Prepare release v3.0.0-beta1

Merge remote-tracking branch 'upstream/v2.9' into merge-branch-v2.9-into-master
fix: remove logs of the request
2025-11-03 08:23:51 +03:00 · 2022-12-05 16:58:04 +01:00 · 2022-12-05 15:23:06 +01:00 · 2022-12-05 11:30:05 +01:00 · 2022-12-01 14:30:06 +01:00 · 2022-12-01 10:10:05 +01:00
617 changed files with 23410 additions and 14509 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -6,12 +6,14 @@ body:
    attributes:
      label: Welcome!
      description: |
-        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
-        - the Traefik community forum: https://community.traefik.io/
+        The issue tracker is for reporting bugs and feature requests only.
+        For end-user related support questions, please use the [Traefik community forum](https://community.traefik.io/).

-        The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
+        All new/updated issues are triaged regularly by the maintainers.
+        All issues closed by a bot are subsequently double-checked by the maintainers.

        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
          required: true
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,16 +2,16 @@
 PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.8
+- for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master

 Bug fixes:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.8
+- for Traefik v2: use branch v2.9
+- for Traefik v3: use branch master

 Enhancements:
- for Traefik v1: we only accept bug fixes
- for Traefik v2: use branch master
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -56,7 +56,7 @@ jobs:
          fetch-depth: 0

      - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -31,7 +31,7 @@ jobs:
          fetch-depth: 0

      - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -7,8 +7,8 @@ on:

 env:
  GO_VERSION: 1.19
-  GOLANGCI_LINT_VERSION: v1.48.0
-  MISSSPELL_VERSION: v0.3.4
+  GOLANGCI_LINT_VERSION: v1.50.0
+  MISSSPELL_VERSION: v0.4.0
  IN_DOCKER: ""

 jobs:
@@ -33,7 +33,7 @@ jobs:
          fetch-depth: 0

      - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
@@ -45,7 +45,7 @@ jobs:
        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}

      - name: Install missspell ${{ env.MISSSPELL_VERSION }}
-        run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
+        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}

      - name: Avoid generating webui
        run: touch webui/static/index.html
@@ -73,7 +73,7 @@ jobs:
          fetch-depth: 0

      - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
        with:
          path: |
            ~/go/pkg/mod
--- a/.golangci.toml
+++ b/.golangci.toml
@@ -1,233 +0,0 @@
-[run]
-  timeout = "10m"
-  skip-files = []
-  skip-dirs = [
-    "pkg/provider/kubernetes/crd/generated/",
-  ]
-
-[linters-settings]
-
-  [linters-settings.govet]
-    check-shadowing = false
-
-  [linters-settings.golint]
-    min-confidence = 0.0
-
-  [linters-settings.gocyclo]
-    min-complexity = 14.0
-
-  [linters-settings.goconst]
-    min-len = 3.0
-    min-occurrences = 4.0
-
-  [linters-settings.misspell]
-    locale = "US"
-
-  [linters-settings.funlen]
-    lines = 230 # default 60
-    statements = 120 # default 40
-
-  [linters-settings.forbidigo]
-    forbid = [
-      '^print(ln)?$',
-      '^spew\.Print(f|ln)?$',
-      '^spew\.Dump$',
-    ]
-
-  [linters-settings.depguard]
-    list-type = "blacklist"
-    include-go-root = false
-    packages = ["github.com/pkg/errors"]
-
-  [linters-settings.godox]
-    keywords = ["FIXME"]
-
-  [linters-settings.importas]
-    corev1 = "k8s.io/api/core/v1"
-    networkingv1beta1 = "k8s.io/api/networking/v1beta1"
-    extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
-    metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
-    kubeerror = "k8s.io/apimachinery/pkg/api/errors"
-    composeapi = "github.com/docker/compose/v2/pkg/api"
-
-  [linters-settings.revive]
-    [[linters-settings.revive.rules]]
-      name = "struct-tag"
-    [[linters-settings.rules]]
-      name = "blank-imports"
-    [[linters-settings.rules]]
-      name = "context-as-argument"
-    [[linters-settings.rules]]
-      name = "context-keys-type"
-    [[linters-settings.rules]]
-      name = "dot-imports"
-    [[linters-settings.rules]]
-      name = "error-return"
-    [[linters-settings.rules]]
-      name = "error-strings"
-    [[linters-settings.rules]]
-      name = "error-naming"
-    [[linters-settings.rules]]
-      name = "exported"
-    [[linters-settings.rules]]
-      name = "if-return"
-    [[linters-settings.rules]]
-      name = "increment-decrement"
-    [[linters-settings.rules]]
-      name = "var-naming"
-    [[linters-settings.rules]]
-      name = "var-declaration"
-    [[linters-settings.rules]]
-      name = "package-comments"
-    [[linters-settings.rules]]
-      name = "range"
-    [[linters-settings.rules]]
-      name = "receiver-naming"
-    [[linters-settings.rules]]
-      name = "time-naming"
-    [[linters-settings.rules]]
-      name = "unexported-return"
-    [[linters-settings.rules]]
-      name = "indent-error-flow"
-    [[linters-settings.rules]]
-      name = "errorf"
-    [[linters-settings.rules]]
-      name = "empty-block"
-    [[linters-settings.rules]]
-      name = "superfluous-else"
-    [[linters-settings.rules]]
-      name = "unused-parameter"
-    [[linters-settings.rules]]
-      name = "unreachable-code"
-    [[linters-settings.rules]]
-      name = "redefines-builtin-id"
-
-  [linters-settings.gomoddirectives]
-    replace-allow-list = [
-      "github.com/abbot/go-http-auth",
-      "github.com/go-check/check",
-      "github.com/gorilla/mux",
-      "github.com/mailgun/minheap",
-      "github.com/mailgun/multibuf",
-      "github.com/jaguilar/vt100",
-    ]
-
-[linters]
-  enable-all = true
-  disable = [
-    "scopelint", # Deprecated
-    "interfacer", # Deprecated
-    "maligned", # Deprecated
-    "golint", # Deprecated
-    "nosnakecase", # Deprecated
-    "execinquery", # Not relevant (SQL)
-    "sqlclosecheck", # Not relevant (SQL)
-    "rowserrcheck", # Not relevant (SQL)
-    "lll", # Not relevant
-    "gocyclo", # FIXME must be fixed
-    "cyclop", # Duplicate of gocyclo
-    "gocognit", # Too strict
-    "nestif", # Too many false-positive.
-    "prealloc", # Too many false-positive.
-    "makezero", # Not relevant
-    "ifshort", # Not relevant
-    "dupl", # Too strict
-    "gosec", # Too strict
-    "gochecknoinits",
-    "gochecknoglobals",
-    "wsl", # Too strict
-    "nlreturn", # Not relevant
-    "gomnd", # Too strict
-    "stylecheck", # skip because report issues related to some generated files.
-    "testpackage", # Too strict
-    "tparallel", # Not relevant
-    "paralleltest", # Not relevant
-    "exhaustive", # Not relevant
-    "exhaustivestruct", # Not relevant
-    "exhaustruct", # duplicate of exhaustivestruct
-    "goerr113", # Too strict
-    "wrapcheck", # Too strict
-    "noctx", # Too strict
-    "bodyclose", # Too many false-positive and panics.
-    "unparam", # Too strict
-    "godox", # Too strict
-    "forcetypeassert", # Too strict
-    "tagliatelle", # Not compatible with current tags.
-    "varnamelen", # not relevant
-    "nilnil", # not relevant
-    "ireturn", # not relevant
-    "contextcheck", # too many false-positive
-    "containedctx", # too many false-positive
-    "maintidx", # kind of duplicate of gocyclo
-    "nonamedreturns", # not relevant
-    "structcheck", # duplicate of unused
-  ]
-
-[issues]
-  exclude-use-default = false
-  max-per-linter = 0
-  max-same-issues = 0
-  exclude = [
-    "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
-    "should have a package comment, unless it's in another file for this package",
-    "SA1019: http.CloseNotifier has been deprecated",  # FIXME must be fixed
-    "SA1019: cfg.SSLRedirect is deprecated",
-    "SA1019: cfg.SSLTemporaryRedirect is deprecated",
-    "SA1019: cfg.SSLHost is deprecated",
-    "SA1019: cfg.SSLForceHost is deprecated",
-    "SA1019: cfg.FeaturePolicy is deprecated",
-    "SA1019: c.Providers.ConsulCatalog.Namespace is deprecated",
-    "SA1019: c.Providers.Consul.Namespace is deprecated",
-  ]
- [[issues.exclude-rules]]
-    path = "(.+)_test.go"
-    linters = ["goconst", "funlen", "godot", "nosnakecase"]
- [[issues.exclude-rules]]
-    path = "integration/.+_test.go"
-    text = "Error return value of `cmd\\.Process\\.Kill` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/(consul_catalog_test|constraint_test).go"
-    text = "Error return value of `(s.deregisterService|s.deregisterAgentService)` is not checked"
- [[issues.exclude-rules]]
-    path = "integration/grpc_test.go"
-    text = "Error return value of `closer` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/h2c/h2c.go"
-    text = "Error return value of `rw.Write` is not checked"
- [[issues.exclude-rules]]
-    path = "pkg/provider/docker/builder_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
-    text = "(U1000: func )?`(.+)` is unused"
- [[issues.exclude-rules]]
-    path = "pkg/server/service/bufferpool.go"
-    text = "SA6002: argument should be pointer-like to avoid allocations"
- [[issues.exclude-rules]]
-    path = "cmd/configuration.go"
-    text = "string `traefik` has (\\d) occurrences, make it a constant"
- [[issues.exclude-rules]]
-    path = "pkg/server/middleware/middlewares.go"
-    text = "Function 'buildConstructor' has too many statements"
- [[issues.exclude-rules]]
-    path = "pkg/tracing/haystack/logger.go"
-    linters = ["goprintffuncname"]
- [[issues.exclude-rules]]
-    path = "pkg/tracing/tracing.go"
-    text = "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
- [[issues.exclude-rules]]
-    path = "pkg/log/deprecated.go"
-    linters = ["godot"]
- [[issues.exclude-rules]]
-    path = "(.+)\\.go"
-    text = "struct-tag: unknown option 'inline' in JSON tag"
- [[issues.exclude-rules]]
-    path = "pkg/server/router/tcp/manager.go"
-    text = "Function 'buildEntryPointHandler' is too long (.+)"
- [[issues.exclude-rules]]
-    path = "pkg/tls/tlsmanager_test.go"
-    text = "SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18"
- [[issues.exclude-rules]]
-    path = "pkg/types/tls_test.go"
-    text = "SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18"
-
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,181 @@
+run:
+  timeout: 10m
+  skip-files: []
+  skip-dirs:
+    - pkg/provider/kubernetes/crd/generated/
+
+linters-settings:
+  govet:
+    check-shadowing: false
+  golint:
+    min-confidence: 0
+  gocyclo:
+    min-complexity: 14
+  goconst:
+    min-len: 3
+    min-occurrences: 4
+  misspell:
+    locale: US
+  funlen:
+    lines: -1
+    statements: 120
+  forbidigo:
+    forbid:
+      - ^print(ln)?$
+      - ^spew\.Print(f|ln)?$
+      - ^spew\.Dump$
+  depguard:
+    list-type: denylist
+    include-go-root: false
+    packages:
+      - github.com/pkg/errors
+  godox:
+    keywords:
+      - FIXME
+  importas:
+    corev1: k8s.io/api/core/v1
+    networkingv1beta1: k8s.io/api/networking/v1beta1
+    extensionsv1beta1: k8s.io/api/extensions/v1beta1
+    metav1: k8s.io/apimachinery/pkg/apis/meta/v1
+    kubeerror: k8s.io/apimachinery/pkg/api/errors
+    composeapi: github.com/docker/compose/v2/pkg/api
+  revive:
+    rules:
+      - name: struct-tag
+  rules:
+    - name: blank-imports
+    - name: context-as-argument
+    - name: context-keys-type
+    - name: dot-imports
+    - name: error-return
+    - name: error-strings
+    - name: error-naming
+    - name: exported
+    - name: if-return
+    - name: increment-decrement
+    - name: var-naming
+    - name: var-declaration
+    - name: package-comments
+    - name: range
+    - name: receiver-naming
+    - name: time-naming
+    - name: unexported-return
+    - name: indent-error-flow
+    - name: errorf
+    - name: empty-block
+    - name: superfluous-else
+    - name: unused-parameter
+    - name: unreachable-code
+    - name: redefines-builtin-id
+  gomoddirectives:
+    replace-allow-list:
+      - github.com/abbot/go-http-auth
+      - github.com/go-check/check
+      - github.com/gorilla/mux
+      - github.com/mailgun/minheap
+      - github.com/mailgun/multibuf
+      - github.com/jaguilar/vt100
+
+linters:
+  enable-all: true
+  disable:
+    - deadcode # deprecated
+    - exhaustivestruct # deprecated
+    - golint # deprecated
+    - ifshort # deprecated
+    - interfacer # deprecated
+    - maligned # deprecated
+    - nosnakecase # deprecated
+    - scopelint # deprecated
+    - scopelint # deprecated
+    - structcheck # deprecated
+    - varcheck # deprecated
+    - sqlclosecheck # not relevant (SQL)
+    - rowserrcheck # not relevant (SQL)
+    - execinquery # not relevant (SQL)
+    - cyclop # duplicate of gocyclo
+    - lll # Not relevant
+    - gocyclo # FIXME must be fixed
+    - gocognit # Too strict
+    - nestif # Too many false-positive.
+    - prealloc # Too many false-positive.
+    - makezero # Not relevant
+    - dupl # Too strict
+    - gosec # Too strict
+    - gochecknoinits
+    - gochecknoglobals
+    - wsl # Too strict
+    - nlreturn # Not relevant
+    - gomnd # Too strict
+    - stylecheck # skip because report issues related to some generated files.
+    - testpackage # Too strict
+    - tparallel # Not relevant
+    - paralleltest # Not relevant
+    - exhaustive # Not relevant
+    - exhaustruct # Not relevant
+    - goerr113 # Too strict
+    - wrapcheck # Too strict
+    - noctx # Too strict
+    - bodyclose # too many false-positive
+    - forcetypeassert # Too strict
+    - tagliatelle # Too strict
+    - varnamelen # Not relevant
+    - nilnil # Not relevant
+    - ireturn # Not relevant
+    - contextcheck # too many false-positive
+    - containedctx # too many false-positive
+    - maintidx # kind of duplicate of gocyclo
+    - nonamedreturns # Too strict
+
+issues:
+  exclude-use-default: false
+  max-per-linter: 0
+  max-same-issues: 0
+  exclude:
+    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
+    - "should have a package comment, unless it's in another file for this package"
+  exclude-rules:
+    - path: '(.+)_test.go'
+      linters:
+        - goconst
+        - funlen
+        - godot
+    - path: '(.+)_test.go'
+      text: ' always receives '
+      linters:
+        - unparam
+    - path: '(.+)\.go'
+      text: 'struct-tag: unknown option ''inline'' in JSON tag'
+      linters:
+        - revive
+    - path: pkg/server/service/bufferpool.go
+      text: 'SA6002: argument should be pointer-like to avoid allocations'
+    - path: pkg/server/middleware/middlewares.go
+      text: "Function 'buildConstructor' has too many statements"
+      linters:
+        - funlen
+    - path: pkg/logs/haystack.go
+      linters:
+        - goprintffuncname
+    - path: pkg/tracing/tracing.go
+      text: "printf-like formatting function 'SetErrorWithEvent' should be named 'SetErrorWithEventf'"
+      linters:
+        - goprintffuncname
+    - path: pkg/tls/tlsmanager_test.go
+      text: 'SA1019: config.ClientCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/types/tls_test.go
+      text: 'SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18'
+    - path: pkg/provider/kubernetes/(crd|gateway)/client.go
+      linters:
+        - interfacebloat
+    - path: pkg/metrics/metrics.go
+      linters:
+        - interfacebloat
+    - path: integration/healthcheck_test.go
+      text: 'Duplicate words \(wsp2,\) found'
+      linters:
+        - dupword
+    - path: pkg/types/domain_test.go
+      text: 'Duplicate words \(sub\) found'
+      linters:
+        - dupword
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -22,24 +22,27 @@ builds:
      - openbsd
    goarch:
      - amd64
-      - 386
+      - '386'
      - arm
      - arm64
      - ppc64le
      - s390x
    goarm:
-      - 7
-      - 6
-      - 5
+      - '7'
+      - '6'
    ignore:
      - goos: darwin
-        goarch: 386
+        goarch: '386'
      - goos: openbsd
        goarch: arm
      - goos: openbsd
        goarch: arm64
+      - goos: freebsd
+        goarch: arm
      - goos: freebsd
        goarch: arm64
+      - goos: windows
+        goarch: arm

 changelog:
  skip: true
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -25,7 +25,7 @@ global_job_config:
      - export "PATH=${GOPATH}/bin:${PATH}"
      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.48.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.50.0
      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
      - checkout
      - cache restore traefik-$(checksum go.sum)
@@ -64,7 +64,7 @@ blocks:
        - name: GH_VERSION
          value: 1.12.1
        - name: CODENAME
-          value: "vacherin"
+          value: "beaufort"
        - name: IN_DOCKER
          value: ""
      prologue:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,265 @@
+## [v3.0.0-beta1](https://github.com/traefik/traefik/tree/v3.0.0-beta1) (2022-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v3.0.0-beta1)
+
+**Enhancements:**
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [jilleJr](https://github.com/jilleJr))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+
+**Documentation:**
+- **[metrics]** Update and publish official Grafana Dashboard ([#9493](https://github.com/traefik/traefik/pull/9493) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
+
+**Bug fixes:**
+- **[logs,middleware]** Create a new capture instance for each incoming request ([#9510](https://github.com/traefik/traefik/pull/9510) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s/helm]** Update helm repository ([#9506](https://github.com/traefik/traefik/pull/9506) by [charlie-haley](https://github.com/charlie-haley))
+- Enhance wording of building-testing page ([#9509](https://github.com/traefik/traefik/pull/9509) by [svx](https://github.com/svx))
+- Add link descriptions and update wording ([#9507](https://github.com/traefik/traefik/pull/9507) by [svx](https://github.com/svx))
+- Removes the experimental tag on the Traefik Hub header ([#9498](https://github.com/traefik/traefik/pull/9498) by [tfny](https://github.com/tfny))
+
+## [v2.9.4](https://github.com/traefik/traefik/tree/v2.9.4) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.9.0 ([#9413](https://github.com/traefik/traefik/pull/9413) by [tony-defa](https://github.com/tony-defa))
+- **[kv,redis]** Fix Redis configuration type ([#9435](https://github.com/traefik/traefik/pull/9435) by [ldez](https://github.com/ldez))
+- **[logs,middleware,metrics]** Handle capture on redefined http.responseWriters ([#9440](https://github.com/traefik/traefik/pull/9440) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s]** Remove raw cert escape in PassTLSClientCert middleware ([#9412](https://github.com/traefik/traefik/pull/9412) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Update Yaegi to v0.14.3 ([#9468](https://github.com/traefik/traefik/pull/9468) by [ldez](https://github.com/ldez))
+- Remove side effect on default transport tests ([#9460](https://github.com/traefik/traefik/pull/9460) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s]** Fix links to gateway API guides ([#9445](https://github.com/traefik/traefik/pull/9445) by [kevinpollet](https://github.com/kevinpollet))
+- Simplify dashboard rule example ([#9454](https://github.com/traefik/traefik/pull/9454) by [sosoba](https://github.com/sosoba))
+- Add v2.9 to release page ([#9438](https://github.com/traefik/traefik/pull/9438) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
+
+Release canceled.
+
+## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)
+
+Release canceled.
+
+## [v2.9.1](https://github.com/traefik/traefik/tree/v2.9.1) (2022-10-03)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.1)
+
+**Enhancements:**
+- **[acme,tls]** ACME Default Certificate ([#9189](https://github.com/traefik/traefik/pull/9189) by [rtribotte](https://github.com/rtribotte))
+- **[consul,etcd,zk,kv,redis]** Update valkeyrie to v1.0.0 ([#9316](https://github.com/traefik/traefik/pull/9316) by [ldez](https://github.com/ldez))
+- **[consulcatalog,nomad]** Support Nomad canary deployment ([#9216](https://github.com/traefik/traefik/pull/9216) by [rtribotte](https://github.com/rtribotte))
+- **[consulcatalog]** Move consulcatalog provider to only use health apis ([#9140](https://github.com/traefik/traefik/pull/9140) by [kevinpollet](https://github.com/kevinpollet))
+- **[docker]** Add support for reaching containers using host networking on Podman ([#9190](https://github.com/traefik/traefik/pull/9190) by [freundTech](https://github.com/freundTech))
+- **[docker]** Use IPv6 address ([#9183](https://github.com/traefik/traefik/pull/9183) by [tomMoulard](https://github.com/tomMoulard))
+- **[docker]** Add allowEmptyServices for Docker provider ([#8690](https://github.com/traefik/traefik/pull/8690) by [jvasseur](https://github.com/jvasseur))
+- **[ecs]**  Add support for ECS Anywhere ([#9324](https://github.com/traefik/traefik/pull/9324) by [tuxpower](https://github.com/tuxpower))
+- **[healthcheck]** Add a method option to the service Health Check ([#9165](https://github.com/traefik/traefik/pull/9165) by [ddtmachado](https://github.com/ddtmachado))
+- **[http3]** Upgrade quic-go to v0.28.0 ([#9187](https://github.com/traefik/traefik/pull/9187) by [tomMoulard](https://github.com/tomMoulard))
+- **[http]** Start polling HTTP provider at the beginning ([#9116](https://github.com/traefik/traefik/pull/9116) by [moutoum](https://github.com/moutoum))
+- **[k8s/crd,plugins]** Load plugin configuration field value from Kubernetes Secret ([#9103](https://github.com/traefik/traefik/pull/9103) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tcp]** Quiet down TCP RST packet error on read operation ([#9007](https://github.com/traefik/traefik/pull/9007) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Add traffic size metrics ([#9208](https://github.com/traefik/traefik/pull/9208) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,pilot]** Remove Pilot support ([#9330](https://github.com/traefik/traefik/pull/9330) by [ldez](https://github.com/ldez))
+- **[rules,tcp]** Support ALPN for TCP + TLS routers ([#8913](https://github.com/traefik/traefik/pull/8913) by [sh7dm](https://github.com/sh7dm))
+- **[tcp,service,udp]** Make the loadbalancers servers order random ([#9037](https://github.com/traefik/traefik/pull/9037) by [qmloong](https://github.com/qmloong))
+- **[tls]** Change default TLS options for more security ([#8951](https://github.com/traefik/traefik/pull/8951) by [ddtmachado](https://github.com/ddtmachado))
+- **[tracing]** Add Datadog GlobalTags support ([#9266](https://github.com/traefik/traefik/pull/9266) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Prepare release v2.9.0 ([#9409](https://github.com/traefik/traefik/pull/9409) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
+- Prepare release v2.9.0-rc5 ([#9402](https://github.com/traefik/traefik/pull/9402) by [ldez](https://github.com/ldez))
+- Prepare release v2.9.0-rc4 ([#9372](https://github.com/traefik/traefik/pull/9372) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v2.9.0-rc3 ([#9344](https://github.com/traefik/traefik/pull/9344) by [kevinpollet](https://github.com/kevinpollet))
+- Prepare release v2.9.0-rc2 ([6c2c561](https://github.com/traefik/traefik/commit/6c2c561d8f935d76ccd07d28e1455c7768adc153) by [ldez](https://github.com/ldez))
+- Prepare release v2.9.0-rc1 ([#9334](https://github.com/traefik/traefik/pull/9334) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9371](https://github.com/traefik/traefik/pull/9371) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9367](https://github.com/traefik/traefik/pull/9367) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9350](https://github.com/traefik/traefik/pull/9350) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9343](https://github.com/traefik/traefik/pull/9343) by [kevinpollet](https://github.com/kevinpollet))
+- Merge v2.8.5 into master ([#9329](https://github.com/traefik/traefik/pull/9329) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9291](https://github.com/traefik/traefik/pull/9291) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9265](https://github.com/traefik/traefik/pull/9265) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9209](https://github.com/traefik/traefik/pull/9209) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9146](https://github.com/traefik/traefik/pull/9146) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9135](https://github.com/traefik/traefik/pull/9135) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0](https://github.com/traefik/traefik/tree/v2.9.0) (2022-10-03)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.0)
+
+Release canceled.
+
+## [v2.9.0-rc5](https://github.com/traefik/traefik/tree/v2.9.0-rc5) (2022-09-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc4...v2.9.0-rc5)
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))
+
+## [v2.8.8](https://github.com/traefik/traefik/tree/v2.8.8) (2022-09-30)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.7...v2.8.8)
+
+**Bug fixes:**
+- **[server]** Update golang.org/x/net to latest version ([#9398](https://github.com/traefik/traefik/pull/9398) by [tspearconquest](https://github.com/tspearconquest))
+
+**Documentation:**
+- **[docker]** Fix watch option description for Docker provider ([#9391](https://github.com/traefik/traefik/pull/9391) by [bhuisgen](https://github.com/bhuisgen))
+- **[ecs]** Fix autoDiscoverClusters option documentation for ECS provider ([#9392](https://github.com/traefik/traefik/pull/9392) by [johnpekcan](https://github.com/johnpekcan))
+- **[k8s]** Improve documentation for publishedService and IP options ([#9380](https://github.com/traefik/traefik/pull/9380) by [samip5](https://github.com/samip5))
+
+## [v2.9.0-rc4](https://github.com/traefik/traefik/tree/v2.9.0-rc4) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc3...v2.9.0-rc4)
+
+**Bug fixes:**
+- **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9371](https://github.com/traefik/traefik/pull/9371) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9367](https://github.com/traefik/traefik/pull/9367) by [ldez](https://github.com/ldez))
+- Merge current v2.8 into v2.9 ([#9350](https://github.com/traefik/traefik/pull/9350) by [ldez](https://github.com/ldez))
+
+## [v2.8.7](https://github.com/traefik/traefik/tree/v2.8.7) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.5...v2.8.7)
+
+**Bug fixes:**
+- **[consulcatalog]** Fix UDP loadbalancer tags not being used with Consul Catalog ([#9357](https://github.com/traefik/traefik/pull/9357) by [t3hchipmunk](https://github.com/t3hchipmunk))
+- **[docker,rancher,ecs,provider]** Simplify AddServer algorithm ([#9358](https://github.com/traefik/traefik/pull/9358) by [ldez](https://github.com/ldez))
+- **[plugins]** Allow empty plugin configuration ([#9338](https://github.com/traefik/traefik/pull/9338) by [ldez](https://github.com/ldez))
+- **[rules]** Fix query parameter matching with equal ([#9369](https://github.com/traefik/traefik/pull/9369) by [ldez](https://github.com/ldez))
+- **[server]** Optimize websocket headers handling ([#9360](https://github.com/traefik/traefik/pull/9360) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[ecs]** Add documentation for ECS constraints option ([#9354](https://github.com/traefik/traefik/pull/9354) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/gatewayapi]** Fix link to RouteNamespaces ([#9349](https://github.com/traefik/traefik/pull/9349) by [ldez](https://github.com/ldez))
+- Add documentation for json schema usage to validate config in the FAQ ([#9340](https://github.com/traefik/traefik/pull/9340) by [rtribotte](https://github.com/rtribotte))
+- Add a note on case insensitive regex matching ([#9322](https://github.com/traefik/traefik/pull/9322) by [NEwa-05](https://github.com/NEwa-05))
+
+## [v2.8.6](https://github.com/traefik/traefik/tree/v2.8.6) (2022-09-23)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.5...v2.8.6)
+
+Release canceled.
+
+## [v2.9.0-rc3](https://github.com/traefik/traefik/tree/v2.9.0-rc3) (2022-09-16)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc2...v2.9.0-rc3)
+
+**Misc:**
+- Merge current v2.8 into v2.9 ([#9343](https://github.com/traefik/traefik/pull/9343) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0-rc1](https://github.com/traefik/traefik/tree/v2.9.0-rc2) (2022-09-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.0-rc1...v2.9.0-rc2)
+
+**Enhancements:**
+- **[acme,tls]** ACME Default Certificate ([#9189](https://github.com/traefik/traefik/pull/9189) by [rtribotte](https://github.com/rtribotte))
+- **[consul,etcd,zk,kv,redis]** Update valkeyrie to v1.0.0 ([#9316](https://github.com/traefik/traefik/pull/9316) by [ldez](https://github.com/ldez))
+- **[consulcatalog,nomad]** Support Nomad canary deployment ([#9216](https://github.com/traefik/traefik/pull/9216) by [rtribotte](https://github.com/rtribotte))
+- **[consulcatalog]** Move consulcatalog provider to only use health apis ([#9140](https://github.com/traefik/traefik/pull/9140) by [kevinpollet](https://github.com/kevinpollet))
+- **[docker]** Add support for reaching containers using host networking on Podman ([#9190](https://github.com/traefik/traefik/pull/9190) by [freundTech](https://github.com/freundTech))
+- **[docker]** Use IPv6 address ([#9183](https://github.com/traefik/traefik/pull/9183) by [tomMoulard](https://github.com/tomMoulard))
+- **[docker]** Add allowEmptyServices for Docker provider ([#8690](https://github.com/traefik/traefik/pull/8690) by [jvasseur](https://github.com/jvasseur))
+- **[ecs]**  Add support for ECS Anywhere ([#9324](https://github.com/traefik/traefik/pull/9324) by [tuxpower](https://github.com/tuxpower))
+- **[healthcheck]** Add a method option to the service Health Check ([#9165](https://github.com/traefik/traefik/pull/9165) by [ddtmachado](https://github.com/ddtmachado))
+- **[http3]** Upgrade quic-go to v0.28.0 ([#9187](https://github.com/traefik/traefik/pull/9187) by [tomMoulard](https://github.com/tomMoulard))
+- **[http]** Start polling HTTP provider at the beginning ([#9116](https://github.com/traefik/traefik/pull/9116) by [moutoum](https://github.com/moutoum))
+- **[k8s/crd,plugins]** Load plugin configuration field value from Kubernetes Secret ([#9103](https://github.com/traefik/traefik/pull/9103) by [rtribotte](https://github.com/rtribotte))
+- **[logs,tcp]** Quiet down TCP RST packet error on read operation ([#9007](https://github.com/traefik/traefik/pull/9007) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Add traffic size metrics ([#9208](https://github.com/traefik/traefik/pull/9208) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware,pilot]** Remove Pilot support ([#9330](https://github.com/traefik/traefik/pull/9330) by [ldez](https://github.com/ldez))
+- **[rules,tcp]** Support ALPN for TCP + TLS routers ([#8913](https://github.com/traefik/traefik/pull/8913) by [sh7dm](https://github.com/sh7dm))
+- **[tcp,service,udp]** Make the loadbalancers servers order random ([#9037](https://github.com/traefik/traefik/pull/9037) by [qmloong](https://github.com/qmloong))
+- **[tls]** Change default TLS options for more security ([#8951](https://github.com/traefik/traefik/pull/8951) by [ddtmachado](https://github.com/ddtmachado))
+- **[tracing]** Add Datadog GlobalTags support ([#9266](https://github.com/traefik/traefik/pull/9266) by [sdelicata](https://github.com/sdelicata))
+
+**Misc:**
+- Merge v2.8.5 into master ([#9329](https://github.com/traefik/traefik/pull/9329) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9291](https://github.com/traefik/traefik/pull/9291) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.8 into master ([#9265](https://github.com/traefik/traefik/pull/9265) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9209](https://github.com/traefik/traefik/pull/9209) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9146](https://github.com/traefik/traefik/pull/9146) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.8 into master ([#9135](https://github.com/traefik/traefik/pull/9135) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v2.9.0-rc1](https://github.com/traefik/traefik/tree/v2.9.0-rc1) (2022-09-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.0-rc1...v2.9.0-rc1)
+
+Release canceled.
+
+## [v2.8.5](https://github.com/traefik/traefik/tree/v2.8.5) (2022-09-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.4...v2.8.5)
+
+**Bug fixes:**
+- **[plugins]** Update Yaegi to v0.14.2 ([#9327](https://github.com/traefik/traefik/pull/9327) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Fix IPv6 addr with square brackets ([#9313](https://github.com/traefik/traefik/pull/9313) by [moonlightwatch](https://github.com/moonlightwatch))
+- **[webui,api]** Display default TLS options in the dashboard ([#9312](https://github.com/traefik/traefik/pull/9312) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[docker]** Add healthcheck timeout seconds to value ([#9306](https://github.com/traefik/traefik/pull/9306) by [fty4](https://github.com/fty4))
+- Update deprecation notes about Pilot ([#9314](https://github.com/traefik/traefik/pull/9314) by [nmengin](https://github.com/nmengin))
+- Added resources for businesses ([#9268](https://github.com/traefik/traefik/pull/9268) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.8.4](https://github.com/traefik/traefik/tree/v2.8.4) (2022-09-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.3...v2.8.4)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Fix Docker provider mem leak on operation retries ([#9288](https://github.com/traefik/traefik/pull/9288) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix retry middleware on panic ([#9284](https://github.com/traefik/traefik/pull/9284) by [ldez](https://github.com/ldez))
+- **[plugins]** Allow Traefik starting even if plugin service is unavailable ([#9287](https://github.com/traefik/traefik/pull/9287) by [ldez](https://github.com/ldez))
+- chore: update paerser to v0.1.9 ([#9270](https://github.com/traefik/traefik/pull/9270) by [tomMoulard](https://github.com/tomMoulard))
+
+**Documentation:**
+- **[acme]** Fix infoblox acme provider documentation ([#9277](https://github.com/traefik/traefik/pull/9277) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Fix serversTransport CRD documentation ([#9283](https://github.com/traefik/traefik/pull/9283) by [cuishuang](https://github.com/cuishuang))
+- **[k8s/crd]** Fix k8s for example for rootCAs serversTransport ([#9274](https://github.com/traefik/traefik/pull/9274) by [ben-krieger](https://github.com/ben-krieger))
+- **[k8s]** Add missing networking apiGroup in Kubernetes RBACs examples and references ([#9295](https://github.com/traefik/traefik/pull/9295) by [fibsifan](https://github.com/fibsifan))
+- Update deprecation notes about Pilot ([#9300](https://github.com/traefik/traefik/pull/9300) by [nmengin](https://github.com/nmengin))
+
 ## [v2.8.3](https://github.com/traefik/traefik/tree/v2.8.3) (2022-08-12)
 [All Commits](https://github.com/traefik/traefik/compare/v2.8.2...v2.8.3)

@@ -6199,5 +6461,3 @@ Same changelog as v2.0.3.
 - Fix travis tag check [\#422](https://github.com/traefik/traefik/pull/422) ([emilevauge](https://github.com/emilevauge))
 - log info about TOML configuration file using [\#420](https://github.com/traefik/traefik/pull/420) ([cocap10](https://github.com/cocap10))
 - Doc about skipping some integration tests with '-check.f ConsulCatalogSuite' [\#418](https://github.com/traefik/traefik/pull/418) ([samber](https://github.com/samber))
-
-\* *This Change Log was automatically generated by [gcg](https://github.com/ldez/gcg)*
--- a/2
+++ b/2
@@ -189,7 +189,7 @@ generate-genconf:
 .PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 4 --timeout="90m"
 	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, GRPC ready
+- Websocket, HTTP/2, gRPC ready
 - Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
 - Keeps access logs (JSON, CLF)
 - Fast
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,7 +1,6 @@
 # Security Policy

-We strongly advise you to register your Traefik instances to [Pilot](https://pilot.traefik.io) to be notified of security advisories that apply to your Traefik version.
-You can also join our security mailing list to be aware of the latest announcements from our security team.
+You can join our security mailing list to be aware of the latest announcements from our security team.
 You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).

 Reported vulnerabilities can be found on [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -13,10 +13,10 @@ RUN mkdir -p /usr/local/bin \
    | tar -xzC /usr/local/bin --transform 's#^.+/##x'

 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.48.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash -s -- -b $GOPATH/bin v1.50.0

 # Download misspell binary to bin folder in $GOPATH
-RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4
+RUN curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.4.0

 # Download goreleaser binary to bin folder in $GOPATH
 RUN curl -sfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | sh
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -64,7 +64,7 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 	client := &http.Client{Timeout: 5 * time.Second}
 	protocol := "http"

-	// FIXME Handle TLS on ping etc...
+	// TODO Handle TLS on ping etc...
 	// if pingEntryPoint.TLS != nil {
 	// 	protocol = "https"
 	// 	tr := &http.Transport{
--- a/cmd/internal/gen/centrifuge.go
+++ b/cmd/internal/gen/centrifuge.go
@@ -72,22 +72,16 @@ func NewCentrifuge(rootPkg string) (*Centrifuge, error) {

 // Run runs the code extraction and the code generation.
 func (c Centrifuge) Run(dest string, pkgName string) error {
-	files, err := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
-	if err != nil {
-		return err
-	}
+	files := c.run(c.pkg.Scope(), c.rootPkg, pkgName)

-	err = fileWriter{baseDir: dest}.Write(files)
+	err := fileWriter{baseDir: dest}.Write(files)
 	if err != nil {
 		return err
 	}

 	for _, p := range c.pkg.Imports() {
 		if contains(c.IncludedImports, p.Path()) {
-			fls, err := c.run(p.Scope(), p.Path(), p.Name())
-			if err != nil {
-				return err
-			}
+			fls := c.run(p.Scope(), p.Path(), p.Name())

 			err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
 			if err != nil {
@@ -99,7 +93,7 @@ func (c Centrifuge) Run(dest string, pkgName string) error {
 	return err
 }

-func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[string]*File, error) {
+func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) map[string]*File {
 	files := map[string]*File{}

 	for _, name := range sc.Names() {
@@ -158,7 +152,7 @@ func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[st
 		}
 	}

-	return files, nil
+	return files
 }

 func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -0,0 +1,89 @@
+package main
+
+import (
+	"io"
+	stdlog "log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/natefinch/lumberjack"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v2/pkg/logs"
+)
+
+func init() {
+	// hide the first logs before the setup of the logger.
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+}
+
+func setupLogger(staticConfiguration *static.Configuration) {
+	// configure log format
+	w := getLogWriter(staticConfiguration)
+
+	// configure log level
+	logLevel := getLogLevel(staticConfiguration)
+
+	// create logger
+	logCtx := zerolog.New(w).With().Timestamp()
+	if logLevel <= zerolog.DebugLevel {
+		logCtx = logCtx.Caller()
+	}
+
+	log.Logger = logCtx.Logger().Level(logLevel)
+	zerolog.DefaultContextLogger = &log.Logger
+	zerolog.SetGlobalLevel(logLevel)
+
+	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
+	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
+
+	// configure default standard log.
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+}
+
+func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
+	var w io.Writer = os.Stderr
+
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		w = &lumberjack.Logger{
+			Filename:   staticConfiguration.Log.FilePath,
+			MaxSize:    staticConfiguration.Log.MaxSize,
+			MaxBackups: staticConfiguration.Log.MaxBackups,
+			MaxAge:     staticConfiguration.Log.MaxAge,
+			Compress:   true,
+		}
+	}
+
+	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
+		w = zerolog.ConsoleWriter{
+			Out:        w,
+			TimeFormat: time.RFC3339,
+			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
+		}
+	}
+
+	return w
+}
+
+func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+	}
+
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
+	if err != nil {
+		log.Error().Err(err).
+			Str("logLevel", levelStr).
+			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
+
+		logLevel = zerolog.ErrorLevel
+	}
+
+	return logLevel
+}
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -30,7 +30,6 @@ func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]p
 	if hasPlugins(staticCfg) {
 		opts := plugins.ClientOptions{
 			Output: outputDir,
-			Token:  getPilotToken(staticCfg),
 		}

 		var err error
@@ -75,18 +74,6 @@ func checkUniquePluginNames(e *static.Experimental) error {
 	return nil
 }

-func isPilotEnabled(staticCfg *static.Configuration) bool {
-	return staticCfg.Pilot != nil && staticCfg.Pilot.Token != ""
-}
-
-func getPilotToken(staticCfg *static.Configuration) string {
-	if staticCfg.Pilot == nil {
-		return ""
-	}
-
-	return staticCfg.Pilot.Token
-}
-
 func hasPlugins(staticCfg *static.Configuration) bool {
 	return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
 }
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
@@ -18,7 +17,9 @@ import (
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
+	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
 	"github.com/traefik/traefik/v2/cmd"
 	"github.com/traefik/traefik/v2/cmd/healthcheck"
@@ -28,22 +29,23 @@ import (
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
 	"github.com/traefik/traefik/v2/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/logs"
 	"github.com/traefik/traefik/v2/pkg/metrics"
 	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v2/pkg/pilot"
 	"github.com/traefik/traefik/v2/pkg/provider/acme"
 	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
 	"github.com/traefik/traefik/v2/pkg/provider/hub"
+	"github.com/traefik/traefik/v2/pkg/provider/tailscale"
 	"github.com/traefik/traefik/v2/pkg/provider/traefik"
 	"github.com/traefik/traefik/v2/pkg/safe"
 	"github.com/traefik/traefik/v2/pkg/server"
 	"github.com/traefik/traefik/v2/pkg/server/middleware"
 	"github.com/traefik/traefik/v2/pkg/server/service"
 	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+	"github.com/traefik/traefik/v2/pkg/tracing"
+	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
 	"github.com/traefik/traefik/v2/pkg/types"
 	"github.com/traefik/traefik/v2/pkg/version"
-	"github.com/vulcand/oxy/roundrobin"
 )

 func main() {
@@ -85,27 +87,24 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	configureLogging(staticConfiguration)
+	setupLogger(staticConfiguration)

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

-	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
-	}
-
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}

-	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.Info().Str("version", version.Version).
+		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)

 	jsonConf, err := json.Marshal(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.Error().Err(err).Msg("Could not marshal static configuration")
+		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
 	}

 	if staticConfiguration.Global.CheckNewVersion {
@@ -130,16 +129,16 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.WithoutContext().Errorf("Failed to notify: %v", err)
+		log.Error().Err(err).Msg("Failed to notify")
 	}

 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
+		log.Error().Err(err).Msg("Could not enable Watchdog")
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
+		log.Info().Msgf("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -150,17 +149,17 @@ func runCmd(staticConfiguration *static.Configuration) error {

 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.WithoutContext().Error("Fail to tick watchdog")
+						log.Error().Msg("Fail to tick watchdog")
 					}
 				} else {
-					log.WithoutContext().Error(errHealthCheck)
+					log.Error().Err(errHealthCheck).Send()
 				}
 			}
 		})
 	}

 	svr.Wait()
-	log.WithoutContext().Info("Shutting down")
+	log.Info().Msg("Shutting down")
 	return nil
 }

@@ -189,6 +188,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)

+	// Tailscale
+
+	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+
 	// Entrypoints

 	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
@@ -201,34 +204,20 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	// Pilot
-
-	var aviator *pilot.Pilot
-	var pilotRegistry *metrics.PilotRegistry
-	if isPilotEnabled(staticConfiguration) {
-		pilotRegistry = metrics.RegisterPilot()
-
-		aviator = pilot.New(staticConfiguration.Pilot.Token, pilotRegistry, routinesPool)
-
-		routinesPool.GoCtx(func(ctx context.Context) {
-			aviator.Tick(ctx)
-		})
-	}
-
-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot is deprecated and will be removed soon. Please check our Blog for migration instructions later this year.")
-	}
-
 	// Plugins

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		return nil, err
+		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
 	}

 	// Providers plugins

 	for name, conf := range staticConfiguration.Providers.Plugin {
+		if pluginBuilder == nil {
+			break
+		}
+
 		p, err := pluginBuilder.BuildProvider(name, conf)
 		if err != nil {
 			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
@@ -256,21 +245,39 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// Metrics

 	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	if pilotRegistry != nil {
-		metricRegistries = append(metricRegistries, pilotRegistry)
-	}
 	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)

 	// Service manager factory

-	roundTripperManager := service.NewRoundTripperManager()
+	var spiffeX509Source *workloadapi.X509Source
+	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
+		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
+			Msg("Waiting on SPIFFE SVID delivery")
+
+		spiffeX509Source, err = workloadapi.NewX509Source(
+			ctx,
+			workloadapi.WithClientOptions(
+				workloadapi.WithAddr(
+					staticConfiguration.Spiffe.WorkloadAPIAddr,
+				),
+			),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
+		}
+		log.Info().Msg("Successfully obtained SPIFFE SVID.")
+	}
+
+	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)

 	// Router factory

 	accessLog := setupAccessLog(staticConfiguration.AccessLog)
-	chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
+	tracer := setupTracing(staticConfiguration.Tracing)
+
+	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
 	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)

 	// Watcher
@@ -305,7 +312,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	})

 	// Switch router
-	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP, aviator))
+	watcher.AddListener(switchRouter(routerFactory, serverEntryPointsTCP, serverEntryPointsUDP))

 	// Metrics
 	if metricsRegistry.IsEpEnabled() || metricsRegistry.IsSvcEnabled() {
@@ -321,13 +328,22 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)

-	// ACME
+	// Certificate Resolvers
+
 	resolverNames := map[string]struct{}{}
+
+	// ACME
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

+	// Tailscale
+	for _, p := range tsProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.HandleConfigUpdate)
+	}
+
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -339,7 +355,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
 				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
 				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
+					Msg("Router uses a non-existent certificate resolver")
 			}
 		}
 	})
@@ -360,8 +377,24 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid

 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
+
+	// Determines if at least one EntryPoint is configured to be used by default.
+	var hasDefinedDefaults bool
+	for _, ep := range staticConfiguration.EntryPoints {
+		if ep.AsDefault {
+			hasDefinedDefaults = true
+			break
+		}
+	}
+
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		// By default all entrypoints are considered.
+		// If at least one is flagged, then only flagged entrypoints are included.
+		if hasDefinedDefaults && !cfg.AsDefault {
+			continue
+		}
+
+		// Traefik Hub entryPoint should not be used as a default entryPoint.
 		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
 			continue
 		}
@@ -369,7 +402,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			log.Error().Err(err).Msg("Invalid protocol")
 		}

 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -381,22 +414,18 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 	return defaultEntryPoints
 }

-func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints, aviator *pilot.Pilot) func(conf dynamic.Configuration) {
+func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP server.TCPEntryPoints, serverEntryPointsUDP server.UDPEntryPoints) func(conf dynamic.Configuration) {
 	return func(conf dynamic.Configuration) {
 		rtConf := runtime.NewConfig(conf)

 		routers, udpRouters := routerFactory.CreateRouters(rtConf)

-		if aviator != nil {
-			aviator.SetDynamicConfiguration(conf)
-		}
-
 		serverEntryPointsTCP.Switch(routers)
 		serverEntryPointsUDP.Switch(udpRouters)
 	}
 }

-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

@@ -419,7 +448,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
 			continue
 		}

@@ -433,6 +462,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }

+// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
+func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
+	var providers []*tailscale.Provider
+	for name, resolver := range cfg.CertificatesResolvers {
+		if resolver.Tailscale == nil {
+			continue
+		}
+
+		tsProvider := &tailscale.Provider{ResolverName: name}
+
+		if err := providerAggregator.AddProvider(tsProvider); err != nil {
+			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
+			continue
+		}
+
+		providers = append(providers, tsProvider)
+	}
+
+	return providers
+}
+
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -441,42 +491,70 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry

 	if metricsConfig.Prometheus != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
-		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
+
+		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+			logger.Debug().Msg("Configured Prometheus metrics")
 		}
 	}

 	if metricsConfig.Datadog != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
-		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
-		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
-			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
+
+		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
+		logger.Debug().
+			Str("address", metricsConfig.Datadog.Address).
+			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
+			Msgf("Configured Datadog metrics")
 	}

 	if metricsConfig.StatsD != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
-		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
-		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
-			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()
+
+		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
+		logger.Debug().
+			Str("address", metricsConfig.StatsD.Address).
+			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
+			Msg("Configured StatsD metrics")
 	}

 	if metricsConfig.InfluxDB != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
-		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
-		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
-			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb").Logger()
+
+		registries = append(registries, metrics.RegisterInfluxDB(logger.WithContext(context.Background()), metricsConfig.InfluxDB))
+		logger.Debug().
+			Str("address", metricsConfig.InfluxDB.Address).
+			Str("pushInterval", metricsConfig.InfluxDB.PushInterval.String()).
+			Msg("Configured InfluxDB metrics")
 	}

 	if metricsConfig.InfluxDB2 != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
-		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
+
+		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
-				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+			logger.Debug().
+				Str("address", metricsConfig.InfluxDB2.Address).
+				Str("bucket", metricsConfig.InfluxDB2.Bucket).
+				Str("organization", metricsConfig.InfluxDB2.Org).
+				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
+				Msg("Configured InfluxDB v2 metrics")
+		}
+	}
+
+	if metricsConfig.OpenTelemetry != nil {
+		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
+
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OpenTelemetry)
+		if openTelemetryRegistry != nil {
+			registries = append(registries, openTelemetryRegistry)
+			logger.Debug().
+				Str("address", metricsConfig.OpenTelemetry.Address).
+				Str("pushInterval", metricsConfig.OpenTelemetry.PushInterval.String()).
+				Msg("Configured OpenTelemetry metrics")
 		}
 	}

@@ -504,64 +582,85 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger : %v", err)
+		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
 	}

 	return accessLoggerMiddleware
 }

-func configureLogging(staticConfiguration *static.Configuration) {
-	// configure default log flags
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+func setupTracing(conf *static.Tracing) *tracing.Tracing {
+	if conf == nil {
+		return nil
 	}

-	level, err := logrus.ParseLevel(levelStr)
-	if err != nil {
-		log.WithoutContext().Errorf("Error getting level: %v", err)
-	}
-	log.SetLevel(level)
+	var backend tracing.Backend

-	var logFile string
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		logFile = staticConfiguration.Log.FilePath
+	if conf.Jaeger != nil {
+		backend = conf.Jaeger
 	}

-	// configure log format
-	var formatter logrus.Formatter
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
-		formatter = &logrus.JSONFormatter{}
+	if conf.Zipkin != nil {
+		if backend != nil {
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Zipkin backend.")
 		} else {
-		disableColors := len(logFile) > 0
-		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
+			backend = conf.Zipkin
 		}
-	log.SetFormatter(formatter)
-
-	if len(logFile) > 0 {
-		dir := filepath.Dir(logFile)
-
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
 	}

-		err = log.OpenFile(logFile)
-		logrus.RegisterExitHandler(func() {
-			if err := log.CloseFile(); err != nil {
-				log.WithoutContext().Errorf("Error while closing log: %v", err)
+	if conf.Datadog != nil {
+		if backend != nil {
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Datadog backend.")
+		} else {
+			backend = conf.Datadog
 		}
-		})
+	}
+
+	if conf.Instana != nil {
+		if backend != nil {
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Instana backend.")
+		} else {
+			backend = conf.Instana
+		}
+	}
+
+	if conf.Haystack != nil {
+		if backend != nil {
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Haystack backend.")
+		} else {
+			backend = conf.Haystack
+		}
+	}
+
+	if conf.Elastic != nil {
+		if backend != nil {
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Elastic backend.")
+		} else {
+			backend = conf.Elastic
+		}
+	}
+
+	if conf.OpenTelemetry != nil {
+		if backend != nil {
+			log.Error().Msg("Tracing backends are all mutually exclusive: cannot create OpenTelemetry backend.")
+		} else {
+			backend = conf.OpenTelemetry
+		}
+	}
+
+	if backend == nil {
+		log.Debug().Msg("Could not initialize tracing, using Jaeger by default")
+		defaultBackend := &jaeger.Config{}
+		defaultBackend.SetDefaults()
+		backend = defaultBackend
+	}
+
+	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
-		}
+		log.Warn().Err(err).Msg("Unable to create tracer")
+		return nil
 	}
+	return tracer
 }

 func checkNewVersion() {
@@ -574,16 +673,16 @@ func checkNewVersion() {
 }

 func stats(staticConfiguration *static.Configuration) {
-	logger := log.WithoutContext()
+	logger := log.Info()

 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info(`Stats collection is enabled.`)
-		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Msg(`Stats collection is enabled.`)
+		logger.Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Msg(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info(`
+		logger.Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -596,7 +695,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.WithoutContext().Debug(err)
+				log.Debug().Err(err).Send()
 			}
 		}
 	})
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v2/pkg/config/static"
 )

 // FooCert is a PEM-encoded TLS cert.
@@ -114,3 +115,79 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
+
+func TestGetDefaultsEntrypoints(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		entrypoints static.EntryPoints
+		expected    []string
+	}{
+		{
+			desc: "Skips special names",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"traefik": {
+					Address: ":8080",
+				},
+				"traefikhub-api": {
+					Address: ":9900",
+				},
+				"traefikhub-tunl": {
+					Address: ":9901",
+				},
+			},
+			expected: []string{"web"},
+		},
+		{
+			desc: "Two EntryPoints not attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+		{
+			desc: "Two EntryPoints only one attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"websecure"},
+		},
+		{
+			desc: "Two attachable EntryPoints",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address:   ":80",
+					AsDefault: true,
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			actual := getDefaultsEntrypoints(&static.Configuration{
+				EntryPoints: test.entrypoints,
+			})
+
+			assert.ElementsMatch(t, test.expected, actual)
+		})
+	}
+}
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -8,17 +8,22 @@ description: "Compile and test your own Traefik Proxy! Learn how to build your o
 Compile and Test Your Own Traefik!
 {: .subtitle }

-So you want to build your own Traefik binary from the sources?
+You want to build your own Traefik binary from the sources?
 Let's see how.

 ## Building

-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
+You need either [Docker](https://github.com/docker/docker "Link to website of Docker") and `make` (Method 1), or [Go](https://go.dev/ "Link to website of Go") (Method 2) in order to build Traefik.
 For changes to its dependencies, the `dep` dependency management tool is required.

 ### Method 1: Using `Docker` and `Makefile`

 Run make with the `binary` target.
+
+```bash
+make binary
+```
+
 This will create binaries for the Linux platform in the `dist` folder.

 In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
@@ -160,7 +165,7 @@ TESTFLAGS="-check.f MyTestSuite.My" make test-integration
 TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
 ```

-More: https://labix.org/gocheck
+Check [gocheck](https://labix.org/gocheck "Link to website of gocheck") for more information.

 ### Method 2: `go`

--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,10 +15,14 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").

 ### Method 1: `Docker` and `make`

+Please make sure you have the following requirements installed:
+
+- [Docker](https://www.docker.com/ "Link to website of Docker")
+
 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

 ```bash
@@ -43,9 +47,12 @@ $ make docs-build
 ...
 ```

-### Method 2: `mkdocs`
+### Method 2: `MkDocs`

-First, make sure you have `python` and `pip` installed.
+Please make sure you have the following requirements installed:
+
+- [Python](https://www.python.org/ "Link to website of Python")
+- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
 $ python --version
@@ -54,7 +61,7 @@ $ pip --version
 pip 1.5.2
 ```

-Then, install mkdocs with `pip`.
+Then, install MkDocs with `pip`.

 ```bash
 pip install --user -r requirements.txt
@@ -87,7 +94,7 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas

 !!! note "Clean & Verify"

-    If you've made changes to the documentation, it's safter to clean it before verifying it.
+    If you've made changes to the documentation, it's safer to clean it before verifying it.

    ```bash
    $ make docs
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -2,25 +2,4 @@

 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.

-| Feature                                                       | Deprecated | End of Support | Removal |
-|---------------------------------------------------------------|------------|----------------|---------|
-| [Pilot Dashboard (Metrics)](#pilot-dashboard-metrics)         | 2.7        | 2.8            | 3.0     |
-| [Pilot Plugins](#pilot-plugins)                               | 2.7        | 2.8            | 3.0     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace)   | 2.8        | N/A            | 3.0     |
-
-## Impact
-
-### Pilot Dashboard (Metrics)
-
-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-### Pilot Plugins 
-
-Starting on 2.7 the pilot token will not be a requirement anymore.  
-At 2.9, a new plugin catalog home should be available, decoupled from pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
+There is no feature deprecation in Traefik v3 for now.
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:

 | Version | Release Date | Active Support     | Security Support | 
 |---------|--------------|--------------------|------------------|
-| 2.8     | Jun 29, 2022 |      Yes           |       Yes        |
+| 2.9     | Oct 03, 2022 | Yes                | Yes              |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
 | 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
 | 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
 | 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
--- a/docs/content/getting-started/concepts.md
+++ b/docs/content/getting-started/concepts.md
@@ -39,3 +39,5 @@ You no longer need to create and synchronize configuration files cluttered with
 !!! question "How does Traefik discover the services?"

    Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v2.8 --help
+# ex: docker run traefik:v3.0 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
@@ -94,17 +94,4 @@ All the configuration options are documented in their related section.

 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -157,3 +157,27 @@ By default, the following headers are automatically added when proxying requests

 For more details,
 please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
+
+## What does the "field not found" error mean?
+
+```shell
+error: field not found, node: -badField-
+```
+
+The "field not found" error occurs, when an unknown property is encountered in the dynamic or static configuration.
+
+One easy way to check whether a configuration file is well-formed, is to validate it with:
+
+- [JSON Schema of the static configuration](https://json.schemastore.org/traefik-v2.json)
+- [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json)
+
+## Why are some resources (routers, middlewares, services...) not created/applied?
+
+As a common tip, if a resource is dropped/not created by Traefik after the dynamic configuration was evaluated,
+one should look for an error in the logs.
+
+If found, the error obviously confirms that something went wrong while creating the resource,
+and the message should help in figuring out the mistake(s) in the configuration, and how to fix it.
+
+When using the file provider,
+one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.8/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.8/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.8
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.8`
+    ex: `traefik:v3.0`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -44,13 +44,13 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github

 Ensure that the following requirements are met:

-* Kubernetes 1.14+
-* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.16+
+* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

-Add Traefik's chart repository to Helm:
+Add Traefik Labs chart repository to Helm:

 ```bash
-helm repo add traefik https://helm.traefik.io/traefik
+helm repo add traefik https://traefik.github.io/charts
 ```

 You can update the chart repository by running:
@@ -68,6 +68,9 @@ helm install traefik traefik/traefik
 !!! tip "Helm Features"

    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+
+    Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md). 
+
    For instance, installing the chart in a dedicated namespace:

    ```bash tab="Install in a Dedicated Namespace"
@@ -83,8 +86,7 @@ helm install traefik traefik/traefik
    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
    {: #helm-custom-values }

-    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).

    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
@@ -179,17 +181,4 @@ And run it:

 All the details are available in the [Contributing Guide](../contributing/building-testing.md)

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -53,6 +53,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
@@ -129,7 +130,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v2.8
+          image: traefik:v3.0
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v2 Traefik docker image
-    image: traefik:v2.8
+    image: traefik:v3.0
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -50,7 +50,12 @@ Now that we have a Traefik instance up and running, we will deploy new services.
 Edit your `docker-compose.yml` file and add the following at the end of your file.

 ```yaml
-# ...
+version: '3'
+
+services:
+
+  ...
+
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
@@ -116,17 +121,4 @@ IP: 172.27.0.4

    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -294,7 +294,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
 For complete details, refer to your provider's _Additional configuration_ link.

 | Provider Name                                                                                      | Provider Code      | Environment Variables                                                                                                                       |                                                                                 |
-|----------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
+|----------------------------------------------------------------------------------------------------|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
 | [ACME DNS](https://github.com/joohoi/acme-dns)                                                     | `acme-dns`         | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns)         |
 | [Alibaba Cloud](https://www.alibabacloud.com)                                                      | `alidns`           | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID`                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/alidns)           |
 | [all-inkl](https://all-inkl.com)                                                                   | `allinkl`          | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD`                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl)          |
@@ -305,6 +305,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Bindman](https://github.com/labbsr0x/bindman-dns-webhook)                                         | `bindman`          | `BINDMAN_MANAGER_ADDRESS`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/bindman)          |
 | [Blue Cat](https://www.bluecatnetworks.com/)                                                       | `bluecat`          | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW`                                    | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat)          |
 | [Checkdomain](https://www.checkdomain.de/)                                                         | `checkdomain`      | `CHECKDOMAIN_TOKEN`,                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/)     |
+| [Civo](https://www.civo.com/)                                                                      | `civo`             | `CIVO_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/civo)             |
 | [CloudDNS](https://vshosting.eu/)                                                                  | `clouddns`         | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD`                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns)         |
 | [Cloudflare](https://www.cloudflare.com)                                                           | `cloudflare`       | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]`                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare)       |
 | [ClouDNS](https://www.cloudns.net/)                                                                | `cloudns`          | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns)          |
@@ -342,7 +343,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/)                                                | `ibmcloud`         | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud)         |
 | [IIJ DNS Platform Service](https://www.iij.ad.jp)                                                  | `iijdpf`           | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE`                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf)           |
 | [IIJ](https://www.iij.ad.jp/)                                                                      | `iij`              | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/iij)              |
-| [Infoblox](https://www.infoblox.com/)                                                              | `infoblox`     | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)     |
+| [Infoblox](https://www.infoblox.com/)                                                              | `infoblox`         | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox)         |
 | [Infomaniak](https://www.infomaniak.com)                                                           | `infomaniak`       | `INFOMANIAK_ACCESS_TOKEN`                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak)       |
 | [Internet.bs](https://internetbs.net)                                                              | `internetbs`       | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD`                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs)       |
 | [INWX](https://www.inwx.de/en)                                                                     | `inwx`             | `INWX_USERNAME`, `INWX_PASSWORD`                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/inwx)             |
@@ -359,6 +360,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [name.com](https://www.name.com/)                                                                  | `namedotcom`       | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom)       |
 | [Namecheap](https://www.namecheap.com)                                                             | `namecheap`        | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap)        |
 | [Namesilo](https://www.namesilo.com/)                                                              | `namesilo`         | `NAMESILO_API_KEY`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo)         |
+| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/)                                          | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN`                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
 | [Netcup](https://www.netcup.eu/)                                                                   | `netcup`           | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD`                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/netcup)           |
 | [Netlify](https://www.netlify.com)                                                                 | `netlify`          | `NETLIFY_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/netlify)          |
 | [Nicmanager](https://www.nicmanager.com)                                                           | `nicmanager`       | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD`                                                                                           | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager)       |
@@ -386,13 +388,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)                                         | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
 | [TransIP](https://www.transip.nl/)                                                                 | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://www.ans.co.uk/cloud-and-infrastructure/dedicated-servers/dns-management/) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Variomedia](https://www.variomedia.de/)                                                           | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)                                                    | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
 | [Vercel](https://vercel.com)                                                                       | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
 | [Versio](https://www.versio.nl/domeinnamen)                                                        | `versio`           | `VERSIO_USERNAME`, `VERSIO_PASSWORD`                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/versio)           |
 | [VinylDNS](https://www.vinyldns.io)                                                                | `vinyldns`         | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST`                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns)         |
+| [VK Cloud](https://mcs.mail.ru/)                                                                   | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
 | [Vscale](https://vscale.io/)                                                                       | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                                                     | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
 | [WEDOS](https://www.wedos.com)                                                                     | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
+| [Yandex Cloud](https://cloud.yandex.com/en/)                                                       | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                                                       | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
 | [Zone.ee](https://www.zone.ee)                                                                     | `zoneee`           | `ZONEEE_API_USER`, `ZONEEE_API_KEY`                                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee)           |
 | [Zonomi](https://zonomi.com)                                                                       | `zonomi`           | `ZONOMI_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi)           |
@@ -661,23 +666,10 @@ certificatesResolvers:
 If Let's Encrypt is not reachable, the following certificates will apply:

  1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
-  1. Provided certificates
+  2. Expired ACME certificates
+  3. Provided certificates

 !!! important
    For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/overview.md
+++ b/docs/content/https/overview.md
@@ -19,3 +19,5 @@ The next sections of this documentation explain how to configure the TLS connect
 That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/https/spiffe.md
+++ b/docs/content/https/spiffe.md
@@ -0,0 +1,54 @@
+---
+title: "Traefik SPIFFE Documentation"
+description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
+---
+
+# SPIFFE
+
+Secure the backend connection with SPIFFE.
+{: .subtitle }
+
+[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
+provides a secure identity in the form of a specially crafted X.509 certificate, 
+to every workload in an environment.
+
+Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
+
+## Configuration
+
+### General
+
+Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments.
+
+### Workload API
+
+The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
+
+!!! info "Enabling SPIFFE in ServersTransports"
+
+    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
+    Each [ServersTransport](../routing/services/index.md#serverstransport_1) that is meant to be secured with SPIFFE must [explicitly](../routing/services/index.md#spiffe) enable it.
+
+!!! warning "SPIFFE can cause Traefik to stall"
+	When using SPIFFE,
+	Traefik will wait for the first SVID to be delivered before starting.
+	If Traefik is hanging when waiting on SPIFFE SVID delivery,
+	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
+
+```yaml tab="File (YAML)"
+## Static configuration
+spiffe:
+    workloadAPIAddr: localhost
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[spiffe]
+    workloadAPIAddr: localhost
+```
+
+```bash tab="CLI"
+## Static configuration
+--spiffe.workloadAPIAddr=localhost
+```
--- a/docs/content/https/tailscale.md
+++ b/docs/content/https/tailscale.md
@@ -0,0 +1,237 @@
+---
+title: "Traefik Tailscale Documentation"
+description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
+---
+
+# Tailscale
+
+Provision TLS certificates for your internal Tailscale services.
+{: .subtitle }
+
+To protect a service with TLS, a certificate from a public Certificate Authority is needed.
+In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
+
+## Certificate resolvers
+
+To obtain a TLS certificate from the Tailscale daemon,
+a Tailscale certificate resolver needs to be configured as below.
+
+!!! info "Referencing a certificate resolver"
+
+    Defining a certificate resolver does not imply that routers are going to use it automatically.
+    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+    myresolver:
+        tailscale: {}
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.tailscale]
+```
+
+```bash tab="CLI"
+--certificatesresolvers.myresolver.tailscale=true
+```
+
+## Domain Definition
+
+A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
+
+- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
+  in the [router's rule](../routing/routers/index.md#rule).
+
+!!! info "Tailscale Domain Format"
+
+    The domain is only taken into account if it is a Tailscale-specific one,
+    i.e. of the form `machine-name.domains-alias.ts.net`.
+
+## Configuration Example
+
+!!! example "Enabling Tailscale certificate resolution"
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+
+      websecure:
+        address: ":443"
+
+    certificatesResolvers:
+      myresolver:
+        tailscale: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.tailscale]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.tailscale=true
+    ```
+
+!!! example "Domain from Router's Rule Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+      [http.routers.blog.tls]
+        certResolver = "myresolver"
+    ```
+
+!!! example "Domain from Router's tls.domain Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.containo.us/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: monitoring.yak-bebop.ts.net
+    ```
+
+    ```json tab="Marathon"
+    labels: {
+      "traefik.http.routers.blog.rule": "Path(`/metrics`)",
+      "traefik.http.routers.blog.tls.certresolver": "myresolver",
+      "traefik.http.routers.blog.tls.domains[0].main": "monitoring.yak-bebop.ts.net",
+    }
+    ```
+
+    ```yaml tab="Rancher"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+            domains:
+              - main: "monitoring.yak-bebop.ts.net"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+        rule = "Path(`/metrics`)"
+        [http.routers.blog.tls]
+          certResolver = "myresolver"
+          [[http.routers.blog.tls.domains]]
+            main = "monitoring.yak-bebop.ts.net"
+    ```
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
+and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -157,7 +157,75 @@ data:
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
 ```

-If no default certificate is provided, Traefik generates and uses a self-signed certificate.
+If no `defaultCertificate` is provided, Traefik will use the generated one.
+
+### ACME Default Certificate
+
+You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
+The configuration to resolve the default certificate should be defined in a TLS store:
+
+!!! important "Precedence with the `defaultGeneratedCert` option"
+
+    The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: myresolver
+        domain:
+          main: example.org
+          sans:
+            - foo.example.org
+            - bar.example.org
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.stores]
+  [tls.stores.default.defaultGeneratedCert]
+    resolver = "myresolver"
+    [tls.stores.default.defaultGeneratedCert.domain]
+      main = "example.org"
+      sans = ["foo.example.org", "bar.example.org"]
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  defaultGeneratedCert:
+    resolver: myresolver
+    domain:
+      main: example.org
+      sans:
+        - foo.example.org
+        - bar.example.org
+```
+
+```yaml tab="Docker"
+## Dynamic configuration
+labels:
+  - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
+  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
+```
+
+```json tab="Marathon"
+labels: {
+  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
+  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
+}
+```

 ## TLS Options

@@ -490,3 +558,5 @@ spec:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/includes/.markdownlint.json
+++ b/docs/content/includes/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+  "extends": "../../.markdownlint.json",
+  "MD041": false
+}
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -0,0 +1,16 @@
+---
+
+!!! question "Using Traefik for Business Applications?"
+
+    If you are using Traefik for commercial applications,
+    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
+    You can use it as your:
+
+    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
+    - [Docker Swarm Ingress Controller](https://traefik.io/solutions/docker-swarm-ingress/)
+    - [API Gateway](https://traefik.io/solutions/api-gateway/)
+
+    Traefik Enterprise enables centralized access management,
+    distributed Let's Encrypt,
+    and other advanced capabilities.
+    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -15,7 +15,7 @@ It makes reusing the same groups easier.

 ## Configuration Example

-Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.

 ```yaml tab="Docker"
 labels:
@@ -25,7 +25,7 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -80,7 +80,7 @@ kind: Middleware
 metadata:
  name: known-ips
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
    - 192.168.1.7
    - 127.0.0.1/32
@@ -93,7 +93,7 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -105,7 +105,7 @@ spec:
  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
-  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
+  "traefik.http.middlewares.known-ips.ipallowlist.sourceRange": "192.168.1.7,127.0.0.1/32",
  "traefik.http.services.service1.loadbalancer.server.port": "80"
 }
 ```
@@ -118,7 +118,7 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

@@ -150,7 +150,7 @@ http:
        scheme: https

    known-ips:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - "192.168.1.7"
          - "127.0.0.1/32"
@@ -180,7 +180,7 @@ http:
  [http.middlewares.https-only.redirectScheme]
    scheme = "https"

-  [http.middlewares.known-ips.ipWhiteList]
+  [http.middlewares.known-ips.ipAllowList]
    sourceRange = ["192.168.1.7", "127.0.0.1/32"]

 [http.services]
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -5,23 +5,24 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before

 # Compress

-Compress Responses before Sending them to the Client
+Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware uses gzip compression.
+The Compress middleware supports gzip and Brotli compression.
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Enable gzip compression
+# Enable compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="Kubernetes"
-# Enable gzip compression
+# Enable compression
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
@@ -31,7 +32,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Enable gzip compression
+# Enable compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```

@@ -42,13 +43,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Enable gzip compression
+# Enable compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="File (YAML)"
-# Enable gzip compression
+# Enable compression
 http:
  middlewares:
    test-compress:
@@ -56,7 +57,7 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Enable gzip compression
+# Enable compression
 [http.middlewares]
  [http.middlewares.test-compress.compress]
 ```
@@ -65,23 +66,34 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
-    * The `Accept-Encoding` request header contains `gzip`.
+    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent, it is meant as br compression is requested.
+    If it is present, but its value is the empty string, then compression is disabled.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
+    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes).
+    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).

 ## Configuration Options

 ### `excludedContentTypes`

+_Optional, Default=""_ 
+
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

 The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

+!!! info "In the case of gzip"
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
+!!! info "gRPC"
+
+    Note that `application/grpc` is never compressed.
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
@@ -130,9 +142,9 @@ http:

 ### `minResponseBodyBytes`

-`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+_Optional, Default=1024_

-The default value is `1024`, which should be a reasonable value for most cases.
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.

 Responses smaller than the specified values will not be compressed.

--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
 ---

 # ContentType
@@ -8,84 +8,59 @@ description: "Traefik Proxy's HTTP middleware can automatically specify the cont
 Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware - or rather its `autoDetect` option -
-specifies whether to let the `Content-Type` header,
-if it has not been defined by the backend,
-be automatically set to a value derived from the contents of the response.
-
-As a proxy, the default behavior should be to leave the header alone,
-regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was not already defined,
-and altering this behavior would be a breaking change which would impact many users.
-
-This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
+when it is not set by the backend.

 !!! info

-    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
-    is still to automatically set the `Content-Type` header.
-    Therefore, given the default value of the `autoDetect` option (false),
-    simply enabling this middleware for a router switches the router's behavior.
-
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

 ## Configuration Examples

 ```yaml tab="Docker"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="Kubernetes"
-# Disable auto-detection
+# Enable auto-detection
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: autodetect
 spec:
-  contentType:
-    autoDetect: false
+  contentType: {}
 ```

 ```yaml tab="Consul Catalog"
-# Disable auto-detection
- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+# Enable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
+  "traefik.http.middlewares.autodetect.contenttype": "true"
 }
 ```

 ```yaml tab="Rancher"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="File (YAML)"
-# Disable auto-detection
+# Enable auto-detection
 http:
  middlewares:
    autodetect:
-      contentType:
-        autoDetect: false
+      contentType: {}
 ```

 ```toml tab="File (TOML)"
-# Disable auto-detection
+# Enable auto-detection
 [http.middlewares]
  [http.middlewares.autodetect.contentType]
-     autoDetect=false
 ```
-
-## Configuration Options
-
-### `autoDetect`
-
-`autoDetect` specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
-be automatically set to a value derived from the contents of the response.
--- a/docs/content/middlewares/http/grpcweb.md
+++ b/docs/content/middlewares/http/grpcweb.md
@@ -0,0 +1,77 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+# GrpcWeb
+
+Converting gRPC Web requests to HTTP/2 gRPC requests.
+{: .subtitle }
+
+The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+```
+
+```json tab="Marathon"
+"labels": {
+  "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins": "*"
+}
+```
+
+```yaml tab="Rancher"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.alloworigins=*"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+## Configuration Options
+
+### `allowOrigins`
+
+The `allowOrigins` contains the list of allowed origins.
+A wildcard origin `*` can also be configured to match all requests.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -364,43 +364,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.

 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.

-### `sslRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
 ### `sslProxyHeaders`

 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).

-### `sslForceHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
 ### `stsSeconds`

 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -452,14 +420,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates

 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.

-### `featurePolicy`
-
-!!! warning
-
-    Deprecated in favor of `permissionsPolicy`
-
-The `featurePolicy` allows sites to control browser features.
-
 ### `permissionsPolicy`

 The `permissionsPolicy` allows sites to control browser features.
@@ -469,3 +429,5 @@ The `permissionsPolicy` allows sites to control browser features.
 Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -1,32 +1,30 @@
 ---
-title: "Traefik HTTP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
-IPWhitelist accepts / refuses requests based on the client IP.
+IPAllowList accepts / refuses requests based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -34,27 +32,27 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -63,7 +61,7 @@ http:
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -86,7 +84,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th

 !!! example "Examples of Depth & X-Forwarded-For"

-    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -95,20 +93,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

 ```yaml tab="Docker"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="Kubernetes"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -117,31 +115,31 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
 }
 ```

 ```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="File (YAML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -150,11 +148,11 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      depth = 2
 ```

@@ -177,7 +175,7 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
@@ -185,9 +183,9 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    ipStrategy:
      excludedIPs:
        - 127.0.0.1/32
@@ -196,27 +194,27 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
+  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Exclude from `X-Forwarded-For`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        ipStrategy:
          excludedIPs:
            - "127.0.0.1/32"
@@ -226,7 +224,7 @@ http:
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -142,7 +142,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
@@ -156,4 +156,6 @@ http:

 ## Community Middlewares

-Please take a look at the community-contributed plugins in the [plugin catalog](https://pilot.traefik.io/plugins).
+Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -16,10 +16,10 @@ PassTLSClientCert adds the selected data from the passed client TLS certificate

 ## Configuration Examples

-Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.

 ```yaml tab="Docker"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```
@@ -35,7 +35,7 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

@@ -46,13 +46,13 @@ spec:
 ```

 ```yaml tab="Rancher"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 labels:
  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

 ```yaml tab="File (YAML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
  middlewares:
    test-passtlsclientcert:
@@ -61,13 +61,13 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
+# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 [http.middlewares]
  [http.middlewares.test-passtlsclientcert.passTLSClientCert]
    pem = true
 ```

-??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
+??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"

    ```yaml tab="Docker"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
@@ -254,12 +254,12 @@ http:

 PassTLSClientCert can add two headers to the request:

- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
+- `X-Forwarded-Tls-Client-Cert` that contains the pem.
 - `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.

 !!! info

-    * Each header value is a string that has been escaped in order to be a valid URL query.
+    * `X-Forwarded-Tls-Client-Cert-Info` header value is a string that has been escaped in order to be a valid URL query.
    * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
    That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.

@@ -371,7 +371,7 @@ The following example shows a complete certificate and explains each of the midd

 ### `pem`

-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.
+The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the certificate.

 In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:

--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -88,85 +88,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-
-    - `forceSlash=true`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-    - `forceSlash=false`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: example
-spec:
-  stripPrefix:
-    prefixes:
-      - "/foobar"
-    forceSlash: false
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    example:
-      stripPrefix:
-        prefixes:
-          - "/foobar"
-        forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -129,3 +129,5 @@ http:
 A list of HTTP middlewares can be found [here](http/overview.md).

 A list of TCP middlewares can be found [here](tcp/overview.md).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ b/docs/content/middlewares/tcp/ipallowlist.md
@@ -1,30 +1,30 @@
 ---
-title: "Traefik TCP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik TCP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-IPWhitelist accepts / refuses connections based on the client IP.
+IPAllowList accepts / refuses connections based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts connections from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -32,25 +32,25 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
+  "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
 }
 ```

 ```yaml tab="Rancher"
 # Accepts request from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]
-  [tcp.middlewares.test-ipwhitelist.ipWhiteList]
+  [tcp.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -58,8 +58,8 @@ labels:
 # Accepts request from defined IP
 tcp:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -18,10 +18,10 @@ whoami:
  #  A container that exposes an API to show its IP address
  image: traefik/whoami
  labels:
-    # Create a middleware named `foo-ip-whitelist`
-    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+    # Create a middleware named `foo-ip-allowlist`
+    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```

 ```yaml tab="Kubernetes IngressRoute"
@@ -43,9 +43,9 @@ spec:
 apiVersion: traefik.containo.us/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-whitelist
+  name: foo-ip-allowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourcerange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -60,30 +60,30 @@ spec:
  routes:
    # more fields...
    middlewares:
-      - name: foo-ip-whitelist
+      - name: foo-ip-allowlist
 ```

 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
+# Create a middleware named `foo-ip-allowlist`
+- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
 ```

 ```json tab="Marathon"
 "labels": {
-  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
-  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
+  "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7",
+  "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@marathon"
 }
 ```

 ```yaml tab="Rancher"
 # As a Rancher Label
 labels:
-  # Create a middleware named `foo-ip-whitelist`
-  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
+  # Create a middleware named `foo-ip-allowlist`
+  - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+  - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@rancher"
 ```

 ```toml tab="File (TOML)"
@@ -91,11 +91,11 @@ labels:
 [tcp.routers]
  [tcp.routers.router1]
    service = "myService"
-    middlewares = ["foo-ip-whitelist"]
+    middlewares = ["foo-ip-allowlist"]
    rule = "Host(`example.com`)"

 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]

 [tcp.services]
@@ -114,12 +114,12 @@ tcp:
    router1:
      service: myService
      middlewares:
-        - "foo-ip-whitelist"
+        - "foo-ip-allowlist"
      rule: "Host(`example.com`)"

  middlewares:
-    foo-ip-whitelist:
-      ipWhiteList:
+    foo-ip-allowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -137,4 +137,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -109,7 +109,7 @@ Then any router can refer to an instance of the wanted middleware.

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.8/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
@@ -280,7 +280,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o

    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
-    # https://doc.traefik.io/traefik/v2.8/reference/dynamic-configuration/kubernetes-crd/#definitions
+    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
    apiVersion: traefik.containo.us/v1alpha1
    kind: TLSOption
    metadata:
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@@ -0,0 +1,52 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
+feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
+
+## IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+## gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+## Deprecated Options Removal
+
+- The `pilot` option has been removed from the static configuration.
+- The `tracing.datadog.globaltag` option has been removed.
+- The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- the `preferServerCipherSuites` option has been removed.
+
+## Matchers
+
+In v3, the `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Headers`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+## Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -50,6 +50,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses
    verbs:
@@ -58,6 +59,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
@@ -147,6 +149,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses
    verbs:
@@ -155,6 +158,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
@@ -440,8 +444,8 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 ### Kubernetes Gateway API Provider

-In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) of the specification and 
-[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
+In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
+[route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
 Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.

 ## v2.6.0 to v2.6.1
@@ -480,3 +484,15 @@ Since `v2.5.0`, the `PreferServerCipherSuites` is [deprecated and ignored](https
 in `v2.8.2` the `preferServerCipherSuites` option is also deprecated and ignored in Traefik.

 In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function. ([details](https://tip.golang.org/doc/go1.18#sha1))
+
+## v2.9
+
+### Traefik Pilot
+
+In `v2.9`, Traefik Pilot support has been removed.
+
+## v2.10
+
+### Nomad Namespace
+
+In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -229,6 +229,7 @@ accessLog:
    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
+    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |

 ## Log Rotation

@@ -254,7 +255,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.8
+    image: traefik:v3.0
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -64,7 +64,7 @@ log:

 #### `level`

-By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
+By default, the `level` is set to `ERROR`. Alternative logging levels are `TRACE`, `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.

 ```yaml tab="File (YAML)"
 log:
@@ -80,10 +80,101 @@ log:
 --log.level=DEBUG
 ```

+#### `noColor`
+
+When using the 'common' format, disables the colorized output.
+
+```yaml tab="File (YAML)"
+log:
+  noColor: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  noColor = true
+```
+
+```bash tab="CLI"
+--log.nocolor=true
+```
+
 ## Log Rotation

-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+The rotation of the log files can be configured with the following options.

-!!! warning
-    This does not work on Windows due to the lack of USR signals.
+### `maxSize`
+
+`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
+It defaults to 100 megabytes.
+
+```yaml tab="File (YAML)"
+log:
+  maxSize: 1
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxSize = 1
+```
+
+```bash tab="CLI"
+--log.maxsize=1
+```
+
+### `maxBackups`
+
+`maxBackups` is the maximum number of old log files to retain.
+The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
+
+```yaml tab="File (YAML)"
+log:
+  maxBackups: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxBackups = 3
+```
+
+```bash tab="CLI"
+--log.maxbackups=3
+```
+
+### `maxAge`
+
+`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
+Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
+The default is not to remove old log files based on age.
+
+```yaml tab="File (YAML)"
+log:
+  maxAge: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxAge = 3
+```
+
+```bash tab="CLI"
+--log.maxage=3
+```
+
+### `compress`
+
+`compress` determines if the rotated log files should be compressed using gzip.
+The default is not to perform compression.
+
+```yaml tab="File (YAML)"
+log:
+  compress: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  compress = 3
+```
+
+```bash tab="CLI"
+--log.compress=3
+```
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -0,0 +1,353 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry:
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry exporter will export metrics to the collector by using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.address=localhost:4318
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addRoutersLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addServicesLabels=true
+```
+
+#### `explicitBoundaries`
+
+_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
+
+Explicit boundaries for Histogram data points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    explicitBoundaries:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    explicitBoundaries = [0.1,0.3,1.2,5.0]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.explicitBoundaries=0.1,0.3,1.2,5.0
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.headers.foo=bar --metrics.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.insecure=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+Interval at which metrics are sent to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.pushInterval=10s
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending metrics.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.grpc=true
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -1,11 +1,11 @@
 ---
 title: "Traefik Metrics Overview"
-description: "Traefik Proxy supports four metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
+description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
 ---

 # Metrics

-Traefik supports 4 metrics backends:
+Traefik supports these metrics backends:

 - [Datadog](./datadog.md)
 - [InfluxDB](./influxdb.md)
@@ -13,428 +13,193 @@ Traefik supports 4 metrics backends:
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)

+Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346) and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
+
 ## Global Metrics

-| Metric                                                                  | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------------------|---------|----------------------|------------|--------|
-| [Configuration reloads](#configuration-reloads)                         | ✓       | ✓                    | ✓          | ✓      |
-| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓       | ✓                    | ✓          | ✓      |
-| [TLS certificates expiration](#tls-certificates-expiration)             | ✓       | ✓                    | ✓          | ✓      |
+| Metric                                      | Type    | Description                                             |
+|---------------------------------------------|---------|---------------------------------------------------------|
+| Config reload total                         | Count   | The total count of configuration reloads.               |
+| Config reload last success                  | Gauge   | The timestamp of the last configuration reload success. |
+| TLS certificates not after                  | Gauge   | The expiration date of certificates.                    |

-### Configuration Reloads
-
-The total count of configuration reloads.
+```prom tab="Prometheus"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_tls_certs_not_after
+```

 ```dd tab="Datadog"
 config.reload.total
+config.reload.lastSuccessTimestamp
+tls.certs.notAfterTimestamp
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.config.reload.total
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_total
+traefik.config.reload.lastSuccessTimestamp
+traefik.tls.certs.notAfterTimestamp
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.config.reload.total
-```
-
-### Last Configuration Reload Success
-
-The timestamp of the last configuration reload success.
-
-```dd tab="Datadog"
-config.reload.lastSuccessTimestamp
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.config.reload.lastSuccessTimestamp
-```
-
-```prom tab="Prometheus"
-traefik_config_last_reload_success
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.config.reload.lastSuccessTimestamp
-```
-
-### TLS certificates expiration
-
-The expiration date of certificates.
-
-[Labels](#labels): `cn`, `sans`, `serial`.
-
-```dd tab="Datadog"
-tls.certs.notAfterTimestamp
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.tls.certs.notAfterTimestamp
-```
-
-```prom tab="Prometheus"
-traefik_tls_certs_not_after
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.tls.certs.notAfterTimestamp
 ```

 ## EntryPoint Metrics

-| Metric                                                    | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-----------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count)         | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
+|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
+| Open connections      | Count     | `method`, `protocol`, `entrypoint`         | The current count of open connections on an entrypoint.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |

-### HTTP Requests Count
-
-The total count of HTTP requests received by an entrypoint.
-
-[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
+```prom tab="Prometheus"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_open_connections
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```

 ```dd tab="Datadog"
 entrypoint.request.total
+entrypoint.request.tls.total
+entrypoint.request.duration
+entrypoint.connections.open
+entrypoint.requests.bytes.total
+entrypoint.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.entrypoint.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_total
+traefik.entrypoint.requests.tls.total
+traefik.entrypoint.request.duration
+traefik.entrypoint.connections.open
+traefik.entrypoint.requests.bytes.total
+traefik.entrypoint.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.entrypoint.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests received by an entrypoint.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.request.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on an entrypoint.
-
-[Labels](#labels): `code`, `method`, `protocol`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on an entrypoint.
-
-[Labels](#labels): `method`, `protocol`, `entrypoint`.
-
-```dd tab="Datadog"
-entrypoint.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.entrypoint.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.entrypoint.connections.open
+{prefix}.entrypoint.requests.bytes.total
+{prefix}.entrypoint.responses.bytes.total
 ```

 ## Router Metrics

-| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count_1)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_1)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram_1) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count_1)         | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
+|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
+| Open connections      | Count     | `method`, `protocol`, `router`, `service`         | The current count of open connections on a router.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |

-### HTTP Requests Count
-
-The total count of HTTP requests handled by a router.
-
-[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
+```prom tab="Prometheus"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_open_connections
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```

 ```dd tab="Datadog"
 router.request.total
+router.request.tls.total
+router.request.duration
+router.connections.open
+router.requests.bytes.total
+router.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.router.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_router_requests_total
+traefik.router.requests.tls.total
+traefik.router.request.duration
+traefik.router.connections.open
+traefik.router.requests.bytes.total
+traefik.router.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.router.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests handled by a router.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `router`, `service`.
-
-```dd tab="Datadog"
-router.request.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_router_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on a router.
-
-[Labels](#labels): `code`, `method`, `protocol`, `router`, `service`.
-
-```dd tab="Datadog"
-router.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_router_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on a router.
-
-[Labels](#labels): `method`, `protocol`, `router`, `service`.
-
-```dd tab="Datadog"
-router.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.router.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_router_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.router.connections.open
+{prefix}.router.requests.bytes.total
+{prefix}.router.responses.bytes.total
 ```

 ## Service Metrics

-| Metric                                                      | DataDog | InfluxDB / InfluxDB2 | Prometheus | StatsD |
-|-------------------------------------------------------------|---------|----------------------|------------|--------|
-| [HTTP Requests Count](#http-requests-count_2)               | ✓       | ✓                    | ✓          | ✓      |
-| [HTTPS Requests Count](#https-requests-count_2)             | ✓       | ✓                    | ✓          | ✓      |
-| [Request Duration Histogram](#request-duration-histogram_2) | ✓       | ✓                    | ✓          | ✓      |
-| [Open Connections Count](#open-connections-count_2)         | ✓       | ✓                    | ✓          | ✓      |
-| [Requests Retries Count](#requests-retries-count)           | ✓       | ✓                    | ✓          | ✓      |
-| [Service Server UP](#service-server-up)                     | ✓       | ✓                    | ✓          | ✓      |
+| Metric                | Type      | Labels                                  | Description                                                 |
+|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
+| Open connections      | Count     | `method`, `protocol`, `service`         | The current count of open connections on a service.         |
+| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
+| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |

-### HTTP Requests Count
-
-The total count of HTTP requests processed on a service.
-
-[Labels](#labels): `code`, `method`, `protocol`, `service`.
+```prom tab="Prometheus"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_open_connections
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```

 ```dd tab="Datadog"
 service.request.total
+router.service.tls.total
+service.request.duration
+service.connections.open
+service.retries.total
+service.server.up
+service.requests.bytes.total
+service.responses.bytes.total
 ```

 ```influxdb tab="InfluxDB / InfluxDB2"
 traefik.service.requests.total
-```
-
-```prom tab="Prometheus"
-traefik_service_requests_total
+traefik.service.requests.tls.total
+traefik.service.request.duration
+traefik.service.connections.open
+traefik.service.retries.total
+traefik.service.server.up
+traefik.service.requests.bytes.total
+traefik.service.responses.bytes.total
 ```

 ```statsd tab="StatsD"
 # Default prefix: "traefik"
 {prefix}.service.request.total
-```
-
-### HTTPS Requests Count
-
-The total count of HTTPS requests processed on a service.
-
-[Labels](#labels): `tls_version`, `tls_cipher`, `service`.
-
-```dd tab="Datadog"
-router.service.tls.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.requests.tls.total
-```
-
-```prom tab="Prometheus"
-traefik_service_requests_tls_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.request.tls.total
-```
-
-### Request Duration Histogram
-
-Request processing duration histogram on a service.
-
-[Labels](#labels): `code`, `method`, `protocol`, `service`.
-
-```dd tab="Datadog"
-service.request.duration
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.request.duration
-```
-
-```prom tab="Prometheus"
-traefik_service_request_duration_seconds
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.request.duration
-```
-
-### Open Connections Count
-
-The current count of open connections on a service.
-
-[Labels](#labels): `method`, `protocol`, `service`.
-
-```dd tab="Datadog"
-service.connections.open
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.connections.open
-```
-
-```prom tab="Prometheus"
-traefik_service_open_connections
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.connections.open
-```
-
-### Requests Retries Count
-
-The count of requests retries on a service.
-
-[Labels](#labels): `service`.
-
-```dd tab="Datadog"
-service.retries.total
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.retries.total
-```
-
-```prom tab="Prometheus"
-traefik_service_retries_total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.retries.total
-```
-
-### Service Server UP
-
-Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.
-
-[Labels](#labels): `service`, `url`.
-
-```dd tab="Datadog"
-service.server.up
-```
-
-```influxdb tab="InfluxDB / InfluxDB2"
-traefik.service.server.up
-```
-
-```prom tab="Prometheus"
-traefik_service_server_up
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
 {prefix}.service.server.up
+{prefix}.service.requests.bytes.total
+{prefix}.service.responses.bytes.total
 ```

 ## Labels
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -65,26 +65,31 @@ tracing:
 --tracing.datadog.debug=true
 ```

-#### `globalTag`
+#### `globalTags`

 _Optional, Default=empty_

-Applies a shared key:value tag on all spans.
+Applies a list of shared key:value tags on all spans.

 ```yaml tab="File (YAML)"
 tracing:
  datadog:
-    globalTag: sample
+    globalTags:
+      tag1: foo
+      tag2: bar
 ```

 ```toml tab="File (TOML)"
 [tracing]
  [tracing.datadog]
-    globalTag = "sample"
+    [tracing.datadog.globalTags]
+      tag1 = "foo"
+      tag2 = "bar"
 ```

 ```bash tab="CLI"
--tracing.datadog.globalTag=sample
+--tracing.datadog.globalTags.tag1=foo
+--tracing.datadog.globalTags.tag2=bar
 ```

 #### `prioritySampling`
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -0,0 +1,246 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry tracer:
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+!!! info "Trace sampling"
+
+	By default, the OpenTelemetry trace reporter will sample 100% of traces.
+	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.address=localhost:4318
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with spans by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.headers.foo=bar --tracing.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.insecure=true
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending traces.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+_Optional_
+
+This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.grpc=true
+```
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -72,7 +72,7 @@ to allow defining:

 - One or more security features through [middlewares](../middlewares/overview.md)
  like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
-  [forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
+  [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).

 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
  through Traefik itself (sometimes referred as "Traefik-ception").
@@ -128,3 +128,5 @@ api:

 You can now access the dashboard on the port `8080` of the Traefik instance,
 at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -667,41 +667,6 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -133,12 +133,20 @@ the IP address of the host is resolved as follows:

 <!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
 - try a lookup of `host.docker.internal`
- if the lookup was unsuccessful, fall back to `127.0.0.1`
+- if the lookup was unsuccessful, try a lookup of `host.containers.internal`, ([Podman](https://docs.podman.io/en/latest/) equivalent of `host.docker.internal`)
+- if that lookup was also unsuccessful, fall back to `127.0.0.1`

 On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
 as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
 the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`

+### IPv4 && IPv6
+
+When using a docker stack that uses IPv6,
+Traefik will use the IPv4 container IP before its IPv6 counterpart.
+Therefore, on an IPv6 Docker stack,
+Traefik will use the IPv6 container IP.
+
 ### Docker API Access

 Traefik requires access to the docker socket to get its dynamic configuration.
@@ -257,7 +265,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.8 # The official v2 Traefik docker image
+         image: traefik:v3.0 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -531,7 +539,7 @@ providers:

 _Optional, Default=true_

-Watch Docker Swarm events.
+Watch Docker events.

 ```yaml tab="File (YAML)"
 providers:
@@ -715,17 +723,31 @@ providers:
 --providers.docker.tls.insecureSkipVerify=true
 ```

-!!! question "Using Traefik for Business Applications?"
+### `allowEmptyServices`

-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
+_Optional, Default=false_

-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
+If the parameter is set to `true`,
+any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created 
+regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.
+It also then stays alive and responsive even at times when it becomes empty,
+i.e. when all its children containers become unhealthy.
+This results in `503` HTTP responses instead of `404` ones,
+in the above cases.

-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+```yaml tab="File (YAML)"
+providers:
+  docker:
+    allowEmptyServices: true
+```
+
+```toml tab="File (TOML)"
+[providers.docker]
+  allowEmptyServices = true
+```
+
+```bash tab="CLI"
+--providers.docker.allowEmptyServices=true
+```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -47,7 +47,8 @@ Traefik needs the following policy to read ECS information:
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
-                "ec2:DescribeInstances"
+                "ec2:DescribeInstances",
+                "ssm:DescribeInstanceInformation"
            ],
            "Resource": [
                "*"
@@ -57,6 +58,10 @@ Traefik needs the following policy to read ECS information:
 }
 ```

+!!! info "ECS Anywhere"
+
+    Please note that the `ssm:DescribeInstanceInformation` action is required for ECS anywhere instances discovery.
+
 ## Provider Configuration

 ### `autoDiscoverClusters`
@@ -65,7 +70,7 @@ _Optional, Default=false_

 Search for services in cluster list.

- If set to `true` service discovery is disabled on configured clusters, but enabled for all other clusters.
+- If set to `true` service discovery is enabled for all clusters.
 - If set to `false` service discovery is enabled on configured clusters only.

 ```yaml tab="File (YAML)"
@@ -86,11 +91,39 @@ providers:
 # ...
 ```

+### `ecsAnywhere`
+
+_Optional, Default=false_
+
+Enable ECS Anywhere support.
+
+- If set to `true` service discovery is enabled for ECS Anywhere instances.
+- If set to `false` service discovery is disabled for ECS Anywhere instances.
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    ecsAnywhere: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  ecsAnywhere = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.ecsAnywhere=true
+# ...
+```
+
 ### `clusters`

 _Optional, Default=["default"]_

 Search for services in cluster list.
+This option is ignored if `autoDiscoverClusters` is set to `true`.

 ```yaml tab="File (YAML)"
 providers:
@@ -137,6 +170,94 @@ providers:
 # ...
 ```

+### `constraints`
+
+_Optional, Default=""_
+
+The `constraints` option can be set to an expression that Traefik matches against the container labels (task),
+to determine whether to create any route for that container. 
+If none of the container labels match the expression, no route for that container is created. 
+If the expression is empty, all detected containers are included.
+
+The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
+as well as the usual boolean logic, as shown in examples below.
+
+??? example "Constraints Expression Examples"
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and value `foo`
+    constraints = "Label(`a.label.name`, `foo`)"
+    ```
+
+    ```toml
+    # Excludes containers having any label with key `a.label.name` and value `foo`
+    constraints = "!Label(`a.label.name`, `value`)"
+    ```
+
+    ```toml
+    # With logical AND.
+    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical OR.
+    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
+    ```
+
+    ```toml
+    # With logical AND and OR, with precedence set by parentheses.
+    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
+    ```
+
+    ```toml
+    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
+    constraints = "LabelRegex(`a.label.name`, `a.+`)"
+    ```
+
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    constraints: "Label(`a.label.name`,`foo`)"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  constraints = "Label(`a.label.name`,`foo`)"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.constraints=Label(`a.label.name`,`foo`)
+# ...
+```
+
+### `healthyTasksOnly`
+
+_Optional, Default=false_
+
+Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    healthyTasksOnly: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  healthyTasksOnly = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.healthyTasksOnly=true
+# ...
+```
+
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen

 !!! tip

-    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)

 ## Configuration Examples

@@ -291,3 +291,5 @@ To illustrate, it is possible to easily define multiple routers, services, and T
      # ...
    {{ end }}
    ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -76,6 +76,26 @@ providers:
 --providers.http.pollTimeout=5s
 ```

+### `headers`
+
+_Optional_
+
+Defines custom headers to be sent to the endpoint.
+
+```yaml tab="File (YAML)"
+providers:
+  headers:
+    name: value
+```
+
+```toml tab="File (TOML)"
+[providers.http.headers]
+  name = "value"
+```
+
+```bash tab="CLI"
+--providers.http.headers.name=value
+
 ### `tls`

 _Optional_
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -35,10 +35,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
@@ -344,3 +344,5 @@ providers:
 ## Full Example

 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -78,7 +78,7 @@ This provider is proposed as an experimental feature and partially supports the

 The Kubernetes Gateway API project provides several guides on how to use the APIs.
 These guides can help you to go further than the example above.
-The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha2/guides/getting-started/) details how to install the CRDs from their repository.
+The [getting started guide](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) details how to install the CRDs from their repository.

 !!! note ""

--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -374,7 +374,7 @@ providers:

 _Optional, Default: ""_

-IP used for Kubernetes Ingress endpoints.
+This IP will get copied to Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).

 ```yaml tab="File (YAML)"
 providers:
@@ -398,7 +398,9 @@ providers:

 _Optional, Default: ""_

-Published Kubernetes Service to copy status from.
+The Kubernetes service to copy status from.
+When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the ingresses.
+
 Format: `namespace/servicename`.

 ```yaml tab="File (YAML)"
@@ -500,19 +502,6 @@ providers:
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.8/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.9/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -440,26 +440,37 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
+### `namespaces`

 _Optional, Default=""_

-The `namespace` option defines the namespace in which the Nomad services will be discovered.
+The `namespaces` option defines the namespaces in which the nomad services will be discovered.
+When using the `namespaces` option, the discovered object names will be suffixed as shown below:
+
+```text
+<resource-name>@nomad-<namespace>
+```
+
+!!! warning
+  
+    One should only define either the `namespaces` option or the `namespace` option.

 ```yaml tab="File (YAML)"
 providers:
  nomad:
-    namespace: "production"
+    namespaces:
+      - "ns1"
+      - "ns2"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.nomad]
-  namespace = "production"
+  namespaces = ["ns1", "ns2"]
  # ...
 ```

 ```bash tab="CLI"
--providers.nomad.namespace=production
+--providers.nomad.namespaces=ns1,ns2
 # ...
 ```
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -213,6 +213,7 @@ you can do so in two different ways:
 List of providers that support these features:

 - [Docker](./docker.md#exposedbydefault)
+- [ECS](./ecs.md#exposedbydefault)
 - [Consul Catalog](./consul-catalog.md#exposedbydefault)
 - [Nomad](./nomad.md#exposedbydefault)
 - [Rancher](./rancher.md#exposedbydefault)
@@ -223,6 +224,7 @@ List of providers that support these features:
 List of providers that support constraints:

 - [Docker](./docker.md#constraints)
+- [ECS](./ecs.md#constraints)
 - [Consul Catalog](./consul-catalog.md#constraints)
 - [Nomad](./nomad.md#constraints)
 - [Rancher](./rancher.md#constraints)
@@ -230,3 +232,5 @@ List of providers that support constraints:
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -17,7 +17,7 @@
 - "traefik.http.middlewares.middleware05.compress=true"
 - "traefik.http.middlewares.middleware05.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware05.compress.minresponsebodybytes=42"
- "traefik.http.middlewares.middleware06.contenttype.autodetect=true"
+- "traefik.http.middlewares.middleware06.contenttype=true"
 - "traefik.http.middlewares.middleware07.digestauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.realm=foobar"
 - "traefik.http.middlewares.middleware07.digestauth.removeheader=true"
@@ -31,7 +31,6 @@
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
- "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
@@ -54,7 +53,6 @@
 - "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
- "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware10.headers.framedeny=true"
 - "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
@@ -62,18 +60,14 @@
 - "traefik.http.middlewares.middleware10.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
- "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
- "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
- "traefik.http.middlewares.middleware10.headers.sslredirect=true"
- "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware10.headers.stspreload=true"
 - "traefik.http.middlewares.middleware10.headers.stsseconds=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth=42"
- "traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips=foobar, foobar"
- "traefik.http.middlewares.middleware11.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth=42"
+- "traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips=foobar, foobar"
+- "traefik.http.middlewares.middleware11.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.http.middlewares.middleware12.inflightreq.amount=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
@@ -118,9 +112,9 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
 - "traefik.http.middlewares.middleware20.retry.initialinterval=42"
- "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
+- "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.priority=42"
@@ -151,10 +145,12 @@
 - "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.interval=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.path=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.method=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.port=42"
 - "traefik.http.services.service01.loadbalancer.healthcheck.scheme=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.mode=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.timeout=foobar"
- "traefik.http.services.service01.loadbalancer.healthcheck.followredirects=true"
 - "traefik.http.services.service01.loadbalancer.passhostheader=true"
 - "traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval=foobar"
 - "traefik.http.services.service01.loadbalancer.serverstransport=foobar"
@@ -165,7 +161,7 @@
 - "traefik.http.services.service01.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service01.loadbalancer.server.port=foobar"
 - "traefik.http.services.service01.loadbalancer.server.scheme=foobar"
- "traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange=foobar, foobar"
+- "traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount=42"
 - "traefik.tcp.routers.tcprouter0.entrypoints=foobar, foobar"
 - "traefik.tcp.routers.tcprouter0.middlewares=foobar, foobar"
@@ -201,3 +197,13 @@
 - "traefik.udp.routers.udprouter1.entrypoints=foobar, foobar"
 - "traefik.udp.routers.udprouter1.service=foobar"
 - "traefik.udp.services.udpservice01.loadbalancer.server.port=foobar"
+- "traefik.tls.stores.Store0.defaultcertificate.certfile=foobar"
+- "traefik.tls.stores.Store0.defaultcertificate.keyfile=foobar"
+- "traefik.tls.stores.Store0.defaultgeneratedcert.domain.main=foobar"
+- "traefik.tls.stores.Store0.defaultgeneratedcert.domain.sans=foobar, foobar"
+- "traefik.tls.stores.Store0.defaultgeneratedcert.resolver=foobar"
+- "traefik.tls.stores.Store1.defaultcertificate.certfile=foobar"
+- "traefik.tls.stores.Store1.defaultcertificate.keyfile=foobar"
+- "traefik.tls.stores.Store1.defaultgeneratedcert.domain.main=foobar"
+- "traefik.tls.stores.Store1.defaultgeneratedcert.domain.sans=foobar, foobar"
+- "traefik.tls.stores.Store1.defaultgeneratedcert.resolver=foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -53,17 +53,20 @@
          url = "foobar"
        [http.services.Service01.loadBalancer.healthCheck]
          scheme = "foobar"
+          mode = "foobar"
          path = "foobar"
+          method = "foobar"
+          status = 42
          port = 42
-          interval = "foobar"
-          timeout = "foobar"
+          interval = "42s"
+          timeout = "42s"
          hostname = "foobar"
          followRedirects = true
          [http.services.Service01.loadBalancer.healthCheck.headers]
            name0 = "foobar"
            name1 = "foobar"
        [http.services.Service01.loadBalancer.responseForwarding]
-          flushInterval = "foobar"
+          flushInterval = "42s"
    [http.services.Service02]
      [http.services.Service02.mirroring]
        service = "foobar"
@@ -134,7 +137,6 @@
        minResponseBodyBytes = 42
    [http.middlewares.Middleware06]
      [http.middlewares.Middleware06.contentType]
-        autoDetect = true
    [http.middlewares.Middleware07]
      [http.middlewares.Middleware07.digestAuth]
        users = ["foobar", "foobar"]
@@ -156,7 +158,6 @@
        authRequestHeaders = ["foobar", "foobar"]
        [http.middlewares.Middleware09.forwardAuth.tls]
          ca = "foobar"
-          caOptional = true
          cert = "foobar"
          key = "foobar"
          insecureSkipVerify = true
@@ -172,10 +173,6 @@
        addVaryHeader = true
        allowedHosts = ["foobar", "foobar"]
        hostsProxyHeaders = ["foobar", "foobar"]
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
        stsSeconds = 42
        stsIncludeSubdomains = true
        stsPreload = true
@@ -188,7 +185,6 @@
        contentSecurityPolicy = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
-        featurePolicy = "foobar"
        permissionsPolicy = "foobar"
        isDevelopment = true
        [http.middlewares.Middleware10.headers.customRequestHeaders]
@@ -201,9 +197,9 @@
          name0 = "foobar"
          name1 = "foobar"
    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.ipWhiteList]
+      [http.middlewares.Middleware11.ipAllowList]
        sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware11.ipWhiteList.ipStrategy]
+        [http.middlewares.Middleware11.ipAllowList.ipStrategy]
          depth = 42
          excludedIPs = ["foobar", "foobar"]
    [http.middlewares.Middleware12]
@@ -279,10 +275,12 @@
    [http.middlewares.Middleware21]
      [http.middlewares.Middleware21.stripPrefix]
        prefixes = ["foobar", "foobar"]
-        forceSlash = true
    [http.middlewares.Middleware22]
      [http.middlewares.Middleware22.stripPrefixRegex]
        regex = ["foobar", "foobar"]
+    [http.middlewares.Middleware23]
+      [http.middlewares.Middleware23.grpcWeb]
+        allowOrigins = ["foobar", "foobar"]
  [http.serversTransports]
    [http.serversTransports.ServersTransport0]
      serverName = "foobar"
@@ -299,12 +297,18 @@
      [[http.serversTransports.ServersTransport0.certificates]]
        certFile = "foobar"
        keyFile = "foobar"
+
      [http.serversTransports.ServersTransport0.forwardingTimeouts]
        dialTimeout = "42s"
        responseHeaderTimeout = "42s"
        idleConnTimeout = "42s"
        readIdleTimeout = "42s"
        pingTimeout = "42s"
+
+      [http.serversTransports.ServersTransport0.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
    [http.serversTransports.ServersTransport1]
      serverName = "foobar"
      insecureSkipVerify = true
@@ -320,6 +324,7 @@
      [[http.serversTransports.ServersTransport1.certificates]]
        certFile = "foobar"
        keyFile = "foobar"
+
      [http.serversTransports.ServersTransport1.forwardingTimeouts]
        dialTimeout = "42s"
        responseHeaderTimeout = "42s"
@@ -327,6 +332,10 @@
        readIdleTimeout = "42s"
        pingTimeout = "42s"

+      [http.serversTransports.ServersTransport1.spiffe]
+        ids = ["foobar", "foobar"]
+        trustDomain = "foobar"
+
 [tcp]
  [tcp.routers]
    [tcp.routers.TCPRouter0]
@@ -389,7 +398,7 @@
          weight = 42
  [tcp.middlewares]
    [tcp.middlewares.TCPMiddleware00]
-      [tcp.middlewares.TCPMiddleware00.ipWhiteList]
+      [tcp.middlewares.TCPMiddleware00.ipAllowList]
        sourceRange = ["foobar", "foobar"]
    [tcp.middlewares.TCPMiddleware01]
      [tcp.middlewares.TCPMiddleware01.inFlightConn]
@@ -441,7 +450,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
-      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options0.clientAuth]
        caFiles = ["foobar", "foobar"]
@@ -452,7 +460,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
-      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options1.clientAuth]
        caFiles = ["foobar", "foobar"]
@@ -462,7 +469,17 @@
      [tls.stores.Store0.defaultCertificate]
        certFile = "foobar"
        keyFile = "foobar"
+      [tls.stores.Store0.defaultGeneratedCert]
+        resolver = "foobar"
+        [tls.stores.Store0.defaultGeneratedCert.domain]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
    [tls.stores.Store1]
      [tls.stores.Store1.defaultCertificate]
        certFile = "foobar"
        keyFile = "foobar"
+      [tls.stores.Store1.defaultGeneratedCert]
+        resolver = "foobar"
+        [tls.stores.Store1.defaultGeneratedCert.domain]
+          main = "foobar"
+          sans = ["foobar", "foobar"]
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -58,10 +58,13 @@ http:
          - url: foobar
        healthCheck:
          scheme: foobar
+          mode: foobar
          path: foobar
+          method: foobar
+          status: 42
          port: 42
-          interval: foobar
-          timeout: foobar
+          interval: 42s
+          timeout: 42s
          hostname: foobar
          followRedirects: true
          headers:
@@ -69,7 +72,7 @@ http:
            name1: foobar
        passHostHeader: true
        responseForwarding:
-          flushInterval: foobar
+          flushInterval: 42s
        serversTransport: foobar
    Service02:
      mirroring:
@@ -138,8 +141,7 @@ http:
          - foobar
        minResponseBodyBytes: 42
    Middleware06:
-      contentType:
-        autoDetect: true
+      contentType: {}
    Middleware07:
      digestAuth:
        users:
@@ -161,7 +163,6 @@ http:
        address: foobar
        tls:
          ca: foobar
-          caOptional: true
          cert: foobar
          key: foobar
          insecureSkipVerify: true
@@ -205,13 +206,9 @@ http:
        hostsProxyHeaders:
          - foobar
          - foobar
-        sslRedirect: true
-        sslTemporaryRedirect: true
-        sslHost: foobar
        sslProxyHeaders:
          name0: foobar
          name1: foobar
-        sslForceHost: true
        stsSeconds: 42
        stsIncludeSubdomains: true
        stsPreload: true
@@ -224,11 +221,10 @@ http:
        contentSecurityPolicy: foobar
        publicKey: foobar
        referrerPolicy: foobar
-        featurePolicy: foobar
        permissionsPolicy: foobar
        isDevelopment: true
    Middleware11:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - foobar
          - foobar
@@ -316,12 +312,16 @@ http:
        prefixes:
          - foobar
          - foobar
-        forceSlash: true
    Middleware22:
      stripPrefixRegex:
        regex:
          - foobar
          - foobar
+    Middleware23:
+      grpcWeb:
+        allowOrigins:
+          - foobar
+          - foobar
  serversTransports:
    ServersTransport0:
      serverName: foobar
@@ -343,6 +343,12 @@ http:
        pingTimeout: 42s
      disableHTTP2: true
      peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
    ServersTransport1:
      serverName: foobar
      insecureSkipVerify: true
@@ -363,6 +369,12 @@ http:
        pingTimeout: 42s
      disableHTTP2: true
      peerCertURI: foobar
+      spiffe:
+        ids:
+          - foobar
+          - foobar
+        trustDomain: foobar
+
 tcp:
  routers:
    TCPRouter0:
@@ -429,7 +441,7 @@ tcp:
            weight: 42
  middlewares:
    TCPMiddleware00:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - foobar
          - foobar
@@ -489,7 +501,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
-      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
@@ -508,7 +519,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
-      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
@@ -517,7 +527,21 @@ tls:
      defaultCertificate:
        certFile: foobar
        keyFile: foobar
+      defaultGeneratedCert:
+        resolver: foobar
+        domain:
+          main: foobar
+          sans:
+            - foobar
+            - foobar
    Store1:
      defaultCertificate:
        certFile: foobar
        keyFile: foobar
+      defaultGeneratedCert:
+        resolver: foobar
+        domain:
+          main: foobar
+          sans:
+            - foobar
+            - foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -56,11 +56,11 @@ spec:
                      - Rule
                      type: string
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#rule'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
-                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-middleware'
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -79,7 +79,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.8/routing/routers/#priority'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
@@ -145,7 +145,7 @@ spec:
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -190,16 +190,16 @@ spec:
                  type: object
                type: array
              tls:
-                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#tls'
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.8/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -217,15 +217,15 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSOption. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          TLSOption. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
@@ -241,11 +241,11 @@ spec:
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSStore. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          TLSStore. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
@@ -307,7 +307,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -318,7 +318,7 @@ spec:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#rule_1'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -341,7 +341,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.8/routing/routers/#priority_1'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -366,7 +366,7 @@ spec:
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
-                              configuration. More info: https://doc.traefik.io/traefik/v2.8/routing/services/#proxy-protocol'
+                              configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -397,16 +397,16 @@ spec:
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
-                  Route. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#tls_1'
+                  Route. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.8/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -424,7 +424,7 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -518,7 +518,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -597,7 +597,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -617,7 +617,7 @@ spec:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
-                  it. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/addprefix/'
+                  it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
@@ -627,11 +627,11 @@ spec:
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -651,7 +651,7 @@ spec:
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
-                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/buffering/#maxrequestbodybytes'
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
@@ -684,13 +684,13 @@ spec:
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
-                      and OR (||). More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/buffering/#retryexpression'
+                      and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
-                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/chain/'
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -744,12 +744,13 @@ spec:
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
-                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/compress/'
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
-                      and responses before compressing.
+                      and responses before compressing. `application/grpc` is always
+                      excluded.
                    items:
                      type: string
                    type: array
@@ -761,28 +762,18 @@ spec:
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
-                  This middleware exists to enable the correct behavior until at least
-                  the default one can be changed in a future version.
-                properties:
-                  autoDetect:
-                    description: AutoDetect specifies whether to let the `Content-Type`
-                      header, if it has not been set by the backend, be automatically
-                      set to a value derived from the contents of the response. As
-                      a proxy, the default behavior should be to leave the header
-                      alone, regardless of what the backend did with it. However,
-                      the historic default was to always auto-detect and set the header
-                      if it was nil, and it is going to be kept that way in order
-                      to support users currently relying on it.
-                    type: boolean
+                  This middleware sets the `Content-Type` header value to the media
+                  type detected from the response content, when it is not set by the
+                  backend.
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/digestauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -801,7 +792,7 @@ spec:
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
-                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/errorpages/'
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
@@ -810,7 +801,7 @@ spec:
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
-                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/errorpages/#service'
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
@@ -867,7 +858,7 @@ spec:
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -916,7 +907,7 @@ spec:
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/forwardauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
@@ -939,14 +930,12 @@ spec:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
-                      the regex. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/forwardauth/#authresponseheadersregex'
+                      the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
-                      caOptional:
-                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@@ -967,10 +956,21 @@ spec:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
+              grpcWeb:
+                description: GrpcWeb holds the gRPC web middleware configuration.
+                  This middleware converts a gRPC web request to an HTTP/2 gRPC request.
+                properties:
+                  allowOrigins:
+                    description: AllowOrigins is a list of allowable origins. Can
+                      also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
-                  info: https://doc.traefik.io/traefik/v2.8/middlewares/http/headers/#customrequestheaders'
+                  info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1054,9 +1054,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@@ -1092,12 +1089,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@@ -1106,14 +1097,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@@ -1131,7 +1114,7 @@ spec:
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
-                  served concurrently. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/inflightreq/'
+                  served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
@@ -1145,11 +1128,11 @@ spec:
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
-                      info: https://doc.traefik.io/traefik/v2.8/middlewares/http/inflightreq/#sourcecriterion'
+                      info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1174,14 +1157,14 @@ spec:
                        type: boolean
                    type: object
                type: object
-              ipWhiteList:
-                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+              ipAllowList:
+                description: 'IPAllowList holds the IP allowlist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1205,7 +1188,7 @@ spec:
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
-                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/passtlsclientcert/'
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1300,7 +1283,7 @@ spec:
                    type: object
                  pem:
                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
-                      the escaped certificate.
+                      the certificate.
                    type: boolean
                type: object
              plugin:
@@ -1312,7 +1295,7 @@ spec:
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
-                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ratelimit/'
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
@@ -1345,7 +1328,7 @@ spec:
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1373,7 +1356,7 @@ spec:
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/redirectregex/#regex'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1391,7 +1374,7 @@ spec:
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
-                  to another. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/redirectscheme/'
+                  to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1407,7 +1390,7 @@ spec:
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
-                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/replacepath/'
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1417,7 +1400,7 @@ spec:
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
-                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/replacepathregex/'
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1433,7 +1416,7 @@ spec:
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/retry/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1453,13 +1436,8 @@ spec:
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/stripprefix/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
                properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@@ -1470,7 +1448,7 @@ spec:
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
-                  the URL path. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/stripprefixregex/'
+                  the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1514,7 +1492,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v2.8/middlewares/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1541,8 +1519,8 @@ spec:
                    format: int64
                    type: integer
                type: object
-              ipWhiteList:
-                description: IPWhiteList defines the IPWhiteList middleware configuration.
+              ipAllowList:
+                description: IPAllowList defines the IPAllowList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1588,7 +1566,7 @@ spec:
        description: 'ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v2.8/routing/services/#serverstransport_1'
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1679,6 +1657,19 @@ spec:
                description: ServerName defines the server name used to contact the
                  server.
                type: string
+              spiffe:
+                description: Spiffe defines the SPIFFE configuration.
+                properties:
+                  ids:
+                    description: IDs defines the allowed SPIFFE IDs (takes precedence
+                      over the SPIFFE TrustDomain).
+                    items:
+                      type: string
+                    type: array
+                  trustDomain:
+                    description: TrustDomain defines the allowed SPIFFE trust domain.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
@@ -1715,7 +1706,7 @@ spec:
      openAPIV3Schema:
        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
          allowing to configure some parameters of the TLS connection. More info:
-          https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+          https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1735,13 +1726,13 @@ spec:
              alpnProtocols:
                description: 'ALPNProtocols defines the list of supported application
                  level protocols for the TLS handshake, in order of preference. More
-                  info: https://doc.traefik.io/traefik/v2.8/https/tls/#alpn-protocols'
+                  info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols'
                items:
                  type: string
                type: array
              cipherSuites:
                description: 'CipherSuites defines the list of supported cipher suites
-                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#cipher-suites'
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites'
                items:
                  type: string
                type: array
@@ -1768,7 +1759,7 @@ spec:
                type: object
              curvePreferences:
                description: 'CurvePreferences defines the preferred elliptic curves
-                  in a specific order. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#curve-preferences'
+                  in a specific order. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences'
                items:
                  type: string
                type: array
@@ -1782,12 +1773,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
@@ -1829,7 +1814,7 @@ spec:
        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
          the time being, only the TLSStore named default is supported. This means
          that you cannot have two stores that are named default in different Kubernetes
-          namespaces. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#certificates-stores'
+          namespaces. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -1870,6 +1855,27 @@ spec:
                required:
                - secretName
                type: object
+              defaultGeneratedCert:
+                description: DefaultGeneratedCert defines the default generated certificate
+                  configuration.
+                properties:
+                  domain:
+                    description: Domain is the domain definition for the DefaultCertificate.
+                    properties:
+                      main:
+                        description: Main defines the main domain name.
+                        type: string
+                      sans:
+                        description: SANs defines the subject alternative domain names.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  resolver:
+                    description: Resolver is the name of the resolver that will be
+                      used to issue the DefaultCertificate.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
@@ -1906,7 +1912,7 @@ spec:
      openAPIV3Schema:
        description: 'TraefikService is the CRD implementation of a Traefik Service.
          TraefikService object allows to: - Apply weight to Services on load-balancing
-          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-traefikservice'
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -2005,7 +2011,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2089,7 +2095,7 @@ spec:
                    type: string
                  sticky:
                    description: 'Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2189,7 +2195,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2228,7 +2234,7 @@ spec:
                    type: array
                  sticky:
                    description: 'Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
@@ -26,6 +26,7 @@ rules:
      - watch
  - apiGroups:
      - extensions
+      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@@ -148,7 +148,7 @@ spec:
        - name: whoamitcp
          port: 8080
      middlewares:
-        - name: ipwhitelist
+        - name: ipallowlist
  tls:
    secretName: foosecret
    passthrough: false
@@ -193,7 +193,6 @@ spec:
      - foobar
    clientAuthType: RequireAndVerifyClientCert
  sniStrict: true
-  preferServerCipherSuites: true
  alpnProtocols:
    - foobar
    - foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v2.8
+          image: traefik:v3.0
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -19,7 +19,7 @@
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/excludedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware05/compress/minResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware06/contentType/autoDetect` | `true` |
+| `traefik/http/middlewares/Middleware06/contentType` | `` |
 | `traefik/http/middlewares/Middleware07/digestAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/realm` | `foobar` |
 | `traefik/http/middlewares/Middleware07/digestAuth/removeHeader` | `true` |
@@ -37,7 +37,6 @@
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
-| `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/insecureSkipVerify` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/key` | `foobar` |
@@ -66,7 +65,6 @@
 | `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/featurePolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/forceSTSHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/frameDeny` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/0` | `foobar` |
@@ -75,20 +73,16 @@
 | `traefik/http/middlewares/Middleware10/headers/permissionsPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/publicKey` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/referrerPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslForceHost` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslHost` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/headers/sslRedirect` | `true` |
-| `traefik/http/middlewares/Middleware10/headers/sslTemporaryRedirect` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/http/middlewares/Middleware11/ipWhiteList/sourceRange/1` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/depth` | `42` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/0` | `foobar` |
+| `traefik/http/middlewares/Middleware11/ipAllowList/sourceRange/1` | `foobar` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/amount` | `42` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware12/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
@@ -135,11 +129,12 @@
 | `traefik/http/middlewares/Middleware19/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware20/retry/attempts` | `42` |
 | `traefik/http/middlewares/Middleware20/retry/initialInterval` | `42s` |
-| `traefik/http/middlewares/Middleware21/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/0` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/1` | `foobar` |
+| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/0` | `foobar` |
+| `traefik/http/middlewares/Middleware23/grpcWeb/allowOrigins/1` | `foobar` |
 | `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
 | `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/0` | `foobar` |
@@ -186,6 +181,9 @@
 | `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport0/spiffe/trustDomain` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/0/certFile` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/certificates/1/certFile` | `foobar` |
@@ -202,17 +200,23 @@
 | `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
 | `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/0` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/1` | `foobar` |
+| `traefik/http/serversTransports/ServersTransport1/spiffe/trustDomain` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/followRedirects` | `true` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name0` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/headers/name1` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/hostname` | `foobar` |
-| `traefik/http/services/Service01/loadBalancer/healthCheck/interval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/interval` | `42s` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/method` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/mode` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/path` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/port` | `42` |
 | `traefik/http/services/Service01/loadBalancer/healthCheck/scheme` | `foobar` |
-| `traefik/http/services/Service01/loadBalancer/healthCheck/timeout` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/status` | `42` |
+| `traefik/http/services/Service01/loadBalancer/healthCheck/timeout` | `42s` |
 | `traefik/http/services/Service01/loadBalancer/passHostHeader` | `true` |
-| `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `foobar` |
+| `traefik/http/services/Service01/loadBalancer/responseForwarding/flushInterval` | `42s` |
 | `traefik/http/services/Service01/loadBalancer/servers/0/url` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/servers/1/url` | `foobar` |
 | `traefik/http/services/Service01/loadBalancer/serversTransport` | `foobar` |
@@ -239,8 +243,8 @@
 | `traefik/http/services/Service04/failover/fallback` | `foobar` |
 | `traefik/http/services/Service04/failover/healthCheck` | `` |
 | `traefik/http/services/Service04/failover/service` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware00/ipWhiteList/sourceRange/1` | `foobar` |
+| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/0` | `foobar` |
+| `traefik/tcp/middlewares/TCPMiddleware00/ipAllowList/sourceRange/1` | `foobar` |
 | `traefik/tcp/middlewares/TCPMiddleware01/inFlightConn/amount` | `42` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
 | `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
@@ -301,7 +305,6 @@
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
-| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
 | `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
@@ -314,12 +317,19 @@
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
-| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
+| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/main` | `foobar` |
+| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0` | `foobar` |
+| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1` | `foobar` |
+| `traefik/tls/stores/Store0/defaultGeneratedCert/resolver` | `foobar` |
 | `traefik/tls/stores/Store1/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store1/defaultCertificate/keyFile` | `foobar` |
+| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/main` | `foobar` |
+| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/0` | `foobar` |
+| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/1` | `foobar` |
+| `traefik/tls/stores/Store1/defaultGeneratedCert/resolver` | `foobar` |
 | `traefik/udp/routers/UDPRouter0/entryPoints/0` | `foobar` |
 | `traefik/udp/routers/UDPRouter0/entryPoints/1` | `foobar` |
 | `traefik/udp/routers/UDPRouter0/service` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@@ -17,7 +17,7 @@
 "traefik.http.middlewares.middleware05.compress": "true",
 "traefik.http.middlewares.middleware05.compress.excludedcontenttypes": "foobar, foobar",
 "traefik.http.middlewares.middleware05.compress.minresponsebodybytes": "42",
-"traefik.http.middlewares.middleware06.contenttype.autodetect": "true",
+"traefik.http.middlewares.middleware06.contenttype": "true",
 "traefik.http.middlewares.middleware07.digestauth.headerfield": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.realm": "foobar",
 "traefik.http.middlewares.middleware07.digestauth.removeheader": "true",
@@ -31,7 +31,6 @@
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
-"traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
@@ -54,7 +53,6 @@
 "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
 "traefik.http.middlewares.middleware10.headers.framedeny": "true",
 "traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
@@ -62,18 +60,14 @@
 "traefik.http.middlewares.middleware10.headers.permissionspolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.publickey": "foobar",
 "traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
-"traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
-"traefik.http.middlewares.middleware10.headers.sslredirect": "true",
-"traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
 "traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
 "traefik.http.middlewares.middleware10.headers.stspreload": "true",
 "traefik.http.middlewares.middleware10.headers.stsseconds": "42",
-"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.depth": "42",
-"traefik.http.middlewares.middleware11.ipwhitelist.ipstrategy.excludedips": "foobar, foobar",
-"traefik.http.middlewares.middleware11.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.depth": "42",
+"traefik.http.middlewares.middleware11.ipallowlist.ipstrategy.excludedips": "foobar, foobar",
+"traefik.http.middlewares.middleware11.ipallowlist.sourcerange": "foobar, foobar",
 "traefik.http.middlewares.middleware12.inflightreq.amount": "42",
 "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.depth": "42",
 "traefik.http.middlewares.middleware12.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
@@ -118,9 +112,9 @@
 "traefik.http.middlewares.middleware19.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware20.retry.attempts": "42",
 "traefik.http.middlewares.middleware20.retry.initialinterval": "42",
-"traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
+"traefik.http.middlewares.middleware23.grpcweb.alloworigins": "foobar, foobar",
 "traefik.http.routers.router0.entrypoints": "foobar, foobar",
 "traefik.http.routers.router0.middlewares": "foobar, foobar",
 "traefik.http.routers.router0.priority": "42",
@@ -149,14 +143,16 @@
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",
-"traefik.http.services.service01.loadbalancer.healthcheck.interval": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.interval": "42s",
 "traefik.http.services.service01.loadbalancer.healthcheck.path": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.method": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.status": "42",
 "traefik.http.services.service01.loadbalancer.healthcheck.port": "42",
 "traefik.http.services.service01.loadbalancer.healthcheck.scheme": "foobar",
-"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "foobar",
-"traefik.http.services.service01.loadbalancer.healthcheck.followredirects": "true",
+"traefik.http.services.service01.loadbalancer.healthcheck.mode": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.timeout": "42s",
 "traefik.http.services.service01.loadbalancer.passhostheader": "true",
-"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "foobar",
+"traefik.http.services.service01.loadbalancer.responseforwarding.flushinterval": "42s",
 "traefik.http.services.service01.loadbalancer.serverstransport": "foobar",
 "traefik.http.services.service01.loadbalancer.sticky.cookie": "true",
 "traefik.http.services.service01.loadbalancer.sticky.cookie.httponly": "true",
@@ -165,7 +161,7 @@
 "traefik.http.services.service01.loadbalancer.sticky.cookie.secure": "true",
 "traefik.http.services.service01.loadbalancer.server.port": "foobar",
 "traefik.http.services.service01.loadbalancer.server.scheme": "foobar",
-"traefik.tcp.middlewares.tcpmiddleware00.ipwhitelist.sourcerange": "foobar, foobar",
+"traefik.tcp.middlewares.tcpmiddleware00.ipallowlist.sourcerange": "foobar, foobar",
 "traefik.tcp.middlewares.tcpmiddleware01.inflightconn.amount": "42",
 "traefik.tcp.routers.tcprouter0.entrypoints": "foobar, foobar",
 "traefik.tcp.routers.tcprouter0.middlewares": "foobar, foobar",
@@ -201,3 +197,13 @@
 "traefik.udp.routers.udprouter1.entrypoints": "foobar, foobar",
 "traefik.udp.routers.udprouter1.service": "foobar",
 "traefik.udp.services.udpservice01.loadbalancer.server.port": "foobar",
+"traefik.tls.stores.Store0.defaultcertificate.certfile": "foobar",
+"traefik.tls.stores.Store0.defaultcertificate.keyfile": "foobar",
+"traefik.tls.stores.Store0.defaultgeneratedcert.domain.main": "foobar",
+"traefik.tls.stores.Store0.defaultgeneratedcert.domain.sans": "foobar, foobar",
+"traefik.tls.stores.Store0.defaultgeneratedcert.resolver": "foobar",
+"traefik.tls.stores.Store1.defaultcertificate.certfile": "foobar",
+"traefik.tls.stores.Store1.defaultcertificate.keyfile": "foobar",
+"traefik.tls.stores.Store1.defaultgeneratedcert.domain.main": "foobar",
+"traefik.tls.stores.Store1.defaultgeneratedcert.domain.sans": "foobar, foobar",
+"traefik.tls.stores.Store1.defaultgeneratedcert.resolver": "foobar",
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutes.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -56,11 +56,11 @@ spec:
                      - Rule
                      type: string
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#rule'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
-                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-middleware'
+                        Middleware resources. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -79,7 +79,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.8/routing/routers/#priority'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
@@ -145,7 +145,7 @@ spec:
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -190,16 +190,16 @@ spec:
                  type: object
                type: array
              tls:
-                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#tls'
+                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.8/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -217,15 +217,15 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSOption. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsoption'
+                          TLSOption. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
@@ -241,11 +241,11 @@ spec:
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
-                          TLSStore. More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-tlsstore'
+                          TLSStore. More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressroutetcps.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
@@ -50,7 +50,7 @@ spec:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
-                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#rule_1'
+                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -73,7 +73,7 @@ spec:
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
-                        info: https://doc.traefik.io/traefik/v2.8/routing/routers/#priority_1'
+                        info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -98,7 +98,7 @@ spec:
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
-                              configuration. More info: https://doc.traefik.io/traefik/v2.8/routing/services/#proxy-protocol'
+                              configuration. More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -129,16 +129,16 @@ spec:
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
-                  Route. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#tls_1'
+                  Route. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
-                      static configuration. More info: https://doc.traefik.io/traefik/v2.8/https/acme/#certificate-resolvers'
+                      static configuration. More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
-                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.8/routing/routers/#domains'
+                      used to issue certificates. More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -156,7 +156,7 @@ spec:
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
-                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_ingressrouteudps.yaml
@@ -39,7 +39,7 @@ spec:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v2.8/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@@ -20,7 +20,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -40,7 +40,7 @@ spec:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
-                  it. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/addprefix/'
+                  it. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
@@ -50,11 +50,11 @@ spec:
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -74,7 +74,7 @@ spec:
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
-                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/buffering/#maxrequestbodybytes'
+                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
@@ -107,13 +107,13 @@ spec:
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
-                      and OR (||). More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/buffering/#retryexpression'
+                      and OR (||). More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
-                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/chain/'
+                  pieces of middleware. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -167,12 +167,13 @@ spec:
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
-                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/compress/'
+                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
-                      and responses before compressing.
+                      and responses before compressing. `application/grpc` is always
+                      excluded.
                    items:
                      type: string
                    type: array
@@ -184,28 +185,18 @@ spec:
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
-                  This middleware exists to enable the correct behavior until at least
-                  the default one can be changed in a future version.
-                properties:
-                  autoDetect:
-                    description: AutoDetect specifies whether to let the `Content-Type`
-                      header, if it has not been set by the backend, be automatically
-                      set to a value derived from the contents of the response. As
-                      a proxy, the default behavior should be to leave the header
-                      alone, regardless of what the backend did with it. However,
-                      the historic default was to always auto-detect and set the header
-                      if it was nil, and it is going to be kept that way in order
-                      to support users currently relying on it.
-                    type: boolean
+                  This middleware sets the `Content-Type` header value to the media
+                  type detected from the response content, when it is not set by the
+                  backend.
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/digestauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
-                      authenticated user. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/basicauth/#headerfield'
+                      authenticated user. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
@@ -224,7 +215,7 @@ spec:
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
-                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/errorpages/'
+                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
@@ -233,7 +224,7 @@ spec:
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
-                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/errorpages/#service'
+                      that will serve the error page. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
@@ -290,7 +281,7 @@ spec:
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -339,7 +330,7 @@ spec:
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/forwardauth/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
@@ -362,14 +353,12 @@ spec:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
-                      the regex. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/forwardauth/#authresponseheadersregex'
+                      the regex. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
-                      caOptional:
-                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@@ -390,10 +379,21 @@ spec:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
+              grpcWeb:
+                description: GrpcWeb holds the gRPC web middleware configuration.
+                  This middleware converts a gRPC web request to an HTTP/2 gRPC request.
+                properties:
+                  allowOrigins:
+                    description: AllowOrigins is a list of allowable origins. Can
+                      also be a wildcard origin "*".
+                    items:
+                      type: string
+                    type: array
+                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
-                  info: https://doc.traefik.io/traefik/v2.8/middlewares/http/headers/#customrequestheaders'
+                  info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -477,9 +477,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
-                  featurePolicy:
-                    description: 'Deprecated: use PermissionsPolicy instead.'
-                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@@ -515,12 +512,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
-                  sslForceHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: boolean
-                  sslHost:
-                    description: 'Deprecated: use RedirectRegex instead.'
-                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@@ -529,14 +520,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
-                  sslRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
-                  sslTemporaryRedirect:
-                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
-                      instead.'
-                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@@ -554,7 +537,7 @@ spec:
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
-                  served concurrently. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/inflightreq/'
+                  served concurrently. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
@@ -568,11 +551,11 @@ spec:
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
-                      info: https://doc.traefik.io/traefik/v2.8/middlewares/http/inflightreq/#sourcecriterion'
+                      info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -597,14 +580,14 @@ spec:
                        type: boolean
                    type: object
                type: object
-              ipWhiteList:
-                description: 'IPWhiteList holds the IP whitelist middleware configuration.
+              ipAllowList:
+                description: 'IPAllowList holds the IP allowlist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
-                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -628,7 +611,7 @@ spec:
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
-                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/passtlsclientcert/'
+                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -723,7 +706,7 @@ spec:
                    type: object
                  pem:
                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
-                      the escaped certificate.
+                      the certificate.
                    type: boolean
                type: object
              plugin:
@@ -735,7 +718,7 @@ spec:
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
-                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ratelimit/'
+                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
@@ -768,7 +751,7 @@ spec:
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
-                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/ipwhitelist/#ipstrategy'
+                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -796,7 +779,7 @@ spec:
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/redirectregex/#regex'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -814,7 +797,7 @@ spec:
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
-                  to another. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/redirectscheme/'
+                  to another. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -830,7 +813,7 @@ spec:
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
-                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/replacepath/'
+                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -840,7 +823,7 @@ spec:
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
-                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/replacepathregex/'
+                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -856,7 +839,7 @@ spec:
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/retry/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -876,13 +859,8 @@ spec:
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/stripprefix/'
+                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/'
                properties:
-                  forceSlash:
-                    description: 'ForceSlash ensures that the resulting stripped path
-                      is not the empty string, by replacing it with / when necessary.
-                      Default: true.'
-                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@@ -893,7 +871,7 @@ spec:
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
-                  the URL path. More info: https://doc.traefik.io/traefik/v2.8/middlewares/http/stripprefixregex/'
+                  the URL path. More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewaretcps.yaml
@@ -20,7 +20,7 @@ spec:
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v2.8/middlewares/overview/'
+          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -47,8 +47,8 @@ spec:
                    format: int64
                    type: integer
                type: object
-              ipWhiteList:
-                description: IPWhiteList defines the IPWhiteList middleware configuration.
+              ipAllowList:
+                description: IPAllowList defines the IPAllowList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
@@ -22,7 +22,7 @@ spec:
        description: 'ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v2.8/routing/services/#serverstransport_1'
+          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -113,6 +113,19 @@ spec:
                description: ServerName defines the server name used to contact the
                  server.
                type: string
+              spiffe:
+                description: Spiffe defines the SPIFFE configuration.
+                properties:
+                  ids:
+                    description: IDs defines the allowed SPIFFE IDs (takes precedence
+                      over the SPIFFE TrustDomain).
+                    items:
+                      type: string
+                    type: array
+                  trustDomain:
+                    description: TrustDomain defines the allowed SPIFFE trust domain.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
@@ -21,7 +21,7 @@ spec:
      openAPIV3Schema:
        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
          allowing to configure some parameters of the TLS connection. More info:
-          https://doc.traefik.io/traefik/v2.8/https/tls/#tls-options'
+          https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -41,13 +41,13 @@ spec:
              alpnProtocols:
                description: 'ALPNProtocols defines the list of supported application
                  level protocols for the TLS handshake, in order of preference. More
-                  info: https://doc.traefik.io/traefik/v2.8/https/tls/#alpn-protocols'
+                  info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols'
                items:
                  type: string
                type: array
              cipherSuites:
                description: 'CipherSuites defines the list of supported cipher suites
-                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#cipher-suites'
+                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites'
                items:
                  type: string
                type: array
@@ -74,7 +74,7 @@ spec:
                type: object
              curvePreferences:
                description: 'CurvePreferences defines the preferred elliptic curves
-                  in a specific order. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#curve-preferences'
+                  in a specific order. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences'
                items:
                  type: string
                type: array
@@ -88,12 +88,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
-              preferServerCipherSuites:
-                description: 'PreferServerCipherSuites defines whether the server
-                  chooses a cipher suite among his own instead of among the client''s.
-                  It is enabled automatically when minVersion or maxVersion is set.
-                  Deprecated: https://github.com/golang/go/issues/45430'
-                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsstores.yaml
@@ -22,7 +22,7 @@ spec:
        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
          the time being, only the TLSStore named default is supported. This means
          that you cannot have two stores that are named default in different Kubernetes
-          namespaces. More info: https://doc.traefik.io/traefik/v2.8/https/tls/#certificates-stores'
+          namespaces. More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -63,6 +63,27 @@ spec:
                required:
                - secretName
                type: object
+              defaultGeneratedCert:
+                description: DefaultGeneratedCert defines the default generated certificate
+                  configuration.
+                properties:
+                  domain:
+                    description: Domain is the domain definition for the DefaultCertificate.
+                    properties:
+                      main:
+                        description: Main defines the main domain name.
+                        type: string
+                      sans:
+                        description: SANs defines the subject alternative domain names.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  resolver:
+                    description: Resolver is the name of the resolver that will be
+                      used to issue the DefaultCertificate.
+                    type: string
+                type: object
            type: object
        required:
        - metadata
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_traefikservices.yaml
@@ -21,7 +21,7 @@ spec:
      openAPIV3Schema:
        description: 'TraefikService is the CRD implementation of a Traefik Service.
          TraefikService object allows to: - Apply weight to Services on load-balancing
-          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#kind-traefikservice'
+          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
@@ -120,7 +120,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -204,7 +204,7 @@ spec:
                    type: string
                  sticky:
                    description: 'Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -304,7 +304,7 @@ spec:
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v2.8/routing/services/#sticky-sessions'
+                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -343,7 +343,7 @@ spec:
                    type: array
                  sticky:
                    description: 'Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v2.8/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
+                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -99,12 +99,18 @@ Storage to use. (Default: ```acme.json```)
 `--certificatesresolvers.<name>.acme.tlschallenge`:  
 Activate TLS-ALPN-01 Challenge. (Default: ```true```)

+`--certificatesresolvers.<name>.tailscale`:  
+Enables Tailscale certificate resolution. (Default: ```true```)
+
 `--entrypoints.<name>`:  
 Entry points definition. (Default: ```false```)

 `--entrypoints.<name>.address`:  
 Entry point address.

+`--entrypoints.<name>.asdefault`:  
+Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
+
 `--entrypoints.<name>.forwardedheaders.insecure`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -240,6 +246,9 @@ The TLS key for Traefik Proxy as a TLS client.
 `--log`:  
 Traefik log settings. (Default: ```false```)

+`--log.compress`:  
+Determines if the rotated log files should be compressed using gzip. (Default: ```false```)
+
 `--log.filepath`:  
 Traefik log file path. Stdout is used when omitted or empty.

@@ -249,6 +258,18 @@ Traefik log format: json | common (Default: ```common```)
 `--log.level`:  
 Log level set to traefik logs. (Default: ```ERROR```)

+`--log.maxage`:  
+Maximum number of days to retain old log files based on the timestamp encoded in their filename. (Default: ```0```)
+
+`--log.maxbackups`:  
+Maximum number of old log files to retain. (Default: ```0```)
+
+`--log.maxsize`:  
+Maximum size in megabytes of the log file before it gets rotated. (Default: ```0```)
+
+`--log.nocolor`:  
+When using the 'common' format, disables the colorized output. (Default: ```false```)
+
 `--metrics.datadog`:  
 Datadog metrics exporter type. (Default: ```false```)

@@ -336,6 +357,51 @@ InfluxDB v2 push interval. (Default: ```10```)
 `--metrics.influxdb2.token`:  
 InfluxDB v2 access token.

+`--metrics.opentelemetry`:  
+OpenTelemetry metrics exporter type. (Default: ```false```)
+
+`--metrics.opentelemetry.addentrypointslabels`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`--metrics.opentelemetry.address`:  
+Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`--metrics.opentelemetry.addrouterslabels`:  
+Enable metrics on routers. (Default: ```false```)
+
+`--metrics.opentelemetry.addserviceslabels`:  
+Enable metrics on services. (Default: ```true```)
+
+`--metrics.opentelemetry.explicitboundaries`:  
+Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
+
+`--metrics.opentelemetry.grpc`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`--metrics.opentelemetry.headers.<name>`:  
+Headers sent with payload.
+
+`--metrics.opentelemetry.insecure`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`--metrics.opentelemetry.path`:  
+Set the URL path of the collector endpoint.
+
+`--metrics.opentelemetry.pushinterval`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
+`--metrics.opentelemetry.tls.ca`:  
+TLS CA
+
+`--metrics.opentelemetry.tls.cert`:  
+TLS cert
+
+`--metrics.opentelemetry.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--metrics.opentelemetry.tls.key`:  
+TLS key
+
 `--metrics.prometheus`:  
 Prometheus metrics exporter type. (Default: ```false```)

@@ -378,12 +444,6 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `--metrics.statsd.pushinterval`:  
 StatsD push interval. (Default: ```10```)

-`--pilot.dashboard`:  
-Enable Traefik Pilot in the dashboard. (Default: ```true```)
-
-`--pilot.token`:  
-Traefik Pilot token.
-
 `--ping`:  
 Enable ping. (Default: ```false```)

@@ -400,26 +460,17 @@ Terminating status code (Default: ```503```)
 Enable Consul backend with default settings. (Default: ```false```)

 `--providers.consul.endpoints`:  
-KV store endpoints (Default: ```127.0.0.1:8500```)
-
-`--providers.consul.namespace`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
+KV store endpoints. (Default: ```127.0.0.1:8500```)

 `--providers.consul.namespaces`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).

-`--providers.consul.password`:  
-KV Password
-
 `--providers.consul.rootkey`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `--providers.consul.tls.ca`:  
 TLS CA

-`--providers.consul.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consul.tls.cert`:  
 TLS cert

@@ -430,10 +481,7 @@ TLS insecure skip verify (Default: ```false```)
 TLS key

 `--providers.consul.token`:  
-KV Token
-
-`--providers.consul.username`:  
-KV Username
+Per-request ACL token.

 `--providers.consulcatalog`:  
 Enable ConsulCatalog backend with default settings. (Default: ```false```)
@@ -474,9 +522,6 @@ The URI scheme for the Consul server
 `--providers.consulcatalog.endpoint.tls.ca`:  
 TLS CA

-`--providers.consulcatalog.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.consulcatalog.endpoint.tls.cert`:  
 TLS cert

@@ -492,9 +537,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `--providers.consulcatalog.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)

-`--providers.consulcatalog.namespace`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `--providers.consulcatalog.namespaces`:  
 Sets the namespaces used to discover services (Consul Enterprise only).

@@ -519,6 +561,9 @@ Watch Consul API events. (Default: ```false```)
 `--providers.docker`:  
 Enable Docker backend with default settings. (Default: ```false```)

+`--providers.docker.allowemptyservices`:  
+Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. (Default: ```false```)
+
 `--providers.docker.constraints`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.

@@ -546,9 +591,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `--providers.docker.tls.ca`:  
 TLS CA

-`--providers.docker.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.docker.tls.cert`:  
 TLS cert

@@ -562,19 +604,19 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)

 `--providers.docker.watch`:  
-Watch Docker Swarm events. (Default: ```true```)
+Watch Docker events. (Default: ```true```)

 `--providers.ecs`:  
 Enable AWS ECS backend with default settings. (Default: ```false```)

 `--providers.ecs.accesskeyid`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key ID to use for making requests.

 `--providers.ecs.autodiscoverclusters`:  
-Auto discover cluster (Default: ```false```)
+Auto discover cluster. (Default: ```false```)

 `--providers.ecs.clusters`:  
-ECS Clusters name (Default: ```default```)
+ECS Cluster names. (Default: ```default```)

 `--providers.ecs.constraints`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@@ -582,36 +624,39 @@ Constraints is an expression that Traefik matches against the container's labels
 `--providers.ecs.defaultrule`:  
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

+`--providers.ecs.ecsanywhere`:  
+Enable ECS Anywhere support. (Default: ```false```)
+
 `--providers.ecs.exposedbydefault`:  
-Expose services by default (Default: ```true```)
+Expose services by default. (Default: ```true```)
+
+`--providers.ecs.healthytasksonly`:  
+Determines whether to discover only healthy tasks. (Default: ```false```)

 `--providers.ecs.refreshseconds`:  
-Polling interval (in seconds) (Default: ```15```)
+Polling interval (in seconds). (Default: ```15```)

 `--providers.ecs.region`:  
-The AWS region to use for requests
+AWS region to use for requests.

 `--providers.ecs.secretaccesskey`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key to use for making requests.

 `--providers.etcd`:  
 Enable Etcd backend with default settings. (Default: ```false```)

 `--providers.etcd.endpoints`:  
-KV store endpoints (Default: ```127.0.0.1:2379```)
+KV store endpoints. (Default: ```127.0.0.1:2379```)

 `--providers.etcd.password`:  
-KV Password
+Password for authentication.

 `--providers.etcd.rootkey`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `--providers.etcd.tls.ca`:  
 TLS CA

-`--providers.etcd.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.etcd.tls.cert`:  
 TLS cert

@@ -621,11 +666,8 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.etcd.tls.key`:  
 TLS key

-`--providers.etcd.token`:  
-KV Token
-
 `--providers.etcd.username`:  
-KV Username
+Username for authentication.

 `--providers.file.debugloggeneratedtemplate`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -645,6 +687,9 @@ Enable HTTP backend with default settings. (Default: ```false```)
 `--providers.http.endpoint`:  
 Load configuration from this endpoint.

+`--providers.http.headers.<name>`:  
+Define custom headers to be sent to the endpoint.
+
 `--providers.http.pollinterval`:  
 Polling interval for endpoint. (Default: ```5```)

@@ -654,9 +699,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `--providers.http.tls.ca`:  
 TLS CA

-`--providers.http.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.http.tls.cert`:  
 TLS cert

@@ -801,9 +843,6 @@ Set a response header timeout for Marathon. (Default: ```60```)
 `--providers.marathon.tls.ca`:  
 TLS CA

-`--providers.marathon.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.marathon.tls.cert`:  
 TLS cert

@@ -843,9 +882,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `--providers.nomad.endpoint.tls.ca`:  
 TLS CA

-`--providers.nomad.endpoint.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.nomad.endpoint.tls.cert`:  
 TLS cert

@@ -861,8 +897,8 @@ Token is used to provide a per-request ACL token.
 `--providers.nomad.exposedbydefault`:  
 Expose Nomad services by default. (Default: ```true```)

-`--providers.nomad.namespace`:  
-Sets the Nomad namespace used to discover services.
+`--providers.nomad.namespaces`:  
+Sets the Nomad namespaces used to discover services.

 `--providers.nomad.prefix`:  
 Prefix for nomad service tags. (Default: ```traefik```)
@@ -909,21 +945,21 @@ Watch provider. (Default: ```true```)
 `--providers.redis`:  
 Enable Redis backend with default settings. (Default: ```false```)

+`--providers.redis.db`:  
+Database to be selected after connecting to the server. (Default: ```0```)
+
 `--providers.redis.endpoints`:  
-KV store endpoints (Default: ```127.0.0.1:6379```)
+KV store endpoints. (Default: ```127.0.0.1:6379```)

 `--providers.redis.password`:  
-KV Password
+Password for authentication.

 `--providers.redis.rootkey`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `--providers.redis.tls.ca`:  
 TLS CA

-`--providers.redis.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
 `--providers.redis.tls.cert`:  
 TLS cert

@@ -933,11 +969,8 @@ TLS insecure skip verify (Default: ```false```)
 `--providers.redis.tls.key`:  
 TLS key

-`--providers.redis.token`:  
-KV Token
-
 `--providers.redis.username`:  
-KV Username
+Username for authentication.

 `--providers.rest`:  
 Enable Rest backend with default settings. (Default: ```false```)
@@ -949,34 +982,16 @@ Activate REST Provider directly on the entryPoint named traefik. (Default: ```fa
 Enable ZooKeeper backend with default settings. (Default: ```false```)

 `--providers.zookeeper.endpoints`:  
-KV store endpoints (Default: ```127.0.0.1:2181```)
+KV store endpoints. (Default: ```127.0.0.1:2181```)

 `--providers.zookeeper.password`:  
-KV Password
+Password for authentication.

 `--providers.zookeeper.rootkey`:  
-Root key used for KV store (Default: ```traefik```)
-
-`--providers.zookeeper.tls.ca`:  
-TLS CA
-
-`--providers.zookeeper.tls.caoptional`:  
-TLS CA.Optional (Default: ```false```)
-
-`--providers.zookeeper.tls.cert`:  
-TLS cert
-
-`--providers.zookeeper.tls.insecureskipverify`:  
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.zookeeper.tls.key`:  
-TLS key
-
-`--providers.zookeeper.token`:  
-KV Token
+Root key used for KV store. (Default: ```traefik```)

 `--providers.zookeeper.username`:  
-KV Username
+Username for authentication.

 `--serverstransport.forwardingtimeouts.dialtimeout`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
@@ -996,6 +1011,18 @@ If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, D
 `--serverstransport.rootcas`:  
 Add cert file for self-signed certificate.

+`--serverstransport.spiffe`:  
+Defines the SPIFFE configuration. (Default: ```false```)
+
+`--serverstransport.spiffe.ids`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`--serverstransport.spiffe.trustdomain`:  
+Defines the allowed SPIFFE trust domain.
+
+`--spiffe.workloadapiaddr`:  
+Defines the workload API address.
+
 `--tracing`:  
 OpenTracing configuration. (Default: ```false```)

@@ -1008,8 +1035,8 @@ Sets the header name prefix used to store baggage items in a map.
 `--tracing.datadog.debug`:  
 Enables Datadog debug. (Default: ```false```)

-`--tracing.datadog.globaltag`:  
-Sets a key:value tag on all spans.
+`--tracing.datadog.globaltags.<name>`:  
+Sets a list of key:value tags on all spans.

 `--tracing.datadog.localagenthostport`:  
 Sets the Datadog Agent host:port. (Default: ```localhost:8126```)
@@ -1113,6 +1140,36 @@ Sets the sampling type. (Default: ```const```)
 `--tracing.jaeger.tracecontextheadername`:  
 Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)

+`--tracing.opentelemetry`:  
+Settings for OpenTelemetry. (Default: ```false```)
+
+`--tracing.opentelemetry.address`:  
+Sets the address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`--tracing.opentelemetry.grpc`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`--tracing.opentelemetry.headers.<name>`:  
+Defines additional headers to be sent with the payloads.
+
+`--tracing.opentelemetry.insecure`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`--tracing.opentelemetry.path`:  
+Sets the URL path of the collector endpoint.
+
+`--tracing.opentelemetry.tls.ca`:  
+TLS CA
+
+`--tracing.opentelemetry.tls.cert`:  
+TLS cert
+
+`--tracing.opentelemetry.tls.insecureskipverify`:  
+TLS insecure skip verify (Default: ```false```)
+
+`--tracing.opentelemetry.tls.key`:  
+TLS key
+
 `--tracing.servicename`:  
 Set the name for this service. (Default: ```traefik```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -99,12 +99,18 @@ Storage to use. (Default: ```acme.json```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_TLSCHALLENGE`:  
 Activate TLS-ALPN-01 Challenge. (Default: ```true```)

+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_TAILSCALE`:  
+Enables Tailscale certificate resolution. (Default: ```true```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>`:  
 Entry points definition. (Default: ```false```)

 `TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:  
 Entry point address.

+`TRAEFIK_ENTRYPOINTS_<NAME>_ASDEFAULT`:  
+Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
 Trust all forwarded headers. (Default: ```false```)

@@ -240,6 +246,9 @@ The TLS key for Traefik Proxy as a TLS client.
 `TRAEFIK_LOG`:  
 Traefik log settings. (Default: ```false```)

+`TRAEFIK_LOG_COMPRESS`:  
+Determines if the rotated log files should be compressed using gzip. (Default: ```false```)
+
 `TRAEFIK_LOG_FILEPATH`:  
 Traefik log file path. Stdout is used when omitted or empty.

@@ -249,6 +258,18 @@ Traefik log format: json | common (Default: ```common```)
 `TRAEFIK_LOG_LEVEL`:  
 Log level set to traefik logs. (Default: ```ERROR```)

+`TRAEFIK_LOG_MAXAGE`:  
+Maximum number of days to retain old log files based on the timestamp encoded in their filename. (Default: ```0```)
+
+`TRAEFIK_LOG_MAXBACKUPS`:  
+Maximum number of old log files to retain. (Default: ```0```)
+
+`TRAEFIK_LOG_MAXSIZE`:  
+Maximum size in megabytes of the log file before it gets rotated. (Default: ```0```)
+
+`TRAEFIK_LOG_NOCOLOR`:  
+When using the 'common' format, disables the colorized output. (Default: ```false```)
+
 `TRAEFIK_METRICS_DATADOG`:  
 Datadog metrics exporter type. (Default: ```false```)

@@ -336,6 +357,51 @@ InfluxDB retention policy used when protocol is http.
 `TRAEFIK_METRICS_INFLUXDB_USERNAME`:  
 InfluxDB username (only with http).

+`TRAEFIK_METRICS_OPENTELEMETRY`:  
+OpenTelemetry metrics exporter type. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDENTRYPOINTSLABELS`:  
+Enable metrics on entry points. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDRESS`:  
+Address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDROUTERSLABELS`:  
+Enable metrics on routers. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_ADDSERVICESLABELS`:  
+Enable metrics on services. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_EXPLICITBOUNDARIES`:  
+Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.100000, 0.250000, 0.500000, 1.000000, 2.500000, 5.000000, 10.000000```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_GRPC`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_HEADERS_<NAME>`:  
+Headers sent with payload.
+
+`TRAEFIK_METRICS_OPENTELEMETRY_INSECURE`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_PATH`:  
+Set the URL path of the collector endpoint.
+
+`TRAEFIK_METRICS_OPENTELEMETRY_PUSHINTERVAL`:  
+Period between calls to collect a checkpoint. (Default: ```10```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_METRICS_OPENTELEMETRY_TLS_KEY`:  
+TLS key
+
 `TRAEFIK_METRICS_PROMETHEUS`:  
 Prometheus metrics exporter type. (Default: ```false```)

@@ -378,12 +444,6 @@ Prefix to use for metrics collection. (Default: ```traefik```)
 `TRAEFIK_METRICS_STATSD_PUSHINTERVAL`:  
 StatsD push interval. (Default: ```10```)

-`TRAEFIK_PILOT_DASHBOARD`:  
-Enable Traefik Pilot in the dashboard. (Default: ```true```)
-
-`TRAEFIK_PILOT_TOKEN`:  
-Traefik Pilot token.
-
 `TRAEFIK_PING`:  
 Enable ping. (Default: ```false```)

@@ -438,9 +498,6 @@ The URI scheme for the Consul server
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
 TLS cert

@@ -456,9 +513,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)

-`TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACE`:  
-Sets the namespace used to discover services (Consul Enterprise only).
-
 `TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACES`:  
 Sets the namespaces used to discover services (Consul Enterprise only).

@@ -481,26 +535,17 @@ Use stale consistency for catalog reads. (Default: ```false```)
 Watch Consul API events. (Default: ```false```)

 `TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
-KV store endpoints (Default: ```127.0.0.1:8500```)
-
-`TRAEFIK_PROVIDERS_CONSUL_NAMESPACE`:  
-Sets the namespace used to discover the configuration (Consul Enterprise only).
+KV store endpoints. (Default: ```127.0.0.1:8500```)

 `TRAEFIK_PROVIDERS_CONSUL_NAMESPACES`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).

-`TRAEFIK_PROVIDERS_CONSUL_PASSWORD`:  
-KV Password
-
 `TRAEFIK_PROVIDERS_CONSUL_ROOTKEY`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_CONSUL_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_CONSUL_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CERT`:  
 TLS cert

@@ -511,14 +556,14 @@ TLS insecure skip verify (Default: ```false```)
 TLS key

 `TRAEFIK_PROVIDERS_CONSUL_TOKEN`:  
-KV Token
-
-`TRAEFIK_PROVIDERS_CONSUL_USERNAME`:  
-KV Username
+Per-request ACL token.

 `TRAEFIK_PROVIDERS_DOCKER`:  
 Enable Docker backend with default settings. (Default: ```false```)

+`TRAEFIK_PROVIDERS_DOCKER_ALLOWEMPTYSERVICES`:  
+Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_DOCKER_CONSTRAINTS`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.

@@ -546,9 +591,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
 TLS cert

@@ -562,19 +604,19 @@ TLS key
 Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)

 `TRAEFIK_PROVIDERS_DOCKER_WATCH`:  
-Watch Docker Swarm events. (Default: ```true```)
+Watch Docker events. (Default: ```true```)

 `TRAEFIK_PROVIDERS_ECS`:  
 Enable AWS ECS backend with default settings. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_ACCESSKEYID`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key ID to use for making requests.

 `TRAEFIK_PROVIDERS_ECS_AUTODISCOVERCLUSTERS`:  
-Auto discover cluster (Default: ```false```)
+Auto discover cluster. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_CLUSTERS`:  
-ECS Clusters name (Default: ```default```)
+ECS Cluster names. (Default: ```default```)

 `TRAEFIK_PROVIDERS_ECS_CONSTRAINTS`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
@@ -582,36 +624,39 @@ Constraints is an expression that Traefik matches against the container's labels
 `TRAEFIK_PROVIDERS_ECS_DEFAULTRULE`:  
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

+`TRAEFIK_PROVIDERS_ECS_ECSANYWHERE`:  
+Enable ECS Anywhere support. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_ECS_EXPOSEDBYDEFAULT`:  
-Expose services by default (Default: ```true```)
+Expose services by default. (Default: ```true```)
+
+`TRAEFIK_PROVIDERS_ECS_HEALTHYTASKSONLY`:  
+Determines whether to discover only healthy tasks. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ECS_REFRESHSECONDS`:  
-Polling interval (in seconds) (Default: ```15```)
+Polling interval (in seconds). (Default: ```15```)

 `TRAEFIK_PROVIDERS_ECS_REGION`:  
-The AWS region to use for requests
+AWS region to use for requests.

 `TRAEFIK_PROVIDERS_ECS_SECRETACCESSKEY`:  
-The AWS credentials access key to use for making requests
+AWS credentials access key to use for making requests.

 `TRAEFIK_PROVIDERS_ETCD`:  
 Enable Etcd backend with default settings. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ETCD_ENDPOINTS`:  
-KV store endpoints (Default: ```127.0.0.1:2379```)
+KV store endpoints. (Default: ```127.0.0.1:2379```)

 `TRAEFIK_PROVIDERS_ETCD_PASSWORD`:  
-KV Password
+Password for authentication.

 `TRAEFIK_PROVIDERS_ETCD_ROOTKEY`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_ETCD_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_ETCD_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_ETCD_TLS_CERT`:  
 TLS cert

@@ -621,11 +666,8 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_KEY`:  
 TLS key

-`TRAEFIK_PROVIDERS_ETCD_TOKEN`:  
-KV Token
-
 `TRAEFIK_PROVIDERS_ETCD_USERNAME`:  
-KV Username
+Username for authentication.

 `TRAEFIK_PROVIDERS_FILE_DEBUGLOGGENERATEDTEMPLATE`:  
 Enable debug logging of generated configuration template. (Default: ```false```)
@@ -645,6 +687,9 @@ Enable HTTP backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_HTTP_ENDPOINT`:  
 Load configuration from this endpoint.

+`TRAEFIK_PROVIDERS_HTTP_HEADERS_<NAME>`:  
+Define custom headers to be sent to the endpoint.
+
 `TRAEFIK_PROVIDERS_HTTP_POLLINTERVAL`:  
 Polling interval for endpoint. (Default: ```5```)

@@ -654,9 +699,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `TRAEFIK_PROVIDERS_HTTP_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_HTTP_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_HTTP_TLS_CERT`:  
 TLS cert

@@ -804,9 +846,6 @@ Set a TLS handshake timeout for Marathon. (Default: ```5```)
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
 TLS cert

@@ -843,9 +882,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CERT`:  
 TLS cert

@@ -861,8 +897,8 @@ Token is used to provide a per-request ACL token.
 `TRAEFIK_PROVIDERS_NOMAD_EXPOSEDBYDEFAULT`:  
 Expose Nomad services by default. (Default: ```true```)

-`TRAEFIK_PROVIDERS_NOMAD_NAMESPACE`:  
-Sets the Nomad namespace used to discover services.
+`TRAEFIK_PROVIDERS_NOMAD_NAMESPACES`:  
+Sets the Nomad namespaces used to discover services.

 `TRAEFIK_PROVIDERS_NOMAD_PREFIX`:  
 Prefix for nomad service tags. (Default: ```traefik```)
@@ -909,21 +945,21 @@ Watch provider. (Default: ```true```)
 `TRAEFIK_PROVIDERS_REDIS`:  
 Enable Redis backend with default settings. (Default: ```false```)

+`TRAEFIK_PROVIDERS_REDIS_DB`:  
+Database to be selected after connecting to the server. (Default: ```0```)
+
 `TRAEFIK_PROVIDERS_REDIS_ENDPOINTS`:  
-KV store endpoints (Default: ```127.0.0.1:6379```)
+KV store endpoints. (Default: ```127.0.0.1:6379```)

 `TRAEFIK_PROVIDERS_REDIS_PASSWORD`:  
-KV Password
+Password for authentication.

 `TRAEFIK_PROVIDERS_REDIS_ROOTKEY`:  
-Root key used for KV store (Default: ```traefik```)
+Root key used for KV store. (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_REDIS_TLS_CA`:  
 TLS CA

-`TRAEFIK_PROVIDERS_REDIS_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
 `TRAEFIK_PROVIDERS_REDIS_TLS_CERT`:  
 TLS cert

@@ -933,11 +969,8 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_KEY`:  
 TLS key

-`TRAEFIK_PROVIDERS_REDIS_TOKEN`:  
-KV Token
-
 `TRAEFIK_PROVIDERS_REDIS_USERNAME`:  
-KV Username
+Username for authentication.

 `TRAEFIK_PROVIDERS_REST`:  
 Enable Rest backend with default settings. (Default: ```false```)
@@ -949,34 +982,16 @@ Activate REST Provider directly on the entryPoint named traefik. (Default: ```fa
 Enable ZooKeeper backend with default settings. (Default: ```false```)

 `TRAEFIK_PROVIDERS_ZOOKEEPER_ENDPOINTS`:  
-KV store endpoints (Default: ```127.0.0.1:2181```)
+KV store endpoints. (Default: ```127.0.0.1:2181```)

 `TRAEFIK_PROVIDERS_ZOOKEEPER_PASSWORD`:  
-KV Password
+Password for authentication.

 `TRAEFIK_PROVIDERS_ZOOKEEPER_ROOTKEY`:  
-Root key used for KV store (Default: ```traefik```)
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CA`:  
-TLS CA
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CAOPTIONAL`:  
-TLS CA.Optional (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_CERT`:  
-TLS cert
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_INSECURESKIPVERIFY`:  
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TLS_KEY`:  
-TLS key
-
-`TRAEFIK_PROVIDERS_ZOOKEEPER_TOKEN`:  
-KV Token
+Root key used for KV store. (Default: ```traefik```)

 `TRAEFIK_PROVIDERS_ZOOKEEPER_USERNAME`:  
-KV Username
+Username for authentication.

 `TRAEFIK_SERVERSTRANSPORT_FORWARDINGTIMEOUTS_DIALTIMEOUT`:  
 The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
@@ -996,6 +1011,18 @@ If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, D
 `TRAEFIK_SERVERSTRANSPORT_ROOTCAS`:  
 Add cert file for self-signed certificate.

+`TRAEFIK_SERVERSTRANSPORT_SPIFFE`:  
+Defines the SPIFFE configuration. (Default: ```false```)
+
+`TRAEFIK_SERVERSTRANSPORT_SPIFFE_IDS`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`TRAEFIK_SERVERSTRANSPORT_SPIFFE_TRUSTDOMAIN`:  
+Defines the allowed SPIFFE trust domain.
+
+`TRAEFIK_SPIFFE_WORKLOADAPIADDR`:  
+Defines the workload API address.
+
 `TRAEFIK_TRACING`:  
 OpenTracing configuration. (Default: ```false```)

@@ -1008,8 +1035,8 @@ Sets the header name prefix used to store baggage items in a map.
 `TRAEFIK_TRACING_DATADOG_DEBUG`:  
 Enables Datadog debug. (Default: ```false```)

-`TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
-Sets a key:value tag on all spans.
+`TRAEFIK_TRACING_DATADOG_GLOBALTAGS_<NAME>`:  
+Sets a list of key:value tags on all spans.

 `TRAEFIK_TRACING_DATADOG_LOCALAGENTHOSTPORT`:  
 Sets the Datadog Agent host:port. (Default: ```localhost:8126```)
@@ -1113,6 +1140,36 @@ Sets the sampling type. (Default: ```const```)
 `TRAEFIK_TRACING_JAEGER_TRACECONTEXTHEADERNAME`:  
 Sets the header name used to store the trace ID. (Default: ```uber-trace-id```)

+`TRAEFIK_TRACING_OPENTELEMETRY`:  
+Settings for OpenTelemetry. (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_ADDRESS`:  
+Sets the address (host:port) of the collector endpoint. (Default: ```localhost:4318```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_GRPC`:  
+gRPC specific configuration for the OpenTelemetry collector. (Default: ```true```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_HEADERS_<NAME>`:  
+Defines additional headers to be sent with the payloads.
+
+`TRAEFIK_TRACING_OPENTELEMETRY_INSECURE`:  
+Disables client transport security for the exporter. (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_PATH`:  
+Sets the URL path of the collector endpoint.
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_CA`:  
+TLS CA
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_CERT`:  
+TLS cert
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_INSECURESKIPVERIFY`:  
+TLS insecure skip verify (Default: ```false```)
+
+`TRAEFIK_TRACING_OPENTELEMETRY_TLS_KEY`:  
+TLS key
+
 `TRAEFIK_TRACING_SERVICENAME`:  
 Set the name for this service. (Default: ```traefik```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -14,6 +14,7 @@
 [entryPoints]
  [entryPoints.EntryPoint0]
    address = "foobar"
+    asDefault = true
    [entryPoints.EntryPoint0.transport]
      [entryPoints.EntryPoint0.transport.lifeCycle]
        requestAcceptGraceTimeout = "42s"
@@ -67,9 +68,9 @@
    network = "foobar"
    swarmModeRefreshSeconds = "42s"
    httpClientTimeout = "42s"
+    allowEmptyServices = true
    [providers.docker.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -94,7 +95,6 @@
    respectReadinessChecks = true
    [providers.marathon.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -124,8 +124,8 @@
    allowExternalNameServices = true
    labelSelector = "foobar"
    ingressClass = "foobar"
-    allowEmptyServices = true
    throttleDuration = "42s"
+    allowEmptyServices = true
  [providers.kubernetesGateway]
    endpoint = "foobar"
    token = "foobar"
@@ -156,9 +156,8 @@
    connectAware = true
    connectByDefault = true
    serviceName = "foobar"
-    namespace = "foobar"
-    namespaces = ["foobar", "foobar"]
    watch = true
+    namespaces = ["foobar", "foobar"]
    [providers.consulCatalog.endpoint]
      address = "foobar"
      scheme = "foobar"
@@ -167,7 +166,6 @@
      endpointWaitTime = "42s"
      [providers.consulCatalog.endpoint.tls]
        ca = "foobar"
-        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@@ -175,13 +173,13 @@
        username = "foobar"
        password = "foobar"
  [providers.nomad]
+    defaultRule = "foobar"
    constraints = "foobar"
    prefix = "foobar"
-    refreshInterval = "42s"
    stale = true
+    namespaces = ["foobar", "foobar"]
    exposedByDefault = true
-    defaultRule = "foobar"
-    namespace = "foobar"
+    refreshInterval = "42s"
    [providers.nomad.endpoint]
      address = "foobar"
      region = "foobar"
@@ -189,7 +187,6 @@
      endpointWaitTime = "42s"
      [providers.nomad.endpoint.tls]
        ca = "foobar"
-        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@@ -203,17 +200,15 @@
    region = "foobar"
    accessKeyID = "foobar"
    secretAccessKey = "foobar"
+    ecsAnywhere = true
+    healthyTasksOnly = true
  [providers.consul]
    rootKey = "foobar"
    endpoints = ["foobar", "foobar"]
-    username = "foobar"
-    password = "foobar"
    token = "foobar"
-    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    [providers.consul.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -222,10 +217,8 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
-    token = "foobar"
    [providers.etcd.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -234,22 +227,14 @@
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
-    token = "foobar"
-    [providers.zooKeeper.tls]
-      ca = "foobar"
-      caOptional = true
-      cert = "foobar"
-      key = "foobar"
-      insecureSkipVerify = true
  [providers.redis]
    rootKey = "foobar"
    endpoints = ["foobar", "foobar"]
    username = "foobar"
    password = "foobar"
-    token = "foobar"
+    db = 42
    [providers.redis.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -257,9 +242,11 @@
    endpoint = "foobar"
    pollInterval = "42s"
    pollTimeout = "42s"
+    [providers.http.headers]
+      name0 = "foobar"
+      name1 = "foobar"
    [providers.http.tls]
      ca = "foobar"
-      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@@ -306,7 +293,8 @@
    addRoutersLabels = true
    addServicesLabels = true
    [metrics.influxDB.additionalLabels]
-      foobar = "foobar"
+      name0 = "foobar"
+      name1 = "foobar"
  [metrics.influxDB2]
    address = "foobar"
    token = "foobar"
@@ -317,7 +305,27 @@
    addRoutersLabels = true
    addServicesLabels = true
    [metrics.influxDB2.additionalLabels]
-      foobar = "foobar"
+      name0 = "foobar"
+      name1 = "foobar"
+  [metrics.openTelemetry]
+    address = "foobar"
+    addEntryPointsLabels = true
+    addRoutersLabels = true
+    addServicesLabels = true
+    pushInterval = "42s"
+    path = "foobar"
+    explicitBoundaries =  [42.0, 42.0]
+    insecure = true
+    [metrics.openTelemetry.headers]
+      name0 = "foobar"
+      name1 = "foobar"
+    [metrics.openTelemetry.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      insecureSkipVerify = true
+      key = "foobar"
+    [metrics.openTelemetry.grpc]

 [ping]
  entryPoint = "foobar"
@@ -326,8 +334,13 @@

 [log]
  level = "foobar"
-  filePath = "foobar"
  format = "foobar"
+  noColor = true
+  filePath = "foobar"
+  maxSize = 42
+  maxBackups = 42
+  maxAge = 42
+  compress = true

 [accessLog]
  filePath = "foobar"
@@ -371,7 +384,9 @@
    sampleRate = 42.0
  [tracing.datadog]
    localAgentHostPort = "foobar"
-    globalTag = "foobar"
+    [tracing.datadog.globalTags]
+      tag1 = "foobar"
+      tag2 = "foobar"
    debug = true
    prioritySampling = true
    traceIDHeaderName = "foobar"
@@ -395,6 +410,20 @@
    serverURL = "foobar"
    secretToken = "foobar"
    serviceEnvironment = "foobar"
+  [tracing.openTelemetry]
+    address = "foobar"
+    insecure = true
+    path = "foobar"
+    [tracing.openTelemetry.headers]
+      name0 = "foobar"
+      name1 = "foobar"
+    [tracing.openTelemetry.tls]
+      ca = "foobar"
+      caOptional = true
+      cert = "foobar"
+      key = "foobar"
+      insecureSkipVerify = true
+    [tracing.openTelemetry.grpc]

 [hostResolver]
  cnameFlattening = true
@@ -421,29 +450,7 @@
      [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
-  [certificatesResolvers.CertificateResolver1]
-    [certificatesResolvers.CertificateResolver1.acme]
-      email = "foobar"
-      caServer = "foobar"
-      preferredChain = "foobar"
-      storage = "foobar"
-      keyType = "foobar"
-      certificatesDuration = 42
-      [certificatesResolvers.CertificateResolver1.acme.eab]
-        kid = "foobar"
-        hmacEncoded = "foobar"
-      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
-        provider = "foobar"
-        delayBeforeCheck = "42s"
-        resolvers = ["foobar", "foobar"]
-        disablePropagationCheck = true
-      [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
-        entryPoint = "foobar"
-      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
-
-[pilot]
-  token = "foobar"
-  dashboard = true
+  [certificatesResolvers.CertificateResolver1.tailscale]

 [hub]
  [hub.tls]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -14,6 +14,7 @@ serversTransport:
 entryPoints:
  EntryPoint0:
    address: foobar
+    asDefault: true
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42s
@@ -69,7 +70,6 @@ providers:
    defaultRule: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -79,6 +79,7 @@ providers:
    network: foobar
    swarmModeRefreshSeconds: 42s
    httpClientTimeout: 42s
+    allowEmptyServices: true
  file:
    directory: foobar
    watch: true
@@ -94,7 +95,6 @@ providers:
    dcosToken: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -168,11 +168,10 @@ providers:
    connectAware: true
    connectByDefault: true
    serviceName: foobar
-    namespace: foobar
+    watch: true
    namespaces:
      - foobar
      - foobar
-    watch: true
    endpoint:
      address: foobar
      scheme: foobar
@@ -181,7 +180,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
-        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@@ -189,13 +187,15 @@ providers:
        username: foobar
        password: foobar
  nomad:
+    defaultRule: foobar
    constraints: foobar
    prefix: foobar
-    refreshInterval: 42s
    stale: true
+    namespaces:
+      - foobar
+      - foobar
    exposedByDefault: true
-    defaultRule: foobar
-    namespace: foobar
+    refreshInterval: 42s
    endpoint:
      address: foobar
      region: foobar
@@ -203,7 +203,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
-        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@@ -219,21 +218,19 @@ providers:
    region: foobar
    accessKeyID: foobar
    secretAccessKey: foobar
+    ecsAnywhere: true
+    healthyTasksOnly: true
  consul:
    rootKey: foobar
    endpoints:
      - foobar
      - foobar
-    username: foobar
-    password: foobar
    token: foobar
-    namespace: foobar
    namespaces:
      - foobar
      - foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -244,10 +241,8 @@ providers:
      - foobar
    username: foobar
    password: foobar
-    token: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -258,13 +253,6 @@ providers:
      - foobar
    username: foobar
    password: foobar
-    token: foobar
-    tls:
-      ca: foobar
-      caOptional: true
-      cert: foobar
-      key: foobar
-      insecureSkipVerify: true
  redis:
    rootKey: foobar
    endpoints:
@@ -272,10 +260,9 @@ providers:
      - foobar
    username: foobar
    password: foobar
-    token: foobar
+    db: 42
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -283,9 +270,11 @@ providers:
    endpoint: foobar
    pollInterval: 42s
    pollTimeout: 42s
+    headers:
+      name0: foobar
+      name1: foobar
    tls:
      ca: foobar
-      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@@ -332,7 +321,8 @@ metrics:
    addRoutersLabels: true
    addServicesLabels: true
    additionalLabels:
-      foobar: foobar
+      name0: foobar
+      name1: foobar
  influxDB2:
    address: foobar
    token: foobar
@@ -343,7 +333,29 @@ metrics:
    addRoutersLabels: true
    addServicesLabels: true
    additionalLabels:
-      foobar: foobar
+      name0: foobar
+      name1: foobar
+  openTelemetry:
+    address: foobar
+    addEntryPointsLabels: true
+    addRoutersLabels: true
+    addServicesLabels: true
+    explicitBoundaries:
+      - 42
+      - 42
+    headers:
+      name0: foobar
+      name1: foobar
+    insecure: true
+    path: foobar
+    pushInterval: 42s
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      insecureSkipVerify: true
+      key: foobar
+    grpc: {}

 ping:
  entryPoint: foobar
@@ -351,8 +363,13 @@ ping:
  terminatingStatusCode: 42
 log:
  level: foobar
-  filePath: foobar
  format: foobar
+  noColor: true
+  filePath: foobar
+  maxSize: 42
+  maxBackups: 42
+  maxAge: 42
+  compress: true
 accessLog:
  filePath: foobar
  format: foobar
@@ -396,7 +413,9 @@ tracing:
    sampleRate: 42
  datadog:
    localAgentHostPort: foobar
-    globalTag: foobar
+    globalTags:
+      tag1: foobar
+      tag2: foobar
    debug: true
    prioritySampling: true
    traceIDHeaderName: foobar
@@ -420,6 +439,20 @@ tracing:
    serverURL: foobar
    secretToken: foobar
    serviceEnvironment: foobar
+  openTelemetry:
+    address: foobar
+    headers:
+      name0: foobar
+      name1: foobar
+    insecure: true
+    path: foobar
+    tls:
+      ca: foobar
+      caOptional: true
+      cert: foobar
+      key: foobar
+      insecureSkipVerify: true
+    grpc: {}
 hostResolver:
  cnameFlattening: true
  resolvConfig: foobar
@@ -447,29 +480,7 @@ certificatesResolvers:
        entryPoint: foobar
      tlsChallenge: {}
  CertificateResolver1:
-    acme:
-      email: foobar
-      caServer: foobar
-      certificatesDuration: 42
-      preferredChain: foobar
-      storage: foobar
-      keyType: foobar
-      eab:
-        kid: foobar
-        hmacEncoded: foobar
-      dnsChallenge:
-        provider: foobar
-        delayBeforeCheck: 42s
-        resolvers:
-          - foobar
-          - foobar
-        disablePropagationCheck: true
-      httpChallenge:
-        entryPoint: foobar
-      tlsChallenge: {}
-pilot:
-  token: foobar
-  dashboard: true
+    tailscale: {}
 hub:
  tls:
    insecure: true
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -233,6 +233,54 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar

    Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.

+### AsDefault
+
+_Optional, Default=false_
+
+The `AsDefault` option marks the EntryPoint to be in the list of default EntryPoints.
+EntryPoints in this list are used (by default) on HTTP and TCP routers that do not define their own [EntryPoints option](./routers/index.md#entrypoints).
+
+!!! info "List of default EntryPoints"
+
+    If there is no EntryPoint with the `AsDefault` option set to `true`, 
+    then the list of default EntryPoints includes all HTTP/TCP EntryPoints.
+
+    If at least one EntryPoint has the `AsDefault` option set to `true`,
+    then the list of default EntryPoints includes only EntryPoints that have the `AsDefault` option set to `true`.
+
+    Some built-in EntryPoints are always excluded from the list, namely: `traefik`, `traefikhub-api`, and `traefikhub-tunl`.
+
+!!! warning "Only TCP and HTTP"
+
+    The `AsDefault` option has no effect on UDP EntryPoints.
+    When a UDP router does not define the [EntryPoints option](./routers/index.md#entrypoints_2),
+    it is attached to all available UDP EntryPoints.
+
+??? example "Defining only one EntryPoint as default"
+
+    ```yaml tab="File (yaml)"
+    entryPoints:
+      web:
+        address: ":80"
+      websecure:
+        address: ":443"
+        asDefault: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints.web]
+      address = ":80"
+    [entryPoints.websecure]
+      address = ":443"
+      asDefault = true
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    --entrypoints.websecure.asDefault=true
+    ```
+
 ### HTTP/2

 #### `maxConcurrentStreams`
@@ -968,17 +1016,4 @@ entrypoints.foo.address=:8000/udp
 entrypoints.foo.udp.timeout=10s
 ```

-!!! question "Using Traefik for Business Applications?"
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).
+{!traefik-for-business-applications.md!}
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -325,6 +325,61 @@ serversTransport:
 --serversTransport.maxIdleConnsPerHost=7
 ```

+### `spiffe`
+
+Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration 
+before using it to secure the connection between Traefik and the backends.  
+
+#### `spiffe.ids`
+
+_Optional_
+
+`ids` defines the allowed SPIFFE IDs.
+This takes precedence over the SPIFFE TrustDomain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+    spiffe:
+      ids:
+        - spiffe://trust-domain/id1
+        - spiffe://trust-domain/id2
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.spiffe]
+  ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
+```
+
+#### `spiffe.trustDomain`
+
+_Optional_
+
+`trustDomain` defines the allowed SPIFFE trust domain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+serversTransport:
+  trustDomain: spiffe://trust-domain
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[serversTransport.spiffe]
+  trustDomain = "spiffe://trust-domain"
+```
+
+```bash tab="CLI"
+## Static configuration
+--serversTransport.spiffe.trustDomain=spiffe://trust-domain
+```
+
 ### `forwardingTimeouts`

 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.
@@ -406,3 +461,5 @@ serversTransport:
 ## Static configuration
 --serversTransport.forwardingTimeouts.idleConnTimeout=1s
 ```
+
+{!traefik-for-business-applications.md!}
--- a/docs/content/routing/providers/consul-catalog.md
+++ b/docs/content/routing/providers/consul-catalog.md
@@ -185,6 +185,22 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.method`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.status=42
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
@@ -470,6 +486,20 @@ You can tell Traefik to consider (or not) the service as a Connect capable one b

 This option overrides the value of `connectByDefault`.

+#### `traefik.consulcatalog.canary`
+
+```yaml
+traefik.consulcatalog.canary=true
+```
+
+When ConsulCatalog, in the context of a Nomad orchestrator,
+is a provider (of service registration) for Traefik,
+one might have the need to distinguish within Traefik between a [Canary](https://learn.hashicorp.com/tutorials/nomad/job-blue-green-and-canary-deployments#deploy-with-canaries) instance of a service, or a production one.
+For example if one does not want them to be part of the same load-balancer.
+
+Therefore, this option, which is meant to be provided as one of the values of the `canary_tags` field in the Nomad [service stanza](https://www.nomadproject.io/docs/job-specification/service#canary_tags),
+allows Traefik to identify that the associated instance is a canary one.
+
 #### Port Lookup

 Traefik is capable of detecting the port to use, by following the default consul Catalog flow.
--- a/docs/content/routing/providers/docker.md
+++ b/docs/content/routing/providers/docker.md
@@ -339,6 +339,22 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
    - "traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo"
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.method`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar"
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.status=42"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"

    See [health check](../services/index.md#health-check) for more information.
@@ -360,7 +376,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
    See [health check](../services/index.md#health-check) for more information.

    ```yaml
-    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10s"
    ```

 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"
--- a/docs/content/routing/providers/ecs.md
+++ b/docs/content/routing/providers/ecs.md
@@ -187,6 +187,22 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
    traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
    ```

+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.method`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.method=foobar
+    ```
+
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.status`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.status=42
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.port`"
    
    See [health check](../services/index.md#health-check) for more information.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	519ed8bde5	Prepare release v3.0.0-beta1	2022-12-05 16:58:04 +01:00
romain	46a61ce9c8	Merge remote-tracking branch 'upstream/v2.9' into merge-branch-v2.9-into-master	2022-12-05 15:23:06 +01:00
Ludovic Fernandez	778188ed34	fix: remove logs of the request	2022-12-05 11:30:05 +01:00
Nicolas Mengin	88603810a8	Add information about the Hub Agent	2022-12-01 14:30:06 +01:00
mloiseleur	c7647b4938	doc: Update Helm installation section	2022-12-01 10:10:05 +01:00
Janik	af71443b61	Added networking example	2022-11-30 15:04:05 +01:00
Ludovic Fernandez	c57876c116	Improve provider logs	2022-11-30 09:50:05 +01:00
Tom Moulard	0d81fac3fc	Add OpenTelemetry tracing and metrics support	2022-11-29 15:34:05 +01:00
Simon Delicata	db287c4d31	Disable Content-Type auto-detection by default	2022-11-29 11:48:05 +01:00
Antoine	4d86668af3	Update routing syntax Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2022-11-28 15:48:05 +01:00
Fernandez Ludovic	b93141992e	Merge branch v2.9 into master	2022-11-28 09:01:53 +01:00
Ludovic Fernandez	18d66d7432	Update go-acme/lego to v4.9.1	2022-11-28 08:48:04 +01:00
Simon Delicata	a3e4c85ec0	Remove deprecated options	2022-11-25 10:50:06 +01:00
Ludovic Fernandez	bee86b5ac7	fix: log level	2022-11-25 09:52:04 +01:00
Ludovic Fernandez	0ba51d62fa	fix: flaky with shutdown tests	2022-11-24 17:06:07 +01:00
Kevin Pollet	268d1edc8f	Fix flaky healthcheck test	2022-11-24 16:32:05 +01:00
Ludovic Fernandez	580e7fa774	fix: flaky tests on the configuration watcher	2022-11-24 16:00:06 +01:00
Romain	7c72780820	Add missing serialNumber passTLSClientCert option to middleware panel	2022-11-24 12:30:05 +01:00
Ali Afsharzadeh	46c266661c	Add a status option to the service health check	2022-11-24 11:40:05 +01:00
Fernandez Ludovic	61325d7b91	Merge branch v2.9 into master	2022-11-23 17:30:49 +01:00
Kevin Pollet	68e8eb2435	Update k3s image to rancher/k3s:v1.20.15-k3s1	2022-11-23 17:28:04 +01:00
Kevin Pollet	3f8aa13e68	Fix error when setting ServerUp metric labels	2022-11-23 16:04:05 +01:00
Ludovic Fernandez	08279047ae	Improve test logger assertions	2022-11-23 12:14:04 +01:00
Ludovic Fernandez	3dd4968c41	Retry on plugin API calls	2022-11-23 11:42:04 +01:00
Fernandez Ludovic	ba1ca68977	Merge branch v2.9 into master	2022-11-23 09:22:52 +01:00
Ludovic Fernandez	81a5b1b4c8	Increase the timeout on plugin download	2022-11-22 18:30:05 +01:00
Romain	52e6ce95cf	Update DataDog tracing dependency to v1.43.1	2022-11-22 15:12:06 +01:00
Jérôme Guiard	d547718fdd	Support of allowEmptyServices in TraefikService	2022-11-22 10:18:04 +01:00
Ludovic Fernandez	56f7515ecd	New logger for the Traefik logs	2022-11-21 18:36:05 +01:00
mpl	af4e74c39d	doc: clarify PathPrefix greediness	2022-11-21 17:30:06 +01:00
xmessi	27c02b5a56	Log TLS client subject	2022-11-21 10:18:05 +01:00
Romain	f6b7940b76	Prepare release v2.9.5 (#9513 )	2022-11-17 15:57:23 +01:00
Simon Delicata	f1b91a119d	Create a new capture instance for each incoming request Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-11-17 10:26:06 +01:00
Romain	630de7481e	Support SNI routing with Postgres STARTTLS connections Co-authored-by: Michael Kuhnt <michael.kuhnt@daimler.com> Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-11-16 15:34:10 +01:00
Julien Salleyron	fadee5e87b	Rework servers load-balancer to use the WRR Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-16 11:38:07 +01:00
sven	35d8281f4d	docs(contributing): enhance wording of building-testing page	2022-11-15 19:34:04 +01:00
Greg	67d9c8da0b	Add support for Brotli Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-15 10:56:08 +01:00
sven	00de5c711a	docs(contributing): add link descriptions and update wording	2022-11-15 10:28:07 +01:00
Charlie Haley	b935c80dbd	docs: update helm repository	2022-11-14 16:04:16 +01:00
tfny	22c6630412	Removes the experimental tag on the Traefik Hub header	2022-11-09 00:12:05 +01:00
mloiseleur	1a1cfd1adc	Update and publish official Grafana Dashboard	2022-11-08 15:32:06 +01:00
Ngọc Long	240fb871b6	Support gRPC and gRPC-Web protocol in metrics	2022-11-08 10:52:09 +01:00
Kevin Pollet	b2c4221429	Update vulcand/oxy to v1.4.2	2022-11-07 10:28:08 +01:00
Ludovic Fernandez	d131ef57da	chore: update nhooyr.io/websocket	2022-11-03 16:30:08 +01:00
Ludovic Fernandez	97de552e06	chore: update github.com/opencontainers/runc	2022-11-03 16:28:05 +01:00
kevinpollet	281fa25844	Merge branch v2.9 into master	2022-10-28 09:22:36 +02:00
Fernandez Ludovic	454f552691	Prepare release v2.9.4	2022-10-27 20:40:05 +02:00
Fernandez Ludovic	7258048403	Prepare release v2.9.3	2022-10-27 17:50:54 +02:00
Julien Salleyron	bd3eaf4f5e	Add GrpcWeb middleware Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-10-27 17:34:06 +02:00
Kevin Pollet	15f7472091	Prepare release v2.9.2	2022-10-27 16:53:16 +02:00
Romain	a041a6b198	Handle capture on redefined http.responseWriters Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-10-27 16:08:06 +02:00
Ludovic Fernandez	7582da9650	Update Yaegi to v0.14.3	2022-10-26 18:22:05 +02:00
Ludovic Fernandez	7a6bfd3336	chore: change TCP middleware package	2022-10-26 17:42:07 +02:00
Wambugu	1b9873cae9	Renaming IPWhiteList to IPAllowList	2022-10-26 17:16:05 +02:00
Fernandez Ludovic	e86f21ae7b	Merge branch 'v2.9' into master	2022-10-24 11:24:41 +02:00
Simon Delicata	ccbbd0d766	Remove side effect on default transport tests	2022-10-24 10:52:04 +02:00
Ludovic Fernandez	93212125e3	chore: bump github.com/BurntSushi/toml to v1.2.1	2022-10-23 14:16:05 +02:00
Ludovic Fernandez	be3b798dd6	chore: update actions/cache to v3	2022-10-21 16:08:05 +02:00
sosoba	8128d6ca26	Simplify dashboard rule example	2022-10-18 15:38:12 +02:00
Julien Levesy	194247caae	Check if default servers transport spiffe config is not nil	2022-10-18 10:28:07 +02:00
kevinpollet	cd0654026a	Merge branch v2.9 into master	2022-10-17 18:53:37 +02:00
Ludovic Fernandez	14ab1514dc	chore: update linter	2022-10-17 12:00:10 +02:00
Kevin Pollet	40242294d8	Fix links to gateway API guides	2022-10-17 10:52:08 +02:00
Romain	996eccf5b7	Remove unnecessary linting exclusions	2022-10-14 18:52:08 +02:00
Julien Levesy	b39ce8cc58	Support SPIFFE mTLS between Traefik and Backend servers	2022-10-14 17:16:08 +02:00
Kevin Pollet	e9de061b84	Add v2.9 to release page	2022-10-14 16:04:07 +02:00
Kevin Pollet	33f0aed5ea	Support custom headers when fetching configuration through HTTP	2022-10-14 15:10:10 +02:00
Ludovic Fernandez	0ca1c8aac3	fix: redis configuration type	2022-10-13 15:34:09 +02:00
Romain	2c550c284d	Remove raw cert escape in PassTLSClientCert middleware	2022-10-13 15:08:08 +02:00
Ludovic Fernandez	87815586be	chore: update misspell	2022-10-11 18:18:09 +02:00
mpl	09d6383621	ISSUE_TEMPLATE: clarify maintainers involvement in issues closing	2022-10-11 14:30:08 +02:00
kalle (jag)	188ef84c4f	Allow to define default entrypoints (for HTTP/TCP)	2022-10-11 09:36:08 +02:00
kevinpollet	a5c520664a	Merge branch v2.9 into master	2022-10-06 16:40:09 +02:00
Tom Moulard	39b0077725	chore: update linter	2022-10-04 20:38:09 +02:00
tony-defa	e2a9caf760	updated go-acme/lego to v4.9.0 Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>	2022-10-04 12:36:09 +02:00
Tom Moulard	bc79796c38	prepare-release-v2.9.1 (#9410 )	2022-10-03 16:17:58 +02:00
Tom Moulard	b1db81d8ac	Prepare release v2.9.0 (#9409 )	2022-10-03 15:43:04 +02:00
Kevin Pollet	38d7011487	Add Tailscale certificate resolver Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-09-30 15:20:08 +02:00
Ludovic Fernandez	ae7db879d9	Prepare release v2.9.0-rc5	2022-09-30 15:02:08 +02:00
Fernandez Ludovic	dd34905ea9	Merge branch v2.8 into v2.9	2022-09-30 12:24:04 +02:00
Ludovic Fernandez	3812e6f3cb	Prepare release v2.8.8	2022-09-30 12:03:03 +02:00
John Pekcan	627175694d	Fix autoDiscoverClusters option documentation for ECS provider	2022-09-30 10:57:48 +02:00
Boris HUISGEN	82cf6c9577	Fix watch option description for Docker provider	2022-09-30 10:50:09 +02:00
tspearconquest	63a1186d3e	Update golang.org/x/net to latest version	2022-09-30 10:22:10 +02:00
Skyler Mäntysaari	f75f636e27	Improve documentation for publishedService and IP options	2022-09-29 10:14:08 +02:00
Ludovic Fernandez	615dc7fd35	Prepare release v2.8.7	2022-09-23 16:22:38 +02:00
Kevin Pollet	52b6b057f0	Prepare release v2.9.0-rc4	2022-09-23 16:01:00 +02:00
Fernandez Ludovic	7b3faef4b3	Merge branch v2.8 into v2.9	2022-09-23 15:28:57 +02:00
Kevin Pollet	7758880f3f	Prepare release v2.8.6	2022-09-23 15:24:15 +02:00
Ludovic Fernandez	d04903edb2	fix: query parameter matching with equal	2022-09-23 15:12:29 +02:00
Douglas De Toni Machado	a63d5c95a8	Rework metrics overview page	2022-09-23 11:06:09 +02:00
Ludovic Fernandez	bb66950197	fix: acme panic	2022-09-23 10:42:09 +02:00
Fernandez Ludovic	c4cc30ccc6	Merge branch v2.8 into v2.9	2022-09-23 09:07:13 +02:00
Julien Salleyron	9cd54baca4	Optimize websocket headers handling Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-09-22 10:00:09 +02:00
Ludovic Fernandez	7ac687a0a9	providers: simplify AddServer algorithms	2022-09-21 14:54:08 +02:00
t3hchipmunk	83ae1021f6	fix: UDP loadbalancer tags not being used with Consul Catalog	2022-09-21 14:30:09 +02:00
jjacque	033fccccc7	Support gRPC healthcheck	2022-09-20 16:54:08 +02:00
Michael Hampton	df99a9fb57	Add option to keep only healthy ECS tasks	2022-09-20 15:42:08 +02:00
Romain	67e3bc6380	Add documentation for ECS constraints option	2022-09-20 12:22:08 +02:00
Thomas Harris	d6b69e1347	Support multiple namespaces in the Nomad Provider	2022-09-19 16:26:08 +02:00
romain	4bd055cf97	Merge branch v2.9 into master	2022-09-19 13:52:58 +02:00
Fernandez Ludovic	4b291b2cf8	Merge branch v2.8 into v2.9	2022-09-19 11:53:00 +02:00
Ludovic Fernandez	89870ad539	docs: fix link to RouteNamespaces	2022-09-19 11:26:08 +02:00
Kevin Pollet	5bc03af75f	Prepare release v2.9.0-rc3	2022-09-16 16:00:08 +02:00
kevinpollet	30ec5c58fe	Merge current v2.8 into v2.9	2022-09-16 14:57:07 +02:00
NEwa-05	a4b447256b	Add a note on case insensitive regex matching	2022-09-16 12:16:09 +02:00
Romain	1c9a7b8c61	Add documentation for json schema usage to validate config in the FAQ Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-09-16 09:54:09 +02:00
Ludovic Fernandez	d06573de6c	plugins: allow empty config	2022-09-15 11:00:09 +02:00
Fernandez Ludovic	6c2c561d8f	Prepare release v2.9.0-rc2	2022-09-14 17:33:51 +02:00
Fernandez Ludovic	e5309a4601	chore: drop Windows arm v5/6/7	2022-09-14 17:29:26 +02:00
Romain	e9f98fb6eb	Prepare release v2.9.0-rc1 (#9334 )	2022-09-14 16:52:03 +02:00
José Gaspar	b351266b2d	Add support for ECS Anywhere	2022-09-14 16:22:08 +02:00
Michael	fd95560c66	fix: shellcheck	2022-09-14 15:10:08 +02:00
Qi	788f8fa951	Make the loadbalancers servers order random Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-09-14 14:42:08 +02:00
Romain	89dc466b23	Quiet down TCP RST packet error on read operation	2022-09-14 11:50:08 +02:00
Ludovic Fernandez	ab8d7d2e78	Remove Pilot support	2022-09-14 10:56:08 +02:00
Romain	a002ccfce3	ACME Default Certificate Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com> Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-09-13 20:34:08 +02:00
romain	693d5da1b9	Merge v2.8 into master	2022-09-13 17:17:58 +02:00
Romain	8ddc37d528	Prepare release v2.8.5	2022-09-13 17:13:58 +02:00
Kevin Pollet	0cb2652f51	Update Yaegi to v0.14.2	2022-09-13 15:44:08 +02:00
Fernandez Ludovic	fe8e7ab5b8	docs: update Docker Swarm link	2022-09-12 23:13:11 +02:00
Ludovic Fernandez	d531963f95	Update valkeyrie to v1.0.0	2022-09-12 17:40:09 +02:00
Tom Moulard	d578ed7327	Add traffic size metrics Co-authored-by: OmarElawady <omarelawady1998@gmail.com> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-09-12 17:10:09 +02:00
Simon Delicata	10528c973a	Add Datadog GlobalTags support	2022-09-12 15:14:08 +02:00
Fernandez Ludovic	56a1ed4220	docs: update Docker Swarm Load Balancer link	2022-09-10 01:18:29 +02:00
Dylan Rodgers	37b6edb28c	Added resources for businesses	2022-09-09 17:17:53 +02:00
Antoine	44a2b85dba	Display default TLS options in the dashboard	2022-09-09 12:46:09 +02:00
MoonLightWatch	77c8d60092	fix: IPv6 addr in square brackets	2022-09-09 10:44:07 +02:00
Nicolas Mengin	b33c8cec0b	Update deprecation notes about Pilot	2022-09-08 11:22:08 +02:00
Tom Moulard	52df1d63fe	Use IPv6 address	2022-09-08 11:20:09 +02:00
Douglas De Toni Machado	c84378d649	Change default TLS options for more security	2022-09-08 10:56:08 +02:00
Marco Lecheler	12dccc4fdd	doc: add healthcheck timeout seconds to value	2022-09-05 17:22:08 +02:00
Romain	32e44816c9	Prepare release v2.8.4	2022-09-02 16:38:08 +02:00
Nicolas Mengin	23c74c9f2e	Update deprecation notes about Pilot	2022-09-02 16:00:09 +02:00
Johannes Ballmann	9a82d96e68	Add missing networking apiGroup in Kubernetes RBACs examples and references	2022-09-02 12:18:08 +02:00
Ludovic Fernandez	d9589878fb	fix: allow starting Traefik even if plugin services have an issue	2022-09-02 11:44:08 +02:00
romain	703de5331b	Merge current v2.8 into master	2022-08-31 18:19:31 +02:00
Romain	d3e4d56a0d	Fix Docker provider mem leak on operation retries Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-08-31 18:04:08 +02:00
Ludovic Fernandez	adf82d72ae	chore: update linter	2022-08-31 08:24:08 +02:00
Ludovic Fernandez	25027d6df8	fix: don't retry on panic	2022-08-29 11:36:08 +02:00
cui fliter	e56dfeb7d5	fix a typo	2022-08-29 09:24:07 +02:00
Ludovic Fernandez	5ca7fff7f6	doc: fix infobloc documentation	2022-08-25 10:34:09 +02:00
Ben Krieger	dfa1f3fc00	Fix k8s for example for rootCAs serversTransport	2022-08-24 16:16:08 +02:00
Tom Moulard	b26c45af2b	chore: update paerser to v0.1.9	2022-08-19 15:58:08 +02:00
kevinpollet	626da4c0ae	Merge current v2.8 into master	2022-08-18 14:50:44 +02:00
Tom Moulard	9c02612f65	Update codegen docker image to golang:1.19	2022-08-18 11:24:08 +02:00
Douglas De Toni Machado	af749f1864	Add a method option to the service Health Check	2022-08-08 15:22:07 +02:00
Romain	2a2ea759d1	Support Nomad canary deployment Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-08-01 17:52:08 +02:00
kevinpollet	ab94bbaece	Merge current v2.8 into master	2022-07-25 17:31:51 +02:00
Adrian Freund	f85f3b68aa	Add support for reaching containers using host networking on Podman	2022-07-19 16:22:08 +02:00
Tom Moulard	cdda9a18ab	Upgrade quic-go to v0.28.0	2022-07-18 11:10:08 +02:00
Dmitry Sharshakov	4dc379c601	Support ALPN for TCP + TLS routers	2022-07-07 16:58:09 +02:00
Jérôme	aff334ffb4	Add allowEmptyServices for Docker provider	2022-07-06 10:24:08 +02:00
kevinpollet	c51e590591	Merge current v2.8 into master	2022-06-30 10:24:37 +02:00
Kevin Pollet	3c1d5e0393	Move consulcatalog provider to only use health apis Co-authored-by: Charles Zaffery <czaffery@roblox.com>	2022-06-29 12:04:09 +02:00
kevinpollet	ba3f5b318c	Merge current v2.8 into master	2022-06-28 09:30:51 +02:00
Maxence Moutoussamy	467c8b31c3	Start polling HTTP provider at the beginning Co-authored-by: Jason Quigley <jason@onecha.net>	2022-06-24 12:34:08 +02:00
Romain	f8f685193d	Load plugin configuration field value from Kubernetes Secret Co-authored-by: nnlquan <longquan0104@gmail.com>	2022-06-20 15:44:08 +02:00