/pull/8637) by [ddtmachado](https://github.com/ddtmachado))
+- **[middleware]** Correct documentation in middleware overview ([#8636](https://github.com/traefik/traefik/pull/8636) by [Alestrix](https://github.com/Alestrix))
+
+## [v2.5.5](https://github.com/traefik/traefik/tree/v2.5.5) (2021-12-09)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.4...v2.5.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.5.3 ([#8607](https://github.com/traefik/traefik/pull/8607) by [lippertmarkus](https://github.com/lippertmarkus))
+- **[k8s/crd,k8s]** fix: propagate source criterion config to RateLimit middleware in Kubernetes CRD ([#8591](https://github.com/traefik/traefik/pull/8591) by [rbailly-talend](https://github.com/rbailly-talend))
+- **[plugins]** plugins: start the go routine before calling Provide ([#8620](https://github.com/traefik/traefik/pull/8620) by [ldez](https://github.com/ldez))
+- **[plugins]** Update yaegi to v0.11.1 ([#8600](https://github.com/traefik/traefik/pull/8600) by [tomMoulard](https://github.com/tomMoulard))
+- **[plugins]** Update yaegi v0.11.0 ([#8564](https://github.com/traefik/traefik/pull/8564) by [ldez](https://github.com/ldez))
+- **[udp]** fix: increase UDP read buffer length to max datagram size ([#8560](https://github.com/traefik/traefik/pull/8560) by [kevinpollet](https://github.com/kevinpollet))
+
+**Documentation:**
+- **[consul]** docs: removing typo in consul-catalog provider doc ([#8603](https://github.com/traefik/traefik/pull/8603) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** docs: remove misleading metrics overview configuration ([#8579](https://github.com/traefik/traefik/pull/8579) by [gsilvapt](https://github.com/gsilvapt))
+- **[middleware]** docs: align docker configuration example notes in basicauth HTTP middleware ([#8615](https://github.com/traefik/traefik/pull/8615) by [tomMoulard](https://github.com/tomMoulard))
+- **[service]** docs: health check use readiness probe in k8s ([#8575](https://github.com/traefik/traefik/pull/8575) by [Vampouille](https://github.com/Vampouille))
+- **[tls]** docs: uniformize client TLS config documentation ([#8602](https://github.com/traefik/traefik/pull/8602) by [kevinpollet](https://github.com/kevinpollet))
+- Update CODE_OF_CONDUCT.md ([#8619](https://github.com/traefik/traefik/pull/8619) by [tfny](https://github.com/tfny))
+- fixed minor spelling error in Regexp Syntax section ([#8565](https://github.com/traefik/traefik/pull/8565) by [kerrsmith](https://github.com/kerrsmith))
+
+## [v2.5.4](https://github.com/traefik/traefik/tree/v2.5.4) (2021-11-08)
+[All Commits](https://github.com/traefik/traefik/compare/v2.5.3...v2.5.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.5.0 ([#8481](https://github.com/traefik/traefik/pull/8481) by [ldez](https://github.com/ldez))
+- **[k8s/crd,k8s]** fix: add missing RequireAnyClientCert value to TLSOption CRD ([#8464](https://github.com/traefik/traefik/pull/8464) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/crd,k8s]** fix: normalize middleware names in ingress route config ([#8484](https://github.com/traefik/traefik/pull/8484) by [aaronraff](https://github.com/aaronraff))
+- **[middleware,provider,tls]** fix: do not require a TLS client cert when InsecureSkipVerify is false ([#8525](https://github.com/traefik/traefik/pull/8525) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,tls]** fix: use host's root CA set if ClientTLS ca is not defined ([#8545](https://github.com/traefik/traefik/pull/8545) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: forward request Host to errors middleware service ([#8460](https://github.com/traefik/traefik/pull/8460) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: use EscapedPath as header value when RawPath is empty ([#8251](https://github.com/traefik/traefik/pull/8251) by [dtomcej](https://github.com/dtomcej))
+- **[tcp,udp]** fix: TCP/UDP wrr when all servers have a weight set to 0 ([#8553](https://github.com/traefik/traefik/pull/8553) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** fix: bug parsing weighted service provider name ([#8522](https://github.com/traefik/traefik/pull/8522) by [cocoanton](https://github.com/cocoanton))
+
+**Documentation:**
+- **[acme]** docs: remove quotes in certificatesresolvers CLI examples ([#8544](https://github.com/traefik/traefik/pull/8544) by [rdxmb](https://github.com/rdxmb))
+- **[k8s/ingress,k8s]** docs: clarify usage for cross provider references in Kubernetes ingress annotations ([#8536](https://github.com/traefik/traefik/pull/8536) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** docs: networking.k8s.io/v1beta1 to networking.k8s.io/v1 ([#8523](https://github.com/traefik/traefik/pull/8523) by [pmareke](https://github.com/pmareke))
+- **[k8s]** docs: replace links to French translation of k8s docs with English ones ([#8457](https://github.com/traefik/traefik/pull/8457) by [FoseFx](https://github.com/FoseFx))
+- **[k8s]** docs: remove non-working kind config in IngressRouteTCP/UDP examples ([#8538](https://github.com/traefik/traefik/pull/8538) by [kevinpollet](https://github.com/kevinpollet))
+- **[kv]** docs: fix typo in KV providers documentation ([#8477](https://github.com/traefik/traefik/pull/8477) by [rondoe](https://github.com/rondoe))
+- **[metrics]** docs: fix typo in addRoutersLabels option title ([#8561](https://github.com/traefik/traefik/pull/8561) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware]** fix: sourceCriterion documentation for InFlightReq and RateLimit middlewares ([#8524](https://github.com/traefik/traefik/pull/8524) by [pmareke](https://github.com/pmareke))
+- **[middleware]** Mention escaping escape characters in YAML for regex usage ([#8496](https://github.com/traefik/traefik/pull/8496) by [JackMorganNZ](https://github.com/JackMorganNZ))
+- **[rules]** docs: add named groups details to Regexp Syntax section ([#8559](https://github.com/traefik/traefik/pull/8559) by [kerrsmith](https://github.com/kerrsmith))
+- **[tracing]** docs: reword tracing config descriptions to be consistent ([#8473](https://github.com/traefik/traefik/pull/8473) by [kevinpollet](https://github.com/kevinpollet))
+- docs: remove link to microbadger.com ([#8555](https://github.com/traefik/traefik/pull/8555) by [CrispyBaguette](https://github.com/CrispyBaguette))
+- docs: remove http scheme urls in documentation ([#8507](https://github.com/traefik/traefik/pull/8507) by [tomMoulard](https://github.com/tomMoulard))
+- docs: update traefik image version ([#8533](https://github.com/traefik/traefik/pull/8533) by [tomMoulard](https://github.com/tomMoulard))
+
 ## [v2.5.3](https://github.com/traefik/traefik/tree/v2.5.3) (2021-09-20)
 [All Commits](https://github.com/traefik/traefik/compare/v2.5.2...v2.5.3)
 

CODE_OF_CONDUCT.md

@@ -2,7 +2,7 @@
 
 ## Our Pledge
 
-In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience,nationality, personal appearance, race, religion, or sexual identity and orientation.
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 
 ## Our Standards
 
@@ -30,15 +30,19 @@ Project maintainers have the right and responsibility to remove, edit, or reject
 
 ## Scope
 
-This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. 
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or our community. 
+
 Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. 
 Representation of a project may be further defined and clarified by project maintainers.
 
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at contact@traefik.io
+
 All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. 
+
 The project team is obligated to maintain confidentiality with regard to the reporter of an incident. 
+
 Further details of specific enforcement policies may be posted separately.
 
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

Makefile

@@ -15,7 +15,7 @@ TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
 REPONAME := $(shell echo $(REPO) | tr '[:upper:]' '[:lower:]')
 TRAEFIK_IMAGE := $(if $(REPONAME),$(REPONAME),"traefik/traefik")
 
-INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)", -e "TEST_CONTAINER=1" -v "/var/run/docker.sock:/var/run/docker.sock")
+INTEGRATION_OPTS := $(if $(MAKE_DOCKER_HOST),-e "DOCKER_HOST=$(MAKE_DOCKER_HOST)",-v "/var/run/docker.sock:/var/run/docker.sock")
 DOCKER_BUILD_ARGS := $(if $(DOCKER_VERSION), "--build-arg=DOCKER_VERSION=$(DOCKER_VERSION)",)
 
 TRAEFIK_ENVS := \
@@ -32,7 +32,8 @@ TRAEFIK_ENVS := \
 TRAEFIK_MOUNT := -v "$(CURDIR)/$(BIND_DIR):/go/src/github.com/traefik/traefik/$(BIND_DIR)"
 DOCKER_RUN_OPTS := $(TRAEFIK_ENVS) $(TRAEFIK_MOUNT) "$(TRAEFIK_DEV_IMAGE)"
 DOCKER_NON_INTERACTIVE ?= false
-DOCKER_RUN_TRAEFIK := docker run --add-host=host.docker.internal:127.0.0.1 $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
+DOCKER_RUN_TRAEFIK_TEST := docker run --add-host=host.docker.internal:127.0.0.1 --rm --name=traefik --network traefik-test-network -v $(PWD):$(PWD) -w $(PWD) $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -it) $(DOCKER_RUN_OPTS)
 DOCKER_RUN_TRAEFIK_NOTTY := docker run $(INTEGRATION_OPTS) $(if $(DOCKER_NON_INTERACTIVE), , -i) $(DOCKER_RUN_OPTS)
 
 PRE_TARGET ?= build-dev-image
@@ -81,30 +82,27 @@ crossbinary-default-parallel:
 	$(MAKE) build-dev-image crossbinary-default
 
 ## Run the unit and integration tests
-test: build-dev-image
-	$(DOCKER_RUN_TRAEFIK) ./script/make.sh generate test-unit binary test-integration
+test: $(PRE_TARGET)
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate test-unit binary test-integration
 
 ## Run the unit tests
 test-unit: $(PRE_TARGET)
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate test-unit
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST)) ./script/make.sh generate test-unit
+
+## Run the integration tests
+test-integration: $(PRE_TARGET)
+	-docker network create traefik-test-network --driver bridge --subnet 172.31.42.0/24
+	trap 'docker network rm traefik-test-network' EXIT; \
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_TEST),) ./script/make.sh generate binary test-integration
 
 ## Pull all images for integration tests
 pull-images:
 	grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
 
-## Run the integration tests
-test-integration: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-	TEST_HOST=1 ./script/make.sh test-integration
-
-## Run the container integration tests
-test-integration-container: $(PRE_TARGET) binary
-	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
-
-## Run the host integration tests
-test-integration-host: $(PRE_TARGET) binary
-	TEST_HOST=1 ./script/make.sh test-integration
-
 ## Validate code and docs
 validate-files: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell

README.md

@@ -63,7 +63,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
-- Packaged as a single binary file (made with :heart: with go) and available as a [tiny](https://microbadger.com/images/traefik) [official](https://hub.docker.com/r/_/traefik/) docker image
+- Packaged as a single binary file (made with :heart: with go) and available as an [official](https://hub.docker.com/r/_/traefik/) docker image
 
 
 ## Supported Backends

build.Dockerfile

@@ -19,13 +19,13 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.42.1
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.43.0
 
 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
 
 # Download goreleaser binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sh
+RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh
 
 WORKDIR /go/src/github.com/traefik/traefik
 

cmd/internal/gen/main.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"go/build"
 	"go/types"
-	"io/ioutil"
 	"log"
+	"os"
 	"path"
 	"path/filepath"
 	"strings"
@@ -83,7 +83,7 @@ func run(dest string) error {
 		return err
 	}
 
-	return ioutil.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
+	return os.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0o666)
 }
 
 func cleanType(typ types.Type, base string) string {

docs/content/getting-started/install-traefik.md

@@ -24,7 +24,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.1.4`
+    ex: `traefik:v2.5`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 
@@ -101,13 +101,13 @@ helm install traefik traefik/traefik
 
 This HelmChart does not expose the Traefik dashboard by default, for security concerns.
 Thus, there are multiple ways to expose the dashboard.
-For instance, the dashboard access could be achieved through a port-forward :
+For instance, the dashboard access could be achieved through a port-forward:
 
 ```shell
 kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
 ```
 
-Accessible with the url: http://127.0.0.1:9000/dashboard/
+It can then be reached at: `http://127.0.0.1:9000/dashboard/`
 
 Another way would be to apply your own configuration, for instance,
 by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):

docs/content/getting-started/quick-start.md

@@ -36,7 +36,7 @@ Start your `reverse-proxy` with the following command:
 docker-compose up -d reverse-proxy
 ```
 
-You can open a browser and go to <http://localhost:8080/api/rawdata> to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
+You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
 
 ## Traefik Detects New Services and Creates the Route for You
 
@@ -61,7 +61,7 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```
 
-Go back to your browser (<http://localhost:8080/api/rawdata>) and see that Traefik has automatically detected the new container and updated its own configuration.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
 
 When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)
 
@@ -85,7 +85,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```
 
-Go back to your browser (<http://localhost:8080/api/rawdata>) and see that Traefik has automatically detected the new instance of the container.
+Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
 
 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:
 

docs/content/https/acme.md

@@ -284,6 +284,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 |-------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)              | `acme-dns`     | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)     |
 | [Alibaba Cloud](https://www.alibabacloud.com)               | `alidns`       | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)       |
+| [all-inkl](https://all-inkl.com)                            | `allinkl`      | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)      |
 | [ArvanCloud](https://www.arvancloud.com/en)                 | `arvancloud`   | `ARVANCLOUD_API_KEY`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud)   |
 | [Auroradns](https://www.pcextreme.com/dns-health-checks)    | `auroradns`    | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns)    |
 | [Autodns](https://www.internetx.com/domains/autodns/)       | `autodns`      | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/autodns)      |
@@ -292,15 +293,15 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Blue Cat](https://www.bluecatnetworks.com/)                | `bluecat`      | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)      |
 | [Checkdomain](https://www.checkdomain.de/)                  | `checkdomain`  | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
 | [CloudDNS](https://vshosting.eu/)                           | `clouddns`     | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)     |
-| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
 | [Cloudflare](https://www.cloudflare.com)                    | `cloudflare`   | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)   |
+| [ClouDNS](https://www.cloudns.net/)                         | `cloudns`      | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)      |
 | [CloudXNS](https://www.cloudxns.net)                        | `cloudxns`     | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns)     |
 | [ConoHa](https://www.conoha.jp)                             | `conoha`       | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD`                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/conoha)       |
 | [Constellix](https://constellix.com)                        | `constellix`   | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/constellix)   |
 | [deSEC](https://desec.io)                                   | `desec`        | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)        |
 | [DigitalOcean](https://www.digitalocean.com)                | `digitalocean` | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                    | `dnsmadeeasy`  | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)  |
+| [DNSimple](https://dnsimple.com)                            | `dnsimple`     | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)     |
 | [DNSPod](https://www.dnspod.com/)                           | `dnspod`       | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)       |
 | [Domain Offensive (do.de)](https://www.do.de/)              | `dode`         | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)         |
 | [Domeneshop](https://domene.shop)                           | `domeneshop`   | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop)   |
@@ -310,21 +311,25 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Dynu](https://www.dynu.com)                                | `dynu`         | `DYNU_API_KEY`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/dynu)         |
 | [EasyDNS](https://easydns.com/)                             | `easydns`      | `EASYDNS_TOKEN`, `EASYDNS_KEY`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/easydns)      |
 | [EdgeDNS](https://www.akamai.com/)                          | `edgedns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
+| [Epik](https://www.epik.com)                                | `epik`         | `EPIK_SIGNATURE`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/epik)         |
 | [Exoscale](https://www.exoscale.com)                        | `exoscale`     | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT`                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale)     |
 | [Fast DNS](https://www.akamai.com/)                         | `fastdns`      | `AKAMAI_CLIENT_TOKEN`,  `AKAMAI_CLIENT_SECRET`,  `AKAMAI_ACCESS_TOKEN`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns)      |
-| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
+| [Freemyip.com](https://freemyip.com)                        | `freemyip`     | `FREEMYIP_TOKEN`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip)     |
+| [G-Core Lab](https://gcorelabs.com/dns/)                    | `gcore`        | `GCORE_PERMANENT_API_TOKEN`                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/gcore)        |
 | [Gandi v5](https://doc.livedns.gandi.net)                   | `gandiv5`      | `GANDIV5_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5)      |
+| [Gandi](https://www.gandi.net)                              | `gandi`        | `GANDI_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/gandi)        |
 | [Glesys](https://glesys.com/)                               | `glesys`       | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/glesys)       |
 | [GoDaddy](https://godaddy.com/)                             | `godaddy`      | `GODADDY_API_KEY`, `GODADDY_API_SECRET`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy)      |
 | [Google Cloud DNS](https://cloud.google.com/dns/docs/)      | `gcloud`       | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`]                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud)       |
 | [Hetzner](https://hetzner.com)                              | `hetzner`      | `HETZNER_API_KEY`                                                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner)      |
 | [hosting.de](https://www.hosting.de)                        | `hostingde`    | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde)    |
-| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| [Hosttech](https://www.hosttech.eu)                         | `hosttech`     | `HOSTTECH_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech)     |
 | [HyperOne](https://www.hyperone.com)                        | `hyperone`     | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone)     |
+| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)         | `ibmcloud`     | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)     |
 | [IIJ](https://www.iij.ad.jp/)                               | `iij`          | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)          |
 | [Infoblox](https://www.infoblox.com/)                       | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
 | [Infomaniak](https://www.infomaniak.com)                    | `infomaniak`   | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)   |
+| [Internet.bs](https://internetbs.net)                       | `internetbs`   | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)   |
 | [INWX](https://www.inwx.de/en)                              | `inwx`         | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)         |
 | [ionos](https://ionos.com/)                                 | `ionos`        | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)        |
 | [Joker.com](https://joker.com)                              | `joker`        | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)        |
@@ -333,28 +338,28 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Liquid Web](https://www.liquidweb.com/)                    | `liquidweb`    | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)    |
 | [Loopia](https://loopia.com/)                               | `loopia`       | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/loopia)       |
 | [LuaDNS](https://luadns.com)                                | `luadns`       | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/luadns)       |
-| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 | [MyDNS.jp](https://www.mydns.jp/)                           | `mydnsjp`      | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp)      |
 | [Mythic Beasts](https://www.mythic-beasts.com)              | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
-| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [name.com](https://www.name.com/)                           | `namedotcom`   | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)   |
+| [Namecheap](https://www.namecheap.com)                      | `namecheap`    | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)    |
 | [Namesilo](https://www.namesilo.com/)                       | `namesilo`     | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)     |
 | [Netcup](https://www.netcup.eu/)                            | `netcup`       | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)       |
 | [Netlify](https://www.netlify.com)                          | `netlify`      | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)      |
+| [Nicmanager](https://www.nicmanager.com)                    | `nicmanager`   | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)   |
 | [NIFCloud](https://cloud.nifty.com/service/dns.htm)         | `nifcloud`     | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY`                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud)     |
 | [Njalla](https://njal.la)                                   | `njalla`       | `NJALLA_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/njalla)       |
 | [NS1](https://ns1.com/)                                     | `ns1`          | `NS1_API_KEY`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/ns1)          |
 | [Open Telekom Cloud](https://cloud.telekom.de)              | `otc`          | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                             | [Additional configuration](https://go-acme.github.io/lego/dns/otc)          |
-| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Openstack Designate](https://docs.openstack.org/designate) | `designate`    | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/designate)    |
 | [Oracle Cloud](https://cloud.oracle.com/home)               | `oraclecloud`  | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)  |
+| [OVH](https://www.ovh.com)                                  | `ovh`          | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)          |
 | [Porkbun](https://porkbun.com/)                             | `porkbun`      | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)      |
 | [PowerDNS](https://www.powerdns.com)                        | `pdns`         | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)         |
 | [Rackspace](https://www.rackspace.com/cloud/dns)            | `rackspace`    | `RACKSPACE_USER`, `RACKSPACE_API_KEY`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace)    |
 | [reg.ru](https://www.reg.ru)                                | `regru`        | `REGRU_USERNAME`, `REGRU_PASSWORD`                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/regru)        |
 | [RFC2136](https://tools.ietf.org/html/rfc2136)              | `rfc2136`      | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER`                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136)      |
-| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
 | [RimuHosting](https://rimuhosting.com)                      | `rimuhosting`  | `RIMUHOSTING_API_KEY`                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)  |
+| [Route 53](https://aws.amazon.com/route53/)                 | `route53`      | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.             | [Additional configuration](https://go-acme.github.io/lego/dns/route53)      |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                 | `sakuracloud`  | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)  |
 | [Scaleway](https://www.scaleway.com)                        | `scaleway`     | `SCALEWAY_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)     |
 | [Selectel](https://selectel.ru/en/)                         | `selectel`     | `SELECTEL_API_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)     |
@@ -372,6 +377,9 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Yandex](https://yandex.com)                                | `yandex`       | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)       |
 | [Zone.ee](https://www.zone.ee)                              | `zoneee`       | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)       |
 | [Zonomi](https://zonomi.com)                                | `zonomi`       | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)       |
+| External Program                                            | `exec`         | `EXEC_PATH`                                                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/exec)         |
+| HTTP request                                                | `httpreq`      | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1]                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq)      |
+| manual                                                      | `manual`       | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press <kbd>Enter</kbd>.                     |                                                                             |
 
 [^1]: more information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/)
 [^2]: [providing_credentials_to_your_application](https://cloud.google.com/docs/authentication/production)
@@ -552,7 +560,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
+--certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
 # ...
 ```
 
@@ -580,7 +588,7 @@ certificatesResolvers:
 
 ```bash tab="CLI"
 # ...
---certificatesresolvers.myresolver.acme.keyType="RSA4096"
+--certificatesresolvers.myresolver.acme.keyType=RSA4096
 # ...
 ```
 

docs/content/middlewares/http/basicauth.md

@@ -91,9 +91,11 @@ The `users` option is an array of authorized users. Each user must be declared u
 ```yaml tab="Docker"
 # Declaring the user list
 #
-# Note: all dollar signs in the hash need to be doubled for escaping.
+# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
 # To create a user:password pair, the following command can be used:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+#
+# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
 labels:
   - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

docs/content/middlewares/http/errorpages.md

@@ -8,6 +8,7 @@ It Has Never Been Easier to Say That Something Went Wrong
 The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
 
 !!! important
+
     The error page itself is _not_ hosted by Traefik.
 
 ## Configuration Examples
@@ -112,6 +113,11 @@ The service that will serve the new requested error page.
 
     In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
 
+!!! info "Host Header"
+
+    By default, the client `Host` header value is forwarded to the configured error [service](#service).
+    To forward the `Host` value corresponding to the configured error service URL, the [passHostHeader](../../../routing/services/#pass-host-header) option must be set to `false`.     
+
 ### `query`
 
 The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.

docs/content/middlewares/http/forwardauth.md

@@ -284,6 +284,12 @@ http:
     authResponseHeadersRegex = "^X-"
 ```
 
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `authRequestHeaders`
 
 The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
@@ -343,11 +349,16 @@ http:
 
 ### `tls`
 
-The `tls` option is the TLS configuration from Traefik to the authentication server.
+_Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the authentication server.
 
-Certificate Authority used for the secured connection to the authentication server.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secured connection to the authentication server,
+it defaults to the system bundle.
 
 ```yaml tab="Docker"
 labels:
@@ -410,13 +421,15 @@ http:
       ca = "path/to/local.crt"
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -472,9 +485,12 @@ http:
       caOptional = true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-The public certificate used for the secure connection to the authentication server.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the authentication server.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="Docker"
 labels:
@@ -547,9 +563,12 @@ http:
 
     For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-#### `tls.key`
+#### `key`
 
-The private certificate used for the secure connection to the authentication server.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the authentication server.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="Docker"
 labels:
@@ -622,7 +641,9 @@ http:
 
     For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/middlewares/http/headers.md

@@ -333,7 +333,9 @@ It allows all origins that contain any match of a regular expression in the `acc
 
 !!! tip
 
-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
 
 ### `accessControlExposeHeaders`
 

docs/content/middlewares/http/inflightreq.md

@@ -115,7 +115,7 @@ http:
 ### `sourceCriterion`
 
 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the `requestHost`.
 
 #### `sourceCriterion.ipStrategy`

docs/content/middlewares/http/overview.md

@@ -84,7 +84,7 @@ labels:
 # As TOML Configuration File
 [http.routers]
   [http.routers.router1]
-    service = "myService"
+    service = "service1"
     middlewares = ["foo-add-prefix"]
     rule = "Host(`example.com`)"
 
@@ -105,7 +105,7 @@ labels:
 http:
   routers:
     router1:
-      service: myService
+      service: service1
       middlewares:
         - "foo-add-prefix"
       rule: "Host(`example.com`)"

docs/content/middlewares/http/passtlsclientcert.md

@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: addprefix
+  name: test-passtlsclientcert
 spec:
   passTLSClientCert:
     pem: true

docs/content/middlewares/http/ratelimit.md

@@ -250,7 +250,7 @@ http:
 ### `sourceCriterion`
 
 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
+If several strategies are defined at the same time, an error will be raised.
 If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
 
 #### `sourceCriterion.ipStrategy`

docs/content/middlewares/http/redirectregex.md

@@ -73,10 +73,6 @@ http:
 
 ## Configuration Options
 
-!!! tip
-
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 ### `permanent`
 
 Set the `permanent` option to `true` to apply a permanent redirection.
@@ -85,6 +81,12 @@ Set the `permanent` option to `true` to apply a permanent redirection.
 
 The `regex` option is the regular expression to match and capture elements from the request URL.
 
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
+
 ### `replacement`
 
 The `replacement` option defines how to modify the URL to have the new target URL.

docs/content/middlewares/http/replacepathregex.md

@@ -79,7 +79,9 @@ The ReplacePathRegex middleware will:
 
 !!! tip
 
-    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
 
 ### `regex`
 

docs/content/middlewares/http/stripprefixregex.md

@@ -67,11 +67,13 @@ The StripPrefixRegex middleware strips the matching path prefix and stores it in
 
 The `regex` option is the regular expression to match the path prefix from the request URL.
 
-!!! tip
-
-    Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
 For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 
 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
+
+!!! tip
+
+    Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
+
+    When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.

docs/content/migration/v2.md

@@ -179,7 +179,7 @@ To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in t
 
 #### Expose an Ingress on 80 and 443
 
-Define the default TLS configuration on the HTTPS entry point. 
+Define the default TLS configuration on the HTTPS entry point.
 
 ```yaml tab="Ingress"
 kind: Ingress
@@ -335,7 +335,7 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn
 ### IngressClass
 
 In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
-In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated. 
+In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
 
 ## v2.3 to v2.4
 
@@ -350,7 +350,7 @@ It is therefore necessary to update [RBAC](../reference/dynamic-configuration/ku
 
 In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
 and in TCP router rule `HostSNI` expression.
-This check ensures that provided domain names don't contain non-ASCII characters. 
+This check ensures that provided domain names don't contain non-ASCII characters.
 If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
 
 This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
@@ -380,8 +380,8 @@ To allow it, the `allowExternalNameServices` option should be set to `true`.
 
 ### Kubernetes CRD
 
-In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`. 
-As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema. 
+In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
+As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
 
 After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
 
@@ -415,3 +415,11 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
 the legacy behavior related to the CommonName field can not be enabled at all anymore.
+
+## v2.5.3 to v2.5.4
+
+### Errors middleware
+
+In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
+the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
+Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.

docs/content/observability/access-logs.md

@@ -247,7 +247,7 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik:v2.2
+    image: traefik:v2.5
     environment:
       - TZ=US/Alaska
     command:

docs/content/observability/metrics/datadog.md

@@ -59,7 +59,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
-#### `AddRoutersLabels`
+#### `addRoutersLabels`
 
 _Optional, Default=false_
 

docs/content/observability/metrics/influxdb.md

@@ -170,7 +170,7 @@ metrics:
 --metrics.influxdb.addEntryPointsLabels=true
 ```
 
-#### `AddRoutersLabels`
+#### `addRoutersLabels`
 
 _Optional, Default=false_
 

docs/content/observability/metrics/overview.md

@@ -7,22 +7,6 @@ Traefik supports 4 metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)
 
-## Configuration
-
-To enable metrics:
-
-```yaml tab="File (YAML)"
-metrics: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
-```
-
-```bash tab="CLI"
---metrics=true
-```
-
 ## Server Metrics
 
 | Metric                                                                  | DataDog | InfluxDB | Prometheus | StatsD |

docs/content/observability/metrics/prometheus.md

@@ -64,7 +64,7 @@ metrics:
 --metrics.prometheus.addEntryPointsLabels=true
 ```
 
-#### `AddRoutersLabels`
+#### `addRoutersLabels`
 
 _Optional, Default=false_
 

docs/content/observability/metrics/statsd.md

@@ -60,7 +60,7 @@ metrics:
 --metrics.statsd.addEntryPointsLabels=true
 ```
 
-#### `AddRoutersLabels`
+#### `addRoutersLabels`
 
 _Optional, Default=false_
 

docs/content/observability/tracing/datadog.md

@@ -1,6 +1,6 @@
 # Datadog
 
-To enable the Datadog:
+To enable the Datadog tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:
 
 _Required, Default="127.0.0.1:8126"_
 
-Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
+Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:
 
 _Optional, Default=false_
 
-Enable Datadog debug.
+Enables Datadog debug.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Apply shared tag in a form of Key:Value to all the traces.
+Applies a shared key:value tag on all spans.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,8 @@ tracing:
 
 _Optional, Default=false_
 
-Enable priority sampling. When using distributed tracing,
+Enables priority sampling.
+When using distributed tracing, 
 this option must be enabled in order to get all the parts of a distributed trace sampled.
 
 ```yaml tab="File (YAML)"

docs/content/observability/tracing/elastic.md

@@ -1,6 +1,6 @@
 # Elastic
 
-To enable the Elastic:
+To enable the Elastic tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:
 
 _Optional, Default="http://localhost:8200"_
 
-APM ServerURL is the URL of the Elastic APM server.
+URL of the Elastic APM server.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:
 
 _Optional, Default=""_
 
-APM Secret Token is the token used to connect to Elastic APM Server.
+Token used to connect to Elastic APM Server.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:
 
 _Optional, Default=""_
 
-APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
+Environment's name where Traefik is deployed in, e.g. `production` or `staging`.
 
 ```yaml tab="File (YAML)"
 tracing:

docs/content/observability/tracing/haystack.md

@@ -1,6 +1,6 @@
 # Haystack
 
-To enable the Haystack:
+To enable the Haystack tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -18,9 +18,9 @@ tracing:
 
 #### `localAgentHost`
 
-_Require, Default="127.0.0.1"_
+_Required, Default="127.0.0.1"_
 
-Local Agent Host instructs reporter to send spans to haystack-agent at this address.
+Local Agent Host instructs reporter to send spans to the Haystack Agent at this address.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -40,9 +40,9 @@ tracing:
 
 #### `localAgentPort`
 
-_Require, Default=35000_
+_Required, Default=35000_
 
-Local Agent port instructs reporter to send spans to the haystack-agent at this port.
+Local Agent Port instructs reporter to send spans to the Haystack Agent at this port.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Apply shared tag in a form of Key:Value to all the traces.
+Applies shared key:value tag on all spans.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -108,7 +108,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -130,7 +130,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Specifies the header name that will be used to store the span ID.
+Sets the header name used to store the span ID.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -152,7 +152,7 @@ tracing:
 
 _Optional, Default=empty_
 
-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -166,7 +166,6 @@ tracing:
     baggagePrefixHeaderName = "sample"
 ```
 
-
 ```bash tab="CLI"
 --tracing.haystack.baggagePrefixHeaderName=sample
 ```

docs/content/observability/tracing/instana.md

@@ -1,6 +1,6 @@
 # Instana
 
-To enable the Instana:
+To enable the Instana tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -18,9 +18,9 @@ tracing:
 
 #### `localAgentHost`
 
-_Require, Default="127.0.0.1"_
+_Required, Default="127.0.0.1"_
 
-Local Agent Host instructs reporter to send spans to instana-agent at this address.
+Local Agent Host instructs reporter to send spans to the Instana Agent at this address.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -40,9 +40,9 @@ tracing:
 
 #### `localAgentPort`
 
-_Require, Default=42699_
+_Required, Default=42699_
 
-Local Agent port instructs reporter to send spans to the instana-agent at this port.
+Local Agent port instructs reporter to send spans to the Instana Agent listening on this port.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -62,11 +62,11 @@ tracing:
 
 #### `logLevel`
 
-_Require, Default="info"_
+_Required, Default="info"_
 
-Set Instana tracer log level.
+Sets Instana tracer log level.
 
-Valid values for logLevel field are:
+Valid values are:
 
 - `error`
 - `warn`

docs/content/observability/tracing/jaeger.md

@@ -1,6 +1,6 @@
 # Jaeger
 
-To enable the Jaeger:
+To enable the Jaeger tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -27,7 +27,7 @@ tracing:
 
 _Required, Default="http://localhost:5778/sampling"_
 
-Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
+Address of the Jaeger Agent HTTP sampling server.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -49,7 +49,13 @@ tracing:
 
 _Required, Default="const"_
 
-Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
+Type of the sampler.
+
+Valid values are:
+
+- `const`
+- `probabilistic`
+- `rateLimiting`
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -71,9 +77,9 @@ tracing:
 
 _Required, Default=1.0_
 
-Sampling Param is a value passed to the sampler.
+Value passed to the sampler.
 
-Valid values for Param field are:
+Valid values are:
 
 - for `const` sampler, 0 or 1 for always false/true respectively
 - for `probabilistic` sampler, a probability between 0 and 1
@@ -99,7 +105,7 @@ tracing:
 
 _Required, Default="127.0.0.1:6831"_
 
-Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
+Local Agent Host Port instructs the reporter to send spans to the Jaeger Agent at this address (host:port).
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -121,7 +127,7 @@ tracing:
 
 _Optional, Default=false_
 
-Generate 128-bit trace IDs, compatible with OpenCensus.
+Generates 128 bits trace IDs, compatible with OpenCensus.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -143,8 +149,9 @@ tracing:
 
 _Required, Default="jaeger"_
 
-Set the propagation header type.
-This can be either:
+Sets the propagation header type.
+
+Valid values are:
 
 - `jaeger`, jaeger's default trace header.
 - `b3`, compatible with OpenZipkin
@@ -169,7 +176,7 @@ tracing:
 
 _Required, Default="uber-trace-id"_
 
-Trace Context Header Name is the http header name used to propagate tracing context.
+HTTP header name used to propagate tracing context.
 This must be in lower-case to avoid mismatches when decoding incoming headers.
 
 ```yaml tab="File (YAML)"
@@ -192,7 +199,7 @@ tracing:
 
 _Optional, Default=true_
 
-Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
+Disables the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
 Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
 
 ```yaml tab="File (YAML)"
@@ -216,7 +223,7 @@ tracing:
 
 _Optional, Default=""_
 
-Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
+Collector Endpoint instructs the reporter to send spans to the Jaeger Collector at this URL.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -239,7 +246,7 @@ tracing:
 
 _Optional, Default=""_
 
-User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
+User instructs the reporter to include a user for basic HTTP authentication when sending spans to the Jaeger Collector.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -262,7 +269,7 @@ tracing:
 
 _Optional, Default=""_
 
-Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
+Password instructs the reporter to include a password for basic HTTP authentication when sending spans to the Jaeger Collector.
 
 ```yaml tab="File (YAML)"
 tracing:

docs/content/observability/tracing/zipkin.md

@@ -1,6 +1,6 @@
 # Zipkin
 
-To enable the Zipkin:
+To enable the Zipkin tracer:
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -20,7 +20,7 @@ tracing:
 
 _Required, Default="http://localhost:9411/api/v2/spans"_
 
-Zipkin HTTP endpoint used to send data.
+HTTP endpoint used to send data.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -42,7 +42,7 @@ tracing:
 
 _Optional, Default=false_
 
-Use Zipkin SameSpan RPC style traces.
+Uses SameSpan RPC style traces.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -64,7 +64,7 @@ tracing:
 
 _Optional, Default=true_
 
-Use Zipkin 128 bit trace IDs.
+Uses 128 bits trace IDs.
 
 ```yaml tab="File (YAML)"
 tracing:
@@ -86,7 +86,7 @@ tracing:
 
 _Required, Default=1.0_
 
-The rate between 0.0 and 1.0 of requests to trace.
+The proportion of requests to trace, specified between 0.0 and 1.0.
 
 ```yaml tab="File (YAML)"
 tracing:

docs/content/operations/api.md

@@ -147,9 +147,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
 | `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
 | `/api/tcp/services`            | Lists all the TCP services information.                                                     |
 | `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
+| `/api/udp/services`            | Lists all the UDP services information.                                                     |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
 | `/api/entrypoints`             | Lists all the entry points information.                                                     |
 | `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
 | `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
 | `/api/version`                 | Returns information about Traefik version.                                                  |
 | `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
 | `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |

docs/content/providers/consul-catalog.md

@@ -362,13 +362,14 @@ providers:
 
 _Optional_
 
-Defines TLS options for Consul server endpoint.
+Defines the TLS configuration used for the secure connection to Consul Catalog.
 
 ##### `ca`
 
 _Optional_
 
-`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+`ca` is the path to the certificate authority used for the secure connection to Consul Catalog,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -391,11 +392,11 @@ providers:
 
 _Optional_
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -422,8 +423,7 @@ providers:
 
 _Optional_
 
-`cert` is the path to the public certificate to use for Consul communication.
-
+`cert` is the path to the public certificate used for the secure connection to Consul Catalog.
 When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
@@ -450,8 +450,7 @@ providers:
 
 _Optional_
 
-`key` is the path to the private key for Consul communication.
-
+`key` is the path to the private key used for the secure connection to Consul Catalog.
 When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
@@ -476,7 +475,7 @@ providers:
 
 ##### `insecureSkipVerify`
 
-_Optional_
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/consul.md

@@ -64,7 +64,7 @@ Defines a username to connect to Consul with.
 providers:
   consul:
     # ...
-    usename: "foo"
+    username: "foo"
 ```
 
 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Consul.
 
-Certificate Authority used for the secure connection to Consul.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Consul,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.consul.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -152,9 +159,12 @@ providers:
 --providers.consul.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to Consul.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Consul.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to Consul.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Consul.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.consul.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/docker.md

@@ -613,9 +613,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Docker.
 
-Certificate Authority used for the secure connection to Docker.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Docker,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -633,13 +638,15 @@ providers:
 --providers.docker.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -661,9 +668,10 @@ providers:
 --providers.docker.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to Docker.
+`cert` is the path to the public certificate used for the secure connection to Docker.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -684,9 +692,12 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to Docker.
+_Optional_
+
+`key` is the path to the private key used for the secure connection Docker.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -707,7 +718,9 @@ providers:
 --providers.docker.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/etcd.md

@@ -64,7 +64,7 @@ Defines a username with which to connect to etcd.
 providers:
   etcd:
     # ...
-    usename: "foo"
+    username: "foo"
 ```
 
 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to etcd.
 
-Certificate Authority used for the secure connection to etcd.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to etcd,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.etcd.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -152,9 +159,12 @@ providers:
 --providers.etcd.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to etcd.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to etcd.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to etcd.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to etcd.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.etcd.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/http.md

@@ -55,7 +55,7 @@ providers:
 
 _Optional, Default="5s"_
 
-Defines the polling timeout when connecting to the configured endpoint.
+Defines the polling timeout when connecting to the endpoint.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -76,9 +76,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to the endpoint.
 
-Certificate Authority used for the secure connection to the configured endpoint.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the endpoint,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -96,13 +101,15 @@ providers:
 --providers.http.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -124,9 +131,12 @@ providers:
 --providers.http.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the endpoint.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -147,9 +157,12 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to the configured endpoint.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the endpoint.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -170,7 +183,9 @@ providers:
 --providers.http.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/kubernetes-crd.md

@@ -62,7 +62,7 @@ Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1
 
 If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
 
-If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.

docs/content/providers/kubernetes-ingress.md

@@ -36,10 +36,10 @@ and derives the corresponding dynamic configuration from it,
 which in turn creates the resulting routers, services, handlers, etc.
 
 ```yaml tab="Ingress"
+apiVersion: networking.k8s.io/v1
 kind: Ingress
-apiVersion: networking.k8s.io/v1beta1
 metadata:
-  name: "foo"
+  name: foo
   namespace: production
 
 spec:
@@ -48,20 +48,26 @@ spec:
       http:
         paths:
           - path: /bar
+            pathType: Exact
             backend:
-              serviceName: service1
-              servicePort: 80
+              service:
+                name:  service1
+                port:
+                  number: 80
           - path: /foo
+            pathType: Exact
             backend:
-              serviceName: service1
-              servicePort: 80
+              service:
+                name:  service1
+                port:
+                  number: 80
 ```
 
-```yaml tab="Ingress Kubernetes v1.19+"
+```yaml tab="Ingress v1beta1 (deprecated)"
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
-apiVersion: networking.k8s.io/v1
 metadata:
-  name: "foo"
+  name: foo
   namespace: production
 
 spec:
@@ -70,19 +76,13 @@ spec:
       http:
         paths:
           - path: /bar
-            pathType: Exact
             backend:
-              service:
-                name:  service1
-                port:
-                  number: 80
+              serviceName: service1
+              servicePort: 80
           - path: /foo
-            pathType: Exact
             backend:
-              service:
-                name:  service1
-                port:
-                  number: 80
+              serviceName: service1
+              servicePort: 80
 ```
 
 ## LetsEncrypt Support with the Ingress Provider
@@ -104,7 +104,7 @@ If you need Let's Encrypt with high availability in a Kubernetes environment,
 we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
 
 If you want to keep using Traefik Proxy,
-LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates,
 it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 
@@ -272,19 +272,19 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
     ```
 
     ```yaml tab="Ingress"
-    apiVersion: "networking.k8s.io/v1beta1"
-    kind: "Ingress"
+    apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
     metadata:
-      name: "example-ingress"
+      name: example-ingress
     spec:
-      ingressClassName: "traefik-lb"
+      ingressClassName: traefik-lb
       rules:
       - host: "*.example.com"
         http:
           paths:
-          - path: "/example"
+          - path: /example
             backend:
-              serviceName: "example-service"
+              serviceName: example-service
               servicePort: 80
     ```
 
@@ -303,21 +303,21 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
     ```
 
     ```yaml tab="Ingress"
-    apiVersion: "networking.k8s.io/v1"
-    kind: "Ingress"
+    apiVersion: networking.k8s.io/v1
+    kind: Ingress
     metadata:
-      name: "example-ingress"
+      name: example-ingress
     spec:
-      ingressClassName: "traefik-lb"
+      ingressClassName: traefik-lb
       rules:
       - host: "*.example.com"
         http:
           paths:
-          - path: "/example"
+          - path: /example
             pathType: Exact
             backend:
               service:
-                name: "example-service"
+                name: example-service
                 port:
                     number: 80
     ```

docs/content/providers/marathon.md

@@ -404,9 +404,12 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Marathon.
 
-Certificate Authority used for the secure connection to Marathon.
+#### `ca`
+
+`ca` is the path to the certificate authority used for the secure connection to Marathon,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -424,13 +427,15 @@ providers:
 --providers.marathon.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -452,9 +457,12 @@ providers:
 --providers.marathon.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to Marathon.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Marathon.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -475,9 +483,12 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to Marathon.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Marathon.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -498,7 +509,9 @@ providers:
 --providers.marathon.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
 
@@ -531,18 +544,18 @@ see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 ```yaml tab="File (YAML)"
 providers:
   marathon:
-    responseHeaderTimeout: "10s"
+    tlsHandshakeTimeout: "10s"
     # ...
 ```
 
 ```toml tab="File (TOML)"
 [providers.marathon]
-  responseHeaderTimeout = "10s"
+  tlsHandshakeTimeout = "10s"
   # ...
 ```
 
 ```bash tab="CLI"
---providers.marathon.responseHeaderTimeout=10s
+--providers.marathon.tlsHandshakeTimeout=10s
 # ...
 ```
 

docs/content/providers/redis.md

@@ -64,7 +64,7 @@ Defines a username to connect with Redis.
 providers:
   redis:
     # ...
-    usename: "foo"
+    username: "foo"
 ```
 
 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to Redis.
 
-Certificate Authority used for the secure connection to Redis.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Redis,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.redis.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -152,9 +159,12 @@ providers:
 --providers.redis.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to Redis.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Redis.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to Redis.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Redis.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.redis.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/providers/zookeeper.md

@@ -64,7 +64,7 @@ Defines a username to connect with ZooKeeper.
 providers:
   zooKeeper:
     # ...
-    usename: "foo"
+    username: "foo"
 ```
 
 ```toml tab="File (TOML)"
@@ -104,9 +104,14 @@ providers:
 
 _Optional_
 
-#### `tls.ca`
+Defines the TLS configuration used for the secure connection to ZooKeeper.
 
-Certificate Authority used for the secure connection to ZooKeeper.
+#### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to ZooKeeper,
+it defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -124,13 +129,15 @@ providers:
 --providers.zookeeper.tls.ca=path/to/ca.crt
 ```
 
-#### `tls.caOptional`
+#### `caOptional`
 
-The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
+_Optional_
+
+The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
 
 !!! warning ""
 
-    If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
+    If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
 
 When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
 
@@ -152,9 +159,12 @@ providers:
 --providers.zookeeper.tls.caOptional=true
 ```
 
-#### `tls.cert`
+#### `cert`
 
-Public certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to ZooKeeper.
+When using this option, setting the `key` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -175,9 +185,12 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```
 
-#### `tls.key`
+#### `key`
 
-Private certificate used for the secure connection to ZooKeeper.
+_Optional_
+
+`key` is the path to the private key used for the secure connection to ZooKeeper.
+When using this option, setting the `cert` option is required.
 
 ```yaml tab="File (YAML)"
 providers:
@@ -198,7 +211,9 @@ providers:
 --providers.zookeeper.tls.key=path/to/foo.key
 ```
 
-#### `tls.insecureSkipVerify`
+#### `insecureSkipVerify`
+
+_Optional, Default=false_
 
 If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.
 

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -1,5 +1,5 @@
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: traefik-ingress-controller
 
@@ -48,8 +48,8 @@ rules:
       - watch
 
 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: traefik-ingress-controller
 

docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml

@@ -38,8 +38,8 @@ rules:
       - update
 
 ---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: gateway-controller
 

docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml

@@ -398,7 +398,7 @@ spec:
                       info configuration.
                     properties:
                       issuer:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:
@@ -425,7 +425,7 @@ spec:
                       serialNumber:
                         type: boolean
                       subject:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:

docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml

@@ -54,6 +54,7 @@ spec:
                     enum:
                     - NoClientCert
                     - RequestClientCert
+                    - RequireAnyClientCert
                     - VerifyClientCertIfGiven
                     - RequireAndVerifyClientCert
                     type: string

docs/content/reference/static-configuration/cli-ref.md

@@ -859,76 +859,76 @@ OpenTracing configuration. (Default: ```false```)
 Settings for Datadog. (Default: ```false```)
 
 `--tracing.datadog.bagageprefixheadername`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.
 
 `--tracing.datadog.debug`:  
-Enable Datadog debug. (Default: ```false```)
+Enables Datadog debug. (Default: ```false```)
 
 `--tracing.datadog.globaltag`:  
-Key:Value tag to be set on all the spans.
+Sets a key:value tag on all spans.
 
 `--tracing.datadog.localagenthostport`:  
-Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+Sets the Datadog Agent host:port. (Default: ```localhost:8126```)
 
 `--tracing.datadog.parentidheadername`:  
-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.
 
 `--tracing.datadog.prioritysampling`:  
-Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
 
 `--tracing.datadog.samplingpriorityheadername`:  
-Specifies the header name that will be used to store the sampling priority.
+Sets the header name used to store the sampling priority.
 
 `--tracing.datadog.traceidheadername`:  
-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.
 
 `--tracing.elastic`:  
 Settings for Elastic. (Default: ```false```)
 
 `--tracing.elastic.secrettoken`:  
-Set the token used to connect to Elastic APM Server.
+Sets the token used to connect to Elastic APM Server.
 
 `--tracing.elastic.serverurl`:  
-Set the URL of the Elastic APM server.
+Sets the URL of the Elastic APM server.
 
 `--tracing.elastic.serviceenvironment`:  
-Set the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
+Sets the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
 
 `--tracing.haystack`:  
 Settings for Haystack. (Default: ```false```)
 
 `--tracing.haystack.baggageprefixheadername`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.
 
 `--tracing.haystack.globaltag`:  
-Key:Value tag to be set on all the spans.
+Sets a key:value tag on all spans.
 
 `--tracing.haystack.localagenthost`:  
-Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
+Sets the Haystack Agent host. (Default: ```127.0.0.1```)
 
 `--tracing.haystack.localagentport`:  
-Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+Sets the Haystack Agent port. (Default: ```35000```)
 
 `--tracing.haystack.parentidheadername`:  
-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.
 
 `--tracing.haystack.spanidheadername`:  
-Specifies the header name that will be used to store the span ID.
+Sets the header name used to store the span ID.
 
 `--tracing.haystack.traceidheadername`:  
-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.
 
 `--tracing.instana`:  
 Settings for Instana. (Default: ```false```)
 
 `--tracing.instana.localagenthost`:  
-Set instana-agent's host that the reporter will used.
+Sets the Instana Agent host.
 
 `--tracing.instana.localagentport`:  
-Set instana-agent's port that the reporter will used. (Default: ```42699```)
+Sets the Instana Agent port used. (Default: ```42699```)
 
 `--tracing.instana.loglevel`:  
-Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: ```info```)
 
 `--tracing.jaeger`:  
 Settings for Jaeger. (Default: ```false```)
@@ -943,28 +943,28 @@ Password for basic http authentication when sending spans to jaeger-collector.
 User for basic http authentication when sending spans to jaeger-collector.
 
 `--tracing.jaeger.disableattemptreconnecting`:  
-Disable the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: ```true```)
+Disables the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: ```true```)
 
 `--tracing.jaeger.gen128bit`:  
-Generate 128 bit span IDs. (Default: ```false```)
+Generates 128 bits span IDs. (Default: ```false```)
 
 `--tracing.jaeger.localagenthostport`:  
-Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+Sets the Jaeger Agent host:port. (Default: ```127.0.0.1:6831```)
 
 `--tracing.jaeger.propagation`:  
-Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+Sets the propagation format (jaeger/b3). (Default: ```jaeger```)
 
 `--tracing.jaeger.samplingparam`:  
-Set the sampling parameter. (Default: ```1.000000```)
+Sets the sampling parameter. (Default: ```1.000000```)
 
 `--tracing.jaeger.samplingserverurl`:  
-Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+Sets the sampling server URL. (Default: ```http://localhost:5778/sampling```)
 
 `--tracing.jaeger.samplingtype`:  
-Set the sampling type. (Default: ```const```)
+Sets the sampling type. (Default: ```const```)
 
 `--tracing.jaeger.tracecontextheadername`:  
-Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)
 
 `--tracing.servicename`:  
 Set the name for this service. (Default: ```traefik```)
@@ -976,13 +976,13 @@ Set the maximum character limit for Span names (default 0 = no limit). (Default:
 Settings for Zipkin. (Default: ```false```)
 
 `--tracing.zipkin.httpendpoint`:  
-HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
+Sets the HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
 
 `--tracing.zipkin.id128bit`:  
-Use Zipkin 128 bit root span IDs. (Default: ```true```)
+Uses 128 bits root span IDs. (Default: ```true```)
 
 `--tracing.zipkin.samespan`:  
-Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+Uses SameSpan RPC style traces. (Default: ```false```)
 
 `--tracing.zipkin.samplerate`:  
-The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
+Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)

docs/content/reference/static-configuration/env-ref.md

@@ -859,76 +859,76 @@ OpenTracing configuration. (Default: ```false```)
 Settings for Datadog. (Default: ```false```)
 
 `TRAEFIK_TRACING_DATADOG_BAGAGEPREFIXHEADERNAME`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.
 
 `TRAEFIK_TRACING_DATADOG_DEBUG`:  
-Enable Datadog debug. (Default: ```false```)
+Enables Datadog debug. (Default: ```false```)
 
 `TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
+Sets a key:value tag on all spans.
 
 `TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
-Set datadog-agent's host:port that the reporter will used. (Default: ```localhost:8126```)
+Sets the Datadog Agent host:port. (Default: ```localhost:8126```)
 
 `TRAEFIK_TRACING_DATADOG_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.
 
 `TRAEFIK_TRACING_DATADOG_PRIORITYSAMPLING`:  
-Enable priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
+Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled. (Default: ```false```)
 
 `TRAEFIK_TRACING_DATADOG_SAMPLINGPRIORITYHEADERNAME`:  
-Specifies the header name that will be used to store the sampling priority.
+Sets the header name used to store the sampling priority.
 
 `TRAEFIK_TRACING_DATADOG_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.
 
 `TRAEFIK_TRACING_ELASTIC`:  
 Settings for Elastic. (Default: ```false```)
 
 `TRAEFIK_TRACING_ELASTIC_SECRETTOKEN`:  
-Set the token used to connect to Elastic APM Server.
+Sets the token used to connect to Elastic APM Server.
 
 `TRAEFIK_TRACING_ELASTIC_SERVERURL`:  
-Set the URL of the Elastic APM server.
+Sets the URL of the Elastic APM server.
 
 `TRAEFIK_TRACING_ELASTIC_SERVICEENVIRONMENT`:  
-Set the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
+Sets the name of the environment Traefik is deployed in, e.g. 'production' or 'staging'.
 
 `TRAEFIK_TRACING_HAYSTACK`:  
 Settings for Haystack. (Default: ```false```)
 
 `TRAEFIK_TRACING_HAYSTACK_BAGGAGEPREFIXHEADERNAME`:  
-Specifies the header name prefix that will be used to store baggage items in a map.
+Sets the header name prefix used to store baggage items in a map.
 
 `TRAEFIK_TRACING_HAYSTACK_GLOBALTAG`:  
-Key:Value tag to be set on all the spans.
+Sets a key:value tag on all spans.
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTHOST`:  
-Set haystack-agent's host that the reporter will used. (Default: ```127.0.0.1```)
+Sets the Haystack Agent host. (Default: ```127.0.0.1```)
 
 `TRAEFIK_TRACING_HAYSTACK_LOCALAGENTPORT`:  
-Set haystack-agent's port that the reporter will used. (Default: ```35000```)
+Sets the Haystack Agent port. (Default: ```35000```)
 
 `TRAEFIK_TRACING_HAYSTACK_PARENTIDHEADERNAME`:  
-Specifies the header name that will be used to store the parent ID.
+Sets the header name used to store the parent ID.
 
 `TRAEFIK_TRACING_HAYSTACK_SPANIDHEADERNAME`:  
-Specifies the header name that will be used to store the span ID.
+Sets the header name used to store the span ID.
 
 `TRAEFIK_TRACING_HAYSTACK_TRACEIDHEADERNAME`:  
-Specifies the header name that will be used to store the trace ID.
+Sets the header name used to store the trace ID.
 
 `TRAEFIK_TRACING_INSTANA`:  
 Settings for Instana. (Default: ```false```)
 
 `TRAEFIK_TRACING_INSTANA_LOCALAGENTHOST`:  
-Set instana-agent's host that the reporter will used.
+Sets the Instana Agent host.
 
 `TRAEFIK_TRACING_INSTANA_LOCALAGENTPORT`:  
-Set instana-agent's port that the reporter will used. (Default: ```42699```)
+Sets the Instana Agent port used. (Default: ```42699```)
 
 `TRAEFIK_TRACING_INSTANA_LOGLEVEL`:  
-Set instana-agent's log level. ('error','warn','info','debug') (Default: ```info```)
+Sets the log level for the Instana tracer. ('error','warn','info','debug') (Default: ```info```)
 
 `TRAEFIK_TRACING_JAEGER`:  
 Settings for Jaeger. (Default: ```false```)
@@ -943,28 +943,28 @@ Password for basic http authentication when sending spans to jaeger-collector.
 User for basic http authentication when sending spans to jaeger-collector.
 
 `TRAEFIK_TRACING_JAEGER_DISABLEATTEMPTRECONNECTING`:  
-Disable the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: ```true```)
+Disables the periodic re-resolution of the agent's hostname and reconnection if there was a change. (Default: ```true```)
 
 `TRAEFIK_TRACING_JAEGER_GEN128BIT`:  
-Generate 128 bit span IDs. (Default: ```false```)
+Generates 128 bits span IDs. (Default: ```false```)
 
 `TRAEFIK_TRACING_JAEGER_LOCALAGENTHOSTPORT`:  
-Set jaeger-agent's host:port that the reporter will used. (Default: ```127.0.0.1:6831```)
+Sets the Jaeger Agent host:port. (Default: ```127.0.0.1:6831```)
 
 `TRAEFIK_TRACING_JAEGER_PROPAGATION`:  
-Which propagation format to use (jaeger/b3). (Default: ```jaeger```)
+Sets the propagation format (jaeger/b3). (Default: ```jaeger```)
 
 `TRAEFIK_TRACING_JAEGER_SAMPLINGPARAM`:  
-Set the sampling parameter. (Default: ```1.000000```)
+Sets the sampling parameter. (Default: ```1.000000```)
 
 `TRAEFIK_TRACING_JAEGER_SAMPLINGSERVERURL`:  
-Set the sampling server url. (Default: ```http://localhost:5778/sampling```)
+Sets the sampling server URL. (Default: ```http://localhost:5778/sampling```)
 
 `TRAEFIK_TRACING_JAEGER_SAMPLINGTYPE`:  
-Set the sampling type. (Default: ```const```)
+Sets the sampling type. (Default: ```const```)
 
 `TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
-Set the header to use for the trace-id. (Default: ```uber-trace-id```)
+Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)
 
 `TRAEFIK_TRACING_SERVICENAME`:  
 Set the name for this service. (Default: ```traefik```)
@@ -976,13 +976,13 @@ Set the maximum character limit for Span names (default 0 = no limit). (Default:
 Settings for Zipkin. (Default: ```false```)
 
 `TRAEFIK_TRACING_ZIPKIN_HTTPENDPOINT`:  
-HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
+Sets the HTTP Endpoint to report traces to. (Default: ```http://localhost:9411/api/v2/spans```)
 
 `TRAEFIK_TRACING_ZIPKIN_ID128BIT`:  
-Use Zipkin 128 bit root span IDs. (Default: ```true```)
+Uses 128 bits root span IDs. (Default: ```true```)
 
 `TRAEFIK_TRACING_ZIPKIN_SAMESPAN`:  
-Use Zipkin SameSpan RPC style traces. (Default: ```false```)
+Uses SameSpan RPC style traces. (Default: ```false```)
 
 `TRAEFIK_TRACING_ZIPKIN_SAMPLERATE`:  
-The rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
+Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)

docs/content/routing/providers/consul-catalog.md

@@ -63,7 +63,7 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
     See [tls](../routers/index.md#tls) for more information.
     
     ```yaml
-    traefik.http.routers.myrouter>.tls=true
+    traefik.http.routers.myrouter.tls=true
     ```
 
 ??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
@@ -136,7 +136,7 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     See [serverstransport](../services/index.md#serverstransport) for more information.
     
     ```yaml
-    traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file
+    traefik.http.services.myservice.loadbalancer.serverstransport=foobar@file
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"

docs/content/routing/providers/kubernetes-crd.md

@@ -131,7 +131,6 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
         - tcpep
       routes:
       - match: HostSNI(`bar`)
-        kind: Rule
         services:
           - name: whoamitcp
             port: 8080
@@ -147,8 +146,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
       entryPoints:
         - udpep
       routes:
-      - kind: Rule
-        services:
+      - services:
           - name: whoamiudp
             port: 8080
     ```
@@ -477,7 +475,7 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
 
 !!! important "Using Kubernetes ExternalName Service"
 
-    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/fr/docs/concepts/services-networking/service/#externalname) could be defined without any port.
+    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) could be defined without any port.
     Accordingly, Traefik supports defining a port in two ways:
     
     - only on `IngressRoute` service
@@ -1200,7 +1198,7 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
 
 !!! important "Using Kubernetes ExternalName Service"
 
-    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/fr/docs/concepts/services-networking/service/#externalname) could be defined without any port.
+    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) could be defined without any port.
     Accordingly, Traefik supports defining a port in two ways:
     
     - only on `IngressRouteTCP` service
@@ -1224,7 +1222,6 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
         
           routes:
           - match: HostSNI(`*`)
-            kind: Rule
             services:
             - name: external-svc
               port: 80
@@ -1254,7 +1251,6 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
         
           routes:
           - match: HostSNI(`*`)
-            kind: Rule
             services:
             - name: external-svc
               port: 80
@@ -1379,7 +1375,7 @@ Register the `IngressRouteUDP` [kind](../../reference/dynamic-configuration/kube
 
 !!! important "Using Kubernetes ExternalName Service"
 
-    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/fr/docs/concepts/services-networking/service/#externalname) could be defined without any port.
+    Traefik backends creation needs a port to be set, however Kubernetes [ExternalName Service](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) could be defined without any port.
     Accordingly, Traefik supports defining a port in two ways:
     
     - only on `IngressRouteUDP` service

docs/content/routing/providers/kubernetes-ingress.md

@@ -15,8 +15,8 @@ which in turn will create the resulting routers, services, handlers, etc.
 
     ```yaml tab="RBAC"
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     rules:
@@ -48,8 +48,8 @@ which in turn will create the resulting routers, services, handlers, etc.
           - update
 
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     roleRef:
@@ -63,8 +63,37 @@ which in turn will create the resulting routers, services, handlers, etc.
     ```
 
     ```yaml tab="Ingress"
+    apiVersion: networking.k8s.io/v1
     kind: Ingress
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: web
+
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+              - path: /foo
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+    ```
+
+    ```yaml tab="Ingress v1beta1 (deprecated)"
     apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
     metadata:
       name: myingress
       annotations:
@@ -84,36 +113,7 @@ which in turn will create the resulting routers, services, handlers, etc.
                   serviceName: whoami
                   servicePort: 80
     ```
-    
-    ```yaml tab="Ingress Kubernetes v1.19+"
-    kind: Ingress
-    apiVersion: networking.k8s.io/v1
-    metadata:
-      name: myingress
-      annotations:
-        traefik.ingress.kubernetes.io/router.entrypoints: web
-    
-    spec:
-      rules:
-        - host: example.com
-          http:
-            paths:
-              - path: /bar
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-              - path: /foo
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-    ```
-    
+
     ```yaml tab="Traefik"
     apiVersion: v1
     kind: ServiceAccount
@@ -121,8 +121,8 @@ which in turn will create the resulting routers, services, handlers, etc.
       name: traefik-ingress-controller
 
     ---
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: traefik
       labels:
@@ -166,8 +166,8 @@ which in turn will create the resulting routers, services, handlers, etc.
     ```
 
     ```yaml tab="Whoami"
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: whoami
       labels:
@@ -209,6 +209,11 @@ which in turn will create the resulting routers, services, handlers, etc.
 
 ## Annotations
 
+!!! warning "Referencing resources in annotations"
+    
+    In an annotation, when referencing a resource defined by another provider,
+    the [provider namespace syntax](../../providers/overview.md#provider-namespace) must be used.
+
 #### On Ingress
 
 ??? info "`traefik.ingress.kubernetes.io/router.entrypoints`"
@@ -224,7 +229,7 @@ which in turn will create the resulting routers, services, handlers, etc.
     See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
 
     ```yaml
-    traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kubernetescrd,cb@file
+    traefik.ingress.kubernetes.io/router.middlewares: auth@file,default-prefix@kubernetescrd
     ```
 
 ??? info "`traefik.ingress.kubernetes.io/router.priority`"
@@ -237,7 +242,7 @@ which in turn will create the resulting routers, services, handlers, etc.
 
 ??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`"
 
-    Overrides the default router rule type used for a path.  
+    Overrides the default router rule type used for a path.
     Only path-related matcher name can be specified: `Path`, `PathPrefix`.
 
     Default `PathPrefix`
@@ -283,7 +288,7 @@ which in turn will create the resulting routers, services, handlers, etc.
     See [options](../routers/index.md#options) for more information.
 
     ```yaml
-    traefik.ingress.kubernetes.io/router.tls.options: foobar
+    traefik.ingress.kubernetes.io/router.tls.options: foobar@file
     ```
 
 #### On Service
@@ -401,8 +406,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
 
     ```yaml tab="RBAC"
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     rules:
@@ -434,8 +439,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
           - update
 
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     roleRef:
@@ -449,8 +454,37 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
     ```
 
     ```yaml tab="Ingress"
+    apiVersion: networking.k8s.io/v1
     kind: Ingress
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+              - path: /foo
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+    ```
+
+    ```yaml tab="Ingress v1beta1 (deprecated)"
     apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
     metadata:
       name: myingress
       annotations:
@@ -470,36 +504,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
                   serviceName: whoami
                   servicePort: 80
     ```
-    
-    ```yaml tab="Ingress Kubernetes v1.19+"
-    kind: Ingress
-    apiVersion: networking.k8s.io/v1
-    metadata:
-      name: myingress
-      annotations:
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    
-    spec:
-      rules:
-        - host: example.com
-          http:
-            paths:
-              - path: /bar
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-              - path: /foo
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-    ```
-    
+
     ```yaml tab="Traefik"
     apiVersion: v1
     kind: ServiceAccount
@@ -507,8 +512,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
       name: traefik-ingress-controller
 
     ---
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: traefik
       labels:
@@ -553,8 +558,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
     ```
 
     ```yaml tab="Whoami"
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: whoami
       labels:
@@ -608,8 +613,8 @@ For more options, please refer to the available [annotations](#on-ingress).
 
     ```yaml tab="RBAC"
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     rules:
@@ -641,8 +646,8 @@ For more options, please refer to the available [annotations](#on-ingress).
           - update
 
     ---
+    apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
-    apiVersion: rbac.authorization.k8s.io/v1beta1
     metadata:
       name: traefik-ingress-controller
     roleRef:
@@ -656,8 +661,38 @@ For more options, please refer to the available [annotations](#on-ingress).
     ```
 
     ```yaml tab="Ingress"
+    apiVersion: networking.k8s.io/v1
     kind: Ingress
+    metadata:
+      name: myingress
+      annotations:
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: true
+
+    spec:
+      rules:
+        - host: example.com
+          http:
+            paths:
+              - path: /bar
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+              - path: /foo
+                pathType: Exact
+                backend:
+                  service:
+                    name:  whoami
+                    port:
+                      number: 80
+    ```
+
+    ```yaml tab="Ingress v1beta1 (deprecated)"
     apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
     metadata:
       name: myingress
       annotations:
@@ -678,37 +713,7 @@ For more options, please refer to the available [annotations](#on-ingress).
                   serviceName: whoami
                   servicePort: 80
     ```
-    
-    ```yaml tab="Ingress Kubernetes v1.19+"
-    kind: Ingress
-    apiVersion: networking.k8s.io/v1
-    metadata:
-      name: myingress
-      annotations:
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        traefik.ingress.kubernetes.io/router.tls: true
-    
-    spec:
-      rules:
-        - host: example.com
-          http:
-            paths:
-              - path: /bar
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-              - path: /foo
-                pathType: Exact
-                backend:
-                  service:
-                    name:  whoami
-                    port:
-                      number: 80
-    ```
-    
+
     ```yaml tab="Traefik"
     apiVersion: v1
     kind: ServiceAccount
@@ -716,8 +721,8 @@ For more options, please refer to the available [annotations](#on-ingress).
       name: traefik-ingress-controller
 
     ---
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: traefik
       labels:
@@ -761,8 +766,8 @@ For more options, please refer to the available [annotations](#on-ingress).
     ```
 
     ```yaml tab="Whoami"
-    kind: Deployment
     apiVersion: apps/v1
+    kind: Deployment
     metadata:
       name: whoami
       labels:
@@ -807,8 +812,34 @@ For more options, please refer to the available [annotations](#on-ingress).
 ??? example "Using a secret"
 
     ```yaml tab="Ingress"
+    apiVersion: networking.k8s.io/v1
     kind: Ingress
+    metadata:
+      name: foo
+      namespace: production
+
+    spec:
+      rules:
+      - host: example.net
+        http:
+          paths:
+          - path: /bar
+            pathType: Exact
+            backend:
+              service:
+                name:  service1
+                port:
+                  number: 80
+      # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
+      # Doesn't enable TLS for that ingress (hence for the underlying router).
+      # Please see the TLS annotations on ingress made for that purpose.
+      tls:
+      - secretName: supersecret
+    ```
+
+    ```yaml tab="Ingress v1beta1 (deprecated)"
     apiVersion: networking.k8s.io/v1beta1
+    kind: Ingress
     metadata:
       name: foo
       namespace: production
@@ -829,32 +860,6 @@ For more options, please refer to the available [annotations](#on-ingress).
       - secretName: supersecret
     ```
 
-    ```yaml tab="Ingress Kubernetes v1.19+"
-    kind: Ingress
-    apiVersion: networking.k8s.io/v1
-    metadata:
-      name: foo
-      namespace: production
-    
-    spec:
-      rules:
-      - host: example.net
-        http:
-          paths:
-          - path: /bar
-            pathType: Exact
-            backend:
-              service:
-                name:  service1
-                port:
-                  number: 80
-      # Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
-      # Doesn't enable TLS for that ingress (hence for the underlying router).
-      # Please see the TLS annotations on ingress made for that purpose.
-      tls:
-      - secretName: supersecret
-    ```
-      
     ```yaml tab="Secret"
     apiVersion: v1
     kind: Secret
@@ -900,18 +905,6 @@ and will connect via TLS automatically.
 Ingresses can be created that look like the following:
 
 ```yaml tab="Ingress"
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
- name: cheese
-
-spec:
-  defaultBackend:
-    serviceName: stilton
-    serverPort: 80
-```
-
-```yaml tab="Ingress Kubernetes v1.19+"
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -925,6 +918,18 @@ spec:
         number: 80
 ```
 
+```yaml tab="Ingress v1beta1 (deprecated)"
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: cheese
+
+spec:
+  defaultBackend:
+    serviceName: stilton
+    serverPort: 80
+```
+
 This ingress follows the Global Default Backend property of ingresses.
 This will allow users to create a "default router" that will match all unmatched requests.
 

docs/content/routing/routers/index.md

@@ -251,6 +251,7 @@ The table below lists all the available matchers:
 
     `HostRegexp` and `Path` accept an expression with zero or more groups enclosed by curly braces.
     Named groups can be like `{name:pattern}` that matches the given regexp pattern or like `{name}` that matches anything until the next dot.
+    The group name (`name` in the above examples) is an arbitrary value.
     Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `{subdomain:[a-z]+}.{domain}.com`).
 
 !!! info "Combining Matchers Using Operators and Parenthesis"

docs/content/routing/services/index.md

@@ -336,11 +336,11 @@ Below are the available options for the health check mechanism:
     Traefik keeps monitoring the health of unhealthy servers.
     If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balancer rotation pool.
 
-!!! warning "Health check in Kubernetes"
+!!! warning "Health check with Kubernetes"
 
-    The Traefik health check is not available for `kubernetesCRD` and `kubernetesIngress` providers because Kubernetes
-    already has a health check mechanism.
-    Unhealthy pods will be removed by kubernetes. (cf [liveness documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request))
+    Kubernetes has an health check mechanism to remove unhealthy pods from Kubernetes services (cf [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)).
+    As unhealthy pods have no Kubernetes endpoints, Traefik will not forward traffic to them.
+    Therefore, Traefik health check is not available for `kubernetesCRD` and `kubernetesIngress` providers.
 
 ??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)"
 

docs/content/user-guides/grpc.md

@@ -224,8 +224,8 @@ So we modify the "gRPC server example" to use our own self-signed certificate:
 // ...
 
 // Read cert and key file
-backendCert, _ := ioutil.ReadFile("./backend.cert")
-backendKey, _ := ioutil.ReadFile("./backend.key")
+backendCert, _ := os.ReadFile("./backend.cert")
+backendKey, _ := os.ReadFile("./backend.key")
 
 // Generate Certificate struct
 cert, err := tls.X509KeyPair(backendCert, backendKey)
@@ -253,7 +253,7 @@ Next we will modify gRPC Client to use our Traefik self-signed certificate:
 // ...
 
 // Read cert file
-frontendCert, _ := ioutil.ReadFile("./frontend.cert")
+frontendCert, _ := os.ReadFile("./frontend.cert")
 
 // Create CertPool
 roots := x509.NewCertPool()

go.mod

@@ -7,73 +7,62 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/ExpediaDotCom/haystack-client-go v0.0.0-20190315171017-e7edbdf53a61
 	github.com/Masterminds/sprig/v3 v3.2.2
-	github.com/Microsoft/hcsshim v0.8.7 // indirect
 	github.com/Shopify/sarama v1.23.1 // indirect
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
-	github.com/abronan/valkeyrie v0.0.0-20200127174252-ef4277a138cd
-	github.com/aws/aws-sdk-go v1.37.27
-	github.com/cenkalti/backoff/v4 v4.1.0
-	github.com/containerd/containerd v1.3.2 // indirect
+	github.com/abronan/valkeyrie v0.2.0
+	github.com/aws/aws-sdk-go v1.39.0
+	github.com/cenkalti/backoff/v4 v4.1.1
+	github.com/compose-spec/compose-go v1.0.3
+	github.com/containerd/containerd v1.5.8 // indirect
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/davecgh/go-spew v1.1.1
-	github.com/docker/cli v0.0.0-20200221155518-740919cc7fc0
-	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v17.12.0-ce-rc1.0.20200204220554-5f6d6f3f2203+incompatible
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/docker/cli v20.10.11+incompatible
+	github.com/docker/compose/v2 v2.0.1
+	github.com/docker/docker v20.10.7+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 // indirect
-	github.com/docker/libcompose v0.0.0-20190805081528-eac9fe1b8b03 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/donovanhide/eventsource v0.0.0-20170630084216-b8f31a59085e // indirect
 	github.com/eapache/channels v1.1.0
 	github.com/elazarl/go-bindata-assetfs v1.0.0
 	github.com/fatih/structs v1.1.0
 	github.com/gambol99/go-marathon v0.0.0-20180614232016-99a156b96fb2
-	github.com/go-acme/lego/v4 v4.4.0
+	github.com/go-acme/lego/v4 v4.5.3
 	github.com/go-check/check v0.0.0-00010101000000-000000000000
 	github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-github/v28 v28.1.1
-	github.com/gorilla/mux v1.7.3
+	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.4.2
-	github.com/hashicorp/consul v1.10.0
-	github.com/hashicorp/consul/api v1.9.1
+	github.com/hashicorp/consul v1.10.3
+	github.com/hashicorp/consul/api v1.10.0
 	github.com/hashicorp/go-hclog v0.16.1
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-version v1.2.1
+	github.com/hashicorp/go-version v1.3.0
 	github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
 	github.com/instana/go-sensor v1.5.1
 	github.com/klauspost/compress v1.13.0
-	github.com/libkermit/compose v0.0.0-20171122111507-c04e39c026ad
-	github.com/libkermit/docker v0.0.0-20171122101128-e6674d32b807
-	github.com/libkermit/docker-check v0.0.0-20171122104347-1113af38e591
 	github.com/lucas-clemente/quic-go v0.23.0
 	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/copystructure v1.0.0
 	github.com/mitchellh/hashstructure v1.0.0
-	github.com/mitchellh/mapstructure v1.4.1
-	github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c // indirect
-	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
-	github.com/opencontainers/runc v1.0.0-rc10 // indirect
-	github.com/opentracing/opentracing-go v1.1.0
+	github.com/mitchellh/mapstructure v1.4.2
+	github.com/opentracing/opentracing-go v1.2.0
 	github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5
 	github.com/openzipkin/zipkin-go v0.2.2
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philhofer/fwd v1.0.0 // indirect
-	github.com/pires/go-proxyproto v0.5.0
+	github.com/pires/go-proxyproto v0.6.1
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/prometheus/client_golang v1.7.1
+	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/client_model v0.2.0
 	github.com/rancher/go-rancher-metadata v0.0.0-20200311180630-7f4c936a06ac
-	github.com/sirupsen/logrus v1.7.0
+	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
 	github.com/tinylib/msgp v1.0.2 // indirect
 	github.com/traefik/paerser v0.1.4
-	github.com/traefik/yaegi v0.10.0
+	github.com/traefik/yaegi v0.11.2
 	github.com/uber/jaeger-client-go v2.29.1+incompatible
 	github.com/uber/jaeger-lib v2.2.0+incompatible
 	github.com/unrolled/render v1.0.2
@@ -84,11 +73,11 @@ require (
 	go.elastic.co/apm v1.13.1
 	go.elastic.co/apm/module/apmot v1.13.1
 	golang.org/x/mod v0.4.2
-	golang.org/x/net v0.0.0-20210428140749-89ef3d95e781
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63
 	golang.org/x/sys v0.0.0-20210817190340-bfb29a6856f2 // indirect
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
-	golang.org/x/tools v0.1.1
-	google.golang.org/grpc v1.27.1
+	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
+	golang.org/x/tools v0.1.2
+	google.golang.org/grpc v1.38.0
 	gopkg.in/DataDog/dd-trace-go.v1 v1.19.0
 	gopkg.in/fsnotify.v1 v1.4.7
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
@@ -109,3 +98,6 @@ replace (
 	github.com/mailgun/minheap => github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595
 	github.com/mailgun/multibuf => github.com/containous/multibuf v0.0.0-20190809014333-8b6c9a7e6bba
 )
+
+// https://github.com/docker/compose/blob/e44222664abd07ce1d1fe6796d84d93cbc7468c3/go.mod#L131
+replace github.com/jaguilar/vt100 => github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305

integration/access_log_test.go

@@ -36,12 +36,7 @@ type accessLogValue struct {
 
 func (s *AccessLogSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "access_log")
-	s.composeProject.Start(c)
-
-	s.composeProject.Container(c, "server0")
-	s.composeProject.Container(c, "server1")
-	s.composeProject.Container(c, "server2")
-	s.composeProject.Container(c, "server3")
+	s.composeUp(c)
 }
 
 func (s *AccessLogSuite) TearDownTest(c *check.C) {
@@ -122,7 +117,7 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend(c *check.C) {
 			code:       "200",
 			user:       "test",
 			routerName: "rt-authFrontend",
-			serviceURL: "http://172.17.0",
+			serviceURL: "http://172.31.42",
 		},
 	}
 
@@ -136,8 +131,6 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontend(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "authFrontend")
-
 	waitForTraefik(c, "authFrontend")
 
 	// Verify Traefik started OK
@@ -193,7 +186,7 @@ func (s *AccessLogSuite) TestAccessLogDigestAuthMiddleware(c *check.C) {
 			code:       "200",
 			user:       "test",
 			routerName: "rt-digestAuthMiddleware",
-			serviceURL: "http://172.17.0",
+			serviceURL: "http://172.31.42",
 		},
 	}
 
@@ -207,8 +200,6 @@ func (s *AccessLogSuite) TestAccessLogDigestAuthMiddleware(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "digestAuthMiddleware")
-
 	waitForTraefik(c, "digestAuthMiddleware")
 
 	// Verify Traefik started OK
@@ -322,8 +313,6 @@ func (s *AccessLogSuite) TestAccessLogFrontendRedirect(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "frontendRedirect")
-
 	waitForTraefik(c, "frontendRedirect")
 
 	// Verify Traefik started OK
@@ -375,8 +364,6 @@ func (s *AccessLogSuite) TestAccessLogRateLimit(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "rateLimit")
-
 	waitForTraefik(c, "rateLimit")
 
 	// Verify Traefik started OK
@@ -471,8 +458,6 @@ func (s *AccessLogSuite) TestAccessLogFrontendWhitelist(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "frontendWhitelist")
-
 	waitForTraefik(c, "frontendWhitelist")
 
 	// Verify Traefik started OK
@@ -504,7 +489,7 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontendSuccess(c *check.C) {
 			code:       "200",
 			user:       "test",
 			routerName: "rt-authFrontend",
-			serviceURL: "http://172.17.0",
+			serviceURL: "http://172.31.42",
 		},
 	}
 
@@ -518,8 +503,6 @@ func (s *AccessLogSuite) TestAccessLogAuthFrontendSuccess(c *check.C) {
 
 	checkStatsForLogFile(c)
 
-	s.composeProject.Container(c, "authFrontend")
-
 	waitForTraefik(c, "authFrontend")
 
 	// Verify Traefik started OK
@@ -548,7 +531,6 @@ func checkNoOtherTraefikProblems(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	if len(traefikLog) > 0 {
 		fmt.Printf("%s\n", string(traefikLog))
-		c.Assert(traefikLog, checker.HasLen, 0)
 	}
 }
 
@@ -616,7 +598,6 @@ func checkTraefikStarted(c *check.C) []byte {
 	c.Assert(err, checker.IsNil)
 	if len(traefikLog) > 0 {
 		fmt.Printf("%s\n", string(traefikLog))
-		c.Assert(traefikLog, checker.HasLen, 0)
 	}
 	return traefikLog
 }

integration/acme_test.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -19,7 +20,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// ACME test suites (using libcompose).
+// ACME test suites.
 type AcmeSuite struct {
 	BaseSuite
 	pebbleIP      string
@@ -54,7 +55,8 @@ const (
 )
 
 func (s *AcmeSuite) getAcmeURL() string {
-	return fmt.Sprintf("https://%s:14000/dir", s.pebbleIP)
+	return fmt.Sprintf("https://%s/dir",
+		net.JoinHostPort(s.pebbleIP, "14000"))
 }
 
 func setupPebbleRootCA() (*http.Transport, error) {
@@ -86,11 +88,10 @@ func setupPebbleRootCA() (*http.Transport, error) {
 
 func (s *AcmeSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "pebble")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	s.fakeDNSServer = startFakeDNSServer()
-
-	s.pebbleIP = s.composeProject.Container(c, "pebble").NetworkSettings.IPAddress
+	s.fakeDNSServer = startFakeDNSServer(s.getContainerIP(c, "traefik"))
+	s.pebbleIP = s.getComposeServiceIP(c, "pebble")
 
 	pebbleTransport, err := setupPebbleRootCA()
 	if err != nil {
@@ -115,15 +116,14 @@ func (s *AcmeSuite) SetUpSuite(c *check.C) {
 }
 
 func (s *AcmeSuite) TearDownSuite(c *check.C) {
-	err := s.fakeDNSServer.Shutdown()
-	if err != nil {
-		c.Log(err)
+	if s.fakeDNSServer != nil {
+		err := s.fakeDNSServer.Shutdown()
+		if err != nil {
+			c.Log(err)
+		}
 	}
 
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
+	s.composeDown(c)
 }
 
 func (s *AcmeSuite) TestHTTP01Domains(c *check.C) {

integration/consul_catalog_test.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"time"
@@ -14,32 +15,31 @@ import (
 
 type ConsulCatalogSuite struct {
 	BaseSuite
-	consulClient       *api.Client
-	consulAgentClient  *api.Client
-	consulAddress      string
-	consulAgentAddress string
+	consulClient      *api.Client
+	consulAgentClient *api.Client
+	consulURL         string
 }
 
 func (s *ConsulCatalogSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "consul_catalog")
-	s.composeProject.Start(c)
-	s.consulAddress = "http://" + s.composeProject.Container(c, "consul").NetworkSettings.IPAddress + ":8500"
-	client, err := api.NewClient(&api.Config{
-		Address: s.consulAddress,
+	s.composeUp(c)
+
+	s.consulURL = "http://" + net.JoinHostPort(s.getComposeServiceIP(c, "consul"), "8500")
+
+	var err error
+	s.consulClient, err = api.NewClient(&api.Config{
+		Address: s.consulURL,
 	})
 	c.Check(err, check.IsNil)
-	s.consulClient = client
 
 	// Wait for consul to elect itself leader
 	err = s.waitToElectConsulLeader()
 	c.Assert(err, checker.IsNil)
 
-	s.consulAgentAddress = "http://" + s.composeProject.Container(c, "consul-agent").NetworkSettings.IPAddress + ":8500"
-	clientAgent, err := api.NewClient(&api.Config{
-		Address: s.consulAgentAddress,
+	s.consulAgentClient, err = api.NewClient(&api.Config{
+		Address: "http://" + net.JoinHostPort(s.getComposeServiceIP(c, "consul-agent"), "8500"),
 	})
 	c.Check(err, check.IsNil)
-	s.consulAgentClient = clientAgent
 }
 
 func (s *ConsulCatalogSuite) waitToElectConsulLeader() error {
@@ -66,13 +66,6 @@ func (s *ConsulCatalogSuite) waitForConnectCA() error {
 	})
 }
 
-func (s *ConsulCatalogSuite) TearDownSuite(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
-}
-
 func (s *ConsulCatalogSuite) registerService(reg *api.AgentServiceRegistration, onAgent bool) error {
 	client := s.consulClient
 	if onAgent {
@@ -96,7 +89,7 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 		Name:    "whoami",
 		Tags:    []string{"traefik.enable=true"},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 	err := s.registerService(reg1, false)
 	c.Assert(err, checker.IsNil)
@@ -106,7 +99,7 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 		Name:    "whoami",
 		Tags:    []string{"traefik.enable=true"},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami2"),
 	}
 	err = s.registerService(reg2, false)
 	c.Assert(err, checker.IsNil)
@@ -116,7 +109,7 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 		Name:    "whoami",
 		Tags:    []string{"traefik.enable=true"},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami3"),
 	}
 	err = s.registerService(reg3, false)
 	c.Assert(err, checker.IsNil)
@@ -124,7 +117,7 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 
 	file := s.adaptFile(c, "fixtures/consul_catalog/default_not_exposed.toml", tempObjects)
@@ -163,7 +156,7 @@ func (s *ConsulCatalogSuite) TestWithNotExposedByDefaultAndDefaultsSettings(c *c
 }
 
 func (s *ConsulCatalogSuite) TestByLabels(c *check.C) {
-	containerIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	containerIP := s.getComposeServiceIP(c, "whoami1")
 
 	reg := &api.AgentServiceRegistration{
 		ID:   "whoami1",
@@ -183,7 +176,7 @@ func (s *ConsulCatalogSuite) TestByLabels(c *check.C) {
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 
 	file := s.adaptFile(c, "fixtures/consul_catalog/default_not_exposed.toml", tempObjects)
@@ -195,7 +188,7 @@ func (s *ConsulCatalogSuite) TestByLabels(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	err = try.GetRequest("http://127.0.0.1:8000/whoami", 2*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContainsOr("Hostname: whoami1", "Hostname: whoami2", "Hostname: whoami3"))
+	err = try.GetRequest("http://127.0.0.1:8000/whoami", 5*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContainsOr("Hostname: whoami1", "Hostname: whoami2", "Hostname: whoami3"))
 	c.Assert(err, checker.IsNil)
 
 	err = s.deregisterService("whoami1", false)
@@ -207,7 +200,7 @@ func (s *ConsulCatalogSuite) TestSimpleConfiguration(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -219,7 +212,7 @@ func (s *ConsulCatalogSuite) TestSimpleConfiguration(c *check.C) {
 		Name:    "whoami",
 		Tags:    []string{"traefik.enable=true"},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
@@ -246,7 +239,7 @@ func (s *ConsulCatalogSuite) TestRegisterServiceWithoutIP(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -285,7 +278,7 @@ func (s *ConsulCatalogSuite) TestDefaultConsulService(c *check.C) {
 		DefaultRule   string
 	}{
 
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -296,7 +289,7 @@ func (s *ConsulCatalogSuite) TestDefaultConsulService(c *check.C) {
 		ID:      "whoami1",
 		Name:    "whoami",
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 	err := s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
@@ -324,7 +317,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithTCPLabels(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -341,7 +334,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithTCPLabels(c *check.C) {
 			"traefik.tcp.Services.Super.Loadbalancer.server.port=8080",
 		},
 		Port:    8080,
-		Address: s.composeProject.Container(c, "whoamitcp").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoamitcp"),
 	}
 
 	err := s.registerService(reg, false)
@@ -371,7 +364,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithLabels(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -386,7 +379,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithLabels(c *check.C) {
 			"traefik.http.Routers.Super.Rule=Host(`my.super.host`)",
 		},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 
 	err := s.registerService(reg1, false)
@@ -400,7 +393,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithLabels(c *check.C) {
 			"traefik.http.Routers.SuperHost.Rule=Host(`my-super.host`)",
 		},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami2"),
 	}
 	err = s.registerService(reg2, false)
 	c.Assert(err, checker.IsNil)
@@ -438,7 +431,7 @@ func (s *ConsulCatalogSuite) TestSameServiceIDOnDifferentConsulAgent(c *check.C)
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -457,7 +450,7 @@ func (s *ConsulCatalogSuite) TestSameServiceIDOnDifferentConsulAgent(c *check.C)
 		Name:    "whoami",
 		Tags:    tags,
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 	err := s.registerService(reg1, false)
 	c.Assert(err, checker.IsNil)
@@ -467,7 +460,7 @@ func (s *ConsulCatalogSuite) TestSameServiceIDOnDifferentConsulAgent(c *check.C)
 		Name:    "whoami",
 		Tags:    tags,
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami2"),
 	}
 	err = s.registerService(reg2, true)
 	c.Assert(err, checker.IsNil)
@@ -490,8 +483,7 @@ func (s *ConsulCatalogSuite) TestSameServiceIDOnDifferentConsulAgent(c *check.C)
 	c.Assert(err, checker.IsNil)
 
 	err = try.Request(req, 2*time.Second, try.StatusCodeIs(200),
-		try.BodyContainsOr(s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
-			s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress))
+		try.BodyContainsOr(s.getComposeServiceIP(c, "whoami1"), s.getComposeServiceIP(c, "whoami2")))
 	c.Assert(err, checker.IsNil)
 
 	err = s.deregisterService("whoami", false)
@@ -506,7 +498,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithOneMissingLabels(c *check.C) {
 		ConsulAddress string
 		DefaultRule   string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 		DefaultRule:   "Host(`{{ normalize .Name }}.consul.localhost`)",
 	}
 
@@ -521,7 +513,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithOneMissingLabels(c *check.C) {
 			"traefik.random.value=my.super.host",
 		},
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: s.getComposeServiceIP(c, "whoami1"),
 	}
 
 	err := s.registerService(reg, false)
@@ -546,11 +538,12 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithOneMissingLabels(c *check.C) {
 }
 
 func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
+	whoamiIP := s.getComposeServiceIP(c, "whoami1")
 	tags := []string{
 		"traefik.enable=true",
 		"traefik.http.routers.router1.rule=Path(`/whoami`)",
 		"traefik.http.routers.router1.service=service1",
-		"traefik.http.services.service1.loadBalancer.server.url=http://" + s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		"traefik.http.services.service1.loadBalancer.server.url=http://" + whoamiIP,
 	}
 
 	reg1 := &api.AgentServiceRegistration{
@@ -558,7 +551,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
 		Name:    "whoami",
 		Tags:    tags,
 		Port:    80,
-		Address: s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress,
+		Address: whoamiIP,
 		Check: &api.AgentServiceCheck{
 			CheckID:  "some-failed-check",
 			TCP:      "127.0.0.1:1234",
@@ -574,7 +567,7 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 
 	file := s.adaptFile(c, "fixtures/consul_catalog/simple.toml", tempObjects)
@@ -592,17 +585,16 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck(c *check.C) {
 	err = s.deregisterService("whoami1", false)
 	c.Assert(err, checker.IsNil)
 
-	containerIP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
-
+	whoami2IP := s.getComposeServiceIP(c, "whoami2")
 	reg2 := &api.AgentServiceRegistration{
 		ID:      "whoami2",
 		Name:    "whoami",
 		Tags:    tags,
 		Port:    80,
-		Address: containerIP,
+		Address: whoami2IP,
 		Check: &api.AgentServiceCheck{
 			CheckID:  "some-ok-check",
-			TCP:      containerIP + ":80",
+			TCP:      whoami2IP + ":80",
 			Name:     "some-ok-check",
 			Interval: "1s",
 			Timeout:  "1s",
@@ -629,7 +621,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect(c *check.C) {
 	err := s.waitForConnectCA()
 	c.Assert(err, checker.IsNil)
 
-	connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
+	connectIP := s.getComposeServiceIP(c, "connect")
 	reg := &api.AgentServiceRegistration{
 		ID:   "uuid-api1",
 		Name: "uuid-api",
@@ -649,7 +641,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect(c *check.C) {
 	err = s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
-	whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoamiIP := s.getComposeServiceIP(c, "whoami1")
 	regWhoami := &api.AgentServiceRegistration{
 		ID:   "whoami1",
 		Name: "whoami",
@@ -667,7 +659,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect(c *check.C) {
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 	file := s.adaptFile(c, "fixtures/consul_catalog/connect.toml", tempObjects)
 	defer os.Remove(file)
@@ -695,7 +687,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault(c *check.C) {
 	err := s.waitForConnectCA()
 	c.Assert(err, checker.IsNil)
 
-	connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
+	connectIP := s.getComposeServiceIP(c, "connect")
 	reg := &api.AgentServiceRegistration{
 		ID:   "uuid-api1",
 		Name: "uuid-api",
@@ -714,7 +706,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault(c *check.C) {
 	err = s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
-	whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoamiIP := s.getComposeServiceIP(c, "whoami1")
 	regWhoami := &api.AgentServiceRegistration{
 		ID:   "whoami1",
 		Name: "whoami1",
@@ -729,7 +721,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault(c *check.C) {
 	err = s.registerService(regWhoami, false)
 	c.Assert(err, checker.IsNil)
 
-	whoami2IP := s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
+	whoami2IP := s.getComposeServiceIP(c, "whoami2")
 	regWhoami2 := &api.AgentServiceRegistration{
 		ID:   "whoami2",
 		Name: "whoami2",
@@ -748,7 +740,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault(c *check.C) {
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 	file := s.adaptFile(c, "fixtures/consul_catalog/connect_by_default.toml", tempObjects)
 	defer os.Remove(file)
@@ -781,7 +773,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_NotAware(c *check.C) {
 	err := s.waitForConnectCA()
 	c.Assert(err, checker.IsNil)
 
-	connectIP := s.composeProject.Container(c, "connect").NetworkSettings.IPAddress
+	connectIP := s.getComposeServiceIP(c, "connect")
 	reg := &api.AgentServiceRegistration{
 		ID:   "uuid-api1",
 		Name: "uuid-api",
@@ -801,7 +793,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_NotAware(c *check.C) {
 	err = s.registerService(reg, false)
 	c.Assert(err, checker.IsNil)
 
-	whoamiIP := s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	whoamiIP := s.getComposeServiceIP(c, "whoami1")
 	regWhoami := &api.AgentServiceRegistration{
 		ID:   "whoami1",
 		Name: "whoami",
@@ -819,7 +811,7 @@ func (s *ConsulCatalogSuite) TestConsulConnect_NotAware(c *check.C) {
 	tempObjects := struct {
 		ConsulAddress string
 	}{
-		ConsulAddress: s.consulAddress,
+		ConsulAddress: s.consulURL,
 	}
 	file := s.adaptFile(c, "fixtures/consul_catalog/connect_not_aware.toml", tempObjects)
 	defer os.Remove(file)

integration/consul_test.go

@@ -3,6 +3,8 @@ package integration
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -18,20 +20,24 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Consul test suites (using libcompose).
+// Consul test suites.
 type ConsulSuite struct {
 	BaseSuite
-	kvClient store.Store
+	kvClient  store.Store
+	consulURL string
 }
 
 func (s *ConsulSuite) setupStore(c *check.C) {
 	s.createComposeProject(c, "consul")
-	s.composeProject.Start(c)
+	s.composeUp(c)
+
+	consulAddr := net.JoinHostPort(s.getComposeServiceIP(c, "consul"), "8500")
+	s.consulURL = fmt.Sprintf("http://%s", consulAddr)
 
 	consul.Register()
 	kv, err := valkeyrie.NewStore(
 		store.CONSUL,
-		[]string{s.composeProject.Container(c, "consul").NetworkSettings.IPAddress + ":8500"},
+		[]string{consulAddr},
 		&store.Config{
 			ConnectionTimeout: 10 * time.Second,
 		},
@@ -46,20 +52,10 @@ func (s *ConsulSuite) setupStore(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
-func (s *ConsulSuite) TearDownTest(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
-}
-
-func (s *ConsulSuite) TearDownSuite(c *check.C) {}
-
 func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 	s.setupStore(c)
 
-	address := "http://" + s.composeProject.Container(c, "consul").NetworkSettings.IPAddress + ":8500"
-	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulAddress string }{address})
+	file := s.adaptFile(c, "fixtures/consul/simple.toml", struct{ ConsulAddress string }{s.consulURL})
 	defer os.Remove(file)
 
 	data := map[string]string{

integration/docker_compose_test.go

@@ -14,33 +14,17 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-const (
-	composeProject = "minimal"
-)
-
 // Docker tests suite.
 type DockerComposeSuite struct {
 	BaseSuite
 }
 
 func (s *DockerComposeSuite) SetUpSuite(c *check.C) {
-	s.createComposeProject(c, composeProject)
-	s.composeProject.Start(c)
-}
-
-func (s *DockerComposeSuite) TearDownSuite(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
+	s.createComposeProject(c, "minimal")
+	s.composeUp(c)
 }
 
 func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
-	serviceCount := 2
-	composeService := "whoami1"
-
-	s.composeProject.Scale(c, composeService, serviceCount)
-
 	tempObjects := struct {
 		DockerHost  string
 		DefaultRule string
@@ -81,8 +65,8 @@ func (s *DockerComposeSuite) TestComposeScale(c *check.C) {
 		if strings.HasSuffix(name, "@internal") {
 			continue
 		}
-		c.Assert(name, checker.Equals, composeService+"-integrationtest"+composeProject+"@docker")
-		c.Assert(service.LoadBalancer.Servers, checker.HasLen, serviceCount)
+		c.Assert(name, checker.Equals, "whoami1-"+s.composeProject.Name+"@docker")
+		c.Assert(service.LoadBalancer.Servers, checker.HasLen, 2)
 		// We could break here, but we don't just to keep us honest.
 	}
 }

integration/docker_test.go

@@ -6,80 +6,24 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
-	"github.com/docker/docker/pkg/namesgenerator"
 	"github.com/go-check/check"
-	d "github.com/libkermit/docker"
-	"github.com/libkermit/docker-check"
 	"github.com/traefik/traefik/v2/integration/try"
 	checker "github.com/vdemeester/shakers"
 )
 
-// Images to have or pull before the build in order to make it work.
-// FIXME handle this offline but loading them before build.
-var RequiredImages = map[string]string{
-	"swarm":          "1.0.0",
-	"traefik/whoami": "latest",
-}
-
 // Docker tests suite.
 type DockerSuite struct {
 	BaseSuite
-	project *docker.Project
 }
 
-func (s *DockerSuite) startContainer(c *check.C, image string, args ...string) string {
-	return s.startContainerWithConfig(c, image, d.ContainerConfig{
-		Cmd: args,
-	})
-}
-
-func (s *DockerSuite) startContainerWithLabels(c *check.C, image string, labels map[string]string, args ...string) string {
-	return s.startContainerWithConfig(c, image, d.ContainerConfig{
-		Cmd:    args,
-		Labels: labels,
-	})
-}
-
-func (s *DockerSuite) startContainerWithNameAndLabels(c *check.C, name, image string, labels map[string]string, args ...string) string {
-	return s.startContainerWithConfig(c, image, d.ContainerConfig{
-		Name:   name,
-		Cmd:    args,
-		Labels: labels,
-	})
-}
-
-func (s *DockerSuite) startContainerWithConfig(c *check.C, image string, config d.ContainerConfig) string {
-	if config.Name == "" {
-		config.Name = namesgenerator.GetRandomName(10)
-	}
-
-	container := s.project.StartWithConfig(c, image, config)
-
-	// FIXME(vdemeester) this is ugly (it's because of the / in front of the name in docker..)
-	return strings.SplitAfter(container.Name, "/")[1]
-}
-
-func (s *DockerSuite) stopAndRemoveContainerByName(c *check.C, name string) {
-	s.project.Stop(c, name)
-	s.project.Remove(c, name)
-}
-
-func (s *DockerSuite) SetUpSuite(c *check.C) {
-	project := docker.NewProjectFromEnv(c)
-	s.project = project
-
-	// Pull required images
-	for repository, tag := range RequiredImages {
-		image := fmt.Sprintf("%s:%s", repository, tag)
-		s.project.Pull(c, image)
-	}
+func (s *DockerSuite) SetUpTest(c *check.C) {
+	s.createComposeProject(c, "docker")
 }
 
 func (s *DockerSuite) TearDownTest(c *check.C) {
-	s.project.Clean(c, os.Getenv("CIRCLECI") != "") // FIXME
+	s.composeDown(c)
 }
 
 func (s *DockerSuite) TestSimpleConfiguration(c *check.C) {
@@ -94,13 +38,15 @@ func (s *DockerSuite) TestSimpleConfiguration(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
+	s.composeUp(c)
+
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	// TODO validate : run on 80
 	// Expected a 404 as we did not configure anything
 	err = try.GetRequest("http://127.0.0.1:8000/", 500*time.Millisecond, try.StatusCodeIs(http.StatusNotFound))
 	c.Assert(err, checker.IsNil)
@@ -118,18 +64,19 @@ func (s *DockerSuite) TestDefaultDockerContainers(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	name := s.startContainer(c, "swarm:1.0.0", "manage", "token://blablabla")
+	s.composeUp(c, "simple")
 
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
 	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/version", nil)
 	c.Assert(err, checker.IsNil)
-	req.Host = fmt.Sprintf("%s.docker.localhost", strings.ReplaceAll(name, "_", "-"))
+	req.Host = fmt.Sprintf("simple-%s.docker.localhost", s.composeProject.Name)
 
 	// FIXME Need to wait than 500 milliseconds more (for swarm or traefik to boot up ?)
 	resp, err := try.ResponseUntilStatusCode(req, 1500*time.Millisecond, http.StatusOK)
@@ -156,18 +103,12 @@ func (s *DockerSuite) TestDockerContainersWithTCPLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := map[string]string{
-		"traefik.tcp.Routers.Super.Rule":                      "HostSNI(`my.super.host`)",
-		"traefik.tcp.Routers.Super.tls":                       "true",
-		"traefik.tcp.Services.Super.Loadbalancer.server.port": "8080",
-	}
-
-	s.startContainerWithLabels(c, "traefik/whoamitcp", labels, "-name", "my.super.host")
+	s.composeUp(c, "withtcplabels")
 
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
@@ -193,17 +134,7 @@ func (s *DockerSuite) TestDockerContainersWithLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := map[string]string{
-		"traefik.http.Routers.Super.Rule": "Host(`my.super.host`)",
-	}
-	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
-
-	// Start another container by replacing a '.' by a '-'
-	labels = map[string]string{
-		"traefik.http.Routers.SuperHost.Rule": "Host(`my-super.host`)",
-	}
-	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blablabla")
+	s.composeUp(c, "withlabels1", "withlabels2")
 
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -249,15 +180,12 @@ func (s *DockerSuite) TestDockerContainersWithOneMissingLabels(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := map[string]string{
-		"traefik.random.value": "my.super.host",
-	}
-	s.startContainerWithLabels(c, "swarm:1.0.0", labels, "manage", "token://blabla")
+	s.composeUp(c, "withonelabelmissing")
 
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
@@ -285,16 +213,12 @@ func (s *DockerSuite) TestRestartDockerContainers(c *check.C) {
 	file := s.adaptFile(c, "fixtures/docker/simple.toml", tempObjects)
 	defer os.Remove(file)
 
-	// Start a container with some labels
-	labels := map[string]string{
-		"traefik.http.Routers.Super.Rule":                       "Host(`my.super.host`)",
-		"traefik.http.Services.powpow.LoadBalancer.server.Port": "2375",
-	}
-	s.startContainerWithNameAndLabels(c, "powpow", "swarm:1.0.0", labels, "manage", "token://blabla")
+	s.composeUp(c, "powpow")
 
 	// Start traefik
 	cmd, display := s.traefikCmd(withConfigFile(file))
 	defer display(c)
+
 	err := cmd.Start()
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
@@ -318,16 +242,14 @@ func (s *DockerSuite) TestRestartDockerContainers(c *check.C) {
 	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("powpow"))
 	c.Assert(err, checker.IsNil)
 
-	s.stopAndRemoveContainerByName(c, "powpow")
-	defer s.project.Remove(c, "powpow")
+	s.composeStop(c, "powpow")
 
 	time.Sleep(5 * time.Second)
 
 	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("powpow"))
 	c.Assert(err, checker.NotNil)
 
-	s.startContainerWithNameAndLabels(c, "powpow", "swarm:1.0.0", labels, "manage", "token://blabla")
-
+	s.composeUp(c, "powpow")
 	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 60*time.Second, try.BodyContains("powpow"))
 	c.Assert(err, checker.IsNil)
 }

integration/error_pages_test.go

@@ -10,7 +10,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// ErrorPagesSuite test suites (using libcompose).
+// ErrorPagesSuite test suites.
 type ErrorPagesSuite struct {
 	BaseSuite
 	ErrorPageIP string
@@ -19,10 +19,10 @@ type ErrorPagesSuite struct {
 
 func (s *ErrorPagesSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "error_pages")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	s.ErrorPageIP = s.composeProject.Container(c, "nginx2").NetworkSettings.IPAddress
-	s.BackendIP = s.composeProject.Container(c, "nginx1").NetworkSettings.IPAddress
+	s.ErrorPageIP = s.getComposeServiceIP(c, "nginx2")
+	s.BackendIP = s.getComposeServiceIP(c, "nginx1")
 }
 
 func (s *ErrorPagesSuite) TestSimpleConfiguration(c *check.C) {

integration/etcd_test.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"bytes"
 	"encoding/json"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -18,20 +19,24 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// etcd test suites (using libcompose).
+// etcd test suites.
 type EtcdSuite struct {
 	BaseSuite
 	kvClient store.Store
+	etcdAddr string
 }
 
-func (s *EtcdSuite) setupStore(c *check.C) {
+func (s *EtcdSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "etcd")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
 	etcdv3.Register()
-	kv, err := valkeyrie.NewStore(
+
+	var err error
+	s.etcdAddr = net.JoinHostPort(s.getComposeServiceIP(c, "etcd"), "2379")
+	s.kvClient, err = valkeyrie.NewStore(
 		store.ETCDV3,
-		[]string{s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress + ":2379"},
+		[]string{s.etcdAddr},
 		&store.Config{
 			ConnectionTimeout: 10 * time.Second,
 		},
@@ -39,27 +44,14 @@ func (s *EtcdSuite) setupStore(c *check.C) {
 	if err != nil {
 		c.Fatal("Cannot create store etcd")
 	}
-	s.kvClient = kv
 
 	// wait for etcd
-	err = try.Do(60*time.Second, try.KVExists(kv, "test"))
+	err = try.Do(60*time.Second, try.KVExists(s.kvClient, "test"))
 	c.Assert(err, checker.IsNil)
 }
 
-func (s *EtcdSuite) TearDownTest(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
-}
-
-func (s *EtcdSuite) TearDownSuite(c *check.C) {}
-
 func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
-	s.setupStore(c)
-
-	address := s.composeProject.Container(c, "etcd").NetworkSettings.IPAddress + ":2379"
-	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdAddress string }{address})
+	file := s.adaptFile(c, "fixtures/etcd/simple.toml", struct{ EtcdAddress string }{s.etcdAddr})
 	defer os.Remove(file)
 
 	data := map[string]string{

integration/fake_dns_server.go

@@ -9,7 +9,9 @@ import (
 	"github.com/traefik/traefik/v2/pkg/log"
 )
 
-type handler struct{}
+type handler struct {
+	traefikIP string
+}
 
 // ServeDNS a fake DNS server
 // Simplified version of the Challenge Test Server from Boulder
@@ -21,11 +23,6 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	m.SetReply(r)
 	m.Compress = false
 
-	fakeDNS := os.Getenv("DOCKER_HOST_IP")
-	if fakeDNS == "" {
-		fakeDNS = "127.0.0.1"
-	}
-
 	for _, q := range r.Question {
 		logger.Infof("Query -- [%s] %s", q.Name, dns.TypeToString[q.Qtype])
 
@@ -38,7 +35,7 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 				Class:  dns.ClassINET,
 				Ttl:    0,
 			}
-			record.A = net.ParseIP(fakeDNS)
+			record.A = net.ParseIP(s.traefikIP)
 
 			m.Answer = append(m.Answer, record)
 		case dns.TypeCAA:
@@ -101,11 +98,11 @@ func (s *handler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }
 
-func startFakeDNSServer() *dns.Server {
+func startFakeDNSServer(traefikIP string) *dns.Server {
 	srv := &dns.Server{
 		Addr:    ":5053",
 		Net:     "udp",
-		Handler: &handler{},
+		Handler: &handler{traefikIP},
 	}
 
 	go func() {

integration/file_test.go

@@ -15,7 +15,7 @@ type FileSuite struct{ BaseSuite }
 
 func (s *FileSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "file")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 }
 
 func (s *FileSuite) TestSimpleConfiguration(c *check.C) {

integration/fixtures/file/dir/simple2.toml

@@ -6,4 +6,4 @@
 [http.services]
   [http.services.service2.loadBalancer]
     [[http.services.service2.loadBalancer.servers]]
-      url = "http://172.17.0.123:80"
+      url = "http://127.0.0.1:80"

integration/fixtures/k8s/01-traefik-crd.yml

@@ -840,7 +840,7 @@ spec:
                       info configuration.
                     properties:
                       issuer:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:
@@ -867,7 +867,7 @@ spec:
                       serialNumber:
                         type: boolean
                       subject:
-                        description: TLSCLientCertificateDNInfo holds the client TLS
+                        description: TLSClientCertificateDNInfo holds the client TLS
                           certificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739
                         properties:
                           commonName:
@@ -1226,6 +1226,7 @@ spec:
                     enum:
                     - NoClientCert
                     - RequestClientCert
+                    - RequireAnyClientCert
                     - VerifyClientCertIfGiven
                     - RequireAndVerifyClientCert
                     type: string

integration/fixtures/retry/backoff.toml

@@ -33,13 +33,13 @@
     [http.services.service1.loadBalancer]
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:8080"
+        url = "http://{{ .WhoamiIP }}:8080"
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:8081"
+        url = "http://{{ .WhoamiIP }}:8081"
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:8082"
+        url = "http://{{ .WhoamiIP }}:8082"
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:80"
+        url = "http://{{ .WhoamiIP }}:80"

integration/fixtures/retry/simple.toml

@@ -31,7 +31,7 @@
     [http.services.service1.loadBalancer]
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:8080"
+        url = "http://{{ .WhoamiIP }}:8080"
 
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoamiEndpoint}}:80"
+        url = "http://{{ .WhoamiIP }}:80"

integration/fixtures/tcp/catch-all-no-tls-with-https.toml

@@ -27,7 +27,7 @@
   [tcp.services]
     [tcp.services.whoami-no-tls.loadBalancer]
       [[tcp.services.whoami-no-tls.loadBalancer.servers]]
-        address = "localhost:8086"
+        address = "whoami-no-tls:8080"
 
 [http]
   [http.routers]
@@ -40,4 +40,4 @@
   [http.services]
     [http.services.whoami.loadBalancer]
       [[http.services.whoami.loadBalancer.servers]]
-        url = "http://localhost:8085"
+        url = "http://whoami:80"

integration/fixtures/tcp/catch-all-no-tls.toml

@@ -27,4 +27,4 @@
   [tcp.services]
     [tcp.services.whoami-no-tls.loadBalancer]
       [[tcp.services.whoami-no-tls.loadBalancer.servers]]
-        address = "localhost:8086"
+        address = "whoami-banner:8080"

integration/fixtures/tcp/ip-whitelist.toml

@@ -38,18 +38,14 @@
   [tcp.services]
     [tcp.services.whoami-a.loadBalancer]
       [[tcp.services.whoami-a.loadBalancer.servers]]
-        address = "localhost:8081"
+        address = "whoami-a:8080"
 
     [tcp.services.whoami-b.loadBalancer]
       [[tcp.services.whoami-b.loadBalancer.servers]]
-        address = "localhost:8082"
+        address = "whoami-b:8080"
 
   [tcp.middlewares]
     [tcp.middlewares.allowing-ipwhitelist.ipWhiteList]
       sourceRange = ["127.0.0.1/32"]
     [tcp.middlewares.blocking-ipwhitelist.ipWhiteList]
       sourceRange = ["127.127.127.127/32"]
-
-[[tls.certificates]]
-  certFile = "fixtures/tcp/whoami-c.crt"
-  keyFile = "fixtures/tcp/whoami-c.key"

integration/fixtures/tcp/mixed.toml

@@ -29,11 +29,15 @@
       rule = "Path(`/whoami/`)"
       service = "whoami"
       [http.routers.my-https-router.tls]
+    [http.routers.api]
+      rule = "PathPrefix(`/api`)"
+      service = "api@internal"
+      entryPoints = ["traefik"]
 
   [http.services]
     [http.services.whoami.loadBalancer]
       [[http.services.whoami.loadBalancer.servers]]
-        url = "http://localhost:8085"
+        url = "http://whoami:80"
 [tcp]
   [tcp.routers]
     [tcp.routers.to-whoami-a]
@@ -58,15 +62,15 @@
 
     [tcp.services.whoami-a.loadBalancer]
       [[tcp.services.whoami-a.loadBalancer.servers]]
-        address = "localhost:8081"
+        address = "whoami-a:8080"
 
     [tcp.services.whoami-b.loadBalancer]
       [[tcp.services.whoami-b.loadBalancer.servers]]
-        address = "localhost:8082"
+        address = "whoami-b:8080"
 
     [tcp.services.whoami-no-cert.loadBalancer]
       [[tcp.services.whoami-no-cert.loadBalancer.servers]]
-        address = "localhost:8083"
+        address = "whoami-no-cert:8080"
 
 [[tls.certificates]]
   certFile = "fixtures/tcp/whoami-c.crt"

integration/fixtures/tcp/multi-tls-options.toml

@@ -36,7 +36,7 @@
     [tcp.services.whoami-no-cert]
       [tcp.services.whoami-no-cert.loadBalancer]
         [[tcp.services.whoami-no-cert.loadBalancer.servers]]
-        address = "localhost:8083"
+        address = "whoami-no-cert:8080"
 
 [tls.options]
 

integration/fixtures/tcp/non-tls-fallback.toml

@@ -24,14 +24,14 @@
       service = "whoami-a"
       entryPoints = [ "tcp" ]
       [tcp.routers.to-whoami-a.tls]
-        passthrough=true
+        passthrough = true
 
     [tcp.routers.to-whoami-b]
       rule = "HostSNI(`whoami-b.test`)"
       service = "whoami-b"
       entryPoints = [ "tcp" ]
       [tcp.routers.to-whoami-b.tls]
-        passthrough=true
+        passthrough = true
 
     [tcp.routers.to-whoami-no-cert]
       rule = "HostSNI(`whoami-c.test`)"
@@ -47,16 +47,17 @@
   [tcp.services]
     [tcp.services.whoami-no-tls.loadBalancer]
       [[tcp.services.whoami-no-tls.loadBalancer.servers]]
-        address = "localhost:8084"
+        address = "whoami-no-tls:8080"
 
     [tcp.services.whoami-a.loadBalancer]
       [[tcp.services.whoami-a.loadBalancer.servers]]
-        address = "localhost:8081"
+        address = "whoami-a:8080"
 
     [tcp.services.whoami-b.loadBalancer]
       [[tcp.services.whoami-b.loadBalancer.servers]]
-        address = "localhost:8082"
+        address = "whoami-b:8080"
 
     [tcp.services.whoami-no-cert.loadBalancer]
       [[tcp.services.whoami-no-cert.loadBalancer.servers]]
-        address = "localhost:8083"
+        address = "whoami-no-cert:8080"
+

integration/fixtures/tcp/non-tls.toml

@@ -27,4 +27,4 @@
   [tcp.services]
     [tcp.services.whoami-no-tls.loadBalancer]
       [[tcp.services.whoami-no-tls.loadBalancer.servers]]
-        address = "localhost:8084"
+        address = "whoami-no-tls:8080"

integration/fixtures/tcp/wrr.toml

@@ -18,25 +18,24 @@
 ## dynamic configuration ##
 [tcp]
   [tcp.routers]
-    [tcp.routers.to-whoami-a]
-      rule = "HostSNI(`whoami-a.test`)"
+    [tcp.routers.to-whoami-b]
+      rule = "HostSNI(`whoami-b.test`)"
       service = "whoami"
       entryPoints = [ "tcp" ]
-      [tcp.routers.to-whoami-a.tls]
+      [tcp.routers.to-whoami-b.tls]
         passthrough=true
 
     [[tcp.services.whoami.weighted.services]]
-        name="whoami-a"
+        name="whoami-b"
         weight=3
     [[tcp.services.whoami.weighted.services]]
-        name="whoami-b"
+        name="whoami-ab"
         weight=1
 
-    [tcp.services.whoami-a.loadBalancer]
-      [[tcp.services.whoami-a.loadBalancer.servers]]
-        address = "localhost:8081"
-
     [tcp.services.whoami-b.loadBalancer]
       [[tcp.services.whoami-b.loadBalancer.servers]]
-        address = "localhost:8082"
+        address = "whoami-b:8080"
 
+    [tcp.services.whoami-ab.loadBalancer]
+      [[tcp.services.whoami-ab.loadBalancer.servers]]
+        address = "whoami-ab:8080"

integration/fixtures/tracing/simple-jaeger-collector.toml

@@ -55,16 +55,16 @@
     [http.services.service1.loadBalancer]
       passHostHeader = true
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service2]
     [http.services.service2.loadBalancer]
       passHostHeader = true
       [[http.services.service2.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service3]
     [http.services.service3.loadBalancer]
       passHostHeader = true
       [[http.services.service3.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"

integration/fixtures/tracing/simple-jaeger.toml

@@ -54,16 +54,16 @@
     [http.services.service1.loadBalancer]
       passHostHeader = true
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service2]
     [http.services.service2.loadBalancer]
       passHostHeader = true
       [[http.services.service2.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service3]
     [http.services.service3.loadBalancer]
       passHostHeader = true
       [[http.services.service3.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"

integration/fixtures/tracing/simple-zipkin.toml

@@ -50,16 +50,16 @@
     [http.services.service1.loadBalancer]
       passHostHeader = true
       [[http.services.service1.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service2]
     [http.services.service2.loadBalancer]
       passHostHeader = true
       [[http.services.service2.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"
 
   [http.services.service3]
     [http.services.service3.loadBalancer]
       passHostHeader = true
       [[http.services.service3.loadBalancer.servers]]
-        url = "http://{{.WhoAmiIP}}:{{.WhoAmiPort}}"
+        url = "http://{{.WhoamiIP}}:{{.WhoamiPort}}"

integration/healthcheck_test.go

@@ -3,7 +3,7 @@ package integration
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"time"
@@ -13,7 +13,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// HealthCheck test suites (using libcompose).
+// HealthCheck test suites.
 type HealthCheckSuite struct {
 	BaseSuite
 	whoami1IP string
@@ -24,12 +24,12 @@ type HealthCheckSuite struct {
 
 func (s *HealthCheckSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "healthcheck")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	s.whoami1IP = s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
-	s.whoami2IP = s.composeProject.Container(c, "whoami2").NetworkSettings.IPAddress
-	s.whoami3IP = s.composeProject.Container(c, "whoami3").NetworkSettings.IPAddress
-	s.whoami4IP = s.composeProject.Container(c, "whoami4").NetworkSettings.IPAddress
+	s.whoami1IP = s.getComposeServiceIP(c, "whoami1")
+	s.whoami2IP = s.getComposeServiceIP(c, "whoami2")
+	s.whoami3IP = s.getComposeServiceIP(c, "whoami3")
+	s.whoami4IP = s.getComposeServiceIP(c, "whoami4")
 }
 
 func (s *HealthCheckSuite) TestSimpleConfiguration(c *check.C) {
@@ -90,7 +90,7 @@ func (s *HealthCheckSuite) TestSimpleConfiguration(c *check.C) {
 
 	// Check if the service with bad health check (whoami2) never respond.
 	err = try.Request(frontendReq, 2*time.Second, try.BodyContains(s.whoami2IP))
-	c.Assert(err, checker.Not(checker.IsNil))
+	c.Assert(err, checker.NotNil)
 
 	// TODO validate : run on 80
 	resp, err := http.Get("http://127.0.0.1:8000/")
@@ -331,7 +331,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(rootReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -347,7 +347,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(fooReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -363,7 +363,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(barReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -413,7 +413,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(rootReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -426,7 +426,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(fooReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -439,7 +439,7 @@ func (s *HealthCheckSuite) TestPropagate(c *check.C) {
 		resp, err := client.Do(barReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)
@@ -533,7 +533,7 @@ func (s *HealthCheckSuite) TestPropagateReload(c *check.C) {
 		resp, err := client.Do(rootReq)
 		c.Assert(err, checker.IsNil)
 
-		body, err := ioutil.ReadAll(resp.Body)
+		body, err := io.ReadAll(resp.Body)
 		c.Assert(err, checker.IsNil)
 
 		c.Assert(string(body), checker.Contains, want)

integration/hostresolver_test.go

@@ -13,9 +13,7 @@ type HostResolverSuite struct{ BaseSuite }
 
 func (s *HostResolverSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "hostresolver")
-
-	s.composeProject.Start(c)
-	s.composeProject.Container(c, "server1")
+	s.composeUp(c)
 }
 
 func (s *HostResolverSuite) TestSimpleConfig(c *check.C) {
@@ -48,7 +46,7 @@ func (s *HostResolverSuite) TestSimpleConfig(c *check.C) {
 		c.Assert(err, checker.IsNil)
 		req.Host = test.host
 
-		err = try.Request(req, 500*time.Millisecond, try.StatusCodeIs(test.status), try.HasBody())
+		err = try.Request(req, 1*time.Second, try.StatusCodeIs(test.status), try.HasBody())
 		c.Assert(err, checker.IsNil)
 	}
 }

integration/https_test.go

@@ -1063,13 +1063,13 @@ func (s *HTTPSSuite) TestEntryPointHttpsRedirectAndPathModification(c *check.C)
 	for _, test := range testCases {
 		sourceURL := fmt.Sprintf("http://127.0.0.1:8888%s", test.path)
 		for _, host := range test.hosts {
-			req, err := http.NewRequest("GET", sourceURL, nil)
+			req, err := http.NewRequest(http.MethodGet, sourceURL, nil)
 			c.Assert(err, checker.IsNil)
 			req.Host = host
 
 			resp, err := client.Do(req)
 			c.Assert(err, checker.IsNil)
-			defer resp.Body.Close()
+			resp.Body.Close()
 
 			location := resp.Header.Get("Location")
 			expected := fmt.Sprintf("https://%s:8443%s", host, test.path)

integration/integration_test.go

@@ -3,9 +3,9 @@ package integration
 
 import (
 	"bytes"
+	"context"
 	"flag"
 	"fmt"
-	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -14,17 +14,23 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/compose-spec/compose-go/cli"
+	"github.com/compose-spec/compose-go/types"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/compose/v2/cmd/formatter"
+	composeapi "github.com/docker/compose/v2/pkg/api"
+	"github.com/docker/compose/v2/pkg/compose"
+	dockertypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
 	"github.com/fatih/structs"
 	"github.com/go-check/check"
-	compose "github.com/libkermit/compose/check"
 	"github.com/traefik/traefik/v2/pkg/log"
 	checker "github.com/vdemeester/shakers"
 )
 
 var (
 	integration = flag.Bool("integration", false, "run integration tests")
-	container   = flag.Bool("container", false, "run container integration tests")
-	host        = flag.Bool("host", false, "run host integration tests")
 	showLog     = flag.Bool("tlog", false, "always show Traefik logs")
 )
 
@@ -34,45 +40,39 @@ func Test(t *testing.T) {
 		return
 	}
 
-	if *container {
-		// tests launched from a container
-		check.Suite(&AccessLogSuite{})
-		check.Suite(&AcmeSuite{})
-		check.Suite(&EtcdSuite{})
-		check.Suite(&ConsulSuite{})
-		check.Suite(&ConsulCatalogSuite{})
-		check.Suite(&DockerComposeSuite{})
-		check.Suite(&DockerSuite{})
-		check.Suite(&ErrorPagesSuite{})
-		check.Suite(&FileSuite{})
-		check.Suite(&GRPCSuite{})
-		check.Suite(&HealthCheckSuite{})
-		check.Suite(&HeadersSuite{})
-		check.Suite(&HostResolverSuite{})
-		check.Suite(&HTTPSuite{})
-		check.Suite(&HTTPSSuite{})
-		check.Suite(&KeepAliveSuite{})
-		check.Suite(&LogRotationSuite{})
-		check.Suite(&MarathonSuite{})
-		check.Suite(&MarathonSuite15{})
-		check.Suite(&RateLimitSuite{})
-		check.Suite(&RedisSuite{})
-		check.Suite(&RestSuite{})
-		check.Suite(&RetrySuite{})
-		check.Suite(&SimpleSuite{})
-		check.Suite(&TimeoutSuite{})
-		check.Suite(&TLSClientHeadersSuite{})
-		check.Suite(&TracingSuite{})
-		check.Suite(&UDPSuite{})
-		check.Suite(&WebsocketSuite{})
-		check.Suite(&ZookeeperSuite{})
-	}
-	if *host {
-		// tests launched from the host
-		check.Suite(&K8sSuite{})
-		check.Suite(&ProxyProtocolSuite{})
-		check.Suite(&TCPSuite{})
-	}
+	check.Suite(&AccessLogSuite{})
+	check.Suite(&AcmeSuite{})
+	check.Suite(&ConsulCatalogSuite{})
+	check.Suite(&ConsulSuite{})
+	check.Suite(&DockerComposeSuite{})
+	check.Suite(&DockerSuite{})
+	check.Suite(&ErrorPagesSuite{})
+	check.Suite(&EtcdSuite{})
+	check.Suite(&FileSuite{})
+	check.Suite(&GRPCSuite{})
+	check.Suite(&HeadersSuite{})
+	check.Suite(&HealthCheckSuite{})
+	check.Suite(&HostResolverSuite{})
+	check.Suite(&HTTPSSuite{})
+	check.Suite(&HTTPSuite{})
+	check.Suite(&K8sSuite{})
+	check.Suite(&KeepAliveSuite{})
+	check.Suite(&LogRotationSuite{})
+	check.Suite(&MarathonSuite15{})
+	check.Suite(&MarathonSuite{})
+	check.Suite(&ProxyProtocolSuite{})
+	check.Suite(&RateLimitSuite{})
+	check.Suite(&RedisSuite{})
+	check.Suite(&RestSuite{})
+	check.Suite(&RetrySuite{})
+	check.Suite(&SimpleSuite{})
+	check.Suite(&TCPSuite{})
+	check.Suite(&TimeoutSuite{})
+	check.Suite(&TLSClientHeadersSuite{})
+	check.Suite(&TracingSuite{})
+	check.Suite(&UDPSuite{})
+	check.Suite(&WebsocketSuite{})
+	check.Suite(&ZookeeperSuite{})
 
 	check.TestingT(t)
 }
@@ -80,36 +80,72 @@ func Test(t *testing.T) {
 var traefikBinary = "../dist/traefik"
 
 type BaseSuite struct {
-	composeProject *compose.Project
+	composeProject       *types.Project
+	dockerComposeService composeapi.Service
+	dockerClient         *client.Client
 }
 
 func (s *BaseSuite) TearDownSuite(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
+	if s.composeProject != nil && s.dockerComposeService != nil {
+		s.composeDown(c)
 	}
 }
 
+// createComposeProject creates the docker compose project stored as a field in the BaseSuite.
+// This method should be called before starting and/or stopping compose services.
 func (s *BaseSuite) createComposeProject(c *check.C, name string) {
-	projectName := fmt.Sprintf("integration-test-%s", name)
+	projectName := fmt.Sprintf("traefik-integration-test-%s", name)
 	composeFile := fmt.Sprintf("resources/compose/%s.yml", name)
 
-	addrs, err := net.InterfaceAddrs()
+	var err error
+	s.dockerClient, err = client.NewClientWithOpts()
 	c.Assert(err, checker.IsNil)
-	for _, addr := range addrs {
-		ip, _, err := net.ParseCIDR(addr.String())
-		c.Assert(err, checker.IsNil)
-		if !ip.IsLoopback() && ip.To4() != nil {
-			_ = os.Setenv("DOCKER_HOST_IP", ip.String())
-			break
-		}
-	}
 
-	s.composeProject = compose.CreateProject(c, projectName, composeFile)
+	s.dockerComposeService = compose.NewComposeService(s.dockerClient, &configfile.ConfigFile{})
+	ops, err := cli.NewProjectOptions([]string{composeFile}, cli.WithName(projectName))
+	c.Assert(err, checker.IsNil)
+
+	s.composeProject, err = cli.ProjectFromOptions(ops)
+	c.Assert(err, checker.IsNil)
 }
 
-func withConfigFile(file string) string {
-	return "--configFile=" + file
+// composeUp starts the given services of the current docker compose project, if they are not already started.
+// Already running services are not affected (i.e. not stopped).
+func (s *BaseSuite) composeUp(c *check.C, services ...string) {
+	c.Assert(s.composeProject, check.NotNil)
+	c.Assert(s.dockerComposeService, check.NotNil)
+
+	// We use Create and Restart instead of Up, because the only option that actually works to control which containers
+	// are started is within the RestartOptions.
+	err := s.dockerComposeService.Create(context.Background(), s.composeProject, composeapi.CreateOptions{})
+	c.Assert(err, checker.IsNil)
+
+	err = s.dockerComposeService.Restart(context.Background(), s.composeProject, composeapi.RestartOptions{Services: services})
+	c.Assert(err, checker.IsNil)
+}
+
+// composeStop stops the given services of the current docker compose project and removes the corresponding containers.
+func (s *BaseSuite) composeStop(c *check.C, services ...string) {
+	c.Assert(s.dockerComposeService, check.NotNil)
+	c.Assert(s.composeProject, check.NotNil)
+
+	err := s.dockerComposeService.Stop(context.Background(), s.composeProject, composeapi.StopOptions{Services: services})
+	c.Assert(err, checker.IsNil)
+
+	err = s.dockerComposeService.Remove(context.Background(), s.composeProject, composeapi.RemoveOptions{
+		Services: services,
+		Force:    true,
+	})
+	c.Assert(err, checker.IsNil)
+}
+
+// composeDown stops all compose project services and removes the corresponding containers.
+func (s *BaseSuite) composeDown(c *check.C) {
+	c.Assert(s.dockerComposeService, check.NotNil)
+	c.Assert(s.composeProject, check.NotNil)
+
+	err := s.dockerComposeService.Down(context.Background(), s.composeProject.Name, composeapi.DownOptions{})
+	c.Assert(err, checker.IsNil)
 }
 
 func (s *BaseSuite) cmdTraefik(args ...string) (*exec.Cmd, *bytes.Buffer) {
@@ -134,6 +170,7 @@ func (s *BaseSuite) traefikCmd(args ...string) (*exec.Cmd, func(*check.C)) {
 	return cmd, func(c *check.C) {
 		if c.Failed() || *showLog {
 			s.displayLogK3S(c)
+			s.displayLogCompose(c)
 			s.displayTraefikLog(c, out)
 		}
 	}
@@ -153,6 +190,25 @@ func (s *BaseSuite) displayLogK3S(c *check.C) {
 	log.WithoutContext().Println()
 }
 
+func (s *BaseSuite) displayLogCompose(c *check.C) {
+	if s.dockerComposeService == nil || s.composeProject == nil {
+		log.WithoutContext().Infof("%s: No docker compose logs.", c.TestName())
+		return
+	}
+
+	log.WithoutContext().Infof("%s: docker compose logs: ", c.TestName())
+
+	logWriter := log.WithoutContext().WriterLevel(log.GetLevel())
+	logConsumer := formatter.NewLogConsumer(context.Background(), logWriter, false, true)
+
+	err := s.dockerComposeService.Logs(context.Background(), s.composeProject.Name, logConsumer, composeapi.LogOptions{})
+	c.Assert(err, checker.IsNil)
+
+	log.WithoutContext().Println()
+	log.WithoutContext().Println("################################")
+	log.WithoutContext().Println()
+}
+
 func (s *BaseSuite) displayTraefikLog(c *check.C, output *bytes.Buffer) {
 	if output == nil || output.Len() == 0 {
 		log.WithoutContext().Infof("%s: No Traefik logs.", c.TestName())
@@ -168,6 +224,7 @@ func (s *BaseSuite) getDockerHost() string {
 		// Default docker socket
 		dockerHost = "unix:///var/run/docker.sock"
 	}
+
 	return dockerHost
 }
 
@@ -192,3 +249,38 @@ func (s *BaseSuite) adaptFile(c *check.C, path string, tempObjects interface{})
 
 	return tmpFile.Name()
 }
+
+func (s *BaseSuite) getComposeServiceIP(c *check.C, name string) string {
+	filter := filters.NewArgs(
+		filters.Arg("label", fmt.Sprintf("%s=%s", composeapi.ProjectLabel, s.composeProject.Name)),
+		filters.Arg("label", fmt.Sprintf("%s=%s", composeapi.ServiceLabel, name)),
+	)
+
+	containers, err := s.dockerClient.ContainerList(context.Background(), dockertypes.ContainerListOptions{Filters: filter})
+	c.Assert(err, checker.IsNil)
+	c.Assert(containers, checker.HasLen, 1)
+
+	networkNames := s.composeProject.NetworkNames()
+	c.Assert(networkNames, checker.HasLen, 1)
+
+	network := s.composeProject.Networks[networkNames[0]]
+	return containers[0].NetworkSettings.Networks[network.Name].IPAddress
+}
+
+func (s *BaseSuite) getContainerIP(c *check.C, name string) string {
+	container, err := s.dockerClient.ContainerInspect(context.Background(), name)
+	c.Assert(err, checker.IsNil)
+	c.Assert(container.NetworkSettings.Networks, check.NotNil)
+
+	for _, network := range container.NetworkSettings.Networks {
+		return network.IPAddress
+	}
+
+	// Should never happen.
+	c.Error("No network found")
+	return ""
+}
+
+func withConfigFile(file string) string {
+	return "--configFile=" + file
+}

integration/k8s_test.go

@@ -28,7 +28,7 @@ type K8sSuite struct{ BaseSuite }
 
 func (s *K8sSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "k8s")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
 	abs, err := filepath.Abs("./fixtures/k8s/config.skip/kubeconfig.yaml")
 	c.Assert(err, checker.IsNil)
@@ -44,7 +44,7 @@ func (s *K8sSuite) SetUpSuite(c *check.C) {
 }
 
 func (s *K8sSuite) TearDownSuite(c *check.C) {
-	s.composeProject.Stop(c)
+	s.composeDown(c)
 
 	generatedFiles := []string{
 		"./fixtures/k8s/config.skip/kubeconfig.yaml",
@@ -56,8 +56,7 @@ func (s *K8sSuite) TearDownSuite(c *check.C) {
 	}
 
 	for _, filename := range generatedFiles {
-		err := os.Remove(filename)
-		if err != nil {
+		if err := os.Remove(filename); err != nil {
 			log.WithoutContext().Warning(err)
 		}
 	}

integration/log_rotation_test.go

@@ -13,17 +13,38 @@ import (
 
 	"github.com/go-check/check"
 	"github.com/traefik/traefik/v2/integration/try"
+	"github.com/traefik/traefik/v2/pkg/log"
 	checker "github.com/vdemeester/shakers"
 )
 
+const (
+	traefikTestLogFileRotated       = traefikTestLogFile + ".rotated"
+	traefikTestAccessLogFileRotated = traefikTestAccessLogFile + ".rotated"
+)
+
 // Log rotation integration test suite.
 type LogRotationSuite struct{ BaseSuite }
 
 func (s *LogRotationSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "access_log")
-	s.composeProject.Start(c)
+	s.composeUp(c)
+}
 
-	s.composeProject.Container(c, "server1")
+func (s *LogRotationSuite) TearDownSuite(c *check.C) {
+	s.composeDown(c)
+
+	generatedFiles := []string{
+		traefikTestLogFile,
+		traefikTestLogFileRotated,
+		traefikTestAccessLogFile,
+		traefikTestAccessLogFileRotated,
+	}
+
+	for _, filename := range generatedFiles {
+		if err := os.Remove(filename); err != nil {
+			log.WithoutContext().Warning(err)
+		}
+	}
 }
 
 func (s *LogRotationSuite) TestAccessLogRotation(c *check.C) {
@@ -36,8 +57,6 @@ func (s *LogRotationSuite) TestAccessLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	defer os.Remove(traefikTestAccessLogFile)
-
 	// Verify Traefik started ok
 	verifyEmptyErrorLog(c, "traefik.log")
 
@@ -52,7 +71,7 @@ func (s *LogRotationSuite) TestAccessLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// Rename access log
-	err = os.Rename(traefikTestAccessLogFile, traefikTestAccessLogFile+".rotated")
+	err = os.Rename(traefikTestAccessLogFile, traefikTestAccessLogFileRotated)
 	c.Assert(err, checker.IsNil)
 
 	// in the midst of the requests, issue SIGUSR1 signal to server process
@@ -66,8 +85,8 @@ func (s *LogRotationSuite) TestAccessLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// Verify access.log.rotated output as expected
-	logAccessLogFile(c, traefikTestAccessLogFile+".rotated")
-	lineCount := verifyLogLines(c, traefikTestAccessLogFile+".rotated", 0, true)
+	logAccessLogFile(c, traefikTestAccessLogFileRotated)
+	lineCount := verifyLogLines(c, traefikTestAccessLogFileRotated, 0, true)
 	c.Assert(lineCount, checker.GreaterOrEqualThan, 1)
 
 	// make sure that the access log file is at least created before we do assertions on it
@@ -95,12 +114,10 @@ func (s *LogRotationSuite) TestTraefikLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	defer os.Remove(traefikTestAccessLogFile)
-
 	waitForTraefik(c, "server1")
 
 	// Rename traefik log
-	err = os.Rename(traefikTestLogFile, traefikTestLogFile+".rotated")
+	err = os.Rename(traefikTestLogFile, traefikTestLogFileRotated)
 	c.Assert(err, checker.IsNil)
 
 	// issue SIGUSR1 signal to server process
@@ -118,7 +135,7 @@ func (s *LogRotationSuite) TestTraefikLogRotation(c *check.C) {
 	c.Assert(err, checker.IsNil)
 
 	// we have at least 6 lines in traefik.log.rotated
-	lineCount := verifyLogLines(c, traefikTestLogFile+".rotated", 0, false)
+	lineCount := verifyLogLines(c, traefikTestLogFileRotated, 0, false)
 
 	// GreaterOrEqualThan used to ensure test doesn't break
 	// If more log entries are output on startup

integration/marathon15_test.go

@@ -1,7 +1,6 @@
 package integration
 
 import (
-	"fmt"
 	"net/http"
 	"os"
 	"time"
@@ -12,7 +11,7 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Marathon test suites (using libcompose).
+// Marathon test suites.
 type MarathonSuite15 struct {
 	BaseSuite
 	marathonURL string
@@ -20,53 +19,15 @@ type MarathonSuite15 struct {
 
 func (s *MarathonSuite15) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "marathon15")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	marathonIPAddr := s.composeProject.Container(c, containerNameMarathon).NetworkSettings.IPAddress
-	c.Assert(marathonIPAddr, checker.Not(checker.HasLen), 0)
-	s.marathonURL = "http://" + marathonIPAddr + ":8080"
+	s.marathonURL = "http://" + containerNameMarathon + ":8080"
 
 	// Wait for Marathon readiness prior to creating the client so that we
 	// don't run into the "all cluster members down" state right from the
 	// start.
 	err := try.GetRequest(s.marathonURL+"/v2/leader", 1*time.Minute, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-
-	// Add entry for Mesos slave container IP address in the hosts file so
-	// that Traefik can properly forward traffic.
-	// This is necessary as long as we are still using the docker-compose v1
-	// spec. Once we switch to v2 or higher, we can have both the test/builder
-	// container and the Mesos slave container join the same custom network and
-	// enjoy DNS-discoverable container host names.
-	mesosSlaveIPAddr := s.composeProject.Container(c, containerNameMesosSlave).NetworkSettings.IPAddress
-	c.Assert(mesosSlaveIPAddr, checker.Not(checker.HasLen), 0)
-	err = s.extendDockerHostsFile(containerNameMesosSlave, mesosSlaveIPAddr)
-	c.Assert(err, checker.IsNil)
-}
-
-// extendDockerHostsFile extends the hosts file (/etc/hosts) by the given
-// host/IP address mapping if we are running inside a container.
-func (s *MarathonSuite15) extendDockerHostsFile(host, ipAddr string) error {
-	const hostsFile = "/etc/hosts"
-
-	// Determine if the run inside a container. The most reliable way to
-	// do this is to inject an indicator, which we do in terms of an
-	// environment variable.
-	// (See also https://groups.google.com/d/topic/docker-user/JOGE7AnJ3Gw/discussion.)
-	if os.Getenv("CONTAINER") == "DOCKER" {
-		// We are running inside a container -- extend the hosts file.
-		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0o600)
-		if err != nil {
-			return err
-		}
-		defer file.Close()
-
-		if _, err = file.WriteString(fmt.Sprintf("%s\t%s\n", ipAddr, host)); err != nil {
-			return err
-		}
-	}
-
-	return nil
 }
 
 func (s *MarathonSuite15) TestConfigurationUpdate(c *check.C) {

integration/marathon_test.go

@@ -1,7 +1,6 @@
 package integration
 
 import (
-	"fmt"
 	"net/http"
 	"os"
 	"time"
@@ -12,12 +11,9 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-const (
-	containerNameMesosSlave = "mesos-slave"
-	containerNameMarathon   = "marathon"
-)
+const containerNameMarathon = "marathon"
 
-// Marathon test suites (using libcompose).
+// Marathon test suites.
 type MarathonSuite struct {
 	BaseSuite
 	marathonURL string
@@ -25,53 +21,15 @@ type MarathonSuite struct {
 
 func (s *MarathonSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "marathon")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	marathonIPAddr := s.composeProject.Container(c, containerNameMarathon).NetworkSettings.IPAddress
-	c.Assert(marathonIPAddr, checker.Not(checker.HasLen), 0)
-	s.marathonURL = "http://" + marathonIPAddr + ":8080"
+	s.marathonURL = "http://" + containerNameMarathon + ":8080"
 
 	// Wait for Marathon readiness prior to creating the client so that we
 	// don't run into the "all cluster members down" state right from the
 	// start.
 	err := try.GetRequest(s.marathonURL+"/v2/leader", 1*time.Minute, try.StatusCodeIs(http.StatusOK))
 	c.Assert(err, checker.IsNil)
-
-	// Add entry for Mesos slave container IP address in the hosts file so
-	// that Traefik can properly forward traffic.
-	// This is necessary as long as we are still using the docker-compose v1
-	// spec. Once we switch to v2 or higher, we can have both the test/builder
-	// container and the Mesos slave container join the same custom network and
-	// enjoy DNS-discoverable container host names.
-	mesosSlaveIPAddr := s.composeProject.Container(c, containerNameMesosSlave).NetworkSettings.IPAddress
-	c.Assert(mesosSlaveIPAddr, checker.Not(checker.HasLen), 0)
-	err = s.extendDockerHostsFile(containerNameMesosSlave, mesosSlaveIPAddr)
-	c.Assert(err, checker.IsNil)
-}
-
-// extendDockerHostsFile extends the hosts file (/etc/hosts) by the given
-// host/IP address mapping if we are running inside a container.
-func (s *MarathonSuite) extendDockerHostsFile(host, ipAddr string) error {
-	const hostsFile = "/etc/hosts"
-
-	// Determine if the run inside a container. The most reliable way to
-	// do this is to inject an indicator, which we do in terms of an
-	// environment variable.
-	// (See also https://groups.google.com/d/topic/docker-user/JOGE7AnJ3Gw/discussion.)
-	if os.Getenv("CONTAINER") == "DOCKER" {
-		// We are running inside a container -- extend the hosts file.
-		file, err := os.OpenFile(hostsFile, os.O_APPEND|os.O_WRONLY, 0o600)
-		if err != nil {
-			return err
-		}
-		defer file.Close()
-
-		if _, err = file.WriteString(fmt.Sprintf("%s\t%s\n", ipAddr, host)); err != nil {
-			return err
-		}
-	}
-
-	return nil
 }
 
 func deployApplication(c *check.C, client marathon.Marathon, application *marathon.Application) {

integration/proxy_protocol_test.go

@@ -10,22 +10,27 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-type ProxyProtocolSuite struct{ BaseSuite }
+type ProxyProtocolSuite struct {
+	BaseSuite
+	gatewayIP string
+	haproxyIP string
+	whoamiIP  string
+}
 
 func (s *ProxyProtocolSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "proxy-protocol")
-	s.composeProject.Start(c)
+	s.composeUp(c)
+
+	s.gatewayIP = s.getContainerIP(c, "traefik")
+	s.haproxyIP = s.getComposeServiceIP(c, "haproxy")
+	s.whoamiIP = s.getComposeServiceIP(c, "whoami")
 }
 
 func (s *ProxyProtocolSuite) TestProxyProtocolTrusted(c *check.C) {
-	gatewayIP := s.composeProject.Container(c, "haproxy").NetworkSettings.Gateway
-	haproxyIP := s.composeProject.Container(c, "haproxy").NetworkSettings.IPAddress
-	whoamiIP := s.composeProject.Container(c, "whoami").NetworkSettings.IPAddress
-
 	file := s.adaptFile(c, "fixtures/proxy-protocol/with.toml", struct {
 		HaproxyIP string
 		WhoamiIP  string
-	}{HaproxyIP: haproxyIP, WhoamiIP: whoamiIP})
+	}{HaproxyIP: s.haproxyIP, WhoamiIP: s.whoamiIP})
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -34,21 +39,17 @@ func (s *ProxyProtocolSuite) TestProxyProtocolTrusted(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	err = try.GetRequest("http://"+haproxyIP+"/whoami", 1*time.Second,
+	err = try.GetRequest("http://"+s.haproxyIP+"/whoami", 1*time.Second,
 		try.StatusCodeIs(http.StatusOK),
-		try.BodyContains("X-Forwarded-For: "+gatewayIP))
+		try.BodyContains("X-Forwarded-For: "+s.gatewayIP))
 	c.Assert(err, checker.IsNil)
 }
 
 func (s *ProxyProtocolSuite) TestProxyProtocolV2Trusted(c *check.C) {
-	gatewayIP := s.composeProject.Container(c, "haproxy").NetworkSettings.Gateway
-	haproxyIP := s.composeProject.Container(c, "haproxy").NetworkSettings.IPAddress
-	whoamiIP := s.composeProject.Container(c, "whoami").NetworkSettings.IPAddress
-
 	file := s.adaptFile(c, "fixtures/proxy-protocol/with.toml", struct {
 		HaproxyIP string
 		WhoamiIP  string
-	}{HaproxyIP: haproxyIP, WhoamiIP: whoamiIP})
+	}{HaproxyIP: s.haproxyIP, WhoamiIP: s.whoamiIP})
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -57,20 +58,17 @@ func (s *ProxyProtocolSuite) TestProxyProtocolV2Trusted(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	err = try.GetRequest("http://"+haproxyIP+":81/whoami", 1*time.Second,
+	err = try.GetRequest("http://"+s.haproxyIP+":81/whoami", 1*time.Second,
 		try.StatusCodeIs(http.StatusOK),
-		try.BodyContains("X-Forwarded-For: "+gatewayIP))
+		try.BodyContains("X-Forwarded-For: "+s.gatewayIP))
 	c.Assert(err, checker.IsNil)
 }
 
 func (s *ProxyProtocolSuite) TestProxyProtocolNotTrusted(c *check.C) {
-	haproxyIP := s.composeProject.Container(c, "haproxy").NetworkSettings.IPAddress
-	whoamiIP := s.composeProject.Container(c, "whoami").NetworkSettings.IPAddress
-
 	file := s.adaptFile(c, "fixtures/proxy-protocol/without.toml", struct {
 		HaproxyIP string
 		WhoamiIP  string
-	}{HaproxyIP: haproxyIP, WhoamiIP: whoamiIP})
+	}{HaproxyIP: s.haproxyIP, WhoamiIP: s.whoamiIP})
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -79,20 +77,17 @@ func (s *ProxyProtocolSuite) TestProxyProtocolNotTrusted(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	err = try.GetRequest("http://"+haproxyIP+"/whoami", 1*time.Second,
+	err = try.GetRequest("http://"+s.haproxyIP+"/whoami", 1*time.Second,
 		try.StatusCodeIs(http.StatusOK),
-		try.BodyContains("X-Forwarded-For: "+haproxyIP))
+		try.BodyContains("X-Forwarded-For: "+s.haproxyIP))
 	c.Assert(err, checker.IsNil)
 }
 
 func (s *ProxyProtocolSuite) TestProxyProtocolV2NotTrusted(c *check.C) {
-	haproxyIP := s.composeProject.Container(c, "haproxy").NetworkSettings.IPAddress
-	whoamiIP := s.composeProject.Container(c, "whoami").NetworkSettings.IPAddress
-
 	file := s.adaptFile(c, "fixtures/proxy-protocol/without.toml", struct {
 		HaproxyIP string
 		WhoamiIP  string
-	}{HaproxyIP: haproxyIP, WhoamiIP: whoamiIP})
+	}{HaproxyIP: s.haproxyIP, WhoamiIP: s.whoamiIP})
 	defer os.Remove(file)
 
 	cmd, display := s.traefikCmd(withConfigFile(file))
@@ -101,8 +96,8 @@ func (s *ProxyProtocolSuite) TestProxyProtocolV2NotTrusted(c *check.C) {
 	c.Assert(err, checker.IsNil)
 	defer s.killCmd(cmd)
 
-	err = try.GetRequest("http://"+haproxyIP+":81/whoami", 1*time.Second,
+	err = try.GetRequest("http://"+s.haproxyIP+":81/whoami", 1*time.Second,
 		try.StatusCodeIs(http.StatusOK),
-		try.BodyContains("X-Forwarded-For: "+haproxyIP))
+		try.BodyContains("X-Forwarded-For: "+s.haproxyIP))
 	c.Assert(err, checker.IsNil)
 }

integration/ratelimit_test.go

@@ -17,9 +17,9 @@ type RateLimitSuite struct {
 
 func (s *RateLimitSuite) SetUpSuite(c *check.C) {
 	s.createComposeProject(c, "ratelimit")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
-	s.ServerIP = s.composeProject.Container(c, "whoami1").NetworkSettings.IPAddress
+	s.ServerIP = s.getComposeServiceIP(c, "whoami1")
 }
 
 func (s *RateLimitSuite) TestSimpleConfiguration(c *check.C) {

integration/redis_test.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"bytes"
 	"encoding/json"
+	"net"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -18,20 +19,22 @@ import (
 	checker "github.com/vdemeester/shakers"
 )
 
-// Redis test suites (using libcompose).
+// Redis test suites.
 type RedisSuite struct {
 	BaseSuite
-	kvClient store.Store
+	kvClient  store.Store
+	redisAddr string
 }
 
 func (s *RedisSuite) setupStore(c *check.C) {
 	s.createComposeProject(c, "redis")
-	s.composeProject.Start(c)
+	s.composeUp(c)
 
+	s.redisAddr = net.JoinHostPort(s.getComposeServiceIP(c, "redis"), "6379")
 	redis.Register()
 	kv, err := valkeyrie.NewStore(
 		store.REDIS,
-		[]string{s.composeProject.Container(c, "redis").NetworkSettings.IPAddress + ":6379"},
+		[]string{s.redisAddr},
 		&store.Config{
 			ConnectionTimeout: 10 * time.Second,
 		},
@@ -46,20 +49,10 @@ func (s *RedisSuite) setupStore(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
-func (s *RedisSuite) TearDownTest(c *check.C) {
-	// shutdown and delete compose project
-	if s.composeProject != nil {
-		s.composeProject.Stop(c)
-	}
-}
-
-func (s *RedisSuite) TearDownSuite(c *check.C) {}
-
 func (s *RedisSuite) TestSimpleConfiguration(c *check.C) {
 	s.setupStore(c)
 
-	address := s.composeProject.Container(c, "redis").NetworkSettings.IPAddress + ":6379"
-	file := s.adaptFile(c, "fixtures/redis/simple.toml", struct{ RedisAddress string }{address})
+	file := s.adaptFile(c, "fixtures/redis/simple.toml", struct{ RedisAddress string }{s.redisAddr})
 	defer os.Remove(file)
 
 	data := map[string]string{

integration/resources/compose/access_log.yml

@@ -1,77 +1,91 @@
-server0:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-server0.entryPoints=web
-    - traefik.http.routers.rt-server0.rule=Path("/test")
-    - traefik.http.services.service1.loadbalancer.server.port=80
-server1:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-server1.entryPoints=web
-    - traefik.http.routers.rt-server1.rule=Host("frontend1.docker.local")
-    - traefik.http.routers.rt-server1.service=service1
-    - traefik.http.services.service1.loadbalancer.server.port=80
-server2:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-server2.entryPoints=web
-    - traefik.http.routers.rt-server2.rule=Host("frontend2.docker.local")
-    - traefik.http.services.service2.loadbalancer.server.port=80
-server3:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-server3.entryPoints=web
-    - traefik.http.routers.rt-server3.rule=Host("frontend2.docker.local")
-    - traefik.http.services.service2.loadbalancer.server.port=80
-authFrontend:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-authFrontend.entryPoints=httpFrontendAuth
-    - traefik.http.routers.rt-authFrontend.rule=Host("frontend.auth.docker.local")
-    - traefik.http.routers.rt-authFrontend.middlewares=basicauth
-    - traefik.http.middlewares.basicauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
-    - traefik.http.services.service3.loadbalancer.server.port=80
-digestAuthMiddleware:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-digestAuthMiddleware.entryPoints=digestAuth
-    - traefik.http.routers.rt-digestAuthMiddleware.rule=Host("entrypoint.digest.auth.docker.local")
-    - traefik.http.routers.rt-digestAuthMiddleware.middlewares=digestauth
-    - traefik.http.middlewares.digestauth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05, test2:traefik:518845800f9e2bfb1f1f740ec24f074e
-    - traefik.http.services.service3.loadbalancer.server.port=80
-frontendRedirect:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-frontendRedirect.entryPoints=frontendRedirect
-    - traefik.http.routers.rt-frontendRedirect.rule=Path("/test")
-    - traefik.http.routers.rt-frontendRedirect.middlewares=redirecthttp
-    - traefik.http.middlewares.redirecthttp.redirectScheme.scheme=http
-    - traefik.http.middlewares.redirecthttp.redirectScheme.port=8000
-    - traefik.http.services.service3.loadbalancer.server.port=80
-rateLimit:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-rateLimit.entryPoints=httpRateLimit
-    - traefik.http.routers.rt-rateLimit.rule=Host("ratelimit.docker.local")
-    - traefik.http.routers.rt-rateLimit.middlewares=rate
-    - traefik.http.middlewares.rate.ratelimit
-    - traefik.http.middlewares.rate.ratelimit.average=1
-    - traefik.http.middlewares.rate.ratelimit.burst=2
-    - traefik.http.services.service3.loadbalancer.server.port=80
-frontendWhitelist:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.rt-frontendWhitelist.entryPoints=web
-    - traefik.http.routers.rt-frontendWhitelist.rule=Host("frontend.whitelist.docker.local")
-    - traefik.http.routers.rt-frontendWhitelist.middlewares=wl
-    - traefik.http.middlewares.wl.ipwhitelist.sourcerange=8.8.8.8/32
-    - traefik.http.services.service3.loadbalancer.server.port=80
+version: "3.8"
+services:
+  server0:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-server0.entryPoints: web
+      traefik.http.routers.rt-server0.rule: Path(`/test`)
+      traefik.http.services.service1.loadbalancer.server.port: 80
+
+  server1:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-server1.entryPoints: web
+      traefik.http.routers.rt-server1.rule: Host(`frontend1.docker.local`)
+      traefik.http.routers.rt-server1.service: service1
+      traefik.http.services.service1.loadbalancer.server.port: 80
+
+  server2:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-server2.entryPoints: web
+      traefik.http.routers.rt-server2.rule: Host(`frontend2.docker.local`)
+      traefik.http.services.service2.loadbalancer.server.port: 80
+
+  server3:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-server3.entryPoints: web
+      traefik.http.routers.rt-server3.rule: Host(`frontend2.docker.local`)
+      traefik.http.services.service2.loadbalancer.server.port: 80
+
+  authFrontend:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-authFrontend.entryPoints: httpFrontendAuth
+      traefik.http.routers.rt-authFrontend.rule: Host(`frontend.auth.docker.local`)
+      traefik.http.routers.rt-authFrontend.middlewares: basicauth
+      traefik.http.middlewares.basicauth.basicauth.users: test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
+      traefik.http.services.service3.loadbalancer.server.port: 80
+
+  digestAuthMiddleware:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-digestAuthMiddleware.entryPoints: digestAuth
+      traefik.http.routers.rt-digestAuthMiddleware.rule: Host(`entrypoint.digest.auth.docker.local`)
+      traefik.http.routers.rt-digestAuthMiddleware.middlewares: digestauth
+      traefik.http.middlewares.digestauth.digestauth.users: test:traefik:a2688e031edb4be6a3797f3882655c05, test2:traefik:518845800f9e2bfb1f1f740ec24f074e
+      traefik.http.services.service3.loadbalancer.server.port: 80
+
+  frontendRedirect:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-frontendRedirect.entryPoints: frontendRedirect
+      traefik.http.routers.rt-frontendRedirect.rule: Path(`/test`)
+      traefik.http.routers.rt-frontendRedirect.middlewares: redirecthttp
+      traefik.http.middlewares.redirecthttp.redirectScheme.scheme: http
+      traefik.http.middlewares.redirecthttp.redirectScheme.port: 8000
+      traefik.http.services.service3.loadbalancer.server.port: 80
+
+  rateLimit:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-rateLimit.entryPoints: httpRateLimit
+      traefik.http.routers.rt-rateLimit.rule: Host(`ratelimit.docker.local`)
+      traefik.http.routers.rt-rateLimit.middlewares: rate
+      traefik.http.middlewares.rate.ratelimit.average: 1
+      traefik.http.middlewares.rate.ratelimit.burst: 2
+      traefik.http.services.service3.loadbalancer.server.port: 80
+
+  frontendWhitelist:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.rt-frontendWhitelist.entryPoints: web
+      traefik.http.routers.rt-frontendWhitelist.rule: Host(`frontend.whitelist.docker.local`)
+      traefik.http.routers.rt-frontendWhitelist.middlewares: wl
+      traefik.http.middlewares.wl.ipwhitelist.sourcerange: 8.8.8.8/32
+      traefik.http.services.service3.loadbalancer.server.port: 80
+
+networks:
+  default:
+    name: traefik-test-network
+    external: true

integration/resources/compose/base.yml

@@ -1,11 +1,18 @@
-whoami1:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=true
-    - traefik.http.routers.router1.rule=PathPrefix("/whoami")
-    - traefik.http.routers.router2.rule=PathPrefix("/whoami2")
+version: "3.8"
+services:
+  whoami1:
+    image: traefik/whoami
+    labels:
+      traefik.enable: true
+      traefik.http.routers.router1.rule: PathPrefix(`/whoami`)
+      traefik.http.routers.router2.rule: PathPrefix(`/whoami2`)
 
-whoami2:
-  image: traefik/whoami
-  labels:
-    - traefik.enable=false
+  whoami2:
+    image: traefik/whoami
+    labels:
+      traefik.enable: false
+
+networks:
+  default:
+    name: traefik-test-network
+    external: true