Prepare release v3.1.0 rc3

Merge branch v3.0 into v3.1
Prepare release v3.0.4
2025-09-30 17:44:25 +03:00 · 2024-07-02 17:18:03 +02:00 · 2024-07-02 16:33:29 +02:00 · 2024-07-02 15:42:03 +02:00 · 2024-07-02 14:43:56 +02:00 · 2024-07-02 14:22:03 +02:00
375 changed files with 34268 additions and 8022 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -11,7 +11,7 @@ Bug fixes:

 Enhancements:
 - for Traefik v2: we only accept bug fixes
- for Traefik v3: use branch master
+- for Traefik v3: use branch v3.0

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -12,7 +12,7 @@ env:
 jobs:

  build-webui:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -20,9 +20,21 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: yarn
+          cache-dependency-path: webui/yarn.lock
+
      - name: Build webui
+        working-directory: ./webui
+        run: |
+          yarn install
+          yarn build
+
+      - name: Package webui
        run: |
-          make clean-webui generate-webui
          tar czvf webui.tar.gz ./webui/static/

      - name: Artifact webui
@@ -35,7 +47,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [ ubuntu-22.04, macos-latest, windows-latest ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
    needs:
      - build-webui

--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -9,7 +9,7 @@ jobs:

  docs:
    name: Check, verify and build documentation
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -14,7 +14,7 @@ jobs:

  docs:
    name: Doc Process
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    if: github.repository == 'traefik/traefik'

    steps:
--- a/.github/workflows/experimental.yaml
+++ b/.github/workflows/experimental.yaml
@@ -15,7 +15,7 @@ jobs:
  experimental:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:

@@ -25,9 +25,18 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Setup node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: yarn
+          cache-dependency-path: webui/yarn.lock
+
      - name: Build webui
+        working-directory: ./webui
        run: |
-          make clean-webui generate-webui
+          yarn install
+          yarn build

      - name: Set up Go ${{ env.GO_VERSION }}
        uses: actions/setup-go@v5
--- a/.github/workflows/test-conformance.yaml
+++ b/.github/workflows/test-conformance.yaml
@@ -15,7 +15,7 @@ env:
 jobs:

  test-conformance:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -31,12 +31,5 @@ jobs:
      - name: Avoid generating webui
        run: touch webui/static/index.html

-      - name: Build binary
-        run: make binary
-
-      - name: Setcap
-        run: |
-          sudo setcap 'cap_net_bind_service=+ep' dist/linux/amd64/traefik
-
      - name: K8s Gateway API conformance test
-        run: make test-gateway-api-conformance-ci
+        run: make test-gateway-api-conformance
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -12,7 +12,7 @@ env:
 jobs:

  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -32,14 +32,14 @@ jobs:
        run: make binary

  test-integration:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    needs:
      - build
    strategy:
      fail-fast: true
      matrix:
        parallel: [12]
-        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 , 11]
+        index: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]

    steps:
      - name: Check out code
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -11,7 +11,7 @@ env:
 jobs:

  test-unit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -29,3 +29,24 @@ jobs:

      - name: Tests
        run: make test-unit
+
+  test-ui-unit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: webui/.nvmrc
+          cache: 'yarn'
+          cache-dependency-path: webui/yarn.lock
+
+      - name: UI unit tests
+        run: |
+          yarn --cwd webui install
+          yarn --cwd webui test:unit:ci
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -7,13 +7,13 @@ on:

 env:
  GO_VERSION: '1.22'
-  GOLANGCI_LINT_VERSION: v1.57.0
-  MISSSPELL_VERSION: v0.4.1
+  GOLANGCI_LINT_VERSION: v1.59.0
+  MISSSPELL_VERSION: v0.6.0

 jobs:

  validate:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
@@ -39,7 +39,7 @@ jobs:
        run: make validate

  validate-generate:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Check out code
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -146,6 +146,7 @@ linters-settings:
      - github.com/mailgun/multibuf
      - github.com/jaguilar/vt100
      - github.com/cucumber/godog
+      - github.com/http-wasm/http-wasm-host-go
  testifylint:
    disable:
      - suite-dont-use-pkg
@@ -155,23 +156,16 @@ linters-settings:
    checks:
      - all
      - -SA1019
+  errcheck:
+    exclude-functions:
+      - fmt.Fprintln
 linters:
  enable-all: true
  disable:
-    - deadcode # deprecated
-    - exhaustivestruct # deprecated
-    - golint # deprecated
-    - ifshort # deprecated
-    - interfacer # deprecated
-    - maligned # deprecated
-    - nosnakecase # deprecated
-    - scopelint # deprecated
-    - scopelint # deprecated
-    - structcheck # deprecated
-    - varcheck # deprecated
+    - execinquery # deprecated
+    - gomnd # deprecated
    - sqlclosecheck # not relevant (SQL)
    - rowserrcheck # not relevant (SQL)
-    - execinquery # not relevant (SQL)
    - cyclop # duplicate of gocyclo
    - lll # Not relevant
    - gocyclo # FIXME must be fixed
@@ -185,14 +179,14 @@ linters:
    - gochecknoglobals
    - wsl # Too strict
    - nlreturn # Not relevant
-    - gomnd # Too strict
+    - mnd # Too strict
    - stylecheck # skip because report issues related to some generated files.
    - testpackage # Too strict
    - tparallel # Not relevant
    - paralleltest # Not relevant
    - exhaustive # Not relevant
    - exhaustruct # Not relevant
-    - goerr113 # Too strict
+    - err113 # Too strict
    - wrapcheck # Too strict
    - noctx # Too strict
    - bodyclose # too many false-positive
@@ -208,7 +202,6 @@ linters:
    - gosmopolitan  # not relevant
    - exportloopref # Useless with go1.22
    - musttag
-    - intrange # bug (fixed in golangci-lint v1.58)

 issues:
  exclude-use-default: false
@@ -226,6 +219,8 @@ issues:
        - goconst
        - funlen
        - godot
+        - canonicalheader
+        - fatcontext
    - path: '(.+)_test.go'
      text: ' always receives '
      linters:
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -25,7 +25,7 @@ global_job_config:
      - export "PATH=${GOPATH}/bin:${PATH}"
      - mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
      - export GOPROXY=https://proxy.golang.org,direct
-      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.57.0
+      - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.59.0
      - curl -sSfL https://gist.githubusercontent.com/traefiker/6d7ac019c11d011e4f131bb2cca8900e/raw/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
      - checkout
      - cache restore traefik-$(checksum go.sum)
@@ -46,7 +46,7 @@ blocks:
        - name: GH_VERSION
          value: 2.32.1
        - name: CODENAME
-          value: "beaufort"
+          value: "comte"
      prologue:
        commands:
          - export VERSION=${SEMAPHORE_GIT_TAG_NAME}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,344 @@
+## [v3.1.0-rc3](https://github.com/traefik/traefik/tree/v3.1.0-rc3) (2024-07-02)
+[All Commits](https://github.com/traefik/traefik/compare/v3.1.0-rc2...v3.1.0-rc3)
+
+**Bug fixes:**
+- **[k8s,k8s/gatewayapi]** Do not disable Gateway API provider if not enabled in experimental ([#10862](https://github.com/traefik/traefik/pull/10862) by [kevinpollet](https://github.com/kevinpollet))
+
+**Misc:**
+- Merge current v3.0 into v3.1 ([#10871](https://github.com/traefik/traefik/pull/10871) by [rtribotte](https://github.com/rtribotte))
+
+## [v3.0.4](https://github.com/traefik/traefik/tree/v3.0.4) (2024-07-02)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.3...v3.0.4)
+
+**Documentation:**
+- **[k8s]** Fix some documentation links ([#10841](https://github.com/traefik/traefik/pull/10841) by [rtribotte](https://github.com/rtribotte))
+- Update maintainers ([#10827](https://github.com/traefik/traefik/pull/10827) by [emilevauge](https://github.com/emilevauge))
+
+**Misc:**
+- Merge current v2.11 into v3.0 ([#10869](https://github.com/traefik/traefik/pull/10869) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10851](https://github.com/traefik/traefik/pull/10851) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10831](https://github.com/traefik/traefik/pull/10831) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.6](https://github.com/traefik/traefik/tree/v2.11.6) (2024-07-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.5...v2.11.6)
+
+**Bug fixes:**
+- **[ecs]** Fix ECS config for OIDC + IRSA ([#10814](https://github.com/traefik/traefik/pull/10814) by [mmatur](https://github.com/mmatur))
+- **[http3]** Disable QUIC 0-RTT ([#10867](https://github.com/traefik/traefik/pull/10867) by [mmatur](https://github.com/mmatur))
+- **[middleware,server]** Remove interface names from IPv6 ([#10813](https://github.com/traefik/traefik/pull/10813) by [JeroenED](https://github.com/JeroenED))
+
+**Documentation:**
+- **[docker,acme]** Fix a typo in the ACME docker-compose docs ([#10866](https://github.com/traefik/traefik/pull/10866) by [ciacon](https://github.com/ciacon))
+- Update Advanced Capabilities Callout ([#10846](https://github.com/traefik/traefik/pull/10846) by [tomatokoolaid](https://github.com/tomatokoolaid))
+- Update maintainers ([#10834](https://github.com/traefik/traefik/pull/10834) by [emilevauge](https://github.com/emilevauge))
+- Fix readme badge for Semaphore CI ([#10830](https://github.com/traefik/traefik/pull/10830) by [mmatur](https://github.com/mmatur))
+- Fix typo in keepAliveMaxTime docs ([#10825](https://github.com/traefik/traefik/pull/10825) by [shochdoerfer](https://github.com/shochdoerfer))
+
+## [v3.1.0-rc2](https://github.com/traefik/traefik/tree/v3.1.0-rc2) (2024-06-28)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta3...v3.1.0-rc2)
+
+**Enhancements:**
+- **[k8s,k8s/gatewayapi]** Support invalid HTTPRoute status ([#10714](https://github.com/traefik/traefik/pull/10714) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** KubernetesGateway provider is no longer experimental ([#10840](https://github.com/traefik/traefik/pull/10840) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Bump Gateway API to v1.1.0 ([#10835](https://github.com/traefik/traefik/pull/10835) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Fix route attachments to gateways ([#10761](https://github.com/traefik/traefik/pull/10761) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support HTTPRoute method and query param matching ([#10815](https://github.com/traefik/traefik/pull/10815) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support HTTPURLRewrite filter ([#10571](https://github.com/traefik/traefik/pull/10571) by [SantoDE](https://github.com/SantoDE))
+- **[k8s,k8s/gatewayapi]** Set Gateway HTTPRoute status ([#10667](https://github.com/traefik/traefik/pull/10667) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support ReferenceGrant for HTTPRoute backends ([#10771](https://github.com/traefik/traefik/pull/10771) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/gatewayapi]** Compute HTTPRoute priorities ([#10766](https://github.com/traefik/traefik/pull/10766) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s,k8s/gatewayapi]** Support RegularExpression for path matching ([#10717](https://github.com/traefik/traefik/pull/10717) by [dmavrommatis](https://github.com/dmavrommatis))
+- **[k8s/crd,k8s]** Support HealthCheck for ExternalName services ([#10467](https://github.com/traefik/traefik/pull/10467) by [marcmognol](https://github.com/marcmognol))
+- **[k8s/ingress,k8s/crd,k8s,k8s/gatewayapi]** Migrate to EndpointSlices API  ([#10664](https://github.com/traefik/traefik/pull/10664) by [jnoordsij](https://github.com/jnoordsij))
+- **[k8s/ingress,k8s/crd,k8s]** Change log level from Warning to Info when ExternalName services is enabled ([#10682](https://github.com/traefik/traefik/pull/10682) by [marcmognol](https://github.com/marcmognol))
+- **[k8s/ingress,k8s/crd,k8s]** Allow to use internal Node IPs for NodePort services ([#10278](https://github.com/traefik/traefik/pull/10278) by [jorisvergeer](https://github.com/jorisvergeer))
+- **[middleware,k8s,k8s/gatewayapi]** Improve HTTPRoute Redirect Filter with port and scheme ([#10784](https://github.com/traefik/traefik/pull/10784) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,k8s,k8s/gatewayapi]** Support HTTPRoute redirect port and scheme ([#10802](https://github.com/traefik/traefik/pull/10802) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Support Content-Security-Policy-Report-Only in the headers middleware ([#10709](https://github.com/traefik/traefik/pull/10709) by [SpecLad](https://github.com/SpecLad))
+- **[middleware]** Add support for Zstandard to the compression middleware ([#10660](https://github.com/traefik/traefik/pull/10660) by [Belphemur](https://github.com/Belphemur))
+- **[plugins]** Enhance wasm plugins ([#10829](https://github.com/traefik/traefik/pull/10829) by [juliens](https://github.com/juliens))
+- **[plugins]** Add logs for plugins load ([#10848](https://github.com/traefik/traefik/pull/10848) by [mmatur](https://github.com/mmatur))
+- **[server]** Support systemd socket-activation ([#10399](https://github.com/traefik/traefik/pull/10399) by [juliens](https://github.com/juliens))
+
+**Bug fixes:**
+- **[healthcheck,k8s/crd,k8s]** Fix Healthcheck default value for ExternalName services ([#10778](https://github.com/traefik/traefik/pull/10778) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,metrics,tracing]** Upgrade to OpenTelemetry Semantic Conventions v1.26.0 ([#10850](https://github.com/traefik/traefik/pull/10850) by [mmatur](https://github.com/mmatur))
+- **[plugins]** Fix build only linux and darwin support wazergo ([#10857](https://github.com/traefik/traefik/pull/10857) by [juliens](https://github.com/juliens))
+
+**Documentation:**
+- **[k8s,k8s/gatewayapi]** Fix the Kubernetes GatewayAPI documentation ([#10844](https://github.com/traefik/traefik/pull/10844) by [nmengin](https://github.com/nmengin))
+
+**Misc:**
+- Merge current v3.0 into master ([#10853](https://github.com/traefik/traefik/pull/10853) by [mmatur](https://github.com/mmatur))
+- Merge current v3.0 into master ([#10811](https://github.com/traefik/traefik/pull/10811) by [mmatur](https://github.com/mmatur))
+- Merge current v3.0 into master ([#10789](https://github.com/traefik/traefik/pull/10789) by [ldez](https://github.com/ldez))
+- Merge current v3.0 into master ([#10750](https://github.com/traefik/traefik/pull/10750) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v3.0 into master ([#10655](https://github.com/traefik/traefik/pull/10655) by [ldez](https://github.com/ldez))
+- Merge current v3.0 into master  ([#10567](https://github.com/traefik/traefik/pull/10567) by [ldez](https://github.com/ldez))
+- Merge current v3.0 into master ([#10418](https://github.com/traefik/traefik/pull/10418) by [mmatur](https://github.com/mmatur))
+- Merge current v3.0 into master ([#10040](https://github.com/traefik/traefik/pull/10040) by [mmatur](https://github.com/mmatur))
+
+## [v3.1.0-rc1](https://github.com/traefik/traefik/tree/v3.1.0-rc1) (2024-06-27)
+
+Release canceled.
+
+## [v3.0.3](https://github.com/traefik/traefik/tree/v3.0.3) (2024-06-18)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.2...v3.0.3)
+
+**Misc:**
+- Merge v2.11 into v3.0 ([#10823](https://github.com/traefik/traefik/pull/10823) by [kevinpollet](https://github.com/kevinpollet))
+- Merge v2.11 into v3.0 ([#10810](https://github.com/traefik/traefik/pull/10810) by [mmatur](https://github.com/mmatur))
+
+## [v2.11.5](https://github.com/traefik/traefik/tree/v2.11.5) (2024-06-18)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.4...v2.11.5)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.17.4 ([#10803](https://github.com/traefik/traefik/pull/10803) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Update the supported versions table ([#10798](https://github.com/traefik/traefik/pull/10798) by [nmengin](https://github.com/nmengin))
+
+## [v3.0.2](https://github.com/traefik/traefik/tree/v3.0.2) (2024-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.1...v3.0.2)
+
+**Bug fixes:**
+- **[logs]** Bump OTel dependencies ([#10763](https://github.com/traefik/traefik/pull/10763) by [DrFaust92](https://github.com/DrFaust92))
+- **[logs]** Append to log file if it exists ([#10756](https://github.com/traefik/traefik/pull/10756) by [lbenguigui](https://github.com/lbenguigui))
+- **[metrics]** Fix service name label_replace in Grafana ([#10758](https://github.com/traefik/traefik/pull/10758) by [xdavidwu](https://github.com/xdavidwu))
+- **[middleware]** Forward the correct status code when compression is disabled within the Brotli handler ([#10780](https://github.com/traefik/traefik/pull/10780) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Support Accept-Encoding header weights with Compress middleware ([#10777](https://github.com/traefik/traefik/pull/10777) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- Update v2 &gt; v3 migration guide ([#10728](https://github.com/traefik/traefik/pull/10728) by [0anas01](https://github.com/0anas01))
+
+**Misc:**
+- Merge current v2.11 into v3.0 ([#10796](https://github.com/traefik/traefik/pull/10796) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10781](https://github.com/traefik/traefik/pull/10781) by [ldez](https://github.com/ldez))
+
+## [v2.11.4](https://github.com/traefik/traefik/tree/v2.11.4) (2024-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.3...v2.11.4)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.17.3 ([#10768](https://github.com/traefik/traefik/pull/10768) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[acme]** Fix .com and .org domain examples  ([#10635](https://github.com/traefik/traefik/pull/10635) by [rptaylor](https://github.com/rptaylor))
+- **[middleware]** Add a note about the Ratelimit middleware&#39;s behavior when the sourceCriterion header is missing ([#10752](https://github.com/traefik/traefik/pull/10752) by [dgutzmann](https://github.com/dgutzmann))
+- Add user guides link to getting started ([#10785](https://github.com/traefik/traefik/pull/10785) by [norlinhenrik](https://github.com/norlinhenrik))
+- Remove helm default repo warning as repo has been long deprecated ([#10772](https://github.com/traefik/traefik/pull/10772) by [corneliusroemer](https://github.com/corneliusroemer))
+
+## [v3.0.1](https://github.com/traefik/traefik/tree/v3.0.1) (2024-05-22)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0...v3.0.1)
+
+**Bug fixes:**
+- **[k8s/ingress]** Fix rule syntax version for all internal routers ([#10689](https://github.com/traefik/traefik/pull/10689) by [HalloTschuess](https://github.com/HalloTschuess))
+- **[metrics,tracing]** Allow empty configuration for OpenTelemetry metrics and tracing ([#10729](https://github.com/traefik/traefik/pull/10729) by [rtribotte](https://github.com/rtribotte))
+- **[provider,tls]** Bump tscert dependency to 28a91b69a046 ([#10668](https://github.com/traefik/traefik/pull/10668) by [kevinpollet](https://github.com/kevinpollet))
+- **[rules,tcp]** Fix the rule syntax mechanism for TCP ([#10680](https://github.com/traefik/traefik/pull/10680) by [lbenguigui](https://github.com/lbenguigui))
+- **[tls,server]** Remove deadlines when handling PostgreSQL connections ([#10675](https://github.com/traefik/traefik/pull/10675) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add support for IP White list ([#10740](https://github.com/traefik/traefik/pull/10740) by [davidbaptista](https://github.com/davidbaptista))
+
+**Documentation:**
+- **[http3]** Add link to the new http3 config in migration ([#10673](https://github.com/traefik/traefik/pull/10673) by [yyewolf](https://github.com/yyewolf))
+- **[logs]** Fix log.compress value ([#10716](https://github.com/traefik/traefik/pull/10716) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Fix OTel documentation ([#10723](https://github.com/traefik/traefik/pull/10723) by [nmengin](https://github.com/nmengin))
+- **[middleware]** Fix doc consistency forwardauth ([#10724](https://github.com/traefik/traefik/pull/10724) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Remove providers not supported in documentation ([#10725](https://github.com/traefik/traefik/pull/10725) by [mmatur](https://github.com/mmatur))
+- **[rules]** Fix typo in PathRegexp explanation ([#10719](https://github.com/traefik/traefik/pull/10719) by [BreadInvasion](https://github.com/BreadInvasion))
+- **[rules]** Fix router documentation example ([#10704](https://github.com/traefik/traefik/pull/10704) by [ldez](https://github.com/ldez))
+
+## [v2.11.3](https://github.com/traefik/traefik/tree/v2.11.3) (2024-05-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.2...v2.11.3)
+
+**Bug fixes:**
+- **[server]** Remove deadlines for non-TLS connections ([#10615](https://github.com/traefik/traefik/pull/10615) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Display of Content Security Policy values getting out of screen ([#10710](https://github.com/traefik/traefik/pull/10710) by [brandonfl](https://github.com/brandonfl))
+- **[webui]** Fix provider icon size ([#10621](https://github.com/traefik/traefik/pull/10621) by [framebassman](https://github.com/framebassman))
+
+**Documentation:**
+- **[k8s/crd]** Fix migration/v2.md ([#10658](https://github.com/traefik/traefik/pull/10658) by [stemar94](https://github.com/stemar94))
+- **[k8s/gatewayapi]** Fix HTTPRoute use of backendRefs ([#10630](https://github.com/traefik/traefik/pull/10630) by [sakaru](https://github.com/sakaru))
+- **[k8s/gatewayapi]** Fix HTTPRoute path type ([#10629](https://github.com/traefik/traefik/pull/10629) by [sakaru](https://github.com/sakaru))
+- **[k8s]** Improve mirroring example on Kubernetes ([#10701](https://github.com/traefik/traefik/pull/10701) by [mloiseleur](https://github.com/mloiseleur))
+- Consistent entryPoints capitalization in CLI flag usage ([#10650](https://github.com/traefik/traefik/pull/10650) by [jnoordsij](https://github.com/jnoordsij))
+- Fix unfinished migration sentence for v2.11.2 ([#10633](https://github.com/traefik/traefik/pull/10633) by [kevinpollet](https://github.com/kevinpollet))
+
+## [v3.0.0](https://github.com/traefik/traefik/tree/v3.0.0) (2024-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0)
+
+**Enhancements:**
+- **[consul]** ConsulCatalog StrictChecks ([#10388](https://github.com/traefik/traefik/pull/10388) by [djenriquez](https://github.com/djenriquez))
+- **[docker,docker/swarm]** Split Docker provider ([#9652](https://github.com/traefik/traefik/pull/9652) by [ldez](https://github.com/ldez))
+- **[docker,service]** Adds weight on ServersLoadBalancer ([#10372](https://github.com/traefik/traefik/pull/10372) by [juliens](https://github.com/juliens))
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[file]** Reload provider file configuration on SIGHUP ([#9993](https://github.com/traefik/traefik/pull/9993) by [sokoide](https://github.com/sokoide))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
+- **[k8s,hub]** Remove deprecated code ([#9804](https://github.com/traefik/traefik/pull/9804) by [ldez](https://github.com/ldez))
+- **[k8s,k8s/gatewayapi]** Support for cross-namespace references / GatewayAPI ReferenceGrants ([#10346](https://github.com/traefik/traefik/pull/10346) by [pascal-hofmann](https://github.com/pascal-hofmann))
+- **[k8s,k8s/gatewayapi]** Support HostSNIRegexp in GatewayAPI TLS routes ([#9486](https://github.com/traefik/traefik/pull/9486) by [ddtmachado](https://github.com/ddtmachado))
+- **[k8s,k8s/gatewayapi]** Upgrade gateway api to v1.0.0 ([#10205](https://github.com/traefik/traefik/pull/10205) by [mmatur](https://github.com/mmatur))
+- **[k8s/crd,k8s]** Support file path as input param for Kubernetes token value ([#10232](https://github.com/traefik/traefik/pull/10232) by [sssash18](https://github.com/sssash18))
+- **[k8s/gatewayapi]** Add option to set Gateway status address ([#10582](https://github.com/traefik/traefik/pull/10582) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Toggle support for experimental channel ([#10435](https://github.com/traefik/traefik/pull/10435) by [SantoDE](https://github.com/SantoDE))
+- **[k8s/gatewayapi]** Add option to set Gateway status address ([#10582](https://github.com/traefik/traefik/pull/10582) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Add support for HTTPRequestRedirectFilter in k8s Gateway API ([#9408](https://github.com/traefik/traefik/pull/9408) by [romantomjak](https://github.com/romantomjak))
+- **[k8s/gatewayapi]** Handle middlewares in filters extension reference ([#10511](https://github.com/traefik/traefik/pull/10511) by [youkoulayley](https://github.com/youkoulayley))
+- **[k8s/ingress,k8s/crd,k8s,k8s/gatewayapi]** Use runtime.Object in routerTransform ([#10523](https://github.com/traefik/traefik/pull/10523) by [juliens](https://github.com/juliens))
+- **[k8s/ingress,k8s]** Add option to the Ingress provider to disable IngressClass lookup ([#9281](https://github.com/traefik/traefik/pull/9281) by [jandillenkofer](https://github.com/jandillenkofer))
+- **[k8s/ingress,k8s]** Remove support of the networking.k8s.io/v1beta1 APIVersion ([#9949](https://github.com/traefik/traefik/pull/9949) by [rtribotte](https://github.com/rtribotte))
+- **[logs]** Introduce static config hints ([#10351](https://github.com/traefik/traefik/pull/10351) by [rtribotte](https://github.com/rtribotte))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[marathon]** Remove Marathon provider ([#9614](https://github.com/traefik/traefik/pull/9614) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,tracing,accesslogs]** Remove observability for internal resources ([#9633](https://github.com/traefik/traefik/pull/9633) by [rtribotte](https://github.com/rtribotte))
+- **[metrics,tracing]** Upgrade opentelemetry dependencies ([#10472](https://github.com/traefik/traefik/pull/10472) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Add support for sending DogStatsD metrics over Unix Socket ([#10199](https://github.com/traefik/traefik/pull/10199) by [liamvdv](https://github.com/liamvdv))
+- **[metrics]** Remove InfluxDB v1 metrics middleware ([#9612](https://github.com/traefik/traefik/pull/9612) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Upgrade OpenTelemetry dependencies ([#10181](https://github.com/traefik/traefik/pull/10181) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing,otel]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[middleware,authentication,tracing]** Add captured headers options for tracing ([#10457](https://github.com/traefik/traefik/pull/10457) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,authentication]** Add forwardAuth.addAuthCookiesToResponse ([#8924](https://github.com/traefik/traefik/pull/8924) by [tgunsch](https://github.com/tgunsch))
+- **[middleware,metrics]** Semconv OTLP stable HTTP metrics ([#10421](https://github.com/traefik/traefik/pull/10421) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Feat re introduce IpWhitelist middleware as deprecated ([#10341](https://github.com/traefik/traefik/pull/10341) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Disable br compression when no Accept-Encoding header is present ([#10178](https://github.com/traefik/traefik/pull/10178) by [robin-moser](https://github.com/robin-moser))
+- **[middleware]** Implements the includedContentTypes option for the compress middleware ([#10207](https://github.com/traefik/traefik/pull/10207) by [rjsocha](https://github.com/rjsocha))
+- **[middleware]** Add `rejectStatusCode` option to `IPAllowList` middleware ([#10130](https://github.com/traefik/traefik/pull/10130) by [jfly](https://github.com/jfly))
+- **[middleware]** Merge v2.11 into v3.0 ([#10426](https://github.com/traefik/traefik/pull/10426) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Add ResponseCode to CircuitBreaker ([#10147](https://github.com/traefik/traefik/pull/10147) by [fahhem](https://github.com/fahhem))
+- **[nomad]** Allow empty services ([#10375](https://github.com/traefik/traefik/pull/10375) by [chrispruitt](https://github.com/chrispruitt))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[plugins]** Add http-wasm plugin support to Traefik ([#10189](https://github.com/traefik/traefik/pull/10189) by [zetaab](https://github.com/zetaab))
+- **[plugins]** Upgrade http-wasm host to v0.6.0 to support clients using v0.4.0 ([#10475](https://github.com/traefik/traefik/pull/10475) by [jcchavezs](https://github.com/jcchavezs))
+- **[rancher]** Remove Rancher v1 provider ([#9613](https://github.com/traefik/traefik/pull/9613) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Bring back v2 rule matchers ([#10339](https://github.com/traefik/traefik/pull/10339) by [rtribotte](https://github.com/rtribotte))
+- **[rules]** Remove containous/mux from HTTP muxer ([#9558](https://github.com/traefik/traefik/pull/9558) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Add SO_REUSEPORT support for EntryPoints ([#9834](https://github.com/traefik/traefik/pull/9834) by [aofei](https://github.com/aofei))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [applejag](https://github.com/applejag))
+- **[sticky-session]** Support setting sticky cookie max age  ([#10176](https://github.com/traefik/traefik/pull/10176) by [Patrick0308](https://github.com/Patrick0308))
+- **[tls,tcp,service]** Add TCP Servers Transports support ([#9465](https://github.com/traefik/traefik/pull/9465) by [sdelicata](https://github.com/sdelicata))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- **[tracing,otel]** Migrate to opentelemetry ([#10223](https://github.com/traefik/traefik/pull/10223) by [zetaab](https://github.com/zetaab))
+- **[tracing]** Support OTEL_PROPAGATORS to configure tracing propagation ([#10465](https://github.com/traefik/traefik/pull/10465) by [youkoulayley](https://github.com/youkoulayley))
+- **[webui,middleware,k8s/gatewayapi]** Support RequestHeaderModifier filter ([#10521](https://github.com/traefik/traefik/pull/10521) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Added router priority to webui&#39;s list and detail page ([#9004](https://github.com/traefik/traefik/pull/9004) by [bendre90](https://github.com/bendre90))
+- Reintroduce dropped v2 dynamic config ([#10355](https://github.com/traefik/traefik/pull/10355) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[consul,tls]** Enable TLS for Consul Connect TCP services ([#10140](https://github.com/traefik/traefik/pull/10140) by [rtribotte](https://github.com/rtribotte))
+- **[docker]** Fix struct names in comment ([#10503](https://github.com/traefik/traefik/pull/10503) by [hishope](https://github.com/hishope))
+- **[k8s/crd,k8s]** Adds the missing circuit-breaker response code for CRD ([#10625](https://github.com/traefik/traefik/pull/10625) by [ldez](https://github.com/ldez))
+- **[k8s/crd,k8s]** Delete warning in Kubernetes CRD provider about the supported version ([#10414](https://github.com/traefik/traefik/pull/10414) by [nmengin](https://github.com/nmengin))
+- **[logs]** Avoid cumulative send anonymous usage log ([#10579](https://github.com/traefik/traefik/pull/10579) by [mmatur](https://github.com/mmatur))
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix OpenTelemetry metrics ([#9962](https://github.com/traefik/traefik/pull/9962) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix OpenTelemetry service name ([#9619](https://github.com/traefik/traefik/pull/9619) by [tomMoulard](https://github.com/tomMoulard))
+- **[metrics]** Fix open connections metric ([#9656](https://github.com/traefik/traefik/pull/9656) by [mpl](https://github.com/mpl))
+- **[metrics]** Remove config reload failure metrics ([#9660](https://github.com/traefik/traefik/pull/9660) by [rtribotte](https://github.com/rtribotte))
+- **[metrics]** Fix OpenTelemetry unit tests ([#10380](https://github.com/traefik/traefik/pull/10380) by [mmatur](https://github.com/mmatur))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[middleware,authentication,metrics,tracing]** Align OpenTelemetry tracing and metrics configurations ([#10404](https://github.com/traefik/traefik/pull/10404) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix brotli response status code when compression is disabled ([#10396](https://github.com/traefik/traefik/pull/10396) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Allow short healthcheck interval with long timeout ([#9832](https://github.com/traefik/traefik/pull/9832) by [kevinmcconnell](https://github.com/kevinmcconnell))
+- **[middleware]** Fix GrpcWeb middleware to clear ContentLength after translating to normal gRPC message ([#9782](https://github.com/traefik/traefik/pull/9782) by [CleverUnderDog](https://github.com/CleverUnderDog))
+- **[provider,tls]** Bump tscert dependency to 28a91b69a046 ([#10668](https://github.com/traefik/traefik/pull/10668) by [kevinpollet](https://github.com/kevinpollet))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Support regexp in path/pathprefix in matcher v2 ([#10546](https://github.com/traefik/traefik/pull/10546) by [youkoulayley](https://github.com/youkoulayley))
+- **[sticky-session,server]** Set sameSite field for wrr load balancer sticky cookie ([#10066](https://github.com/traefik/traefik/pull/10066) by [sunyakun](https://github.com/sunyakun))
+- **[tcp]** Don&#39;t log EOF or timeout errors while peeking first bytes in Postgres StartTLS hook ([#9663](https://github.com/traefik/traefik/pull/9663) by [rtribotte](https://github.com/rtribotte))
+- **[tls,server]** Compute priority for https forwarder TLS routes ([#10288](https://github.com/traefik/traefik/pull/10288) by [rtribotte](https://github.com/rtribotte))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+- **[webui]** Detect dashboard assets content types ([#9622](https://github.com/traefik/traefik/pull/9622) by [tomMoulard](https://github.com/tomMoulard))
+- **[webui]** Add missing Docker Swarm logo ([#10529](https://github.com/traefik/traefik/pull/10529) by [ldez](https://github.com/ldez))
+- **[webui]** fix: detect dashboard content types ([#9594](https://github.com/traefik/traefik/pull/9594) by [ldez](https://github.com/ldez))
+- Fix a regression on flags using spaces between key and value ([#10445](https://github.com/traefik/traefik/pull/10445) by [ldez](https://github.com/ldez))
+
+**Documentation:**
+- **[docker/swarm]** Remove documentation of old swarm options ([#10001](https://github.com/traefik/traefik/pull/10001) by [ldez](https://github.com/ldez))
+- **[docker/swarm]** Fix minor typo in swarm example ([#10071](https://github.com/traefik/traefik/pull/10071) by [kaznovac](https://github.com/kaznovac))
+- **[k8s,k8s/gatewayapi]** Add ReferenceGrants to Gateway API Traefik controller RBAC ([#10462](https://github.com/traefik/traefik/pull/10462) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Update Kubernetes version for v3 Helm chart ([#10637](https://github.com/traefik/traefik/pull/10637) by [jnoordsij](https://github.com/jnoordsij))
+- **[k8s]** Improve Kubernetes support documentation ([#9974](https://github.com/traefik/traefik/pull/9974) by [rtribotte](https://github.com/rtribotte))
+- **[k8s]** Fix invalid version in docs about Gateway API on Traefik v3 ([#10474](https://github.com/traefik/traefik/pull/10474) by [mloiseleur](https://github.com/mloiseleur))
+- **[rules]** Improve ruleSyntax option documentation ([#10441](https://github.com/traefik/traefik/pull/10441) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0 ([#10666](https://github.com/traefik/traefik/pull/10666) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0-rc2 ([#10514](https://github.com/traefik/traefik/pull/10514) by [rtribotte](https://github.com/rtribotte))
+- Fix typo in migration docs ([#10478](https://github.com/traefik/traefik/pull/10478) by [Eisberge](https://github.com/Eisberge))
+- Prepare release v3.0.0 rc3 ([#10520](https://github.com/traefik/traefik/pull/10520) by [rtribotte](https://github.com/rtribotte))
+- Fix typo in dialer_test.go ([#10552](https://github.com/traefik/traefik/pull/10552) by [eltociear](https://github.com/eltociear))
+- Fix typo and improve explanation on internal resources ([#10563](https://github.com/traefik/traefik/pull/10563) by [mloiseleur](https://github.com/mloiseleur))
+- Prepare release v3.0.0-rc1 ([#10429](https://github.com/traefik/traefik/pull/10429) by [mmatur](https://github.com/mmatur))
+- Update version comment in quick-start.md ([#10383](https://github.com/traefik/traefik/pull/10383) by [matthieuwerner](https://github.com/matthieuwerner))
+- Improve migration guide ([#10319](https://github.com/traefik/traefik/pull/10319) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0 beta5 ([#10273](https://github.com/traefik/traefik/pull/10273) by [rtribotte](https://github.com/rtribotte))
+- Prepare release v3.0.0-beta4 ([#10165](https://github.com/traefik/traefik/pull/10165) by [mmatur](https://github.com/mmatur))
+- Prepare release v3.0.0-rc4 ([#10588](https://github.com/traefik/traefik/pull/10588) by [kevinpollet](https://github.com/kevinpollet))
+- Fix bad anchor on documentation ([#10041](https://github.com/traefik/traefik/pull/10041) by [mmatur](https://github.com/mmatur))
+- Prepare release v3.0.0-rc5 ([#10605](https://github.com/traefik/traefik/pull/10605) by [ldez](https://github.com/ldez))
+- Fix migration guide heading ([#9989](https://github.com/traefik/traefik/pull/9989) by [ldez](https://github.com/ldez))
+- Prepare release v3.0.0-beta3 ([#9978](https://github.com/traefik/traefik/pull/9978) by [ldez](https://github.com/ldez))
+- Fix some typos in comments ([#10626](https://github.com/traefik/traefik/pull/10626) by [hidewrong](https://github.com/hidewrong))
+- Adjust quick start ([#9790](https://github.com/traefik/traefik/pull/9790) by [svx](https://github.com/svx))
+- Mention PathPrefix matcher changes in V3 Migration Guide ([#9727](https://github.com/traefik/traefik/pull/9727) by [aofei](https://github.com/aofei))
+- Fix yaml indentation in the HTTP3 example ([#9724](https://github.com/traefik/traefik/pull/9724) by [benwaffle](https://github.com/benwaffle))
+- Add OpenTelemetry in observability overview ([#9654](https://github.com/traefik/traefik/pull/9654) by [tomMoulard](https://github.com/tomMoulard))
+- Prepare release v3.0.0-beta2 ([#9587](https://github.com/traefik/traefik/pull/9587) by [tomMoulard](https://github.com/tomMoulard))
+- Prepare release v3.0.0-beta1 ([#9577](https://github.com/traefik/traefik/pull/9577) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge current v2.11 into v3.0 ([#10651](https://github.com/traefik/traefik/pull/10651) by [ldez](https://github.com/ldez))
+- Merge current v2.11 into v3.0 ([#10632](https://github.com/traefik/traefik/pull/10632) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10604](https://github.com/traefik/traefik/pull/10604) by [ldez](https://github.com/ldez))
+- Merge branch v2.11 into v3.0 ([#10587](https://github.com/traefik/traefik/pull/10587) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.11 into v3.0 ([#10566](https://github.com/traefik/traefik/pull/10566) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10564](https://github.com/traefik/traefik/pull/10564) by [ldez](https://github.com/ldez))
+- Merge branch v2.11 into v3.0 ([#10519](https://github.com/traefik/traefik/pull/10519) by [rtribotte](https://github.com/rtribotte))
+- Merge v2.11 into v3.0 ([#10513](https://github.com/traefik/traefik/pull/10513) by [mmatur](https://github.com/mmatur))
+- Merge v2.11 into v3.0 ([#10417](https://github.com/traefik/traefik/pull/10417) by [mmatur](https://github.com/mmatur))
+- Merge current v2.11 into v3.0 ([#10382](https://github.com/traefik/traefik/pull/10382) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10377](https://github.com/traefik/traefik/pull/10377) by [mmatur](https://github.com/mmatur))
+- Merge back v2.11 into v3.0 ([#10353](https://github.com/traefik/traefik/pull/10353) by [youkoulayley](https://github.com/youkoulayley))
+- Merge current v2.11 into v3.0 ([#10328](https://github.com/traefik/traefik/pull/10328) by [mmatur](https://github.com/mmatur))
+- Merge current v2.10 into v3.0 ([#10272](https://github.com/traefik/traefik/pull/10272) by [rtribotte](https://github.com/rtribotte))
+- Merge current v2.10 into v3.0 ([#10164](https://github.com/traefik/traefik/pull/10164) by [mmatur](https://github.com/mmatur))
+- Merge current v2.10 into v3.0 ([#10038](https://github.com/traefik/traefik/pull/10038) by [mmatur](https://github.com/mmatur))
+- Merge branch v2.10 into v3.0 ([#9977](https://github.com/traefik/traefik/pull/9977) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9931](https://github.com/traefik/traefik/pull/9931) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9896](https://github.com/traefik/traefik/pull/9896) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9867](https://github.com/traefik/traefik/pull/9867) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9850](https://github.com/traefik/traefik/pull/9850) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9845](https://github.com/traefik/traefik/pull/9845) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9803](https://github.com/traefik/traefik/pull/9803) by [ldez](https://github.com/ldez))
+- Merge branch v2.10 into v3.0 ([#9793](https://github.com/traefik/traefik/pull/9793) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into v3.0 ([#9722](https://github.com/traefik/traefik/pull/9722) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.9 into v3.0 ([#9650](https://github.com/traefik/traefik/pull/9650) by [tomMoulard](https://github.com/tomMoulard))
+- Merge branch v2.9 into v3.0 ([#9632](https://github.com/traefik/traefik/pull/9632) by [kevinpollet](https://github.com/kevinpollet))
+- Merge current v2.9 into master ([#9576](https://github.com/traefik/traefik/pull/9576) by [rtribotte](https://github.com/rtribotte))
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
 ## [v3.0.0-rc5](https://github.com/traefik/traefik/tree/v3.0.0-rc4) (2024-04-11)
 [All Commits](https://github.com/traefik/traefik/compare/v3.0.0-rc4...v3.0.0-rc5)

--- a/5
+++ b/5
@@ -1,8 +1,7 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.19
+FROM alpine:3.20

-RUN apk --no-cache --no-progress add ca-certificates tzdata \
-    && rm -rf /var/cache/apk/*
+RUN apk add --no-cache --no-progress ca-certificates tzdata

 ARG TARGETPLATFORM
 COPY ./dist/$TARGETPLATFORM/traefik /
--- a/18
+++ b/18
@@ -88,7 +88,7 @@ crossbinary-default: generate generate-webui

 .PHONY: test
 #? test: Run the unit and integration tests
-test: test-unit test-integration
+test: test-ui-unit test-unit test-integration

 .PHONY: test-unit
 #? test-unit: Run the unit tests
@@ -102,15 +102,15 @@ test-integration: binary

 .PHONY: test-gateway-api-conformance
 #? test-gateway-api-conformance: Run the conformance tests
-test-gateway-api-conformance: binary
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
-
-## TODO: Need to be fixed to work in all situations.
-.PHONY: test-gateway-api-conformance-ci
-#? test-gateway-api-conformance-ci: Run the conformance tests
-test-gateway-api-conformance-ci:
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance=true $(TESTFLAGS)
+test-gateway-api-conformance: build-image-dirty
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance $(TESTFLAGS)

+.PHONY: test-ui-unit
+#? test-ui-unit: Run the unit tests for the webui
+test-ui-unit:
+	$(MAKE) build-webui-image
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui install
+	docker run --rm -v "$(PWD)/webui/static":'/src/webui/static' traefik-webui yarn --cwd webui test:unit:ci

 .PHONY: pull-images
 #? pull-images: Pull all Docker images to avoid timeout during integration tests
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@
    </picture>
 </p>

-[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
+[![Build Status SemaphoreCI](https://traefik-oss.semaphoreci.com/badges/traefik/branches/master.svg?style=shields)](https://traefik-oss.semaphoreci.com/projects/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -49,7 +49,7 @@ func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
 	var w io.Writer = os.Stderr

 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
 		w = &lumberjack.Logger{
 			Filename:   staticConfiguration.Log.FilePath,
 			MaxSize:    staticConfiguration.Log.MaxSize,
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -46,6 +46,7 @@ import (
 	"github.com/traefik/traefik/v3/pkg/tracing"
 	"github.com/traefik/traefik/v3/pkg/types"
 	"github.com/traefik/traefik/v3/pkg/version"
+	"golang.org/x/exp/maps"
 )

 func main() {
@@ -224,10 +225,21 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	}

 	// Plugins
+	pluginLogger := log.Ctx(ctx).With().Logger()
+	hasPlugins := staticConfiguration.Experimental != nil && (staticConfiguration.Experimental.Plugins != nil || staticConfiguration.Experimental.LocalPlugins != nil)
+	if hasPlugins {
+		pluginsList := maps.Keys(staticConfiguration.Experimental.Plugins)
+		pluginsList = append(pluginsList, maps.Keys(staticConfiguration.Experimental.LocalPlugins)...)
+
+		pluginLogger = pluginLogger.With().Strs("plugins", pluginsList).Logger()
+		pluginLogger.Info().Msg("Loading plugins...")
+	}

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
+		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
+	} else if hasPlugins {
+		pluginLogger.Info().Msg("Plugins loaded.")
 	}

 	// Providers plugins
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
@@ -507,7 +507,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n          traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)\n\n",
+          "expr": "topk(15,\n    label_replace(\n        traefik_service_request_duration_seconds_sum{service=~\"$service.*\",protocol=\"http\"} / \n          traefik_service_request_duration_seconds_count{service=~\"$service.*\",protocol=\"http\"},\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)\n\n",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -606,7 +606,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -711,7 +711,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"1.2\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -806,7 +806,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\"\n)",
+              "expr": "label_replace(\n  1 - (sum by (service)\n    (rate(traefik_service_request_duration_seconds_bucket{le=\"0.3\",service=~\"$service.*\"}[5m])) / sum by (service) \n    (rate(traefik_service_request_duration_seconds_count{service=~\"$service.*\"}[5m]))\n  ) > 0,\n  \"service\", \"$1\", \"service\", \"([^@]+)@.*\"\n)",
              "legendFormat": "{{service}}",
              "range": true,
              "refId": "A"
@@ -922,7 +922,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"2..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -1022,7 +1022,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code=~\"5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -1122,7 +1122,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method,code) \n          (rate(traefik_service_requests_total{service=~\"$service.*\",code!~\"2..|5..\",protocol=\"http\"}[5m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}}[{{code}}] on {{service}}",
          "range": true,
          "refId": "A"
@@ -1222,7 +1222,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_requests_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}} on {{service}}",
          "range": true,
          "refId": "A"
@@ -1322,7 +1322,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")\n)",
+          "expr": "topk(15,\n    label_replace(\n        sum by (service,method) \n          (rate(traefik_service_responses_bytes_total{service=~\"$service.*\",protocol=\"http\"}[1m])) > 0,\n        \"service\", \"$1\", \"service\", \"([^@]+)@.*\")\n)",
          "legendFormat": "{{method}} on {{service}}",
          "range": true,
          "refId": "A"
@@ -1331,105 +1331,6 @@
      "title": "Responses Size",
      "type": "timeseries"
    },
-    {
-      "datasource": {
-        "type": "prometheus",
-        "uid": "${DS_PROMETHEUS}"
-      },
-      "description": "",
-      "fieldConfig": {
-        "defaults": {
-          "color": {
-            "mode": "palette-classic"
-          },
-          "custom": {
-            "axisCenteredZero": false,
-            "axisColorMode": "text",
-            "axisLabel": "",
-            "axisPlacement": "auto",
-            "barAlignment": 0,
-            "drawStyle": "line",
-            "fillOpacity": 0,
-            "gradientMode": "none",
-            "hideFrom": {
-              "legend": false,
-              "tooltip": false,
-              "viz": false
-            },
-            "lineInterpolation": "linear",
-            "lineWidth": 1,
-            "pointSize": 5,
-            "scaleDistribution": {
-              "type": "linear"
-            },
-            "showPoints": "auto",
-            "spanNulls": false,
-            "stacking": {
-              "group": "A",
-              "mode": "none"
-            },
-            "thresholdsStyle": {
-              "mode": "off"
-            }
-          },
-          "mappings": [],
-          "thresholds": {
-            "mode": "absolute",
-            "steps": [
-              {
-                "color": "green",
-                "value": null
-              },
-              {
-                "color": "red",
-                "value": 80
-              }
-            ]
-          },
-          "unit": "short"
-        },
-        "overrides": []
-      },
-      "gridPos": {
-        "h": 8,
-        "w": 12,
-        "x": 0,
-        "y": 39
-      },
-      "id": 2,
-      "options": {
-        "legend": {
-          "calcs": [
-            "mean",
-            "max"
-          ],
-          "displayMode": "table",
-          "placement": "right",
-          "showLegend": true,
-          "sortBy": "Max",
-          "sortDesc": true
-        },
-        "tooltip": {
-          "mode": "multi",
-          "sort": "desc"
-        }
-      },
-      "targets": [
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "editorMode": "code",
-          "expr": "label_replace(\n    sum(traefik_service_open_connections{service=~\"$service.*\"}) by (service),\n    \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")",
-          "legendFormat": "{{service}}",
-          "range": true,
-          "refId": "A"
-        }
-      ],
-      "title": "Connections per Service",
-      "type": "timeseries"
-    },
    {
      "datasource": {
        "type": "prometheus",
@@ -1520,7 +1421,7 @@
            "uid": "${DS_PROMETHEUS}"
          },
          "editorMode": "code",
-          "expr": "sum(traefik_entrypoint_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
+          "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
          "legendFormat": "{{entrypoint}}",
          "range": true,
          "refId": "A"
@@ -1560,14 +1461,14 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+        "definition": "label_values(traefik_open_connections, entrypoint)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "entrypoint",
        "options": [],
        "query": {
-          "query": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+          "query": "label_values(traefik_open_connections, entrypoint)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
@@ -1582,18 +1483,18 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_service_open_connections, service)",
+        "definition": "label_values(traefik_service_requests_total, service)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "service",
        "options": [],
        "query": {
-          "query": "label_values(traefik_service_open_connections, service)",
+          "query": "label_values(traefik_service_requests_total, service)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 2,
-        "regex": "/([^-]+-[^-]+).*/",
+        "regex": "/([^@]+)@.*/",
        "skipUrlSync": false,
        "sort": 1,
        "type": "query"
@@ -1608,6 +1509,6 @@
  "timezone": "",
  "title": "Traefik Official Kubernetes Dashboard",
  "uid": "n5bu_kv4k",
-  "version": 6,
+  "version": 7,
  "weekStart": ""
 }
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
@@ -1321,104 +1321,6 @@
          "title": "Responses Size",
          "type": "timeseries"
        },
-        {
-          "datasource": {
-            "type": "prometheus",
-            "uid": "${DS_PROMETHEUS}"
-          },
-          "description": "",
-          "fieldConfig": {
-            "defaults": {
-              "color": {
-                "mode": "palette-classic"
-              },
-              "custom": {
-                "axisCenteredZero": false,
-                "axisColorMode": "text",
-                "axisLabel": "",
-                "axisPlacement": "auto",
-                "barAlignment": 0,
-                "drawStyle": "line",
-                "fillOpacity": 0,
-                "gradientMode": "none",
-                "hideFrom": {
-                  "legend": false,
-                  "tooltip": false,
-                  "viz": false
-                },
-                "lineInterpolation": "linear",
-                "lineWidth": 1,
-                "pointSize": 5,
-                "scaleDistribution": {
-                  "type": "linear"
-                },
-                "showPoints": "auto",
-                "spanNulls": false,
-                "stacking": {
-                  "group": "A",
-                  "mode": "none"
-                },
-                "thresholdsStyle": {
-                  "mode": "off"
-                }
-              },
-              "mappings": [],
-              "thresholds": {
-                "mode": "absolute",
-                "steps": [
-                  {
-                    "color": "green"
-                  },
-                  {
-                    "color": "red",
-                    "value": 80
-                  }
-                ]
-              },
-              "unit": "short"
-            },
-            "overrides": []
-          },
-          "gridPos": {
-            "h": 8,
-            "w": 12,
-            "x": 0,
-            "y": 39
-          },
-          "id": 2,
-          "options": {
-            "legend": {
-              "calcs": [
-                "mean",
-                "max"
-              ],
-              "displayMode": "table",
-              "placement": "right",
-              "showLegend": true,
-              "sortBy": "Max",
-              "sortDesc": true
-            },
-            "tooltip": {
-              "mode": "multi",
-              "sort": "desc"
-            }
-          },
-          "targets": [
-            {
-              "datasource": {
-                "type": "prometheus",
-                "uid": "${DS_PROMETHEUS}"
-              },
-              "editorMode": "code",
-              "expr": "label_replace(\n    sum(traefik_service_open_connections{service=~\"$service.*\"}) by (service),\n    \"service\", \"$1\", \"service\", \"([^-]+-[^-]+).*\")",
-              "legendFormat": "{{service}}",
-              "range": true,
-              "refId": "A"
-            }
-          ],
-          "title": "Connections per Service",
-          "type": "timeseries"
-        },
        {
          "datasource": {
            "type": "prometheus",
@@ -1508,7 +1410,7 @@
                "uid": "${DS_PROMETHEUS}"
              },
              "editorMode": "code",
-              "expr": "sum(traefik_entrypoint_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
+              "expr": "sum(traefik_open_connections{entrypoint=~\"$entrypoint\"}) by (entrypoint)\n",
              "legendFormat": "{{entrypoint}}",
              "range": true,
              "refId": "A"
@@ -1552,14 +1454,14 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+        "definition": "label_values(traefik_open_connections, entrypoint)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "entrypoint",
        "options": [],
        "query": {
-          "query": "label_values(traefik_entrypoint_open_connections, entrypoint)",
+          "query": "label_values(traefik_open_connections, entrypoint)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 1,
@@ -1574,14 +1476,14 @@
          "type": "prometheus",
          "uid": "${DS_PROMETHEUS}"
        },
-        "definition": "label_values(traefik_service_open_connections, service)",
+        "definition": "label_values(traefik_service_requests_total, service)",
        "hide": 0,
        "includeAll": true,
        "multi": false,
        "name": "service",
        "options": [],
        "query": {
-          "query": "label_values(traefik_service_open_connections, service)",
+          "query": "label_values(traefik_service_requests_total, service)",
          "refId": "StandardVariableQuery"
        },
        "refresh": 2,
@@ -1600,6 +1502,6 @@
  "timezone": "",
  "title": "Traefik Official Standalone Dashboard",
  "uid": "n5bu_kv45",
-  "version": 6,
+  "version": 7,
  "weekStart": ""
 }
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18 as alpine
+FROM alpine:3.20

 RUN apk --no-cache --no-progress add \
    build-base \
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,7 +15,7 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").
+This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").

 ### Method 1: `Docker` and `make`

--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -9,7 +9,6 @@ description: "Traefik Proxy is an open source software with a thriving community

 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Manuel Zapf [@SantoDE](https://github.com/SantoDE)
-* Ludovic Fernandez [@ldez](https://github.com/ldez)
 * Julien Salleyron [@juliens](https://github.com/juliens)
 * Nicolas Mengin [@nmengin](https://github.com/nmengin)
 * Michaël Matur [@mmatur](https://github.com/mmatur)
@@ -33,6 +32,7 @@ People who have had an incredibly positive impact on the project, and are now fo
 * Daniel Tomcej [@dtomcej](https://github.com/dtomcej)
 * Timo Reimann [@timoreimann](https://github.com/timoreimann)
 * Marco Jantke [@mjantke](https://github.com/mjeri)
+* Ludovic Fernandez [@ldez](https://github.com/ldez)

 ## Maintainer's Guidelines

--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -4,30 +4,26 @@

 Below is a non-exhaustive list of versions and their maintenance status:

-| Version | Release Date | Active Support     | Security Support | 
-|---------|--------------|--------------------|------------------|
-| 2.11    | Feb 12, 2024 | Yes                | Yes              |
-| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 | No               |
-| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 | No               |
-| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 | No               |
-| 2.7     | May 24, 2022 | Ended Jun 29, 2022 | No               |
-| 2.6     | Jan 24, 2022 | Ended May 24, 2022 | No               |
-| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 | No               |
-| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 | No               |
-| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 | No               |
-| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 | No               |
-| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 | No               |
-| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 | No               |
-| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 | Contact Support  |
-
-??? example "Active Support / Security Support"
-
-    **Active support**: receives any bug fixes.
-    **Security support**: receives only critical bug and security fixes.
+| Version | Release Date | Community Support  |  
+|---------|--------------|--------------------|
+| 3.0     | Apr 29, 2024 | Yes                |
+| 2.11    | Feb 12, 2024 | Ends  Apr 29, 2025 |
+| 2.10    | Apr 24, 2023 | Ended Feb 12, 2024 |
+| 2.9     | Oct 03, 2022 | Ended Apr 24, 2023 |
+| 2.8     | Jun 29, 2022 | Ended Oct 03, 2022 |
+| 2.7     | May 24, 2022 | Ended Jun 29, 2022 |
+| 2.6     | Jan 24, 2022 | Ended May 24, 2022 |
+| 2.5     | Aug 17, 2021 | Ended Jan 24, 2022 |
+| 2.4     | Jan 19, 2021 | Ended Aug 17, 2021 |
+| 2.3     | Sep 23, 2020 | Ended Jan 19, 2021 |
+| 2.2     | Mar 25, 2020 | Ended Sep 23, 2020 |
+| 2.1     | Dec 11, 2019 | Ended Mar 25, 2020 |
+| 2.0     | Sep 16, 2019 | Ended Dec 11, 2019 |
+| 1.7     | Sep 24, 2018 | Ended Dec 31, 2021 |

 This page is maintained and updated periodically to reflect our roadmap and any decisions affecting the end of support for Traefik Proxy.

-Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v1 to v2 migration guide](../migration/v1-to-v2.md).
+Please refer to our migration guides for specific instructions on upgrading between versions, an example is the [v2 to v3 migration guide](../migration/v2-to-v3.md).

 !!! important "All target dates for end of support or feature removal announcements may be subject to change."

--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.0 --help
+# ex: docker run traefik:v3.1 --help
 ```

 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -93,7 +93,7 @@ The example below is a file provider only version (`yaml`) of what this configur
 ```yaml tab="Static configuration"
 # traefik.yml

-entrypoints:
+entryPoints:
  web:
    address: :80

--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.1/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.1/traefik.sample.toml)

 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.1
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,22 +29,17 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.0`
+    ex: `traefik:v3.1`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

 ## Use the Helm Chart

-!!! warning
-
-    The Traefik Chart from
-    [Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
-
 Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.

 Ensure that the following requirements are met:

-* Kubernetes 1.16+
+* Kubernetes 1.22+
 * Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

 Add Traefik Labs chart repository to Helm:
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -35,12 +35,18 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
@@ -130,7 +136,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v3.0
+          image: traefik:v3.1
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v3 Traefik docker image
-    image: traefik:v3.0
+    image: traefik:v3.1
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
@@ -119,6 +119,6 @@ IP: 172.27.0.4

 !!! question "Where to Go Next?"

-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/ "Link to the docs landing page") and let Traefik work for you!
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the user guides](../../user-guides/docker-compose/basic-example/ "Link to the user guides") and [the documentation](/ "Link to the docs landing page") and let Traefik work for you!

 {!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -116,8 +116,8 @@ Please check the [configuration examples below](#configuration-examples) for mor
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
@@ -241,8 +241,8 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    # ...
    --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    ```
@@ -406,7 +406,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Open Telekom Cloud](https://cloud.telekom.de)                         | `otc`              | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT`                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/otc)              |
 | [Openstack Designate](https://docs.openstack.org/designate)            | `designate`        | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME`                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/designate)        |
 | [Oracle Cloud](https://cloud.oracle.com/home)                          | `oraclecloud`      | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID`                                      | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud)      |
-| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
+| [OVH](https://www.ovh.com)                                             | `ovh`              | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`, `OVH_CLIENT_ID`, `OVH_CLIENT_SECRET`                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/ovh)              |
 | [Plesk](https://www.plesk.com)                                         | `plesk`            | `PLESK_SERVER_BASE_URL`, `PLESK_USERNAME`, `PLESK_PASSWORD`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/plesk)            |
 | [Porkbun](https://porkbun.com/)                                        | `porkbun`          | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY`                                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun)          |
 | [PowerDNS](https://www.powerdns.com)                                   | `pdns`             | `PDNS_API_KEY`, `PDNS_API_URL`                                                                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/pdns)             |
@@ -417,8 +417,9 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [RimuHosting](https://rimuhosting.com)                                 | `rimuhosting`      | `RIMUHOSTING_API_KEY`                                                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting)      |
 | [Route 53](https://aws.amazon.com/route53/)                            | `route53`          | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile.                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/route53)          |
 | [Sakura Cloud](https://cloud.sakura.ad.jp/)                            | `sakuracloud`      | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET`                                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud)      |
-| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCALEWAY_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
+| [Scaleway](https://www.scaleway.com)                                   | `scaleway`         | `SCW_API_TOKEN`                                                                                                                                                                  | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway)         |
 | [Selectel](https://selectel.ru/en/)                                    | `selectel`         | `SELECTEL_API_TOKEN`                                                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/selectel)         |
+| [Selectel v2](https://selectel.ru/en/)                                 | `selectelv2`       | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME`                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2)       |
 | [Servercow](https://servercow.de)                                      | `servercow`        | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD`                                                                                                                                       | [Additional configuration](https://go-acme.github.io/lego/dns/servercow)        |
 | [Shellrent](https://www.shellrent.com)                                 | `shellrent`        | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent)        |
 | [Simply.com](https://www.simply.com/en/domains/)                       | `simply`           | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY`                                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/simply)           |
--- a/docs/content/https/include-acme-multiple-domains-example.md
+++ b/docs/content/https/include-acme-multiple-domains-example.md
@@ -5,22 +5,10 @@ labels:
  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
  - traefik.http.routers.blog.tls=true
  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
+  - traefik.http.routers.blog.tls.domains[0].main=example.com
  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
 ```

-```yaml tab="Docker (Swarm)"
-## Dynamic configuration
-deploy:
-  labels:
-    - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-    - traefik.http.services.blog-svc.loadbalancer.server.port=8080"
-    - traefik.http.routers.blog.tls=true
-    - traefik.http.routers.blog.tls.certresolver=myresolver
-    - traefik.http.routers.blog.tls.domains[0].main=example.org
-    - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
-```
-
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -38,7 +26,7 @@ spec:
  tls:
    certResolver: myresolver
    domains:
-    - main: example.org
+    - main: example.com
      sans:
      - '*.example.org'
 ```
@@ -52,7 +40,7 @@ http:
      tls:
        certResolver: myresolver
        domains:
-          - main: "example.org"
+          - main: "example.com"
            sans:
              - "*.example.org"
 ```
@@ -65,6 +53,6 @@ http:
    [http.routers.blog.tls]
      certResolver = "myresolver" # From static configuration
      [[http.routers.blog.tls.domains]]
-        main = "example.org"
+        main = "example.com"
        sans = ["*.example.org"]
 ```
--- a/docs/content/includes/traefik-for-business-applications.md
+++ b/docs/content/includes/traefik-for-business-applications.md
@@ -1,14 +1,10 @@
 ---

-!!! question "Using Traefik for Business Applications?"
+!!! question "Using Traefik OSS in Production? Consider Adding Advanced Capabilities."

-    If you are using Traefik in your organization, consider our enterprise-grade solutions:
+    Add API Gateway or API Management capabilities seamlessly to your existing Traefik deployments. 
+    No rip and replace. No learning curve.

-    - API Management  
-      [Explore](https://traefik.io/solutions/api-management/) // [Watch Demo Video](https://info.traefik.io/watch-traefik-hub-demo)
-    - API Gateway  
-      [Explore](https://traefik.io/solutions/api-gateway/) // [Watch Demo Video](https://info.traefik.io/watch-traefikee-demo)
-    - Ingress Controller  
-      [Kubernetes](https://traefik.io/solutions/kubernetes-ingress/) // [Docker Swarm](https://traefik.io/solutions/docker-swarm-ingress/)
-
-    These tools help businesses discover, deploy, secure, and manage microservices and APIs easily, at scale, across any environment.
+    - [Explore our API Gateway](https://traefik.io/traefik-hub-api-gateway/)
+    - [Explore our API Management](https://traefik.io/traefik-hub/)
+    - [Get 24/7/365 Commercial Support for Traefik OSS](https://info.traefik.io/request-commercial-support)
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -24,8 +24,6 @@ Developing Traefik, our main goal is to make it effortless to use, and we're sur

 !!! info

-    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the traefik community.
+    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.

-    Using Traefik in your organization? Consider [Traefik Enterprise](https://traefik.io/traefik-enterprise/ "Lino to Traefik Enterprise"), our unified API Gateway and Ingress that simplifies the discovery, security, and deployment of APIs and microservices across any environment.
-
-    See it in action in [this short video walkthrough](https://info.traefik.io/watch-traefikee-demo "Link to video walkthrough").
+    Using Traefik OSS in Production? Add enterprise-grade API Gateway and API Management capabilities to your existing deployments seamlessly. No rip and replace. No learning curve. Learn more from [this short video](https://info.traefik.io/traefik-upgrade-walkthrough)
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -10,7 +10,7 @@ Compress Allows Compressing Responses before Sending them to the Client

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware supports gzip and Brotli compression.
+The Compress middleware supports Gzip, Brotli and Zstandard compression.
 The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

 ## Configuration Examples
@@ -54,8 +54,8 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
-    If the `Accept-Encoding` request header is absent, the response won't be encoded.
+    * The `Accept-Encoding` request header contains `gzip`, and/or `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent and no [defaultEncoding](#defaultencoding) is configured, the response won't be encoded.
    If it is present, but its value is the empty string, then compression is disabled.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
@@ -214,3 +214,44 @@ http:
  [http.middlewares.test-compress.compress]
    minResponseBodyBytes = 1200
 ```
+
+### `defaultEncoding`
+
+_Optional, Default=""_
+
+`defaultEncoding` specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
+
+There is no fallback on the `defaultEncoding` when the header value is empty or unsupported.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-compress
+spec:
+  compress:
+    defaultEncoding: gzip
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-compress:
+      compress:
+        defaultEncoding: gzip
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-compress.compress]
+    defaultEncoding = "gzip"
+```
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -300,7 +300,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -316,13 +316,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-auth.forwardAuth]
-    address = "https://example.com/auth"
-    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -334,6 +327,13 @@ http:
          - "State-Cookie"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-auth.forwardAuth]
+    address = "https://example.com/auth"
+    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
+```
+
 ### `tls`

 _Optional_
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -394,6 +394,10 @@ This overrides the `BrowserXssFilter` option.

 The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.

+### `contentSecurityPolicyReportOnly`
+
+The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
+
 ### `publicKey`

 The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -35,18 +35,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
@@ -125,20 +113,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 # Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
@@ -207,20 +181,6 @@ spec:
 - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Exclude from `X-Forwarded-For`
-labels:
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -359,6 +359,8 @@ http:

 Name of the header used to group incoming requests.

+!!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."
+
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -354,7 +354,7 @@ To apply a redirection:
    ```

    ```bash tab="CLI"
-    --entrypoints=Name:web Address::80 Redirect.EntryPoint:websecure
+    --entryPoints=Name:web Address::80 Redirect.EntryPoint:websecure
    --entryPoints='Name:websecure Address::443 TLS'
    ```

@@ -394,10 +394,10 @@ To apply a redirection:
    ```bash tab="CLI"
    ## static configuration

-    --entrypoints.web.address=:80
-    --entrypoints.web.http.redirections.entrypoint.to=websecure
-    --entrypoints.web.http.redirections.entrypoint.scheme=https
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.redirections.entrypoint.to=websecure
+    --entryPoints.web.http.redirections.entrypoint.scheme=https
+    --entryPoints.websecure.address=:443
    --providers.docker=true
    ```

@@ -750,8 +750,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
    --certificatesresolvers.myresolver.acme.email=your-email@example.com
    --certificatesresolvers.myresolver.acme.storage=acme.json
    --certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -1078,7 +1078,7 @@ To activate the dashboard, you can either:
      routers:
        api:
          rule: Host(`traefik.docker.localhost`)
-          entrypoints:
+          entryPoints:
            - websecure
          service: api@internal
          middlewares:
--- a/docs/content/migration/v2-to-v3-details.md
+++ b/docs/content/migration/v2-to-v3-details.md
@@ -0,0 +1,723 @@
+---
+title: "Traefik V3 Migration Details"
+description: "Configuration changes and their details to successfully migrate from Traefik v2 to v3."
+---
+
+# Configuration Details for Migrating from Traefik v2 to v3
+
+## Static Configuration Changes
+
+### SwarmMode
+
+In v3, the provider Docker has been split into 2 providers:
+
+- Docker provider (without Swarm support)
+- Swarm provider  (Swarm support only)
+
+??? example "An example usage of v2 Docker provider with Swarm"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        swarmMode: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker]
+        swarmMode=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.swarmMode=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
+
+??? example "An example usage of the Swarm provider"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      swarm:
+        endpoint: "tcp://127.0.0.1:2377"
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.swarm]
+        endpoint="tcp://127.0.0.1:2377"
+    ```
+
+    ```bash tab="CLI"
+    --providers.swarm.endpoint=tcp://127.0.0.1:2377
+    ```
+
+#### TLS.CAOptional
+
+Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      docker:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.docker.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.docker.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Docker provider static configuration.
+
+### Kubernetes Gateway API
+
+#### Experimental Channel Resources (TLSRoute and TCPRoute)
+
+In v3, the Kubernetes Gateway API provider does not enable support for the experimental channel API resources by default.
+
+##### Remediation
+
+The `experimentalChannel` option should be used to enable the support for the experimental channel API resources.
+
+??? example "An example usage of the Kubernetes Gateway API provider with experimental channel support enabled"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      kubernetesGateway:
+        experimentalChannel: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.kubernetesGateway]
+        experimentalChannel = true
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.kubernetesgateway.experimentalchannel=true
+    ```
+
+### Experimental Configuration
+
+#### HTTP3
+
+In v3, HTTP/3 is no longer an experimental feature.
+It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Experimental `http3` option"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      http3: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        http3=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.http3=true
+    ```
+
+##### Remediation
+
+The `http3` option should be removed from the static configuration experimental section.
+To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
+
+### Consul provider
+
+#### namespace
+
+The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Consul `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Consul `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consul:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consul]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consul.namespaces=foobar
+    ```
+
+#### TLS.CAOptional
+
+Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consul:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consul.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consul.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Consul provider static configuration.
+
+### ConsulCatalog provider
+
+#### namespace
+
+The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 ConsulCatalog `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of ConsulCatalog `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    consulCatalog:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [consulCatalog]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --consulCatalog.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      consulCatalog:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.consulCatalog.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.consulCatalog.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
+
+### Nomad provider
+
+#### namespace
+
+The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
+It is now unsupported and would prevent Traefik to start.
+
+??? example "An example usage of v2 Nomad `namespace` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespace: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespace=foobar
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespace=foobar
+    ```
+
+##### Remediation
+
+In v3, the `namespaces` option should be used instead of the `namespace` option.
+
+??? example "An example usage of Nomad `namespaces` option"
+
+    ```yaml tab="File (YAML)"
+    nomad:
+      namespaces:
+        - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [nomad]
+        namespaces=["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    --nomad.namespaces=foobar
+    ```
+
+#### Endpoint.TLS.CAOptional
+
+Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the Endpoint.TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      nomad:
+        endpoint:
+          tls: 
+            caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.nomad.endpoint.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.nomad.endpoint.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
+
+### Rancher v1 Provider
+
+In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
+and Rancher v2 is supported as a standard Kubernetes provider.
+
+??? example "An example of Traefik v2 Rancher v1 configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      rancher: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.rancher]
+    ```
+
+    ```bash tab="CLI"
+    --providers.rancher=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
+
+Also, all Rancher provider related configuration should be removed from the static configuration.
+
+### Marathon provider
+
+Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
+In v3, the Marathon provider has been removed.
+
+??? example "An example of v2 Marathon provider configuration"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      marathon: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.marathon]
+    ```
+
+    ```bash tab="CLI"
+    --providers.marathon=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Marathon provider related configuration should be removed from the static configuration.
+
+### HTTP Provider
+
+#### TLS.CAOptional
+
+HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      http:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.http.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.http.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the HTTP provider static configuration.
+
+### ETCD Provider
+
+#### TLS.CAOptional
+
+ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      etcd:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.etcd.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.etcd.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the ETCD provider static configuration.
+
+### Redis Provider
+
+#### TLS.CAOptional
+
+Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
+
+??? example "An example usage of the TLS.CAOptional option"
+
+    ```yaml tab="File (YAML)"
+    providers:
+      redis:
+        tls: 
+          caOptional: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.redis.tls]
+        caOptional=true
+    ```
+
+    ```bash tab="CLI"
+    --providers.redis.tls.caOptional=true
+    ```
+
+##### Remediation
+
+The `tls.caOptional` option should be removed from the Redis provider static configuration.
+
+### InfluxDB v1
+
+InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
+In v3, the InfluxDB v1 metrics provider has been removed.
+
+??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
+
+    ```yaml tab="File (YAML)"
+    metrics:
+      influxDB: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [metrics.influxDB]
+    ```
+
+    ```bash tab="CLI"
+    --metrics.influxDB=true
+    ```
+
+This configuration is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
+
+### Pilot
+
+Traefik Pilot is no longer available since October 4th, 2022.
+
+??? example "An example of v2 Pilot configuration"
+
+    ```yaml tab="File (YAML)"
+    pilot:
+      token: foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    [pilot]
+        token=foobar
+    ```
+
+    ```bash tab="CLI"
+    --pilot.token=foobar
+    ```
+
+In v2, Pilot configuration was deprecated and ineffective,
+it is now unsupported and would prevent Traefik to start.
+
+#### Remediation
+
+All Pilot related configuration should be removed from the static configuration.
+
+## Operations Changes
+
+### Traefik RBAC Update
+
+In v3, the support of `TCPServersTransport` has been introduced.
+When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
+
+### Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+### Observability
+
+#### gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.
+
+#### Tracing
+
+In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
+!!! warning "Important"
+    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
+    Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
+
+Here are two possible transition strategies:
+
+1. OTLP Ingestion Endpoints:
+
+    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
+    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
+
+2. Legacy Stack Compatibility:
+
+    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
+    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
+    This allows continued compatibility with the existing infrastructure.
+
+Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
+
+#### Internal Resources Observability
+
+In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
+To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
+Please take a look at the observability documentation for more information:
+
+- [AccessLogs](../observability/access-logs.md#addinternals)
+- [Metrics](../observability/metrics/overview.md#addinternals)
+- [Tracing](../observability/tracing/overview.md#addinternals)
+
+## Dynamic Configuration Changes
+
+### Router Rule Matchers
+
+In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
+The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
+The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
+For this reason, we encourage migrating to the new syntax.
+
+By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
+
+#### New V3 Syntax Notable Changes
+
+The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`PathPrefix` no longer uses regular expressions to match path prefixes.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+#### Remediation
+
+##### Configure the Default Syntax In Static Configuration
+
+The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
+It can be configured in the static configuration.
+
+??? example "An example configuration for the default rule matchers syntax"
+
+    ```yaml tab="File (YAML)"
+    # static configuration
+    core:
+      defaultRuleSyntax: v2
+    ```
+
+    ```toml tab="File (TOML)"
+    # static configuration
+    [core]
+        defaultRuleSyntax="v2"
+    ```
+
+    ```bash tab="CLI"
+    # static configuration
+    --core.defaultRuleSyntax=v2
+    ```
+
+##### Configure the Syntax Per Router
+
+The rule syntax can also be configured on a per-router basis.
+This allows to have heterogeneous router configurations and ease migration.
+
+??? example "An example router with syntax configuration"
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  routes:
+    - match: PathPrefix(`/foo`, `/bar`)
+      syntax: v2
+      kind: Rule
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.routers.test.ruleSyntax=v2"
+```
+
+```yaml tab="File (YAML)"
+http:
+  routers:
+    test:
+      ruleSyntax: v2
+```
+
+```toml tab="File (TOML)"
+[http.routers]
+  [http.routers.test]
+    ruleSyntax = "v2"
+```
+
+### IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+### Deprecated Options Removal
+
+- The `tracing.datadog.globaltag` option has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- The `preferServerCipherSuites` option has been removed.
+
+### TCP LoadBalancer `terminationDelay` option
+
+The TCP LoadBalancer `terminationDelay` option has been removed.
+This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
+
+### Kubernetes CRDs API Group `traefik.containo.us`
+
+In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
+Please use the API Group `traefik.io` instead.
+
+### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
+
+In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
+
+Please use the API Group `networking.k8s.io/v1` instead.
+
+### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
+
+In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
+
+Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@@ -8,728 +8,70 @@ description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary c
 How to Migrate from Traefik v2 to Traefik v3.
 {: .subtitle }

-The version 3 of Traefik introduces a number of breaking changes,
-which require one to update their configuration when they migrate from v2 to v3.
-The goal of this page is to recapitulate all of these changes,
-and in particular to give examples, feature by feature, 
-of how the configuration looked like in v2,
-and how it now looks like in v3.
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.

-## Static configuration
+Here are the steps to progressively migrate from Traefik v2 to v3:

-### Docker & Docker Swarm
+1. [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
+1. [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
+1. [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)

-#### SwarmMode
+## Step 1: Prepare Configurations and Test v3

-In v3, the provider Docker has been split into 2 providers:
+Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3.
+Modify your configurations accordingly.

- Docker provider (without Swarm support)
- Swarm provider  (Swarm support only)
+Then, add the following snippet to the static configuration:

-??? example "An example usage of v2 Docker provider with Swarm"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        swarmMode: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker]
-        swarmMode=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.swarmMode=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-##### Remediation
-
-In v3, the `swarmMode` should not be used with the Docker provider, and, to use Swarm, the Swarm provider should be used instead.
-
-??? example "An example usage of the Swarm provider"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      swarm:
-        endpoint: "tcp://127.0.0.1:2377"
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.swarm]
-        endpoint="tcp://127.0.0.1:2377"
-    ```
-
-    ```bash tab="CLI"
-    --providers.swarm.endpoint=tcp://127.0.0.1:2377
-    ```
-
-#### TLS.CAOptional
-
-Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      docker:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.docker.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.docker.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Docker provider static configuration.
-
-### Kubernetes Gateway API
-
-#### Experimental Channel Resources (TLSRoute and TCPRoute)
-
-In v3, the Kubernetes Gateway API provider does not enable support for the experimental channel API resources by default.
-
-##### Remediation
-
-The `experimentalChannel` option should be used to enable the support for the experimental channel API resources.
-
-??? example "An example usage of the Kubernetes Gateway API provider with experimental channel support enabled"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      kubernetesGateway:
-        experimentalChannel: true
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.kubernetesGateway]
-        experimentalChannel = true
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.kubernetesgateway.experimentalchannel=true
-    ```
-
-### Experimental Configuration
-
-#### HTTP3
-
-In v3, HTTP/3 is no longer an experimental feature.
-It can be enabled on entry points without the associated `experimental.http3` option, which is now removed.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Experimental `http3` option"
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      http3: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-        http3=true
-    ```
-
-    ```bash tab="CLI"
-    --experimental.http3=true
-    ```
-
-##### Remediation
-
-The `http3` option should be removed from the static configuration experimental section.
-
-### Consul provider
-
-#### namespace
-
-The Consul provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Consul `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Consul `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consul:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consul]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consul.namespaces=foobar
-    ```
-
-#### TLS.CAOptional
-
-Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consul.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consul.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Consul provider static configuration.
-
-### ConsulCatalog provider
-
-#### namespace
-
-The ConsulCatalog provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 ConsulCatalog `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of ConsulCatalog `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    consulCatalog:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [consulCatalog]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --consulCatalog.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.consulCatalog.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
-
-### Nomad provider
-
-#### namespace
-
-The Nomad provider `namespace` option was deprecated in v2 and is now removed in v3.
-It is now unsupported and would prevent Traefik to start.
-
-??? example "An example usage of v2 Nomad `namespace` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespace: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespace=foobar
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespace=foobar
-    ```
-
-##### Remediation
-
-In v3, the `namespaces` option should be used instead of the `namespace` option.
-
-??? example "An example usage of Nomad `namespaces` option"
-
-    ```yaml tab="File (YAML)"
-    nomad:
-      namespaces:
-        - foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [nomad]
-        namespaces=["foobar"]
-    ```
-
-    ```bash tab="CLI"
-    --nomad.namespaces=foobar
-    ```
-
-#### Endpoint.TLS.CAOptional
-
-Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the Endpoint.TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      nomad:
-        endpoint:
-          tls: 
-            caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.nomad.endpoint.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.nomad.endpoint.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
-
-### Rancher v1 Provider
-
-In v3, the Rancher v1 provider has been removed because Rancher v1 is [no longer actively maintained](https://rancher.com/docs/os/v1.x/en/support/),
-and Rancher v2 is supported as a standard Kubernetes provider.
-
-??? example "An example of Traefik v2 Rancher v1 configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      rancher: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.rancher]
-    ```
-
-    ```bash tab="CLI"
-    --providers.rancher=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
-
-Also, all Rancher provider related configuration should be removed from the static configuration.
-
-### Marathon provider
-
-Marathon maintenance [ended on October 31, 2021](https://github.com/mesosphere/marathon/blob/master/README.md).
-In v3, the Marathon provider has been removed.
-
-??? example "An example of v2 Marathon provider configuration"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      marathon: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-
-    ```bash tab="CLI"
-    --providers.marathon=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Marathon provider related configuration should be removed from the static configuration.
-
-### HTTP Provider
-
-#### TLS.CAOptional
-
-HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      http:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.http.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.http.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the HTTP provider static configuration.
-
-### ETCD Provider
-
-#### TLS.CAOptional
-
-ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      etcd:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.etcd.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.etcd.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the ETCD provider static configuration.
-
-### Redis Provider
-
-#### TLS.CAOptional
-
-Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://pkg.go.dev/crypto/tls#ClientAuthType).
-
-??? example "An example usage of the TLS.CAOptional option"
-
-    ```yaml tab="File (YAML)"
-    providers:
-      redis:
-        tls: 
-          caOptional: true
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.redis.tls]
-        caOptional=true
-    ```
-
-    ```bash tab="CLI"
-    --providers.redis.tls.caOptional=true
-    ```
-
-##### Remediation
-
-The `tls.caOptional` option should be removed from the Redis provider static configuration.
-
-### InfluxDB v1
-
-InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
-In v3, the InfluxDB v1 metrics provider has been removed.
-
-??? example "An example of Traefik v2 InfluxDB v1 metrics configuration"
-
-    ```yaml tab="File (YAML)"
-    metrics:
-      influxDB: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [metrics.influxDB]
-    ```
-
-    ```bash tab="CLI"
-    --metrics.influxDB=true
-    ```
-
-This configuration is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
-
-### Pilot
-
-Traefik Pilot is no longer available since October 4th, 2022.
-
-??? example "An example of v2 Pilot configuration"
-
-    ```yaml tab="File (YAML)"
-    pilot:
-      token: foobar
-    ```
-
-    ```toml tab="File (TOML)"
-    [pilot]
-        token=foobar
-    ```
-
-    ```bash tab="CLI"
-    --pilot.token=foobar
-    ```
-
-In v2, Pilot configuration was deprecated and ineffective,
-it is now unsupported and would prevent Traefik to start.
-
-#### Remediation
-
-All Pilot related configuration should be removed from the static configuration.
-
-## Dynamic configuration
-
-### Router Rule Matchers
-
-In v3, a new rule matchers syntax has been introduced for HTTP and TCP routers.
-The default rule matchers syntax is now the v3 one, but for backward compatibility this can be configured.
-The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
-For this reason, we encourage migrating to the new syntax.
-
-By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
-
-#### New V3 Syntax Notable Changes
-
-The `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
-
-`PathPrefix` no longer uses regular expressions to match path prefixes.
-
-`QueryRegexp` has been introduced to match query values using a regular expression.
-
-`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
-
-All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
-and should be explicitly combined using logical operators to mimic previous behavior.
-
-`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
-
-`HostHeader` has been removed, use `Host` instead.
-
-#### Remediation
-
-##### Configure the Default Syntax In Static Configuration
-
-The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
-It can be configured in the static configuration.
-
-??? example "An example configuration for the default rule matchers syntax"
-
-    ```yaml tab="File (YAML)"
-    # static configuration
-    core:
-      defaultRuleSyntax: v2
-    ```
-
-    ```toml tab="File (TOML)"
-    # static configuration
-    [core]
-        defaultRuleSyntax="v2"
-    ```
-
-    ```bash tab="CLI"
-    # static configuration
-    --core.defaultRuleSyntax=v2
-    ```
-
-##### Configure the Syntax Per Router
-
-The rule syntax can also be configured on a per-router basis.
-This allows to have heterogeneous router configurations and ease migration.
-
-??? example "An example router with syntax configuration"
-
-```yaml tab="Docker & Swarm"
-labels:
-  - "traefik.http.routers.test.ruleSyntax=v2"
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
 ```

-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: test.route
-  namespace: default
+This snippet in the static configuration makes the [v2 format](../migration/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.

-spec:
-  routes:
-    - match: PathPrefix(`/foo`, `/bar`)
-      syntax: v2
-      kind: Rule
+Start Traefik v3 with this new configuration to test it.
+
+If you don’t get any error logs while testing, you are good to go!
+Otherwise, follow the remaining migration options highlighted in the logs.
+
+Once your Traefik test instances are starting and routing to your applications, proceed to the next step.
+
+## Step 2: Migrate Production Instances to Traefik v3
+
+We strongly advise you to follow a progressive migration strategy ([Kubernetes rolling update mechanism](https://kubernetes.io/docs/tutorials/kubernetes-basics/update/update-intro/ "Link to the Kubernetes rolling update documentation"), for example) to migrate your production instances to v3.
+
+!!! Warning
+    Ensure you have a [real-time monitoring solution](https://traefik.io/blog/capture-traefik-metrics-for-apps-on-kubernetes-with-prometheus/ "Link to the blog on capturing Traefik metrics with Prometheus") for your ingress traffic to detect issues instantly.
+
+During the progressive migration, monitor your ingress traffic for any errors. Be prepared to rollback to a working state in case of any issues.
+
+If you encounter any issues, leverage debug and access logs provided by Traefik to understand what went wrong and how to fix it.
+
+Once every Traefik instance is updated, you will be on Traefik v3!
+
+## Step 3: Progressively Migrate Dynamic Configuration
+
+!!! info
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
+    Enable Traefik logs to get some help if any deprecated option is in use.
+
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes").
+
+Then, progressively [switch each router to the v3 syntax](./v2-to-v3-details.md#configure-the-syntax-per-router "Link to configuring the syntax per router").
+
+Test and update each Ingress resource and ensure that ingress traffic is not impacted.
+
+Once a v3 Ingress resource migration is validated, deploy the resource and delete the v2 Ingress resource.
+Repeat it until all Ingress resources are migrated.
+
+Now, remove the following snippet added to the static configuration in Step 1:
+
+```yaml
+# static configuration
+core:
+  defaultRuleSyntax: v2
 ```

-```yaml tab="Consul Catalog"
- "traefik.http.routers.test.ruleSyntax=v2"
-```
-
-```yaml tab="File (YAML)"
-http:
-  routers:
-    test:
-      ruleSyntax: v2
-```
-
-```toml tab="File (TOML)"
-[http.routers]
-  [http.routers.test]
-    ruleSyntax = "v2"
-```
-
-### IPWhiteList
-
-In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
-
-### Deprecated Options Removal
-
- The `tracing.datadog.globaltag` option has been removed.
- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
- The `forceSlash` option of the StripPrefix middleware has been removed.
- The `preferServerCipherSuites` option has been removed.
-
-### TCP LoadBalancer `terminationDelay` option
-
-The TCP LoadBalancer `terminationDelay` option has been removed.
-This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
-
-### Kubernetes CRDs API Group `traefik.containo.us`
-
-In v3, the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
-Please use the API Group `traefik.io` instead.
-
-### Kubernetes Ingress API Group `networking.k8s.io/v1beta1`
-
-In v3, the Kubernetes Ingress API Group `networking.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122)) support has been removed.
-
-Please use the API Group `networking.k8s.io/v1` instead.
-
-### Traefik CRD API Version `apiextensions.k8s.io/v1beta1`
-
-In v3, the Traefik CRD API Version `apiextensions.k8s.io/v1beta1` ([removed since Kubernetes v1.22](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#customresourcedefinition-v122)) support has been removed.
-
-Please use the CRD definition with the API Version `apiextensions.k8s.io/v1` instead.
-
-## Operations
-
-### Traefik RBAC Update
-
-In v3, the support of `TCPServersTransport` has been introduced.
-When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
-
-### Content-Type Auto-Detection
-
-In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
-One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
-
-### Observability
-
-#### gRPC Metrics
-
-In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
-
-#### Tracing
-
-In v3, the tracing feature has been revamped and is now powered exclusively by [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel") (OTel).
-!!! warning "Important"
-
-    Traefik v3 **no** longer supports direct output formats for specific vendors such as Instana, Jaeger, Zipkin, Haystack, Datadog, and Elastic.
-Instead, it focuses on pure OpenTelemetry implementation, providing a unified and standardized approach for observability.
-
-Here are two possible transition strategies:
-
-1. OTLP Ingestion Endpoints:
-
-    Most vendors now offer OpenTelemetry Protocol (OTLP) ingestion endpoints.
-    You can seamlessly integrate Traefik v3 with these endpoints to continue leveraging tracing capabilities.
-
-2. Legacy Stack Compatibility:
-
-    For legacy stacks that cannot immediately upgrade to the latest vendor agents supporting OTLP ingestion,
-    using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
-    This allows continued compatibility with the existing infrastructure.
-
-Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
-
-#### Internal Resources Observability
-
-In v3, observability for internal routers or services (e.g.: `ping@internal`) is disabled by default.
-To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
-Please take a look at the observability documentation for more information:
-
- [AccessLogs](../observability/access-logs.md#addinternals)
- [Metrics](../observability/metrics/overview.md#addinternals)
- [Tracing](../observability/tracing/overview.md#addinternals)
+You are now fully migrated to Traefik v3 🎉
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -513,7 +513,7 @@ In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, a
 As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
 it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.

-In addition, the Kubernetes CRDs API Version `traefik.io/v1alpha1` will not be supported in Traefik v3 itself.
+In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.

 Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
 To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
@@ -553,7 +553,7 @@ The following ciphers have been removed from the default list:
 - `TLS_RSA_WITH_AES_128_GCM_SHA256`
 - `TLS_RSA_WITH_AES_256_GCM_SHA384`

-To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
+To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.

 ### Minimum TLS Version

@@ -562,7 +562,7 @@ To enable these ciphers, please set the option `CipherSuites` in your [TLS confi
 > This change can be reverted with the `tls10server=1 GODEBUG` setting.
 > (https://go.dev/doc/go1.22#crypto/tls)

-To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](https://doc.traefik.io/traefik/https/tls/#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
+To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.

 ## v2.11.1

@@ -622,7 +622,7 @@ Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.linge
 ### RespondingTimeouts.TCP and RespondingTimeouts.HTTP

 Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
-To configure responding timeouts
+To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  

 ### EntryPoint.Transport.RespondingTimeouts.ReadTimeout

--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@@ -0,0 +1,53 @@
+---
+title: "Traefik Migration Documentation"
+description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions. Read the technical documentation."
+---
+
+# Migration: Steps needed between the versions
+
+## v3.0 to v3.1
+
+### Kubernetes Provider RBACs
+
+Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
+
+Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs), 
+the `endpoints` right has to be removed and the following `endpointslices` right has to be added.
+
+```yaml
+  ... 
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
+  ...
+```
+
+#### Gateway API: KubernetesGateway Provider
+
+In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
+It can be enabled without the associated `experimental.kubernetesgateway` option, which is now deprecated.
+
+??? example "An example of the experimental `kubernetesgateway` option"
+
+    ```yaml tab="File (YAML)"
+    experimental:
+      kubernetesgateway: true
+    ```
+
+    ```toml tab="File (TOML)"
+    [experimental]
+        kubernetesgateway=true
+    ```
+
+    ```bash tab="CLI"
+    --experimental.kubernetesgateway=true
+    ```
+
+##### Remediation
+
+The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
+To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -275,7 +275,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v3.0
+    image: traefik:v3.1
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -169,14 +169,14 @@ The default is not to perform compression.

 ```yaml tab="File (YAML)"
 log:
-  compress: 3
+  compress: true
 ```

 ```toml tab="File (TOML)"
 [log]
-  compress = 3
+  compress = true
 ```

 ```bash tab="CLI"
--log.compress=3
+--log.compress=true
 ```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -5,7 +5,7 @@ description: "Traefik Proxy supports these metrics backend systems: Datadog, Inf

 # Metrics

-Traefik supports these metrics backends:
+Traefik provides metrics in the [OpenTelemetry](./opentelemetry.md) format as well as the following vendor specific backends:

 - [Datadog](./datadog.md)
 - [InfluxDB2](./influxdb2.md)
@@ -46,6 +46,13 @@ addInternals = true
 | Open connections           | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
 | TLS certificates not after | Gauge |                          | The expiration date of certificates.                               |

+```opentelemetry tab="OpenTelemetry"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_open_connections
+traefik_tls_certs_not_after
+```
+
 ```prom tab="Prometheus"
 traefik_config_reloads_total
 traefik_config_last_reload_success
@@ -75,13 +82,6 @@ traefik.tls.certs.notAfterTimestamp
 {prefix}.tls.certs.notAfterTimestamp
 ```

-```opentelemetry tab="OpenTelemetry"
-traefik_config_reloads_total
-traefik_config_last_reload_success
-traefik_open_connections
-traefik_tls_certs_not_after
-```
-
 ### Labels

 Here is a comprehensive list of labels that are provided by the global metrics:
@@ -91,201 +91,9 @@ Here is a comprehensive list of labels that are provided by the global metrics:
 | `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
 | `protocol`   | Connection protocol                    | "TCP"                |

-## HTTP Metrics
+## OpenTelemetry Semantic Conventions

-### EntryPoint Metrics
-
-| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
-|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-```dd tab="Datadog"
-entrypoint.request.total
-entrypoint.request.tls.total
-entrypoint.request.duration
-entrypoint.requests.bytes.total
-entrypoint.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.entrypoint.requests.total
-traefik.entrypoint.requests.tls.total
-traefik.entrypoint.request.duration
-traefik.entrypoint.requests.bytes.total
-traefik.entrypoint.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.entrypoint.request.total
-{prefix}.entrypoint.request.tls.total
-{prefix}.entrypoint.request.duration
-{prefix}.entrypoint.requests.bytes.total
-{prefix}.entrypoint.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-### Router Metrics
-
-| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
-|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
-
-```prom tab="Prometheus"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-```dd tab="Datadog"
-router.request.total
-router.request.tls.total
-router.request.duration
-router.requests.bytes.total
-router.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.router.requests.total
-traefik.router.requests.tls.total
-traefik.router.request.duration
-traefik.router.requests.bytes.total
-traefik.router.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.router.request.total
-{prefix}.router.request.tls.total
-{prefix}.router.request.duration
-{prefix}.router.requests.bytes.total
-{prefix}.router.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-### Service Metrics
-
-| Metric                | Type      | Labels                                  | Description                                                 |
-|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
-| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
-| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
-| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
-| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
-| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
-| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
-| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
-
-```prom tab="Prometheus"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-```dd tab="Datadog"
-service.request.total
-router.service.tls.total
-service.request.duration
-service.retries.total
-service.server.up
-service.requests.bytes.total
-service.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.service.requests.total
-traefik.service.requests.tls.total
-traefik.service.request.duration
-traefik.service.retries.total
-traefik.service.server.up
-traefik.service.requests.bytes.total
-traefik.service.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.service.request.total
-{prefix}.service.request.tls.total
-{prefix}.service.request.duration
-{prefix}.service.retries.total
-{prefix}.service.server.up
-{prefix}.service.requests.bytes.total
-{prefix}.service.responses.bytes.total
-```
-
-```opentelemetry tab="OpenTelemetry"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-### Labels
-
-Here is a comprehensive list of labels that are provided by the metrics:
-
-| Label         | Description                           | example                    |
-|---------------|---------------------------------------|----------------------------|
-| `cn`          | Certificate Common Name               | "example.com"              |
-| `code`        | Request code                          | "200"                      |
-| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
-| `method`      | Request Method                        | "GET"                      |
-| `protocol`    | Request protocol                      | "http"                     |
-| `router`      | Router that handled the request       | "example_router"           |
-| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
-| `serial`      | Certificate Serial Number             | "123..."                   |
-| `service`     | Service that handled the request      | "example_service@provider" |
-| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
-| `tls_version` | TLS version used for the request      | "1.0"                      |
-| `url`         | Service server url                    | "http://example.com"       |
-
-!!! info "`method` label value"
-
-    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
-    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
-    then the value for the method label becomes `EXTENSION_METHOD`.
-
-## Semantic Conventions for HTTP Metrics
-
-Traefik Proxy follows [official OTLP semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).
+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).

 ### HTTP Server

@@ -328,3 +136,197 @@ Here is a comprehensive list of labels that are provided by the metrics:
 | `server.address`            | Name of the local HTTP server that received the request      | "example.com" |
 | `server.port`               | Port of the local HTTP server that received the request      | "80"          |
 | `url.scheme`                | The URI scheme component identifying the used protocol       | "http"        |
+
+## HTTP Metrics
+
+On top of the official OpenTelemetry semantic conventions, Traefik provides its own metrics to monitor the incoming traffic.
+
+### EntryPoint Metrics
+
+| Metric                | Type      | [Labels](#labels)                          | Description                                                         |
+|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
+```dd tab="Datadog"
+entrypoint.request.total
+entrypoint.request.tls.total
+entrypoint.request.duration
+entrypoint.requests.bytes.total
+entrypoint.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.entrypoint.requests.total
+traefik.entrypoint.requests.tls.total
+traefik.entrypoint.request.duration
+traefik.entrypoint.requests.bytes.total
+traefik.entrypoint.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.entrypoint.request.total
+{prefix}.entrypoint.request.tls.total
+{prefix}.entrypoint.request.duration
+{prefix}.entrypoint.requests.bytes.total
+{prefix}.entrypoint.responses.bytes.total
+```
+
+### Router Metrics
+
+| Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
+|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
+```dd tab="Datadog"
+router.request.total
+router.request.tls.total
+router.request.duration
+router.requests.bytes.total
+router.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.router.requests.total
+traefik.router.requests.tls.total
+traefik.router.request.duration
+traefik.router.requests.bytes.total
+traefik.router.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.router.request.total
+{prefix}.router.request.tls.total
+{prefix}.router.request.duration
+{prefix}.router.requests.bytes.total
+{prefix}.router.responses.bytes.total
+```
+
+### Service Metrics
+
+| Metric                | Type      | Labels                                  | Description                                                 |
+|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
+| Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
+| Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
+| Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
+| Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
+| Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
+| Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
+| Responses bytes total | Count     | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
+
+```opentelemetry tab="OpenTelemetry"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
+```prom tab="Prometheus"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
+```dd tab="Datadog"
+service.request.total
+router.service.tls.total
+service.request.duration
+service.retries.total
+service.server.up
+service.requests.bytes.total
+service.responses.bytes.total
+```
+
+```influxdb tab="InfluxDB2"
+traefik.service.requests.total
+traefik.service.requests.tls.total
+traefik.service.request.duration
+traefik.service.retries.total
+traefik.service.server.up
+traefik.service.requests.bytes.total
+traefik.service.responses.bytes.total
+```
+
+```statsd tab="StatsD"
+# Default prefix: "traefik"
+{prefix}.service.request.total
+{prefix}.service.request.tls.total
+{prefix}.service.request.duration
+{prefix}.service.retries.total
+{prefix}.service.server.up
+{prefix}.service.requests.bytes.total
+{prefix}.service.responses.bytes.total
+```
+
+### Labels
+
+Here is a comprehensive list of labels that are provided by the metrics:
+
+| Label         | Description                           | example                    |
+|---------------|---------------------------------------|----------------------------|
+| `cn`          | Certificate Common Name               | "example.com"              |
+| `code`        | Request code                          | "200"                      |
+| `entrypoint`  | Entrypoint that handled the request   | "example_entrypoint"       |
+| `method`      | Request Method                        | "GET"                      |
+| `protocol`    | Request protocol                      | "http"                     |
+| `router`      | Router that handled the request       | "example_router"           |
+| `sans`        | Certificate Subject Alternative NameS | "example.com"              |
+| `serial`      | Certificate Serial Number             | "123..."                   |
+| `service`     | Service that handled the request      | "example_service@provider" |
+| `tls_cipher`  | TLS cipher used for the request       | "TLS_FALLBACK_SCSV"        |
+| `tls_version` | TLS version used for the request      | "1.0"                      |
+| `url`         | Service server url                    | "http://example.com"       |
+
+!!! info "`method` label value"
+
+    If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
+    or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
+    then the value for the method label becomes `EXTENSION_METHOD`.
--- a/docs/content/observability/overview.md
+++ b/docs/content/observability/overview.md
@@ -29,7 +29,7 @@ Read the [Access Logs documentation](./access-logs.md) to learn how to configure
 Traefik offers a metrics feature that provides valuable insights about the performance and usage.
 These metrics include the number of requests received, the requests duration, and more.

-Traefik supports these metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.
+On top of supporting metrics in the OpenTelemetry format, Traefik supports the following vendor specific metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.

 Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.

@@ -37,6 +37,6 @@ Read the [Metrics documentation](./metrics/overview.md) to learn how to configur

 The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.

-Traefik supports these tracing with OpenTelemetry.
+Traefik provides tracing information in the OpenTelemery format.

 Read the [Tracing documentation](./tracing/overview.md) to learn how to configure it.
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -5,6 +5,8 @@ description: "Traefik supports several tracing backends, including OpenTelemetry

 # OpenTelemetry

+Traefik Proxy follows [official OpenTelemetry semantic conventions v1.26.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.26.0/docs/http/http-spans.md).
+
 To enable the OpenTelemetry tracer:

 ```yaml tab="File (YAML)"
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -160,3 +160,28 @@ tracing:
 ```bash tab="CLI"
 --tracing.capturedResponseHeaders[0]=X-CustomHeader
 ```
+
+#### `safeQueryParams`
+
+_Optional, Default={}_
+
+By default, all query parameters are redacted.
+Defines the list of query parameters to not redact.
+
+```yaml tab="File (YAML)"
+tracing:
+  otlp:
+    safeQueryParams:
+      - bar
+      - buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.otlp]
+    safeQueryParams = ["bar", "buz"]
+```
+
+```bash tab="CLI"
+--tracing.otlp.safeQueryParams=bar,buz
+```
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -163,7 +163,7 @@ See the [Docker API Access](#docker-api-access) section for more information.

    services:
      traefik:
-         image: traefik:v3.0 # The official v3 Traefik docker image
+         image: traefik:v3.1 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
@@ -58,7 +58,7 @@ For this reason, users can run multiple instances of Traefik at the same time to

 When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
-Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
+Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.

 If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.

@@ -183,7 +183,7 @@ _Optional, Default: ""_

 A label selector can be defined to filter on specific resource objects only,
 this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
-and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
+and has no effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.
 If left empty, Traefik processes all resource objects in the configured namespaces.

 See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
@@ -337,6 +337,30 @@ providers:
 --providers.kubernetescrd.allowexternalnameservices=true
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the IngressRoute `nativeLB` option [documentation](../routing/providers/kubernetes-crd.md#load-balancing).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.nativeLBByDefault=true
+```
+
 ## Full Example

 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -5,7 +5,7 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf

 # Traefik & Kubernetes with Gateway API

-The Kubernetes Gateway API, The Experimental Way.
+The Kubernetes Gateway API Controller.
 {: .subtitle }

 Gateway API is the evolution of Kubernetes APIs that relate to `Services`, such as `Ingress`.
@@ -14,32 +14,7 @@ The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specifications from the Kubernetes Special Interest Groups (SIGs).

-This provider is proposed as an experimental feature and partially supports Gateway API [v1.0.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.0.0) specification.
-
-!!! warning "Enabling The Experimental Kubernetes Gateway Provider"
-
-    Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
-
-    ```yaml tab="File (YAML)"
-    experimental:
-      kubernetesGateway: true
-
-    providers:
-      kubernetesGateway: {}
-      #...
-    ```
-
-    ```toml tab="File (TOML)"
-    [experimental]
-      kubernetesGateway = true
-
-    [providers.kubernetesGateway]
-    #...
-    ```
-
-    ```bash tab="CLI"
-    --experimental.kubernetesgateway=true --providers.kubernetesgateway=true #...
-    ```
+This provider supports Gateway API [v1.1.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.1.0) specification.

 ## Requirements

--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -80,7 +80,7 @@ When using a single instance of Traefik Proxy with Let's Encrypt, you should enc
 However, this could be a single point of failure.
 Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
 because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
-Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
+Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
 but due to sub-optimal performance that feature was dropped in 2.0.

 If you need Let's Encrypt with high availability in a Kubernetes environment,
@@ -467,9 +467,33 @@ providers:
 --providers.kubernetesingress.allowexternalnameservices=true
 ```

+### `nativeLBByDefault`
+
+_Optional, Default: false_
+
+Defines whether to use Native Kubernetes load-balancing mode by default.
+For more information, please check out the `traefik.ingress.kubernetes.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-ingress.md#on-service).
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    nativeLBByDefault: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  nativeLBByDefault = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.nativeLBByDefault=true
+```
+
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.1/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -150,8 +150,8 @@ Below is the list of the currently supported providers in Traefik.

 !!! info "More Providers"

-    The current version of Traefik does not yet support every provider that Traefik v1.7 did.
-    See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
+    The current version of Traefik does not yet support every provider that Traefik v2.11 did.
+    See the [previous version (v2.11)](https://doc.traefik.io/traefik/v2.11/) for more information.

 ### Configuration Reload Frequency

--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -209,7 +209,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati

    services:
      traefik:
-         image: traefik:v3.0 # The official v3 Traefik docker image
+         image: traefik:v3.1 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -18,6 +18,7 @@
 - "traefik.http.middlewares.middleware05.circuitbreaker.recoveryduration=42s"
 - "traefik.http.middlewares.middleware05.circuitbreaker.responsecode=42"
 - "traefik.http.middlewares.middleware06.compress=true"
+- "traefik.http.middlewares.middleware06.compress.defaultencoding=foobar"
 - "traefik.http.middlewares.middleware06.compress.excludedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.includedcontenttypes=foobar, foobar"
 - "traefik.http.middlewares.middleware06.compress.minresponsebodybytes=42"
@@ -54,6 +55,7 @@
 - "traefik.http.middlewares.middleware12.headers.allowedhosts=foobar, foobar"
 - "traefik.http.middlewares.middleware12.headers.browserxssfilter=true"
 - "traefik.http.middlewares.middleware12.headers.contentsecuritypolicy=foobar"
+- "traefik.http.middlewares.middleware12.headers.contentsecuritypolicyreportonly=foobar"
 - "traefik.http.middlewares.middleware12.headers.contenttypenosniff=true"
 - "traefik.http.middlewares.middleware12.headers.custombrowserxssvalue=foobar"
 - "traefik.http.middlewares.middleware12.headers.customframeoptionsvalue=foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -143,6 +143,7 @@
        excludedContentTypes = ["foobar", "foobar"]
        includedContentTypes = ["foobar", "foobar"]
        minResponseBodyBytes = 42
+        defaultEncoding = "foobar"
    [http.middlewares.Middleware07]
      [http.middlewares.Middleware07.contentType]
        autoDetect = true
@@ -197,6 +198,7 @@
        browserXssFilter = true
        customBrowserXSSValue = "foobar"
        contentSecurityPolicy = "foobar"
+        contentSecurityPolicyReportOnly = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
        permissionsPolicy = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -152,6 +152,7 @@ http:
          - foobar
          - foobar
        minResponseBodyBytes: 42
+        defaultEncoding: foobar
    Middleware07:
      contentType:
        autoDetect: true
@@ -241,6 +242,7 @@ http:
        browserXssFilter: true
        customBrowserXSSValue: foobar
        contentSecurityPolicy: foobar
+        contentSecurityPolicyReportOnly: foobar
        publicKey: foobar
        referrerPolicy: foobar
        permissionsPolicy: foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -63,12 +63,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -88,7 +88,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -98,6 +98,67 @@ spec:
                        description: Service defines an upstream HTTP service to proxy
                          traffic to.
                        properties:
+                          healthCheck:
+                            description: Healthcheck defines health checks for ExternalName
+                              services.
+                            properties:
+                              followRedirects:
+                                description: |-
+                                  FollowRedirects defines whether redirects should be followed during the health check calls.
+                                  Default: true
+                                type: boolean
+                              headers:
+                                additionalProperties:
+                                  type: string
+                                description: Headers defines custom headers to be
+                                  sent to the health check endpoint.
+                                type: object
+                              hostname:
+                                description: Hostname defines the value of hostname
+                                  in the Host header of the health check request.
+                                type: string
+                              interval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Interval defines the frequency of the health check calls.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
+                              method:
+                                description: Method defines the healthcheck method.
+                                type: string
+                              mode:
+                                description: |-
+                                  Mode defines the health check mode.
+                                  If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                  Default: http
+                                type: string
+                              path:
+                                description: Path defines the server URL path for
+                                  the health check endpoint.
+                                type: string
+                              port:
+                                description: Port defines the server URL port for
+                                  the health check endpoint.
+                                type: integer
+                              scheme:
+                                description: Scheme replaces the server URL scheme
+                                  for the health check endpoint.
+                                type: string
+                              status:
+                                description: Status defines the expected HTTP status
+                                  code of the response to the health check request.
+                                type: integer
+                              timeout:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                  Default: 5s
+                                x-kubernetes-int-or-string: true
+                            type: object
                          kind:
                            description: Kind defines the kind of the Service.
                            enum:
@@ -120,6 +181,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          passHostHeader:
                            description: |-
                              PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -161,7 +229,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -209,7 +277,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
@@ -219,18 +287,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -249,17 +317,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -276,12 +344,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
@@ -341,7 +409,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -354,7 +422,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -378,7 +446,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -401,6 +469,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          port:
                            anyOf:
                            - type: integer
@@ -412,7 +487,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -450,7 +525,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -459,18 +534,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -489,7 +564,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -581,7 +656,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -612,6 +687,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          port:
                            anyOf:
                            - type: integer
@@ -661,7 +743,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -687,7 +769,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -699,12 +781,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -725,7 +807,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -757,14 +839,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -814,13 +896,22 @@ spec:
                      breaker will try to recover (as soon as it is in recovering
                      state).
                    x-kubernetes-int-or-string: true
+                  responseCode:
+                    description: ResponseCode is the status code that the circuit
+                      breaker will return while it is in the open state.
+                    type: integer
                type: object
              compress:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip compression.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/
                properties:
+                  defaultEncoding:
+                    description: DefaultEncoding specifies the default encoding if
+                      the `Accept-Encoding` header is not in the request or contains
+                      a wildcard (`*`).
+                    type: string
                  excludedContentTypes:
                    description: |-
                      ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
@@ -857,12 +948,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -882,7 +973,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -892,8 +983,69 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service
                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                        type: object
                      kind:
                        description: Kind defines the kind of the Service.
                        enum:
@@ -916,6 +1068,13 @@ spec:
                          The Kubernetes Service itself does load-balance to the pods.
                          By default, NativeLB is false.
                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
                      passHostHeader:
                        description: |-
                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -957,7 +1116,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -1015,7 +1174,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -1043,7 +1202,7 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
@@ -1090,7 +1249,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1150,6 +1309,10 @@ spec:
                    description: ContentSecurityPolicy defines the Content-Security-Policy
                      header value.
                    type: string
+                  contentSecurityPolicyReportOnly:
+                    description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
+                      header value.
+                    type: string
                  contentTypeNosniff:
                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
                      header with the nosniff value.
@@ -1257,7 +1420,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -1270,12 +1433,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1304,12 +1467,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1341,7 +1504,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1366,7 +1529,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1475,7 +1638,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1508,7 +1671,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1537,7 +1700,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1556,7 +1719,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1573,7 +1736,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1584,7 +1747,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1600,7 +1763,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1622,7 +1785,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1641,7 +1804,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1678,7 +1841,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -1714,7 +1877,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1728,7 +1891,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1767,7 +1930,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
@@ -1906,7 +2069,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
@@ -2024,7 +2187,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -2049,14 +2212,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -2084,7 +2247,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences
                items:
                  type: string
                type: array
@@ -2140,7 +2303,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -2238,7 +2401,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -2263,6 +2426,67 @@ spec:
              mirroring:
                description: Mirroring defines the Mirroring service configuration.
                properties:
+                  healthCheck:
+                    description: Healthcheck defines health checks for ExternalName
+                      services.
+                    properties:
+                      followRedirects:
+                        description: |-
+                          FollowRedirects defines whether redirects should be followed during the health check calls.
+                          Default: true
+                        type: boolean
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers defines custom headers to be sent to
+                          the health check endpoint.
+                        type: object
+                      hostname:
+                        description: Hostname defines the value of hostname in the
+                          Host header of the health check request.
+                        type: string
+                      interval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Interval defines the frequency of the health check calls.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
+                      method:
+                        description: Method defines the healthcheck method.
+                        type: string
+                      mode:
+                        description: |-
+                          Mode defines the health check mode.
+                          If defined to grpc, will use the gRPC health check protocol to probe the server.
+                          Default: http
+                        type: string
+                      path:
+                        description: Path defines the server URL path for the health
+                          check endpoint.
+                        type: string
+                      port:
+                        description: Port defines the server URL port for the health
+                          check endpoint.
+                        type: integer
+                      scheme:
+                        description: Scheme replaces the server URL scheme for the
+                          health check endpoint.
+                        type: string
+                      status:
+                        description: Status defines the expected HTTP status code
+                          of the response to the health check request.
+                        type: integer
+                      timeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                          Default: 5s
+                        x-kubernetes-int-or-string: true
+                    type: object
                  kind:
                    description: Kind defines the kind of the Service.
                    enum:
@@ -2282,6 +2506,67 @@ spec:
                    items:
                      description: MirrorService holds the mirror configuration.
                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
@@ -2304,6 +2589,13 @@ spec:
                            The Kubernetes Service itself does load-balance to the pods.
                            By default, NativeLB is false.
                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
                        passHostHeader:
                          description: |-
                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -2350,7 +2642,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2410,6 +2702,13 @@ spec:
                      The Kubernetes Service itself does load-balance to the pods.
                      By default, NativeLB is false.
                    type: boolean
+                  nodePortLB:
+                    description: |-
+                      NodePortLB controls, when creating the load-balancer,
+                      whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                      It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                      By default, NodePortLB is false.
+                    type: boolean
                  passHostHeader:
                    description: |-
                      PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -2450,7 +2749,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2502,6 +2801,67 @@ spec:
                      description: Service defines an upstream HTTP service to proxy
                        traffic to.
                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
@@ -2524,6 +2884,13 @@ spec:
                            The Kubernetes Service itself does load-balance to the pods.
                            By default, NativeLB is false.
                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
                        passHostHeader:
                          description: |-
                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -2565,7 +2932,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2612,7 +2979,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
@@ -8,12 +8,19 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
+      - nodes
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -15,12 +15,18 @@ rules:
      - ""
    resources:
      - services
-      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - list
+      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -25,10 +25,10 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v3.0
+          image: traefik:v3.1
          args:
-            - --entrypoints.web.address=:80
-            - --entrypoints.websecure.address=:443
+            - --entryPoints.web.address=:80
+            - --entryPoints.websecure.address=:443
            - --experimental.kubernetesgateway
            - --providers.kubernetesgateway

--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -21,6 +21,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware05/circuitBreaker/fallbackDuration` | `42s` |
 | `traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration` | `42s` |
 | `traefik/http/middlewares/Middleware05/circuitBreaker/responseCode` | `42` |
+| `traefik/http/middlewares/Middleware06/compress/defaultEncoding` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware06/compress/includedContentTypes/0` | `foobar` |
@@ -70,6 +71,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware12/headers/allowedHosts/1` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/browserXssFilter` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy` | `foobar` |
+| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicyReportOnly` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/contentTypeNosniff` | `true` |
 | `traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue` | `foobar` |
 | `traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -63,12 +63,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -88,7 +88,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -98,6 +98,67 @@ spec:
                        description: Service defines an upstream HTTP service to proxy
                          traffic to.
                        properties:
+                          healthCheck:
+                            description: Healthcheck defines health checks for ExternalName
+                              services.
+                            properties:
+                              followRedirects:
+                                description: |-
+                                  FollowRedirects defines whether redirects should be followed during the health check calls.
+                                  Default: true
+                                type: boolean
+                              headers:
+                                additionalProperties:
+                                  type: string
+                                description: Headers defines custom headers to be
+                                  sent to the health check endpoint.
+                                type: object
+                              hostname:
+                                description: Hostname defines the value of hostname
+                                  in the Host header of the health check request.
+                                type: string
+                              interval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Interval defines the frequency of the health check calls.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
+                              method:
+                                description: Method defines the healthcheck method.
+                                type: string
+                              mode:
+                                description: |-
+                                  Mode defines the health check mode.
+                                  If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                  Default: http
+                                type: string
+                              path:
+                                description: Path defines the server URL path for
+                                  the health check endpoint.
+                                type: string
+                              port:
+                                description: Port defines the server URL port for
+                                  the health check endpoint.
+                                type: integer
+                              scheme:
+                                description: Scheme replaces the server URL scheme
+                                  for the health check endpoint.
+                                type: string
+                              status:
+                                description: Status defines the expected HTTP status
+                                  code of the response to the health check request.
+                                type: integer
+                              timeout:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                  Default: 5s
+                                x-kubernetes-int-or-string: true
+                            type: object
                          kind:
                            description: Kind defines the kind of the Service.
                            enum:
@@ -120,6 +181,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          passHostHeader:
                            description: |-
                              PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -161,7 +229,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -209,7 +277,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
@@ -219,18 +287,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -249,17 +317,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -276,12 +344,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -56,7 +56,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -103,6 +103,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          port:
                            anyOf:
                            - type: integer
@@ -114,7 +121,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.1/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -152,7 +159,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -161,18 +168,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.1/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -191,7 +198,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.1/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -74,6 +74,13 @@ spec:
                              The Kubernetes Service itself does load-balance to the pods.
                              By default, NativeLB is false.
                            type: boolean
+                          nodePortLB:
+                            description: |-
+                              NodePortLB controls, when creating the load-balancer,
+                              whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                              It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                              By default, NodePortLB is false.
+                            type: boolean
                          port:
                            anyOf:
                            - type: integer
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -45,7 +45,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -57,12 +57,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -83,7 +83,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -115,14 +115,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -172,13 +172,22 @@ spec:
                      breaker will try to recover (as soon as it is in recovering
                      state).
                    x-kubernetes-int-or-string: true
+                  responseCode:
+                    description: ResponseCode is the status code that the circuit
+                      breaker will return while it is in the open state.
+                    type: integer
                type: object
              compress:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip compression.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/compress/
                properties:
+                  defaultEncoding:
+                    description: DefaultEncoding specifies the default encoding if
+                      the `Accept-Encoding` header is not in the request or contains
+                      a wildcard (`*`).
+                    type: string
                  excludedContentTypes:
                    description: |-
                      ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
@@ -215,12 +224,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -240,7 +249,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -250,8 +259,69 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/errorpages/#service
                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                        type: object
                      kind:
                        description: Kind defines the kind of the Service.
                        enum:
@@ -274,6 +344,13 @@ spec:
                          The Kubernetes Service itself does load-balance to the pods.
                          By default, NativeLB is false.
                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
                      passHostHeader:
                        description: |-
                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -315,7 +392,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -373,7 +450,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -401,7 +478,7 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
@@ -448,7 +525,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -508,6 +585,10 @@ spec:
                    description: ContentSecurityPolicy defines the Content-Security-Policy
                      header value.
                    type: string
+                  contentSecurityPolicyReportOnly:
+                    description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Only
+                      header value.
+                    type: string
                  contentTypeNosniff:
                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
                      header with the nosniff value.
@@ -615,7 +696,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -628,12 +709,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -662,12 +743,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -699,7 +780,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -724,7 +805,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -833,7 +914,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -866,7 +947,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -895,7 +976,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -914,7 +995,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -931,7 +1012,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -942,7 +1023,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -958,7 +1039,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -980,7 +1061,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -999,7 +1080,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.1/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -55,7 +55,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.0/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.1/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
@@ -21,7 +21,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
@@ -21,7 +21,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.1/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -44,14 +44,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -79,7 +79,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.1/https/tls/#curve-preferences
                items:
                  type: string
                type: array
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
@@ -21,7 +21,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.1/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
@@ -22,7 +22,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -47,6 +47,67 @@ spec:
              mirroring:
                description: Mirroring defines the Mirroring service configuration.
                properties:
+                  healthCheck:
+                    description: Healthcheck defines health checks for ExternalName
+                      services.
+                    properties:
+                      followRedirects:
+                        description: |-
+                          FollowRedirects defines whether redirects should be followed during the health check calls.
+                          Default: true
+                        type: boolean
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers defines custom headers to be sent to
+                          the health check endpoint.
+                        type: object
+                      hostname:
+                        description: Hostname defines the value of hostname in the
+                          Host header of the health check request.
+                        type: string
+                      interval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Interval defines the frequency of the health check calls.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
+                      method:
+                        description: Method defines the healthcheck method.
+                        type: string
+                      mode:
+                        description: |-
+                          Mode defines the health check mode.
+                          If defined to grpc, will use the gRPC health check protocol to probe the server.
+                          Default: http
+                        type: string
+                      path:
+                        description: Path defines the server URL path for the health
+                          check endpoint.
+                        type: string
+                      port:
+                        description: Port defines the server URL port for the health
+                          check endpoint.
+                        type: integer
+                      scheme:
+                        description: Scheme replaces the server URL scheme for the
+                          health check endpoint.
+                        type: string
+                      status:
+                        description: Status defines the expected HTTP status code
+                          of the response to the health check request.
+                        type: integer
+                      timeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                          Default: 5s
+                        x-kubernetes-int-or-string: true
+                    type: object
                  kind:
                    description: Kind defines the kind of the Service.
                    enum:
@@ -66,6 +127,67 @@ spec:
                    items:
                      description: MirrorService holds the mirror configuration.
                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
@@ -88,6 +210,13 @@ spec:
                            The Kubernetes Service itself does load-balance to the pods.
                            By default, NativeLB is false.
                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
                        passHostHeader:
                          description: |-
                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -134,7 +263,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -194,6 +323,13 @@ spec:
                      The Kubernetes Service itself does load-balance to the pods.
                      By default, NativeLB is false.
                    type: boolean
+                  nodePortLB:
+                    description: |-
+                      NodePortLB controls, when creating the load-balancer,
+                      whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                      It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                      By default, NodePortLB is false.
+                    type: boolean
                  passHostHeader:
                    description: |-
                      PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -234,7 +370,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -286,6 +422,67 @@ spec:
                      description: Service defines an upstream HTTP service to proxy
                        traffic to.
                      properties:
+                        healthCheck:
+                          description: Healthcheck defines health checks for ExternalName
+                            services.
+                          properties:
+                            followRedirects:
+                              description: |-
+                                FollowRedirects defines whether redirects should be followed during the health check calls.
+                                Default: true
+                              type: boolean
+                            headers:
+                              additionalProperties:
+                                type: string
+                              description: Headers defines custom headers to be sent
+                                to the health check endpoint.
+                              type: object
+                            hostname:
+                              description: Hostname defines the value of hostname
+                                in the Host header of the health check request.
+                              type: string
+                            interval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Interval defines the frequency of the health check calls.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
+                            method:
+                              description: Method defines the healthcheck method.
+                              type: string
+                            mode:
+                              description: |-
+                                Mode defines the health check mode.
+                                If defined to grpc, will use the gRPC health check protocol to probe the server.
+                                Default: http
+                              type: string
+                            path:
+                              description: Path defines the server URL path for the
+                                health check endpoint.
+                              type: string
+                            port:
+                              description: Port defines the server URL port for the
+                                health check endpoint.
+                              type: integer
+                            scheme:
+                              description: Scheme replaces the server URL scheme for
+                                the health check endpoint.
+                              type: string
+                            status:
+                              description: Status defines the expected HTTP status
+                                code of the response to the health check request.
+                              type: integer
+                            timeout:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                                Default: 5s
+                              x-kubernetes-int-or-string: true
+                          type: object
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
@@ -308,6 +505,13 @@ spec:
                            The Kubernetes Service itself does load-balance to the pods.
                            By default, NativeLB is false.
                          type: boolean
+                        nodePortLB:
+                          description: |-
+                            NodePortLB controls, when creating the load-balancer,
+                            whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                            It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                            By default, NodePortLB is false.
+                          type: boolean
                        passHostHeader:
                          description: |-
                            PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
@@ -349,7 +553,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.1/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -396,7 +600,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -211,17 +211,35 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)

 `--experimental.kubernetesgateway`:  
-Allow the Kubernetes gateway api provider usage. (Default: ```false```)
+(Deprecated) Allow the Kubernetes gateway api provider usage. (Default: ```false```)

 `--experimental.localplugins.<name>`:  
 Local plugins configuration. (Default: ```false```)

 `--experimental.localplugins.<name>.modulename`:  
-plugin's module name.
+Plugin's module name.
+
+`--experimental.localplugins.<name>.settings`:  
+Plugin's settings (works only for wasm plugins).
+
+`--experimental.localplugins.<name>.settings.envs`:  
+Environment variables to forward to the wasm guest.
+
+`--experimental.localplugins.<name>.settings.mounts`:  
+Directory to mount to the wasm guest.

 `--experimental.plugins.<name>.modulename`:  
 plugin's module name.

+`--experimental.plugins.<name>.settings`:  
+Plugin's settings (works only for wasm plugins).
+
+`--experimental.plugins.<name>.settings.envs`:  
+Environment variables to forward to the wasm guest.
+
+`--experimental.plugins.<name>.settings.mounts`:  
+Directory to mount to the wasm guest.
+
 `--experimental.plugins.<name>.version`:  
 plugin's version.

@@ -339,6 +357,9 @@ Enable metrics on services. (Default: ```true```)
 `--metrics.otlp.explicitboundaries`:  
 Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000```)

+`--metrics.otlp.grpc`:  
+gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `--metrics.otlp.grpc.endpoint`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)

@@ -360,6 +381,9 @@ TLS insecure skip verify (Default: ```false```)
 `--metrics.otlp.grpc.tls.key`:  
 TLS key

+`--metrics.otlp.http`:  
+HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `--metrics.otlp.http.endpoint`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)

@@ -714,6 +738,9 @@ Kubernetes label selector to use.
 `--providers.kubernetescrd.namespaces`:  
 Kubernetes namespaces.

+`--providers.kubernetescrd.nativelbbydefault`:  
+Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
+
 `--providers.kubernetescrd.throttleduration`:  
 Ingress refresh throttle duration (Default: ```0```)

@@ -795,6 +822,9 @@ Kubernetes Ingress label selector to use.
 `--providers.kubernetesingress.namespaces`:  
 Kubernetes namespaces.

+`--providers.kubernetesingress.nativelbbydefault`:  
+Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
+
 `--providers.kubernetesingress.throttleduration`:  
 Ingress refresh throttle duration (Default: ```0```)

@@ -1050,6 +1080,9 @@ Defines additional attributes (key:value) on all spans.
 `--tracing.otlp`:  
 Settings for OpenTelemetry. (Default: ```false```)

+`--tracing.otlp.grpc`:  
+gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `--tracing.otlp.grpc.endpoint`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)

@@ -1071,6 +1104,9 @@ TLS insecure skip verify (Default: ```false```)
 `--tracing.otlp.grpc.tls.key`:  
 TLS key

+`--tracing.otlp.http`:  
+HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `--tracing.otlp.http.endpoint`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)

@@ -1089,6 +1125,9 @@ TLS insecure skip verify (Default: ```false```)
 `--tracing.otlp.http.tls.key`:  
 TLS key

+`--tracing.safequeryparams`:  
+Query params to not redact.
+
 `--tracing.samplerate`:  
 Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -211,17 +211,35 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)

 `TRAEFIK_EXPERIMENTAL_KUBERNETESGATEWAY`:  
-Allow the Kubernetes gateway api provider usage. (Default: ```false```)
+(Deprecated) Allow the Kubernetes gateway api provider usage. (Default: ```false```)

 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>`:  
 Local plugins configuration. (Default: ```false```)

 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_MODULENAME`:  
-plugin's module name.
+Plugin's module name.
+
+`TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS`:  
+Plugin's settings (works only for wasm plugins).
+
+`TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_ENVS`:  
+Environment variables to forward to the wasm guest.
+
+`TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_MOUNTS`:  
+Directory to mount to the wasm guest.

 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_MODULENAME`:  
 plugin's module name.

+`TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS`:  
+Plugin's settings (works only for wasm plugins).
+
+`TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_ENVS`:  
+Environment variables to forward to the wasm guest.
+
+`TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_MOUNTS`:  
+Directory to mount to the wasm guest.
+
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_VERSION`:  
 plugin's version.

@@ -339,6 +357,9 @@ Enable metrics on services. (Default: ```true```)
 `TRAEFIK_METRICS_OTLP_EXPLICITBOUNDARIES`:  
 Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000```)

+`TRAEFIK_METRICS_OTLP_GRPC`:  
+gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `TRAEFIK_METRICS_OTLP_GRPC_ENDPOINT`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)

@@ -360,6 +381,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_METRICS_OTLP_GRPC_TLS_KEY`:  
 TLS key

+`TRAEFIK_METRICS_OTLP_HTTP`:  
+HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `TRAEFIK_METRICS_OTLP_HTTP_ENDPOINT`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)

@@ -714,6 +738,9 @@ Kubernetes label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_NAMESPACES`:  
 Kubernetes namespaces.

+`TRAEFIK_PROVIDERS_KUBERNETESCRD_NATIVELBBYDEFAULT`:  
+Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_THROTTLEDURATION`:  
 Ingress refresh throttle duration (Default: ```0```)

@@ -795,6 +822,9 @@ Kubernetes Ingress label selector to use.
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NAMESPACES`:  
 Kubernetes namespaces.

+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_NATIVELBBYDEFAULT`:  
+Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_THROTTLEDURATION`:  
 Ingress refresh throttle duration (Default: ```0```)

@@ -1050,6 +1080,9 @@ Defines additional attributes (key:value) on all spans.
 `TRAEFIK_TRACING_OTLP`:  
 Settings for OpenTelemetry. (Default: ```false```)

+`TRAEFIK_TRACING_OTLP_GRPC`:  
+gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `TRAEFIK_TRACING_OTLP_GRPC_ENDPOINT`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)

@@ -1071,6 +1104,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_TRACING_OTLP_GRPC_TLS_KEY`:  
 TLS key

+`TRAEFIK_TRACING_OTLP_HTTP`:  
+HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
+
 `TRAEFIK_TRACING_OTLP_HTTP_ENDPOINT`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)

@@ -1089,6 +1125,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_TRACING_OTLP_HTTP_TLS_KEY`:  
 TLS key

+`TRAEFIK_TRACING_SAFEQUERYPARAMS`:  
+Query params to not redact.
+
 `TRAEFIK_TRACING_SAMPLERATE`:  
 Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -124,6 +124,7 @@
    allowEmptyServices = true
    allowExternalNameServices = true
    disableIngressClassLookup = true
+    nativeLBByDefault = true
    [providers.kubernetesIngress.ingressEndpoint]
      ip = "foobar"
      hostname = "foobar"
@@ -139,6 +140,7 @@
    ingressClass = "foobar"
    throttleDuration = "42s"
    allowEmptyServices = true
+    nativeLBByDefault = true
  [providers.kubernetesGateway]
    endpoint = "foobar"
    token = "foobar"
@@ -390,6 +392,7 @@
  serviceName = "foobar"
  capturedRequestHeaders = ["foobar", "foobar"]
  capturedResponseHeaders = ["foobar", "foobar"]
+  safeQueryParams = ["foobar", "foobar"]
  sampleRate = 42.0
  addInternals = true
  [tracing.globalAttributes]
@@ -471,14 +474,26 @@
    [experimental.plugins.Descriptor0]
      moduleName = "foobar"
      version = "foobar"
+      [experimental.plugins.Descriptor0.settings]
+        envs = ["foobar", "foobar"]
+        mounts = ["foobar", "foobar"]
    [experimental.plugins.Descriptor1]
      moduleName = "foobar"
      version = "foobar"
+      [experimental.plugins.Descriptor1.settings]
+        envs = ["foobar", "foobar"]
+        mounts = ["foobar", "foobar"]
  [experimental.localPlugins]
    [experimental.localPlugins.LocalDescriptor0]
      moduleName = "foobar"
+      [experimental.localPlugins.LocalDescriptor0.settings]
+        envs = ["foobar", "foobar"]
+        mounts = ["foobar", "foobar"]
    [experimental.localPlugins.LocalDescriptor1]
      moduleName = "foobar"
+      [experimental.localPlugins.LocalDescriptor1.settings]
+        envs = ["foobar", "foobar"]
+        mounts = ["foobar", "foobar"]

 [core]
  defaultRuleSyntax = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -141,6 +141,7 @@ providers:
    allowEmptyServices: true
    allowExternalNameServices: true
    disableIngressClassLookup: true
+    nativeLBByDefault: true
  kubernetesCRD:
    endpoint: foobar
    token: foobar
@@ -154,6 +155,7 @@ providers:
    ingressClass: foobar
    throttleDuration: 42s
    allowEmptyServices: true
+    nativeLBByDefault: true
  kubernetesGateway:
    endpoint: foobar
    token: foobar
@@ -432,6 +434,9 @@ tracing:
  capturedResponseHeaders:
    - foobar
    - foobar
+  safeQueryParams:
+    - foobar
+    - foobar
  sampleRate: 42
  addInternals: true
  otlp:
@@ -510,14 +515,42 @@ experimental:
    Descriptor0:
      moduleName: foobar
      version: foobar
+      settings:
+        envs:
+          - foobar
+          - foobar
+        mounts:
+          - foobar
+          - foobar
    Descriptor1:
      moduleName: foobar
      version: foobar
+      settings:
+        envs:
+          - foobar
+          - foobar
+        mounts:
+          - foobar
+          - foobar
  localPlugins:
    LocalDescriptor0:
      moduleName: foobar
+      settings:
+        envs:
+          - foobar
+          - foobar
+        mounts:
+          - foobar
+          - foobar
    LocalDescriptor1:
      moduleName: foobar
+      settings:
+        envs:
+          - foobar
+          - foobar
+        mounts:
+          - foobar
+          - foobar
  kubernetesGateway: true
 core:
  defaultRuleSyntax: foobar
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -227,8 +227,8 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
    ```

    ```bash tab="CLI"
-    --entrypoints.specificIPv4.address=192.168.2.7:8888
-    --entrypoints.specificIPv6.address=[2001:db8::1]:8888
+    --entryPoints.specificIPv4.address=192.168.2.7:8888
+    --entryPoints.specificIPv6.address=[2001:db8::1]:8888
    ```

    Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
@@ -270,8 +270,8 @@ reloading the static configuration without any service downtime.
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.web.reusePort=true
+    --entryPoints.web.address=:80
+    --entryPoints.web.reusePort=true
    ```

    Now it is possible to run multiple Traefik processes with the same EntryPoint configuration.
@@ -298,10 +298,10 @@ reloading the static configuration without any service downtime.
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.web.reusePort=true
-    --entrypoints.privateWeb.address=192.168.1.2:80
-    --entrypoints.privateWeb.reusePort=true
+    --entryPoints.web.address=:80
+    --entryPoints.web.reusePort=true
+    --entryPoints.privateWeb.address=192.168.1.2:80
+    --entryPoints.privateWeb.reusePort=true
    ```

    Requests to `192.168.1.2:80` will only be handled by routers that have `privateWeb` as the entry point.
@@ -349,9 +349,9 @@ EntryPoints in this list are used (by default) on HTTP and TCP routers that do n
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    --entrypoints.websecure.asDefault=true
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --entryPoints.websecure.asDefault=true
    ```

 ### HTTP/2
@@ -401,7 +401,7 @@ entryPoints:
 ```

 ```bash tab="CLI"
--entrypoints.name.http3
+--entryPoints.name.http3
 ```

 ??? info "HTTP/3 uses UDP+TLS"
@@ -433,7 +433,7 @@ It can be used to override the authority in the `alt-svc` header, for example if
    ```
    
    ```bash tab="CLI"
-    --entrypoints.name.http3.advertisedport=443
+    --entryPoints.name.http3.advertisedport=443
    ```

 ### Forwarded Headers
@@ -748,7 +748,7 @@ entryPoints:
  [entryPoints.name]
    address = ":8888"
    [entryPoints.name.transport]
-      keepAliveMaxTime = 42s
+      keepAliveMaxTime = "42s"
 ```

 ```bash tab="CLI"
@@ -870,10 +870,10 @@ This whole section is dedicated to options, keyed by entry point, that will appl
    ```

    ```bash tab="CLI"
-    --entrypoints.web.address=:80
-    --entrypoints.web.http.redirections.entryPoint.to=websecure
-    --entrypoints.web.http.redirections.entryPoint.scheme=https
-    --entrypoints.websecure.address=:443
+    --entryPoints.web.address=:80
+    --entryPoints.web.http.redirections.entryPoint.to=websecure
+    --entryPoints.web.http.redirections.entryPoint.scheme=https
+    --entryPoints.websecure.address=:443
    ```

 #### `entryPoint`
@@ -908,7 +908,7 @@ This section is a convenience to enable (permanent) redirecting of all incoming
    ```

    ```bash tab="CLI"
-    --entrypoints.foo.http.redirections.entryPoint.to=websecure
+    --entryPoints.foo.http.redirections.entryPoint.to=websecure
    ```

 ??? info "`entryPoint.scheme`"
@@ -938,7 +938,7 @@ This section is a convenience to enable (permanent) redirecting of all incoming
    ```

    ```bash tab="CLI"
-    --entrypoints.foo.http.redirections.entryPoint.scheme=https
+    --entryPoints.foo.http.redirections.entryPoint.scheme=https
    ```

 ??? info "`entryPoint.permanent`"
@@ -968,7 +968,7 @@ This section is a convenience to enable (permanent) redirecting of all incoming
    ```

    ```bash tab="CLI"
-    --entrypoints.foo.http.redirections.entrypoint.permanent=true
+    --entryPoints.foo.http.redirections.entrypoint.permanent=true
    ```

 ??? info "`entryPoint.priority`"
@@ -998,7 +998,7 @@ This section is a convenience to enable (permanent) redirecting of all incoming
    ```

    ```bash tab="CLI"
-    --entrypoints.foo.http.redirections.entrypoint.priority=10
+    --entryPoints.foo.http.redirections.entrypoint.priority=10
    ```

 ### EncodeQuerySemicolons
@@ -1026,8 +1026,8 @@ entryPoints:
 ```

 ```bash tab="CLI"
--entrypoints.websecure.address=:443
--entrypoints.websecure.http.encodequerysemicolons=true
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.encodequerysemicolons=true
 ```

 #### Examples
@@ -1062,8 +1062,8 @@ entryPoints:
 ```

 ```bash tab="CLI"
--entrypoints.websecure.address=:443
--entrypoints.websecure.http.middlewares=auth@file,strip@file
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.middlewares=auth@file,strip@file
 ```

 ### TLS
@@ -1109,13 +1109,13 @@ entryPoints:
 ```

 ```bash tab="CLI"
--entrypoints.websecure.address=:443
--entrypoints.websecure.http.tls.options=foobar
--entrypoints.websecure.http.tls.certResolver=leresolver
--entrypoints.websecure.http.tls.domains[0].main=example.com
--entrypoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
--entrypoints.websecure.http.tls.domains[1].main=test.com
--entrypoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls.options=foobar
+--entryPoints.websecure.http.tls.certResolver=leresolver
+--entryPoints.websecure.http.tls.domains[0].main=example.com
+--entryPoints.websecure.http.tls.domains[0].sans=foo.example.com,bar.example.com
+--entryPoints.websecure.http.tls.domains[1].main=test.com
+--entryPoints.websecure.http.tls.domains[1].sans=foo.test.com,bar.test.com
 ```

 ??? example "Let's Encrypt"
@@ -1138,8 +1138,8 @@ entryPoints:
    ```

    ```bash tab="CLI"
-    --entrypoints.websecure.address=:443
-    --entrypoints.websecure.http.tls.certResolver=leresolver
+    --entryPoints.websecure.address=:443
+    --entryPoints.websecure.http.tls.certResolver=leresolver
    ```

 ## UDP Options
@@ -1170,8 +1170,30 @@ entryPoints:
 ```

 ```bash tab="CLI"
-entrypoints.foo.address=:8000/udp
-entrypoints.foo.udp.timeout=10s
+--entryPoints.foo.address=:8000/udp
+--entryPoints.foo.udp.timeout=10s
 ```

 {!traefik-for-business-applications.md!}
+
+## Systemd Socket Activation
+
+Traefik supports [systemd socket activation](https://www.freedesktop.org/software/systemd/man/latest/systemd-socket-activate.html).
+
+When a socket activation file descriptor name matches an EntryPoint name, the corresponding file descriptor will be used as the TCP listener for the matching EntryPoint.
+
+```bash
+systemd-socket-activate -l 80 -l 443 --fdname web:websecure  ./traefik --entrypoints.web --entrypoints.websecure
+```
+
+!!! warning "EntryPoint Address"
+
+    When a socket activation file descriptor name matches an EntryPoint name its address configuration is ignored.     
+
+!!! warning "TCP Only"
+
+    Socket activation is not yet supported with UDP entryPoints.
+
+!!! warning "Docker Support"
+
+    Socket activation is not supported by Docker but works with Podman containers.
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -48,14 +48,14 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.0
+              image: traefik:v3.1
              args:
                - --log.level=DEBUG
                - --api
                - --api.insecure
-                - --entrypoints.web.address=:80
-                - --entrypoints.tcpep.address=:8000
-                - --entrypoints.udpep.address=:9000/udp
+                - --entryPoints.web.address=:80
+                - --entryPoints.tcpep.address=:8000
+                - --entryPoints.udpep.address=:9000/udp
                - --providers.kubernetescrd
              ports:
                - name: web
@@ -342,6 +342,9 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
            flushInterval: 1ms
          scheme: https
          serversTransport: transport   # [10]
+          healthCheck:                  # [11]
+            path: /health
+            interval: 15s
          sticky:
            cookie:
              httpOnly: true
@@ -351,16 +354,17 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
              maxAge: 42  
          strategy: RoundRobin
          weight: 10
-          nativeLB: true                # [11]
-      tls:                              # [12]
-        secretName: supersecret         # [13]
-        options:                        # [14]
-          name: opt                     # [15]
-          namespace: default            # [16]
-        certResolver: foo               # [17]
-        domains:                        # [18]
-        - main: example.net             # [19]
-          sans:                         # [20]
+          nativeLB: true                # [12]
+          nodePortLB: true              # [13]
+      tls:                              # [14]
+        secretName: supersecret         # [15]
+        options:                        # [16]
+          name: opt                     # [17]
+          namespace: default            # [18]
+        certResolver: foo               # [19]
+        domains:                        # [20]
+        - main: example.net             # [21]
+          sans:                         # [22]
          - a.example.net
          - b.example.net
    ```
@@ -377,16 +381,18 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
 | [8]  | `routes[n].services`           | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup)                                                                     |
 | [9]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       |
 | [10] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
-| [11] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
-| [12] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
-| [13] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
-| [14] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
-| [15] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
-| [16] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
-| [17] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
-| [18] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
-| [19] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
-| [20] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |
+| [11] | `services[n].healthCheck`      | Defines the HealthCheck when service references a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.                                                                                                                                |
+| [12] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
+| [13] | `services[n].nodePortLB`       | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.                                                                                                                               |
+| [14] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
+| [15] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
+| [16] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
+| [17] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
+| [18] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
+| [19] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
+| [20] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
+| [21] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
+| [22] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |

 ??? example "Declaring an IngressRoute"

@@ -899,15 +905,15 @@ More information in the dedicated [mirroring](../services/index.md#mirroring-ser
    
    spec:
      mirroring:
-        name: svc1
+        name: svc1                      # svc1 receives 100% of the traffic
        port: 80
        mirrors:
-          - name: svc2
+          - name: svc2                  # svc2 receives a copy of 20% of this traffic
            port: 80
            percent: 20
-          - name: svc3
+          - name: svc3                  # svc3 receives a copy of 15% of this traffic
            kind: TraefikService
-            percent: 20
+            percent: 15
    ```
    
    ```yaml tab="Mirroring Traefik Service"
@@ -920,15 +926,15 @@ More information in the dedicated [mirroring](../services/index.md#mirroring-ser
    
    spec:
      mirroring:
-        name: wrr1
+        name: wrr1                      # wrr1 receives 100% of the traffic
        kind: TraefikService
-         mirrors:
-           - name: svc2
-             port: 80
-             percent: 20
-           - name: svc3
-             kind: TraefikService
-             percent: 20
+        mirrors:
+          - name: svc2                  # svc2 receives a copy of 20% of this traffic
+            port: 80
+            percent: 20
+          - name: svc3                  # svc3 receives a copy of 10% of this traffic
+            kind: TraefikService
+            percent: 10
    ```

    ```yaml tab="K8s Service"
@@ -1149,18 +1155,20 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
            version: 1                # [12]
          serversTransport: transport # [13]
          nativeLB: true              # [14]
-      tls:                            # [15]
-        secretName: supersecret       # [16]
-        options:                      # [17]
-          name: opt                   # [18]
-          namespace: default          # [19]
-        certResolver: foo             # [20]
-        domains:                      # [21]
-        - main: example.net           # [22]
-          sans:                       # [23]
+          nodePortLB: true            # [15]
+
+      tls:                            # [16]
+        secretName: supersecret       # [17]
+        options:                      # [18]
+          name: opt                   # [19]
+          namespace: default          # [20]
+        certResolver: foo             # [21]
+        domains:                      # [22]
+        - main: example.net           # [23]
+          sans:                       # [24]
          - a.example.net
          - b.example.net
-        passthrough: false            # [24]
+        passthrough: false            # [25]
    ```

 | Ref  | Attribute                           | Purpose                                                                                                                                                                                                                                                                                                                                                                              |
@@ -1179,16 +1187,17 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
 | [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version                                                                                                                                                                                                                                                                                                            |
 | [13] | `services[n].serversTransport`      | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)).                                                                                   |
 | [14] | `services[n].nativeLB`              | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                                                                                                             |
-| [15] | `tls`                               | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                   |
-| [16] | `tls.secretName`                    | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                 |
-| [17] | `tls.options`                       | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                              |
-| [18] | `tls.options.name`                  | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                        |
-| [19] | `tls.options.namespace`             | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                   |
-| [20] | `tls.certResolver`                  | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                        |
-| [21] | `tls.domains`                       | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                     |
-| [22] | `tls.domains[n].main`               | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                         |
-| [23] | `tls.domains[n].sans`               | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                   |
-| [24] | `tls.passthrough`                   | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                              |
+| [15] | `services[n].nodePortLB`            | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is                                                                                                                                                                                                                                 |
+| [16] | `tls`                               | Defines [TLS](../routers/index.md#tls_1) certificate configuration                                                                                                                                                                                                                                                                                                                   |
+| [17] | `tls.secretName`                    | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                                                                                                                 |
+| [18] | `tls.options`                       | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                                                                                                              |
+| [19] | `tls.options.name`                  | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                                                                                                        |
+| [20] | `tls.options.namespace`             | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                                                                                                                   |
+| [21] | `tls.certResolver`                  | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1)                                                                                                                                                                                                                                                                                                        |
+| [22] | `tls.domains`                       | List of [domains](../routers/index.md#domains_1)                                                                                                                                                                                                                                                                                                                                     |
+| [23] | `tls.domains[n].main`               | Defines the main domain name                                                                                                                                                                                                                                                                                                                                                         |
+| [24] | `tls.domains[n].sans`               | List of SANs (alternative domains)                                                                                                                                                                                                                                                                                                                                                   |
+| [25] | `tls.passthrough`                   | If `true`, delegates the TLS termination to the backend                                                                                                                                                                                                                                                                                                                              |

 ??? example "Declaring an IngressRouteTCP"

@@ -1433,17 +1442,19 @@ Register the `IngressRouteUDP` [kind](../../reference/dynamic-configuration/kube
          port: 8080                # [5]
          weight: 10                # [6]
          nativeLB: true            # [7]
+          nodePortLB: true          # [8]
    ```

-| Ref | Attribute                     | Purpose                                                                                                                                                  |
-|-----|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1] | `entryPoints`                 | List of [entrypoints](../routers/index.md#entrypoints_1) names                                                                                           |
-| [2] | `routes`                      | List of routes                                                                                                                                           |
-| [3] | `routes[n].services`          | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup)  |
-| [4] | `services[n].name`            | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                             |
-| [5] | `services[n].port`            | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.   |
-| [6] | `services[n].weight`          | Defines the weight to apply to the server load balancing                                                                                                 |
-| [7] | `services[n].nativeLB`        | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
+| Ref | Attribute                     | Purpose                                                                                                                                                        |
+|-----|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1] | `entryPoints`                 | List of [entrypoints](../routers/index.md#entrypoints_1) names                                                                                                 |
+| [2] | `routes`                      | List of routes                                                                                                                                                 |
+| [3] | `routes[n].services`          | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup)        |
+| [4] | `services[n].name`            | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)                                                   |
+| [5] | `services[n].port`            | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.         |
+| [6] | `services[n].weight`          | Defines the weight to apply to the server load balancing                                                                                                       |
+| [7] | `services[n].nativeLB`        | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.       |
+| [8] | `services[n].nodePortLB`      | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. |

 ??? example "Declaring an IngressRouteUDP"

--- a/docs/content/routing/providers/kubernetes-gateway.md
+++ b/docs/content/routing/providers/kubernetes-gateway.md
@@ -5,7 +5,7 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a

 # Traefik & Kubernetes

-The Kubernetes Gateway API, The Experimental Way.
+The Kubernetes Gateway API Controller.
 {: .subtitle }

 ## Configuration Examples
@@ -234,7 +234,7 @@ Kubernetes cluster before creating `HTTPRoute` objects.
            - headers:                          # [11]
                name: foo                       # [12]
                value: bar                      # [13]
-        - backendRefs:                          # [14]
+          backendRefs:                          # [14]
            - name: whoamitcp                   # [15]
              weight: 1                         # [16]
              port: 8080                        # [17]
@@ -273,7 +273,7 @@ Kubernetes cluster before creating `HTTPRoute` objects.
 | [6]  | `rules`                 | A list of HTTP matchers, filters and actions.                                                                                                                               |
 | [7]  | `matches`               | Conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. |
 | [8]  | `path`                  | An HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided.                                                           |
-| [9]  | `type`                  | Type of match against the path Value (supported types: `Exact`, `Prefix`).                                                                                                  |
+| [9]  | `type`                  | Type of match against the path Value (supported types: `Exact`, `PathPrefix`, and `RegularExpression`).                                                                     |
 | [10] | `value`                 | The value of the HTTP path to match against.                                                                                                                                |
 | [11] | `headers`               | Conditions to select a HTTP route by matching HTTP request headers.                                                                                                         |
 | [12] | `name`                  | Name of the HTTP header to be matched.                                                                                                                                      |
--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@@ -29,12 +29,18 @@ which in turn will create the resulting routers, services, handlers, etc.
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
@@ -124,9 +130,9 @@ which in turn will create the resulting routers, services, handlers, etc.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.0
+              image: traefik:v3.1
              args:
-                - --entrypoints.web.address=:80
+                - --entryPoints.web.address=:80
                - --providers.kubernetesingress
              ports:
                - name: web
@@ -287,6 +293,16 @@ which in turn will create the resulting routers, services, handlers, etc.
    traefik.ingress.kubernetes.io/service.nativelb: "true"
    ```

+??? info "`traefik.ingress.kubernetes.io/service.nodeportlb`"
+
+    Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+    It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+    By default, NodePortLB is false.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.nodeportlb: "true"
+    ```
+
 ??? info "`traefik.ingress.kubernetes.io/service.serversscheme`"

    Overrides the default scheme.
@@ -381,8 +397,8 @@ TLS can be enabled through the [HTTP options](../entrypoints.md#tls) of an Entry

 ```bash tab="CLI"
 # Static configuration
--entrypoints.websecure.address=:443
--entrypoints.websecure.http.tls
+--entryPoints.websecure.address=:443
+--entryPoints.websecure.http.tls
 ```

 ```yaml tab="File (YAML)"
@@ -417,12 +433,19 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
@@ -512,10 +535,10 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.0
+              image: traefik:v3.1
              args:
-                - --entrypoints.websecure.address=:443
-                - --entrypoints.websecure.http.tls
+                - --entryPoints.websecure.address=:443
+                - --entryPoints.websecure.http.tls
                - --providers.kubernetesingress
              ports:
                - name: websecure
@@ -602,12 +625,19 @@ For more options, please refer to the available [annotations](#on-ingress).
          - ""
        resources:
          - services
-          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
+      - apiGroups:
+          - discovery.k8s.io
+        resources:
+          - endpointslices
+        verbs:
+          - get
+          - list
+          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
@@ -698,9 +728,9 @@ For more options, please refer to the available [annotations](#on-ingress).
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.0
+              image: traefik:v3.1
              args:
-                - --entrypoints.websecure.address=:443
+                - --entryPoints.websecure.address=:443
                - --providers.kubernetesingress
              ports:
                - name: websecure
@@ -822,7 +852,7 @@ TLS certificates can be managed in Secrets objects.
    whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.

    One alternative is to use an `ExternalName` service to forward requests to the Kubernetes service through DNS.
-    To do so, one must [allow external name services](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services").
+    To do so, one must [allow external name services](../providers/kubernetes-ingress/#allowexternalnameservices "Link to docs about allowing external name services").

 Traefik automatically requests endpoint information based on the service provided in the ingress spec.
 Although Traefik will connect directly to the endpoints (pods),
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -146,9 +146,9 @@ If you want to limit the router scope to a set of entry points, set the `entryPo

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    --entrypoints.other.address=:9090
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --entryPoints.other.address=:9090
    ```

 ??? example "Listens to Specific EntryPoints"
@@ -204,9 +204,9 @@ If you want to limit the router scope to a set of entry points, set the `entryPo

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    --entrypoints.other.address=:9090
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --entryPoints.other.address=:9090
    ```

 ### Rule
@@ -368,7 +368,7 @@ Path are always starting with a `/`, except for `PathRegexp`.
    [case-insensitively](https://en.wikipedia.org/wiki/Case_sensitivity):

    ```yaml
-    HostRegexp(`(?i)^/products`)
+    PathRegexp(`(?i)^/products`)
    ```

 #### Query and QueryRegexp
@@ -827,7 +827,7 @@ http:
 ```

 !!! info "Multiple Hosts in a Rule"
-    The rule ```Host(`test1.example.com`,`test2.example.com`)``` will request a certificate with the main domain `test1.example.com` and SAN `test2.example.com`.
+    The rule ```Host(`test1.example.com`) || Host(`test2.example.com`)``` will request a certificate with the main domain `test1.example.com` and SAN `test2.example.com`.

 #### `domains`

@@ -959,9 +959,9 @@ If you want to limit the router scope to a set of entry points, set the entry po

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    --entrypoints.other.address=:9090
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --entryPoints.other.address=:9090
    ```

 ??? example "Listens to Specific EntryPoints"
@@ -1023,9 +1023,9 @@ If you want to limit the router scope to a set of entry points, set the entry po

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=:80
-    --entrypoints.websecure.address=:443
-    --entrypoints.other.address=:9090
+    --entryPoints.web.address=:80
+    --entryPoints.websecure.address=:443
+    --entryPoints.other.address=:9090
    ```

 ### Rule
@@ -1610,9 +1610,9 @@ If one wants to limit the router scope to a set of EntryPoints, one should set t

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=":80"
-    --entrypoints.other.address=":9090/udp"
-    --entrypoints.streaming.address=":9191/udp"
+    --entryPoints.web.address=":80"
+    --entryPoints.other.address=":9090/udp"
+    --entryPoints.streaming.address=":9191/udp"
    ```

 ??? example "Listens to Specific EntryPoints"
@@ -1667,9 +1667,9 @@ If one wants to limit the router scope to a set of EntryPoints, one should set t

    ```bash tab="CLI"
    ## Static configuration
-    --entrypoints.web.address=":80"
-    --entrypoints.other.address=":9090/udp"
-    --entrypoints.streaming.address=":9191/udp"
+    --entryPoints.web.address=":80"
+    --entryPoints.other.address=":9090/udp"
+    --entryPoints.streaming.address=":9191/udp"
    ```

 ### Services
--- a/docs/content/user-guides/crd-acme/03-deployments.yml
+++ b/docs/content/user-guides/crd-acme/03-deployments.yml
@@ -26,12 +26,12 @@ spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
-          image: traefik:v3.0
+          image: traefik:v3.1
          args:
            - --api.insecure
            - --accesslog
-            - --entrypoints.web.Address=:8000
-            - --entrypoints.websecure.Address=:4443
+            - --entryPoints.web.Address=:8000
+            - --entryPoints.websecure.Address=:4443
            - --providers.kubernetescrd
            - --certificatesresolvers.myresolver.acme.tlschallenge
            - --certificatesresolvers.myresolver.acme.email=foo@you.com
--- a/docs/content/user-guides/crd-acme/index.md
+++ b/docs/content/user-guides/crd-acme/index.md
@@ -49,10 +49,10 @@ and the RBAC authorization resources which will be referenced through the `servi

 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```

 ### Services
@@ -60,7 +60,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/con
 Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami).

 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/02-services.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/user-guides/crd-acme/02-services.yml
 ```

 ```yaml
@@ -73,7 +73,7 @@ Next, the deployments, i.e. the actual pods behind the services.
 Again, one pod for Traefik, and one for the whoami app.

 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/03-deployments.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/user-guides/crd-acme/03-deployments.yml
 ```

 ```yaml
@@ -100,7 +100,7 @@ Look it up.
 We can now finally apply the actual ingressRoutes, with:

 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/user-guides/crd-acme/04-ingressroutes.yml
 ```

 ```yaml
@@ -126,7 +126,7 @@ Nowadays, TLS v1.0 and v1.1 are deprecated.
 In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption:

 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/user-guides/crd-acme/05-tlsoption.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.1/docs/content/user-guides/crd-acme/05-tlsoption.yml
 ```

 ```yaml
--- a/docs/content/user-guides/crd-acme/k3s.yml
+++ b/docs/content/user-guides/crd-acme/k3s.yml
@@ -26,5 +26,5 @@ node:
    - K3S_CLUSTER_SECRET=somethingtotallyrandom
  volumes:
    # this is where you would place a alternative traefik image (saved as a .tar file with
-    # 'docker save'), if you want to use it, instead of the traefik:v3.0 image.
+    # 'docker save'), if you want to use it, instead of the traefik:v3.1 image.
    - /somewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
@@ -3,15 +3,15 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v3.0"
+    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
@@ -13,15 +13,15 @@ secrets:
 services:

  traefik:
-    image: "traefik:v3.0"
+    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
--- a/docs/content/user-guides/docker-compose/acme-dns/index.md
+++ b/docs/content/user-guides/docker-compose/acme-dns/index.md
@@ -5,7 +5,7 @@ description: "Learn how to create a certificate with the Let's Encrypt DNS chall

 # Docker-compose with Let's Encrypt: DNS Challenge

-This guide aim to demonstrate how to create a certificate with the Let's Encrypt DNS challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt DNS challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  

 ## Prerequisite
@@ -64,7 +64,7 @@ What changed between the initial setup:
 ```yaml
 command:
  # Traefik will listen to incoming request on the port 443 (https)
-  - "--entrypoints.websecure.address=:443"
+  - "--entryPoints.websecure.address=:443"
 ports:
  - "443:443"
 ```
--- a/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
@@ -3,15 +3,15 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v3.0"
+    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
--- a/docs/content/user-guides/docker-compose/acme-http/index.md
+++ b/docs/content/user-guides/docker-compose/acme-http/index.md
@@ -5,7 +5,7 @@ description: "Learn how to create a certificate with the Let's Encrypt HTTP chal

 # Docker-compose with Let's Encrypt : HTTP Challenge

-This guide aim to demonstrate how to create a certificate with the Let's Encrypt HTTP challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt HTTP challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  

 ## Prerequisite
@@ -50,7 +50,7 @@ What changed between the basic example:
 ```yaml
 command:
  # Traefik will listen to incoming request on the port 443 (https)
-  - "--entrypoints.websecure.address=:443"
+  - "--entryPoints.websecure.address=:443"
 ports:
  - "443:443"
 ```
--- a/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
@@ -3,14 +3,14 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v3.0"
+    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
--- a/docs/content/user-guides/docker-compose/acme-tls/index.md
+++ b/docs/content/user-guides/docker-compose/acme-tls/index.md
@@ -5,7 +5,7 @@ description: "Learn how to create a certificate with the Let's Encrypt TLS chall

 # Docker-compose with Let's Encrypt: TLS Challenge

-This guide aim to demonstrate how to create a certificate with the Let's Encrypt TLS challenge to use https on a simple service exposed with Traefik.  
+This guide aims to demonstrate how to create a certificate with the Let's Encrypt TLS challenge to use https on a simple service exposed with Traefik.  
 Please also read the [basic example](../basic-example) for details on how to expose such a service.  

 ## Prerequisite
@@ -50,7 +50,7 @@ What changed between the basic example:
 ```yaml
 command:
  # Traefik will listen to incoming request on the port 443 (https)
-  - "--entrypoints.websecure.address=:443"
+  - "--entryPoints.websecure.address=:443"
 ports:
  - "443:443"
 ```
--- a/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
@@ -3,14 +3,14 @@ version: "3.3"
 services:

  traefik:
-    image: "traefik:v3.0"
+    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
+      - "--entryPoints.web.address=:80"
    ports:
      - "80:80"
      - "8080:8080"
--- a/docs/content/user-guides/docker-compose/basic-example/index.md
+++ b/docs/content/user-guides/docker-compose/basic-example/index.md
@@ -31,7 +31,7 @@ Create a `docker-compose.yml` file with the following content:
    services:

      traefik:
-        image: "traefik:v3.0"
+        image: "traefik:v3.1"
        ...
        networks:
          - traefiknet
@@ -86,7 +86,7 @@ Second, you define an entry point, along with the exposure of the matching port
 ```yaml
 command:
  # Traefik will listen to incoming request on the port 80 (HTTP)
-  - "--entrypoints.web.address=:80"
+  - "--entryPoints.web.address=:80"

 ports:
  - "80:80"
--- a/docs/docs.Dockerfile
+++ b/docs/docs.Dockerfile
@@ -1,10 +1,12 @@
-FROM alpine:3.14
+FROM alpine:3.20

-ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/root/.local/bin
+ENV PATH="${PATH}:/venv/bin"

 COPY requirements.txt /mkdocs/
 WORKDIR /mkdocs
 VOLUME /mkdocs

 RUN apk --no-cache --no-progress add py3-pip gcc musl-dev python3-dev \
-  && pip3 install --user -r requirements.txt
+  && python3 -m venv /venv \
+  && source /venv/bin/activate \
+  && pip3 install -r requirements.txt
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -172,7 +172,10 @@ nav:
          - 'HTTP Challenge': 'user-guides/docker-compose/acme-http/index.md'
          - 'DNS Challenge': 'user-guides/docker-compose/acme-dns/index.md'
  - 'Migration':
-      - 'Traefik v2 to v3': 'migration/v2-to-v3.md'
+      - 'Traefik v3 minor migrations': 'migration/v3.md'
+      - 'Traefik v2 to v3':
+        - 'Migration guide': 'migration/v2-to-v3.md'
+        - 'Configuration changes for v3': 'migration/v2-to-v3-details.md'
      - 'Traefik v2 minor migrations': 'migration/v2.md'
      - 'Traefik v1 to v2': 'migration/v1-to-v2.md'
  - 'Contributing':
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,45 +1,23 @@
-mkdocs==1.2.2
+markdown-include==0.5.1
+mkdocs==1.2.4
+mkdocs-exclude==1.0.2
 mkdocs-traefiklabs>=100.0.7

-appdirs==1.4.4
-CacheControl==0.12.6
-certifi==2020.12.5
-chardet==4.0.0
-click==8.0.4
-colorama==0.4.4
-contextlib2==0.6.0
-distlib==0.3.1
-distro==1.5.0
-ghp-import==2.0.2
-html5lib==1.1
-idna==3.2
-importlib-metadata==4.11.3
-Jinja2==3.0.0
-lockfile==0.12.2
+click==8.1.7
+colorama==0.4.6
+ghp-import==2.1.0
+importlib_metadata==7.1.0
+Jinja2==3.1.3
 Markdown==3.3.6
-markdown-include==0.5.1
-MarkupSafe==2.1.1
+MarkupSafe==2.1.5
 mergedeep==1.3.4
-mkdocs-bootswatch==1.0
-mkdocs-exclude==1.0.2
-mkdocs-material-extensions==1.0.3
-msgpack==1.0.2
-ordered-set==4.0.2
-packaging==20.9
-pep517==0.10.0
-progress==1.5
-Pygments==2.11.2
+mkdocs-material-extensions==1.3.1
+packaging==24.0
+Pygments==2.18.0
 pymdown-extensions==7.0
-pyparsing==2.4.7
-python-dateutil==2.8.2
+python-dateutil==2.9.0.post0
 PyYAML==6.0.1
-pyyaml-env-tag==0.1
-requests==2.25.1
-retrying==1.3.3
-six==1.15.0
-toml==0.10.2
-urllib3==1.26.5
-watchdog==2.1.7
-webencodings==0.5.1
-zipp==3.7.0
-
+pyyaml_env_tag==0.1
+six==1.16.0
+watchdog==4.0.0
+zipp==3.18.1
--- a/docs/runtime.txt
+++ b/docs/runtime.txt
@@ -1 +0,0 @@
-3.7
--- a/go.mod
+++ b/go.mod
@@ -1,37 +1,38 @@
 module github.com/traefik/traefik/v3

-go 1.22
+go 1.22.4

 require (
-	github.com/BurntSushi/toml v1.3.2
+	github.com/BurntSushi/toml v1.4.0
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000
 	github.com/andybalholm/brotli v1.0.6
 	github.com/aws/aws-sdk-go v1.44.327
-	github.com/cenkalti/backoff/v4 v4.2.1
+	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v24.0.9+incompatible
-	github.com/docker/docker v24.0.9+incompatible
-	github.com/docker/go-connections v0.4.0
+	github.com/docker/docker v25.0.5+incompatible
+	github.com/docker/go-connections v0.5.0
 	github.com/fatih/structs v1.1.0
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/go-acme/lego/v4 v4.16.1
+	github.com/go-acme/lego/v4 v4.17.4
 	github.com/go-kit/kit v0.10.1-0.20200915143503-439c4d2ed3ea
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/go-github/v28 v28.1.1
 	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/websocket v1.5.1
 	github.com/hashicorp/consul/api v1.26.1
-	github.com/hashicorp/go-hclog v1.5.0
+	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.5
+	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/go-version v1.6.0
 	github.com/hashicorp/nomad/api v0.0.0-20240122103822-8a4bd61caf74
 	github.com/http-wasm/http-wasm-host-go v0.6.0
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
 	github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d
+	github.com/juliens/wasm-goexport v0.0.6
 	github.com/klauspost/compress v1.17.2
 	github.com/kvtools/consul v1.0.2
 	github.com/kvtools/etcdv3 v1.0.2
@@ -39,7 +40,7 @@ require (
 	github.com/kvtools/valkeyrie v1.0.0
 	github.com/kvtools/zookeeper v1.0.2
 	github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f
-	github.com/miekg/dns v1.1.58
+	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
@@ -47,17 +48,20 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pires/go-proxyproto v0.6.1
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
-	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.5.0
-	github.com/quic-go/quic-go v0.42.0
+	github.com/quic-go/quic-go v0.45.1
 	github.com/rs/zerolog v1.29.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spiffe/go-spiffe/v2 v2.1.1
-	github.com/stretchr/testify v1.8.4
+	github.com/stealthrocket/wasi-go v0.8.0
+	github.com/stealthrocket/wazergo v0.19.1
+	github.com/stretchr/testify v1.9.0
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
-	github.com/tailscale/tscert v0.0.0-20220316030059-54bbcb9f74e2
-	github.com/testcontainers/testcontainers-go v0.27.0
-	github.com/tetratelabs/wazero v1.5.0
+	github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046
+	github.com/testcontainers/testcontainers-go v0.30.0
+	github.com/testcontainers/testcontainers-go/modules/k3s v0.30.0
+	github.com/tetratelabs/wazero v1.7.2
 	github.com/tidwall/gjson v1.17.0
 	github.com/traefik/grpc-web v0.16.0
 	github.com/traefik/paerser v0.2.0
@@ -66,59 +70,60 @@ require (
 	github.com/unrolled/secure v1.0.9
 	github.com/vulcand/oxy/v2 v2.0.0-20230427132221-be5cf38f3c1c
 	github.com/vulcand/predicate v1.2.0
-	go.opentelemetry.io/collector/pdata v1.2.0
-	go.opentelemetry.io/contrib/propagators/autoprop v0.49.0
-	go.opentelemetry.io/otel v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0
-	go.opentelemetry.io/otel/metric v1.24.0
-	go.opentelemetry.io/otel/sdk v1.24.0
-	go.opentelemetry.io/otel/sdk/metric v1.24.0
-	go.opentelemetry.io/otel/trace v1.24.0
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/mod v0.17.0
-	golang.org/x/net v0.24.0
-	golang.org/x/sys v0.19.0
-	golang.org/x/text v0.14.0
+	go.opentelemetry.io/collector/pdata v1.10.0
+	go.opentelemetry.io/contrib/propagators/autoprop v0.52.0
+	go.opentelemetry.io/otel v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/metric v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/sdk v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/sdk/metric v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	go.opentelemetry.io/otel/trace v1.27.1-0.20240624175855-921eb701b175 // For security reason we need to follow semconv v1.26.0 and we can't wait for opentelemetry-go-sdk v1.28.0.
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
+	golang.org/x/mod v0.18.0
+	golang.org/x/net v0.26.0
+	golang.org/x/sys v0.21.0
+	golang.org/x/text v0.16.0
 	golang.org/x/time v0.5.0
-	golang.org/x/tools v0.20.0
-	google.golang.org/grpc v1.61.1
+	golang.org/x/tools v0.22.0
+	google.golang.org/grpc v1.64.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.28.4
-	k8s.io/apiextensions-apiserver v0.28.3
-	k8s.io/apimachinery v0.28.4
-	k8s.io/client-go v0.28.4
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
+	k8s.io/api v0.30.0
+	k8s.io/apiextensions-apiserver v0.30.0
+	k8s.io/apimachinery v0.30.0
+	k8s.io/client-go v0.30.0
+	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22
 	mvdan.cc/xurls/v2 v2.5.0
-	sigs.k8s.io/controller-runtime v0.16.3
-	sigs.k8s.io/gateway-api v1.0.0
+	sigs.k8s.io/controller-runtime v0.18.0
+	sigs.k8s.io/gateway-api v1.1.0
+	sigs.k8s.io/yaml v1.4.0
 )

 require (
-	cloud.google.com/go/compute v1.23.3 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.1.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.12.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.9.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
 	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
@@ -127,31 +132,31 @@ require (
 	github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang v1.2.2 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.61.1755 // indirect
-	github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.62.712 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.34.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.37.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.18 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.38.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.40.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
+	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bytedance/sonic v1.10.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/civo/civogo v0.3.11 // indirect
-	github.com/cloudflare/cloudflare-go v0.86.0 // indirect
-	github.com/containerd/containerd v1.7.11 // indirect
+	github.com/cloudflare/cloudflare-go v0.97.0 // indirect
+	github.com/containerd/containerd v1.7.12 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
@@ -161,34 +166,37 @@ require (
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/dnsimple/dnsimple-go v1.2.0 // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/distribution/reference v0.5.0 // indirect
+	github.com/dnsimple/dnsimple-go v1.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
-	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exoscale/egoscale v0.102.3 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-playground/validator/v10 v10.15.1 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-resty/resty/v2 v2.11.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
-	github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
+	github.com/gofrs/flock v0.8.1 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -196,18 +204,19 @@ require (
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/google/uuid v1.4.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
-	github.com/gophercloud/gophercloud v1.0.0 // indirect
-	github.com/gophercloud/utils v0.0.0-20210216074907-f6de111f2eae // indirect
+	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
+	github.com/gophercloud/gophercloud v1.12.0 // indirect
+	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
@@ -236,7 +245,6 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -244,15 +252,17 @@ require (
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
 	github.com/nrdcg/auroradns v1.1.0 // indirect
-	github.com/nrdcg/bunny-go v0.0.0-20230728143221-c9dda82568d9 // indirect
-	github.com/nrdcg/desec v0.7.0 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
+	github.com/nrdcg/desec v0.8.0 // indirect
 	github.com/nrdcg/dnspod-go v0.4.0 // indirect
 	github.com/nrdcg/freemyip v0.2.0 // indirect
 	github.com/nrdcg/goinwx v0.10.0 // indirect
@@ -264,36 +274,39 @@ require (
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/onsi/ginkgo/v2 v2.17.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
-	github.com/opencontainers/runc v1.1.7 // indirect
-	github.com/oracle/oci-go-sdk v24.3.0+incompatible // indirect
-	github.com/ovh/go-ovh v1.4.3 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
+	github.com/oracle/oci-go-sdk/v65 v65.63.1 // indirect
+	github.com/ovh/go-ovh v1.5.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
-	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/pquerna/otp v1.4.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/redis/go-redis/v9 v9.2.1 // indirect
 	github.com/rs/cors v1.7.0 // indirect
-	github.com/sacloud/api-client-go v0.2.8 // indirect
-	github.com/sacloud/go-http v0.1.6 // indirect
-	github.com/sacloud/iaas-api-go v1.11.1 // indirect
-	github.com/sacloud/packages-go v0.0.9 // indirect
-	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.22 // indirect
-	github.com/shirou/gopsutil/v3 v3.23.11 // indirect
+	github.com/sacloud/api-client-go v0.2.10 // indirect
+	github.com/sacloud/go-http v0.1.8 // indirect
+	github.com/sacloud/iaas-api-go v1.12.0 // indirect
+	github.com/sacloud/packages-go v0.0.10 // indirect
+	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.27 // indirect
+	github.com/selectel/domains-go v1.1.0 // indirect
+	github.com/selectel/go-selvpcclient/v3 v3.1.1 // indirect
+	github.com/shirou/gopsutil/v3 v3.23.12 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
-	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9 // indirect
-	github.com/softlayer/softlayer-go v1.1.3 // indirect
+	github.com/softlayer/softlayer-go v1.1.5 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
+	github.com/sony/gobreaker v0.5.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.1 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.490 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.490 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.898 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.898 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
@@ -302,47 +315,46 @@ require (
 	github.com/ultradns/ultradns-go-sdk v1.6.1-20231103022937-8589b6a // indirect
 	github.com/vinyldns/go-vinyldns v0.9.16 // indirect
 	github.com/vultr/govultr/v2 v2.17.2 // indirect
-	github.com/yandex-cloud/go-genproto v0.0.0-20220805142335-27b56ddae16f // indirect
-	github.com/yandex-cloud/go-sdk v0.0.0-20220805164847-cf028e604997 // indirect
+	github.com/yandex-cloud/go-genproto v0.0.0-20240318083951-4fe6125f286e // indirect
+	github.com/yandex-cloud/go-sdk v0.0.0-20240318084659-dfa50323a0b4 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	github.com/zeebo/errs v1.2.2 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.9 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.9 // indirect
+	go.etcd.io/etcd/api/v3 v3.5.10 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.10 // indirect
+	go.etcd.io/etcd/client/v3 v3.5.10 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/propagators/aws v1.24.0 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.24.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.24.0 // indirect
-	go.opentelemetry.io/contrib/propagators/ot v1.24.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/contrib/propagators/aws v1.27.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.27.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.27.0 // indirect
+	go.opentelemetry.io/contrib/propagators/ot v1.27.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/ratelimit v0.2.0 // indirect
+	go.uber.org/ratelimit v0.3.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/term v0.19.0 // indirect
-	google.golang.org/api v0.149.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	google.golang.org/api v0.172.0 // indirect
+	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240624140628-dc46fd24d27d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240624140628-dc46fd24d27d // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/h2non/gock.v1 v1.0.16 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/ns1/ns1-go.v2 v2.7.13 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )

 // Containous forks
@@ -361,3 +373,5 @@ exclude github.com/tencentcloud/tencentcloud-sdk-go v3.0.83+incompatible

 // https://github.com/docker/compose/blob/v2.19.0/go.mod#L12
 replace github.com/cucumber/godog => github.com/cucumber/godog v0.13.0
+
+replace github.com/http-wasm/http-wasm-host-go => github.com/traefik/http-wasm-host-go v0.0.0-20240618100324-3c53dcaa1a70
--- a/go.sum
+++ b/go.sum
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	876899be4b	Prepare release v3.1.0 rc3	2024-07-02 17:18:03 +02:00
romain	89108972b6	Merge branch v3.0 into v3.1	2024-07-02 16:33:29 +02:00
Kevin Pollet	d42e75bb2e	Prepare release v3.0.4	2024-07-02 15:42:03 +02:00
kevinpollet	8d016f5e16	Merge branch v2.11 into v3.0	2024-07-02 14:43:56 +02:00
Kevin Pollet	927f0bc01a	Prepare release v2.11.6	2024-07-02 14:22:03 +02:00
Michael	900784a95a	Disable QUIC 0-RTT Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2024-07-02 10:48:04 +02:00
ciacon	98c624bf1a	Fix a typo in the ACME docker-compose docs	2024-07-01 17:12:04 +02:00
Michael	f3479f532b	Fix ECS config for OIDC + IRSA	2024-07-01 16:50:04 +02:00
Jeroen De Meerleer	8946dd1898	Remove interface names from IPv6	2024-07-01 16:26:04 +02:00
Kevin Pollet	2a0cfda90b	Do not disable Gateway API provider if not enabled in experimental	2024-07-01 14:10:03 +02:00
Stephan Hochdörfer	12fae2ebb8	Fix typo in keepAliveMaxTime docs	2024-07-01 14:08:04 +02:00
Kevin Pollet	9758b1ce36	Prepare release v3.1.0-rc2	2024-06-28 10:42:03 +02:00
Julien Salleyron	fe4cca6e9c	Fix build only linux and darwin support wazergo	2024-06-28 10:16:03 +02:00
Romain	b1b4e6b918	Prepare release v3.1.0-rc1	2024-06-27 16:28:03 +02:00
Michael	8cb1829698	Upgrade to OpenTelemetry Semantic Conventions v1.26.0	2024-06-27 14:14:03 +02:00
mmatur	2f9905061e	Merge current v3.0 into master	2024-06-27 10:17:11 +02:00
mmatur	0a7a6afd59	Merge current v2.11 into v3.0	2024-06-26 17:44:51 +02:00
Kevin Pollet	b577b3a6ba	Fix conformance tests report format	2024-06-26 16:30:05 +02:00
Michael	230019eccf	feat: add logs for plugins load Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2024-06-26 16:08:04 +02:00
Dylan Rodgers	2090baa938	Update Advanced Capabilities Callout	2024-06-26 09:30:04 +02:00
Julien Salleyron	b7de043991	Support systemd socket-activation Co-authored-by: Michael <michael.matur@gmail.com>	2024-06-25 16:30:04 +02:00
Nicolas Mengin	9e0800f938	Fix the Kubernetes GatewayAPI documentation	2024-06-25 14:20:04 +02:00
Julien Salleyron	e7d1a98c5e	Enhance wasm plugins Co-authored-by: Michael <[michael.matur@gmail.com](mailto:michael.matur@gmail.com)>	2024-06-25 09:58:04 +02:00
Romain	6f1bd54d86	Fix some documentation links Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-24 11:22:03 +02:00
Romain	983940ae60	KubernetesGateway provider out of experimental Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-24 10:36:03 +02:00
Kevin Pollet	6d8407893d	Bump Gateway API to v1.1.0 Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-06-22 05:46:03 +02:00
Jesper Noordsij	a8a92eb2a5	Migrate to EndpointSlices API	2024-06-21 14:56:03 +02:00
Emile Vauge	2798e18e18	Update maintainers	2024-06-21 11:10:04 +02:00
mmatur	61defcdd66	Merge current v3.0 into master	2024-06-21 09:15:28 +02:00
mmatur	ec638a741e	Merge current v2.11 into v3.0	2024-06-21 08:55:31 +02:00
Michael	097e71ad24	fix: readme badge	2024-06-21 08:54:03 +02:00
Emile Vauge	eabcb3e1c0	Update maintainers	2024-06-19 17:18:03 +02:00
Kevin Pollet	53a8bd76f2	Prepare release v3.0.3	2024-06-18 16:10:06 +02:00
kevinpollet	0e89c48e38	Merge branch v2.11 into v3.0	2024-06-18 14:05:42 +02:00
Romain	385ff5055c	Prepare release v2.11.5	2024-06-18 12:00:04 +02:00
Kevin Pollet	b4f99ae3ac	Support HTTPRoute method and query param matching	2024-06-18 09:48:04 +02:00
Manuel Zapf	a696f7c654	Add HTTPUrlRewrite Filter in Gateway API	2024-06-13 17:06:04 +02:00
Romain	3ca667a3d4	Support HTTPRoute redirect port and scheme Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-13 11:16:04 +02:00
mmatur	27af1fb478	Merge current v3.0 into master	2024-06-13 10:40:32 +02:00
mmatur	e322184a98	Merge current v2.11 into v3.0	2024-06-13 10:22:18 +02:00
Michael	69424a16a5	fix: etcd image no more compatible	2024-06-13 10:20:04 +02:00
Nicolas Mengin	f9f22b7b70	Update the supported versions table	2024-06-12 12:06:04 +02:00
Antoine Aflalo	b795f128d7	Add support for Zstandard to the Compression middleware	2024-06-12 11:38:04 +02:00
Ludovic Fernandez	6706bb1612	Update go-acme/lego to v4.17.4	2024-06-12 09:08:03 +02:00
mmatur	3f48e6f8ef	Merge current 'v3.0' into master	2024-06-11 09:50:40 +02:00
Kevin Pollet	8ea339816a	Prepare release v3.0.2	2024-06-10 16:34:04 +02:00
kevinpollet	00b1d8b0bc	Merge branch v2.11 into v3.0	2024-06-10 15:35:51 +02:00
Romain	21c6edcf58	Prepare release v2.11.4	2024-06-10 15:16:04 +02:00
Michel Loiseleur	5c48e3c96c	chore(ci): improve webui build and lint	2024-06-07 16:56:04 +02:00
Dmitry Romashov	c23c3e0ed3	Run UI tests on the CI	2024-06-07 11:06:05 +02:00
Roman Donchenko	b37aaea36d	Headers middleware: support Content-Security-Policy-Report-Only	2024-06-07 09:24:04 +02:00
Fernandez Ludovic	67f0700377	Merge branch v3.0 into master	2024-06-06 17:38:32 +02:00
Ludovic Fernandez	778dc22e14	Support Accept-Encoding header weights with Compress middleware	2024-06-06 16:42:04 +02:00
Henrik Norlin	cdf0c8b3ec	Add user guides link to getting started	2024-06-06 15:46:03 +02:00
Anas	359477c583	Update v2 > v3 migration guide	2024-06-06 15:22:04 +02:00
Romain	28d40e7f3c	Fix HTTPRoute Redirect Filter with port and scheme Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-06 10:56:03 +02:00
Jesper Noordsij	b368e71337	Bump Docker images use for documentation to Alpine 3.20	2024-06-05 16:58:05 +02:00
Pinghao Wu	dc752c7847	grafana: traefik-kubernetes: fix service name label_replace	2024-06-05 16:38:05 +02:00
Romain	6155c900be	Passing the correct status code when compression is disabled within the Brotli handler Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-05 15:04:04 +02:00
Fernandez Ludovic	6ca4c5da5c	Merge branch v2.11 into v3.0	2024-06-05 00:05:37 +02:00
Romain	7eac92f49c	Support Gateway API reference grant for HTTPRoute backends Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-06-04 14:16:04 +02:00
Ilia Lazebnik	e6b1b05fdf	bump otel dependencies	2024-06-04 10:04:04 +02:00
Kevin Pollet	b452f37e08	Fix default value of Healthcheck for ExternalName services	2024-06-04 09:32:04 +02:00
Yevhen Kolomeiko	8cff718c53	Update metrics in traefik-kubernetes.json grafana dashboard	2024-06-03 14:32:04 +02:00
Cornelius Roemer	bfda5e607f	Remove helm default repo warning as repo has been long deprecated	2024-05-30 17:46:04 +02:00
Marc Mognol	7fc56454ea	Add HealthCheck for KubernetesCRD ExternalName services	2024-05-30 17:18:05 +02:00
Kevin Pollet	c0a2e6b4b6	Compute HTTPRoute priorities Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-05-30 09:14:04 +02:00
Dusty Gutzmann	0f0cc420e1	docs(ratelimit requestheader): add note concerning behavior if header is missing Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-05-29 10:40:05 +02:00
Ludovic Fernandez	9250b5937d	Update go-acme/lego to v4.17.3	2024-05-29 09:16:07 +02:00
Kevin Pollet	e9bd2b45ac	Fix route attachments to gateways Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-05-28 14:30:04 +02:00
R. P. Taylor	4406c337d4	fix .com and .org domain in documentation	2024-05-27 15:12:03 +02:00
Ludovic Fernandez	ed10bc5833	chore: update linter	2024-05-27 09:46:08 +02:00
Landry Benguigui	e33bd6874f	Append to log file if it exists	2024-05-24 14:24:03 +02:00
Dimitris Mavrommatis	6e61fe0de1	Support RegularExpression for path matching	2024-05-23 20:08:03 +02:00
Jesper Noordsij	05828bab07	Bump Dockerfile Alpine to v3.20	2024-05-23 16:24:04 +02:00
Kevin Pollet	0e215f9b61	Support invalid HTTPRoute status Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-05-22 17:20:04 +02:00
kevinpollet	7fdb1ff8af	Merge branch v3.0 into master	2024-05-22 16:01:03 +02:00
Kevin Pollet	736f37cb58	Prepare release v3.0.1	2024-05-22 15:08:04 +02:00
kevinpollet	cff71ee496	Merge branch v2.11 into v3.0	2024-05-21 16:24:57 +02:00
Kevin Pollet	f02b223639	Prepare release v2.11.3	2024-05-21 16:16:05 +02:00
Dmitry Romashov	d4d23dce72	Fix UI unit tests	2024-05-21 15:26:04 +02:00
Romain	5e4dc783c7	Allow empty configuration for OpenTelemetry metrics and tracing	2024-05-21 10:42:04 +02:00
David	440cb11250	Add support for IP White list	2024-05-21 09:24:08 +02:00
Fontany--Legall Brandon	42920595ad	Display of Content Security Policy values getting out of screen	2024-05-17 16:18:04 +02:00
Nicolas Mengin	e68e647fd9	Fix OTel documentation	2024-05-16 09:52:06 +02:00
Michael	8b558646fc	fix: remove providers not more support in documentation	2024-05-15 16:26:04 +02:00
Michael	f8e45a0b29	fix: doc consistency forwardauth	2024-05-15 15:52:04 +02:00
HalloTschuess	d65de8fe6c	Fix rule syntax version for all internal routers	2024-05-15 10:46:04 +02:00
BreadInvasion	5f2c00b438	Fixed typo in PathRegexp explanation	2024-05-15 10:20:04 +02:00
Landry Benguigui	c2c1c3e09e	Fix the rule syntax mechanism for TCP	2024-05-14 09:42:04 +02:00
Michael	d8a778b5cd	Fix log.compress value	2024-05-13 15:44:03 +02:00
Michel Loiseleur	d8cf90dade	Improve mirroring example on Kubernetes	2024-05-13 15:42:04 +02:00
Marc Mognol	6a06560318	Change log level from Warning to Info when ExternalName services is enabled	2024-05-13 09:06:03 +02:00
Ludovic Fernandez	a4aad5ce5c	fix: router documentation example	2024-05-13 08:54:03 +02:00
Romain	15973f5503	Remove deadlines when handling PostgreSQL connections	2024-05-06 15:46:04 +02:00
Yewolf	a4150409c8	Add link to the new http3 config in migration	2024-05-06 14:50:04 +02:00
Romain	aee515b930	Regenerate v3.0.0 changelog	2024-05-02 18:42:03 +02:00
Kevin Pollet	05d2c86074	Set Gateway HTTPRoute status Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-05-01 06:38:03 +02:00
Kevin Pollet	b0d19bd466	Bump tscert dependency to 28a91b69a046 Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-04-30 02:20:04 +02:00
Romain	d99d2f95e6	Prepare release v3.0.0	2024-04-29 16:06:04 +02:00
Prajith	8d2a2ff08f	Native Kubernetes service load-balancing at the provider level	2024-04-29 12:20:04 +02:00
Jesper Noordsij	73e5dbbfe5	Update Kubernetes version for v3 Helm chart	2024-04-29 10:44:03 +02:00
Marvin Stenger	ee3e7cbbec	chore: patch migration/v2.md	2024-04-25 14:54:04 +02:00
Fernandez Ludovic	9d8fd24730	Merge branch v3.0 into master	2024-04-23 13:25:25 +02:00
Fernandez Ludovic	f5d451d816	Merge branch v2.11 into v3.0	2024-04-22 17:30:39 +02:00
Jesper Noordsij	f84e00e481	Consistent entryPoints capitalization in CLI flag usage	2024-04-22 17:24:04 +02:00
Jesper Noordsij	fe0af1ec4b	Use latest Ubuntu (LTS) image consistenly across GitHub workflow	2024-04-22 17:04:05 +02:00
Ludovic Fernandez	95312d5324	Adds the missing circuit-breaker response code for CRD	2024-04-19 11:26:05 +02:00
Sid Karunaratne	e3729ec600	Fix HTTPRoute path type	2024-04-19 11:06:04 +02:00
Sid Karunaratne	20d6c19c30	Fix HTTPRoute use of backendRefs	2024-04-19 10:44:04 +02:00
Kevin Pollet	7a7b03eb01	Fix unfinished migration sentence for v2.11.2	2024-04-18 16:24:04 +02:00
Dmitry Romashov	ea4f307fcd	Fix provider icon size	2024-04-18 16:04:04 +02:00
kevinpollet	a6b00608d2	Merge branch v2.11 into v3.0	2024-04-18 15:34:01 +02:00
hidewrong	7b649e2f0c	Fix some typos in comments	2024-04-18 15:14:04 +02:00
Romain	52e95deee3	In cluster Gateway API Conformance Tests Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-04-17 15:22:04 +02:00
Romain	70968bc6a9	Remove deadlines for non-TLS connections Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-04-15 17:02:06 +02:00
Fernandez Ludovic	1ffbffb26a	Merge branch v3.0 into master	2024-04-03 20:32:20 +02:00
Joris Vergeer	c1ef742977	Allow to use internal node IPs for NodePort services	2024-02-27 10:54:04 +01:00
kevinpollet	73769af0fe	Merge branch v3.0 into master	2024-02-27 09:30:21 +01:00
mmatur	063f8fae79	Merge current v3.0 into master	2024-02-08 17:03:01 +01:00
mmatur	4e831b920e	Merge v3.0' into master	2024-02-08 16:14:39 +01:00
mmatur	6c19a9cb8f	Merge current v3.0 into master	2024-01-19 14:34:31 +01:00
Jeremy Fleischman	0ee377bc9f	Instruct people to send enhancements to the v3 branch	2023-09-18 22:08:05 +02:00
mmatur	4f6c15cc14	Merge branch v3.0 into master	2023-07-24 14:00:27 +02:00
Fernandez Ludovic	7d66f439eb	chore: fix PyYAML version	2023-07-19 21:39:14 +02:00
Fernandez Ludovic	60bc47d00e	Merge branch v3.0 into master	2023-06-05 19:46:59 +02:00
Fernandez Ludovic	cf1cbb24df	Merge branch v3.0 into master	2023-05-17 11:45:55 +02:00
Fernandez Ludovic	619045eb4b	Merge branch v3.0 into master	2023-04-26 14:04:43 +02:00
Fernandez Ludovic	8174860770	Merge branch v3.0 into master	2023-03-22 16:54:12 +01:00