Prepare release v3.3.0-rc2

Fix fenced server status computation
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
2025-10-19 07:33:17 +03:00 · 2024-12-20 11:52:04 +01:00 · 2024-12-20 11:26:04 +01:00 · 2024-12-16 15:30:05 +01:00 · 2024-12-16 11:30:15 +01:00 · 2024-12-16 11:20:04 +01:00
167 changed files with 6489 additions and 1395 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
 # These are supported funding model platforms
 github: traefik
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ env:
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: munster
+  CODENAME: saintnectaire
 jobs:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,64 @@
 ## [v3.3.0-rc2](https://github.com/traefik/traefik/tree/v3.3.0-rc2) (2024-12-20)
 [All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.3.0-rc2)
 **Bug fixes:**
 - **[k8s/ingress,k8s/crd]** Fix fenced server status computation ([#11361](https://github.com/traefik/traefik/pull/11361) by [kevinpollet](https://github.com/kevinpollet))
 ## [v3.3.0-rc1](https://github.com/traefik/traefik/tree/v3.3.0-rc1) (2024-12-16)
 [All Commits](https://github.com/traefik/traefik/compare/v3.2.0-rc1...v3.3.0-rc1)
 **Enhancements:**
 - **[acme]** Add options to control ACME propagation checks ([#11241](https://github.com/traefik/traefik/pull/11241) by [ldez](https://github.com/ldez))
 - **[api]** Add support dump API endpoint ([#11328](https://github.com/traefik/traefik/pull/11328) by [mmatur](https://github.com/mmatur))
 - **[http]** Set Host header in HTTP provider request ([#11237](https://github.com/traefik/traefik/pull/11237) by [nikonhub](https://github.com/nikonhub))
 - **[k8s/crd,k8s]** Make the IngressRoute kind optional ([#11177](https://github.com/traefik/traefik/pull/11177) by [skirtan1](https://github.com/skirtan1))
 - **[logs,accesslogs]** OpenTelemetry Logs and Access Logs ([#11319](https://github.com/traefik/traefik/pull/11319) by [rtribotte](https://github.com/rtribotte))
 - **[logs,accesslogs]** Add experimental flag for OTLP logs integration ([#11335](https://github.com/traefik/traefik/pull/11335) by [kevinpollet](https://github.com/kevinpollet))
 - **[metrics,tracing,accesslogs]** Manage observability at entrypoint and router level ([#11308](https://github.com/traefik/traefik/pull/11308) by [rtribotte](https://github.com/rtribotte))
 - **[middleware,authentication]** Add an option to preserve the ForwardAuth Server Location header ([#11318](https://github.com/traefik/traefik/pull/11318) by [Nelwhix](https://github.com/Nelwhix))
 - **[middleware,authentication]** Only calculate basic auth hashes once for concurrent requests ([#11143](https://github.com/traefik/traefik/pull/11143) by [michelheusschen](https://github.com/michelheusschen))
 - **[middleware,authentication]** Send request body to authorization server for forward auth ([#11097](https://github.com/traefik/traefik/pull/11097) by [kyo-ke](https://github.com/kyo-ke))
 - **[plugins]** Add AbortOnPluginFailure option to abort startup on plugin load failure ([#11228](https://github.com/traefik/traefik/pull/11228) by [bmagic](https://github.com/bmagic))
 - **[sticky-session]** Configurable path for sticky cookies ([#11166](https://github.com/traefik/traefik/pull/11166) by [IIpragmaII](https://github.com/IIpragmaII))
 - **[sticky-session,k8s/ingress,k8s/crd,k8s]** Support serving endpoints ([#11121](https://github.com/traefik/traefik/pull/11121) by [BZValoche](https://github.com/BZValoche))
 - **[webui,api]** Configurable API &amp; Dashboard base path ([#11250](https://github.com/traefik/traefik/pull/11250) by [rtribotte](https://github.com/rtribotte))
 **Misc:**
 - Merge branch v3.2 into master ([#11340](https://github.com/traefik/traefik/pull/11340) by [kevinpollet](https://github.com/kevinpollet))
 - Merge branch v3.2 into master ([#11293](https://github.com/traefik/traefik/pull/11293) by [kevinpollet](https://github.com/kevinpollet))
 - Merge branch v3.2 into master ([#11239](https://github.com/traefik/traefik/pull/11239) by [kevinpollet](https://github.com/kevinpollet))
 - Merge branch v3.2 into master ([#11187](https://github.com/traefik/traefik/pull/11187) by [kevinpollet](https://github.com/kevinpollet))
 ## [v3.2.3](https://github.com/traefik/traefik/tree/v3.2.3) (2024-12-16)
 [All Commits](https://github.com/traefik/traefik/compare/v3.2.2...v3.2.3)
 **Documentation:**
 - Update reference install documentation with current chart default ([#11332](https://github.com/traefik/traefik/pull/11332) by [mloiseleur](https://github.com/mloiseleur))
 **Misc:**
 - Merge branch v2.11 into v3.2 ([#11346](https://github.com/traefik/traefik/pull/11346) by [kevinpollet](https://github.com/kevinpollet))
 - Merge branch v2.11 into v3.2 ([#11337](https://github.com/traefik/traefik/pull/11337) by [kevinpollet](https://github.com/kevinpollet))
 ## [v2.11.16](https://github.com/traefik/traefik/tree/v2.11.16) (2024-12-16)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.15...v2.11.16)
 **Bug fixes:**
 - **[server]** Update golang.org/x dependencies ([#11336](https://github.com/traefik/traefik/pull/11336) by [rtribotte](https://github.com/rtribotte))
 ## [v3.2.2](https://github.com/traefik/traefik/tree/v3.2.2) (2024-12-10)
 [All Commits](https://github.com/traefik/traefik/compare/v3.2.1...v3.2.2)
 **Bug fixes:**
 - **[docker,docker/swarm]** Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* ([#11247](https://github.com/traefik/traefik/pull/11247) by [anchal00](https://github.com/anchal00))
 - **[k8s/gatewayapi]** Update sigs.k8s.io/gateway-api to v1.2.1 ([#11314](https://github.com/traefik/traefik/pull/11314) by [kevinpollet](https://github.com/kevinpollet))
 - **[plugins]** Fix WASM settings ([#11321](https://github.com/traefik/traefik/pull/11321) by [juliens](https://github.com/juliens))
 - **[rules]** Fix models mechanism for default rule syntax ([#11300](https://github.com/traefik/traefik/pull/11300) by [rtribotte](https://github.com/rtribotte))
 **Documentation:**
 - Move callout to the entrypoint page footer ([#11305](https://github.com/traefik/traefik/pull/11305) by [kevinpollet](https://github.com/kevinpollet))
 - Fix incorrect links in v3 migration sections ([#11297](https://github.com/traefik/traefik/pull/11297) by [kevinpollet](https://github.com/kevinpollet))
 - New Install Reference Documentation ([#11213](https://github.com/traefik/traefik/pull/11213) by [sheddy-traefik](https://github.com/sheddy-traefik))
 ## [v2.11.15](https://github.com/traefik/traefik/tree/v2.11.15) (2024-12-06)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.14...v2.11.15)
--- a/2
+++ b/2
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM alpine:3.20
+FROM alpine:3.21
 RUN apk add --no-cache --no-progress ca-certificates tzdata
--- a/2
+++ b/2
@@ -101,7 +101,7 @@ test-integration: binary
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.2" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.3" $(TESTFLAGS)
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui
--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -1,6 +1,8 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"io"
 	stdlog "log"
 	"os"
@@ -20,12 +22,21 @@ func init() {
 	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
 }
-func setupLogger(staticConfiguration *static.Configuration) {
+func setupLogger(staticConfiguration *static.Configuration) error {
 	// Validate that the experimental flag is set up at this point,
 	// rather than validating the static configuration before the setupLogger call.
 	// This ensures that validation messages are not logged using an un-configured logger.
 	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil &&
 		(staticConfiguration.Experimental == nil || !staticConfiguration.Experimental.OTLPLogs) {
 		return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
 	}
 	// configure log format
 	w := getLogWriter(staticConfiguration)
 	// configure log level
 	logLevel := getLogLevel(staticConfiguration)
 	zerolog.SetGlobalLevel(logLevel)
 	// create logger
 	logCtx := zerolog.New(w).With().Timestamp()
@@ -34,8 +45,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	}
 	log.Logger = logCtx.Logger().Level(logLevel)
 	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
 		var err error
 		log.Logger, err = logs.SetupOTelLogger(log.Logger, staticConfiguration.Log.OTLP)
 		if err != nil {
 			return fmt.Errorf("setting up OpenTelemetry logger: %w", err)
 		}
 	}
 	zerolog.DefaultContextLogger = &log.Logger
 	zerolog.SetGlobalLevel(logLevel)
 	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
 	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
@@ -43,11 +62,16 @@ func setupLogger(staticConfiguration *static.Configuration) {
 	// configure default standard log.
 	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
 	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
 	return nil
 }
 func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
-	var w io.Writer = os.Stdout
+	if staticConfiguration.Log != nil && staticConfiguration.Log.OTLP != nil {
 		return io.Discard
 	}
 	var w io.Writer = os.Stdout
 	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
 		_, _ = os.OpenFile(staticConfiguration.Log.FilePath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o666)
 		w = &lumberjack.Logger{
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -90,7 +90,9 @@ Complete documentation is available at https://traefik.io`,
 }
 func runCmd(staticConfiguration *static.Configuration) error {
-	setupLogger(staticConfiguration)
+	if err := setupLogger(staticConfiguration); err != nil {
 		return fmt.Errorf("setting up logger: %w", err)
 	}
 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment
@@ -238,6 +240,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	}
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil && staticConfiguration.Experimental != nil && staticConfiguration.Experimental.AbortOnPluginFailure {
 		return nil, fmt.Errorf("plugin: failed to create plugin builder: %w", err)
 	}
 	if err != nil {
 		pluginLogger.Err(err).Msg("Plugins are disabled because an error has occurred.")
 	} else if hasPlugins {
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 RUN apk --no-cache --no-progress add \
    build-base \
@@ -14,7 +14,7 @@ RUN apk --no-cache --no-progress add \
    ruby-json \
    zlib-dev
-RUN gem install nokogiri --version 1.15.3 --no-document -- --use-system-libraries
+RUN gem install nokogiri --version 1.16.8 --no-document -- --use-system-libraries
 RUN gem install html-proofer --version 5.0.7 --no-document -- --use-system-libraries
 # After Ruby, some NodeJS YAY!
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.2 --help
+# ex: docker run traefik:v3.3 --help
 ```
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.yml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.2/traefik.sample.toml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.toml)
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.2
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.3
 ```
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.2`
+    ex: `traefik:v3.3`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -154,7 +154,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v3.2
+          image: traefik:v3.3
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -20,7 +20,7 @@ version: '3'
 services:
  reverse-proxy:
    # The official v3 Traefik docker image
-    image: traefik:v3.2
+    image: traefik:v3.3
    # Enables the web UI and tells Traefik to listen to docker
    command: --api.insecure=true --providers.docker
    ports:
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -496,7 +496,7 @@ certificatesResolvers:
 --certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
 ```
-#### `delayBeforeCheck`
+#### `propagation.delayBeforeChecks`
 By default, the `provider` verifies the TXT record _before_ letting ACME verify.
@@ -511,7 +511,9 @@ certificatesResolvers:
      # ...
      dnsChallenge:
        # ...
-        delayBeforeCheck: 2s
+        propagation:
          # ...
          delayBeforeChecks: 2s
 ```
 ```toml tab="File (TOML)"
@@ -519,19 +521,21 @@ certificatesResolvers:
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
-    delayBeforeCheck = "2s"
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
      # ...
      delayBeforeChecks = "2s"
 ```
 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.dnschallenge.delayBeforeCheck=2s
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
 ```
-#### `disablePropagationCheck`
+#### `propagation.disableChecks`
-**Not recommended**
+Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready. 
-Disable the TXT records propagation checks before notifying ACME that the DNS challenge is ready. 
+Please note that disabling checks can prevent the challenge to succeed.
 ```yaml tab="File (YAML)"
 certificatesResolvers:
@@ -540,7 +544,9 @@ certificatesResolvers:
      # ...
      dnsChallenge:
        # ...
-        disablePropagationCheck: true
+        propagation:
          # ...
          disableChecks: true
 ```
 ```toml tab="File (TOML)"
@@ -548,12 +554,90 @@ certificatesResolvers:
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
-    disablePropagationCheck = true
+    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
      # ...
      disableChecks = true
 ```
 ```bash tab="CLI"
 # ...
--certificatesresolvers.myresolver.acme.dnschallenge.disablePropagationCheck=true
+--certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
 ```
 #### `propagation.requireAllRNS`
 Requires the challenge TXT record to be propagated to all recursive nameservers.
 !!! note
    If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
    it is recommended to check all recursive nameservers instead.
 ```yaml tab="File (YAML)"
 certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        # ...
        propagation:
          # ...
          requireAllRNS: true
 ```
 ```toml tab="File (TOML)"
 [certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
      # ...
      requireAllRNS = true
 ```
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
 ```
 #### `propagation.disableANSChecks`
 Disables the challenge TXT record propagation checks against authoritative nameservers.
 This option will skip the propagation check against the nameservers of the authority (SOA).
 It should be used only if the nameservers of the authority are not reachable.
 !!! note
    If you have disabled authoritative nameservers checks,
    it is recommended to check all recursive nameservers instead.
 ```yaml tab="File (YAML)"
 certificatesResolvers:
  myresolver:
    acme:
      # ...
      dnsChallenge:
        # ...
        propagation:
          # ...
          disableANSChecks: true
 ```
 ```toml tab="File (TOML)"
 [certificatesResolvers.myresolver.acme]
  # ...
  [certificatesResolvers.myresolver.acme.dnsChallenge]
    # ...
    [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
      # ...
      disableANSChecks = true
 ```
 ```bash tab="CLI"
 # ...
 --certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
 ```
 #### Wildcard Domains
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -334,6 +334,98 @@ http:
    addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
 ```
 ### `forwardBody`
 _Optional, Default=false_
 Set the `forwardBody` option to `true` to send Body.
 !!! info
    As body is read inside Traefik before forwarding, this breaks streaming.
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  forwardAuth:
    address: https://example.com/auth
    forwardBody: true
 ```
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
 ```
 ```yaml tab="File (YAML)"
 http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "https://example.com/auth"
        forwardBody: true
 ```
 ```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://example.com/auth"
    forwardBody = true
 ```
 ### `maxBodySize`
 _Optional, Default=-1_
 Set the `maxBodySize` to limit the body size in bytes.
 If body is bigger than this, it returns a 401 (unauthorized).
 Default is `-1`, which means no limit.
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  forwardAuth:
    address: https://example.com/auth
    forwardBody: true
    maxBodySize: 1000
 ```
 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
 ```
 ```yaml tab="File (YAML)"
 http:
  middlewares:
    test-auth:
      forwardAuth:
        address: "https://example.com/auth"
        maxBodySize: 1000
 ```
 ```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.test-auth.forwardAuth]
    address = "https://example.com/auth"
    forwardBody = true
    maxBodySize = 1000
 ```
 ### `tls`
 _Optional_
@@ -613,4 +705,46 @@ http:
  headerField = "X-WebAuth-User"
 ```
 ### `preserveLocationHeader`
 _Optional, Default=false_
 `preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
 ```yaml tab="Docker & Swarm"
 labels:
  - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
 spec:
  forwardAuth:
    # ...
    preserveLocationHeader: true
 ```
 ```json tab="Consul Catalog"
 - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
 ```
 ```yaml tab="File (YAML)"
 http:
  middlewares:
    test-auth:
      forwardAuth:
        # ...
        preserveLocationHeader: true
 ```
 ```toml tab="File (TOML)"
 [http.middlewares.test-auth.forwardAuth]
  # ...
  preserveLocationHeader = true
 ```
 {!traefik-for-business-applications.md!}
--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@@ -86,7 +86,7 @@ This update adds only new optional fields.
 CRDs can be updated with this command:
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 ```
 ### Kubernetes Gateway Provider Standard Channel
@@ -120,7 +120,7 @@ the `grcroutes` and `grpcroutes/status` rights have to be added.
 !!! warning "Breaking changes"
    Because of a breaking change introduced in Kubernetes Gateway [v1.2.0-rc1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.2.0-rc1),
-    Traefik v3.2 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
+    Traefik v3.3 only supports Kubernetes Gateway v1.2.x when experimental channel features are enabled.
 Starting with v3.2, the Kubernetes Gateway Provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/).
@@ -167,3 +167,16 @@ Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#
 In `v3.2.2`, the `traefik.docker.network` and `traefik.docker.lbswarm` labels have been deprecated,
 please use the `traefik.swarm.network` and `traefik.swarm.lbswarm` labels instead.
 ## v3.2 to v3.3
 ### ACME DNS Certificate Resolver
 In `v3.3`, the `acme.dnsChallenge.delaybeforecheck` and `acme.dnsChallenge.disablepropagationcheck` options of the ACME certificate resolver are deprecated, 
 please use respectively `acme.dnsChallenge.propagation.delayBeforeCheck` and `acme.dnsChallenge.propagation.disableAllChecks` options instead.
 ### Tracing Global Attributes
 In `v3.3`, the `tracing.globalAttributes` option has been deprecated, please use the `tracing.resourceAttributes` option instead.
 The `tracing.globalAttributes` option is misleading as its name does not reflect the operation of adding resource attributes to be sent to the collector,
 and will be removed in the next major version.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -30,7 +30,7 @@ accessLog: {}
 _Optional, Default="false"_
-Enables accessLogs for internal resources (e.g.: `ping@internal`).
+Enables access logs for internal resources (e.g.: `ping@internal`).
 ```yaml tab="File (YAML)"
 accesslog:
@@ -294,7 +294,7 @@ version: "3.7"
 services:
  traefik:
-    image: traefik:v3.2
+    image: traefik:v3.3
    environment:
      - TZ=US/Alaska
    command:
@@ -306,4 +306,418 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
 ```
 ## OpenTelemetry
 !!! warning "Experimental Feature"
    The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
    ```yaml tab="File (YAML)"
    experimental:
      otlpLogs: true
    ```
    ```toml tab="File (TOML)"
    [experimental.otlpLogs]
    ```
    ```bash tab="CLI"
    --experimental.otlpLogs=true
    ```
 To enable the OpenTelemetry Logger for access logs:
 ```yaml tab="File (YAML)"
 accesslog:
  otlp: {}
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp]
 ```
 ```bash tab="CLI"
 --accesslog.otlp=true
 ```
 !!! info "Default protocol"
    The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
 ### HTTP configuration
 _Optional_
 This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http: {}
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http]
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http=true
 ```
 #### `endpoint`
 _Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
 URL of the OpenTelemetry Collector to send access logs to.
 !!! info "Insecure mode"
    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      endpoint: https://collector:4318/v1/logs
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http]
  endpoint = "https://collector:4318/v1/logs"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
 ```
 #### `headers`
 _Optional, Default={}_
 Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      headers:
        foo: bar
        baz: buz
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http.headers]
  foo = "bar"
  baz = "buz"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
 ```
 #### `tls`
 _Optional_
 Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
 ##### `ca`
 _Optional_
 `ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
 it defaults to the system bundle.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      tls:
        ca: path/to/ca.crt
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http.tls]
  ca = "path/to/ca.crt"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.tls.ca=path/to/ca.crt
 ```
 ##### `cert`
 _Optional_
 `cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `key` option is required.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.tls.cert=path/to/foo.cert
 --accesslog.otlp.http.tls.key=path/to/foo.key
 ```
 ##### `key`
 _Optional_
 `key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `cert` option is required.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.tls.cert=path/to/foo.cert
 --accesslog.otlp.http.tls.key=path/to/foo.key
 ```
 ##### `insecureSkipVerify`
 _Optional, Default=false_
 If `insecureSkipVerify` is `true`,
 the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    http:
      tls:
        insecureSkipVerify: true
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.http.tls]
  insecureSkipVerify = true
 ```
 ```bash tab="CLI"
 --accesslog.otlp.http.tls.insecureSkipVerify=true
 ```
 ### gRPC configuration
 _Optional_
 This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc: {}
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc]
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc=true
 ```
 #### `endpoint`
 _Required, Default="localhost:4317", Format="`<host>:<port>`"_
 Address of the OpenTelemetry Collector to send access logs to.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      endpoint: localhost:4317
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc]
  endpoint = "localhost:4317"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.endpoint=localhost:4317
 ```
 #### `insecure`
 _Optional, Default=false_
 Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      insecure: true
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc]
  insecure = true
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.insecure=true
 ```
 #### `headers`
 _Optional, Default={}_
 Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      headers:
        foo: bar
        baz: buz
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc.headers]
  foo = "bar"
  baz = "buz"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
 ```
 #### `tls`
 _Optional_
 Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
 ##### `ca`
 _Optional_
 `ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
 it defaults to the system bundle.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      tls:
        ca: path/to/ca.crt
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc.tls]
  ca = "path/to/ca.crt"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.tls.ca=path/to/ca.crt
 ```
 ##### `cert`
 _Optional_
 `cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `key` option is required.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.tls.cert=path/to/foo.cert
 --accesslog.otlp.grpc.tls.key=path/to/foo.key
 ```
 ##### `key`
 _Optional_
 `key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `cert` option is required.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.tls.cert=path/to/foo.cert
 --accesslog.otlp.grpc.tls.key=path/to/foo.key
 ```
 ##### `insecureSkipVerify`
 _Optional, Default=false_
 If `insecureSkipVerify` is `true`,
 the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
 ```yaml tab="File (YAML)"
 accesslog:
  otlp:
    grpc:
      tls:
        insecureSkipVerify: true
 ```
 ```toml tab="File (TOML)"
 [accesslog.otlp.grpc.tls]
  insecureSkipVerify = true
 ```
 ```bash tab="CLI"
 --accesslog.otlp.grpc.tls.insecureSkipVerify=true
 ```
 {!traefik-for-business-applications.md!}
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -181,4 +181,418 @@ log:
 --log.compress=true
 ```
 ## OpenTelemetry
 !!! warning "Experimental Feature"
    The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
    ```yaml tab="File (YAML)"
    experimental:
      otlpLogs: true
    ```
    ```toml tab="File (TOML)"
    [experimental.otlpLogs]
    ```
    ```bash tab="CLI"
    --experimental.otlpLogs=true
    ```
 To enable the OpenTelemetry Logger for logs:
 ```yaml tab="File (YAML)"
 log:
  otlp: {}
 ```
 ```toml tab="File (TOML)"
 [log.otlp]
 ```
 ```bash tab="CLI"
 --log.otlp=true
 ```
 !!! info "Default protocol"
    The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
 ### HTTP configuration
 _Optional_
 This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http: {}
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http]
 ```
 ```bash tab="CLI"
 --log.otlp.http=true
 ```
 #### `endpoint`
 _Optional, Default="`https://localhost:4318/v1/logs`", Format="`<scheme>://<host>:<port><path>`"_
 URL of the OpenTelemetry Collector to send logs to.
 !!! info "Insecure mode"
    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      endpoint: https://collector:4318/v1/logs
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http]
  endpoint = "https://collector:4318/v1/logs"
 ```
 ```bash tab="CLI"
 --log.otlp.http.endpoint=https://collector:4318/v1/logs
 ```
 #### `headers`
 _Optional, Default={}_
 Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      headers:
        foo: bar
        baz: buz
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http.headers]
  foo = "bar"
  baz = "buz"
 ```
 ```bash tab="CLI"
 --log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
 ```
 #### `tls`
 _Optional_
 Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
 ##### `ca`
 _Optional_
 `ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
 it defaults to the system bundle.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      tls:
        ca: path/to/ca.crt
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http.tls]
  ca = "path/to/ca.crt"
 ```
 ```bash tab="CLI"
 --log.otlp.http.tls.ca=path/to/ca.crt
 ```
 ##### `cert`
 _Optional_
 `cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `key` option is required.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --log.otlp.http.tls.cert=path/to/foo.cert
 --log.otlp.http.tls.key=path/to/foo.key
 ```
 ##### `key`
 _Optional_
 `key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `cert` option is required.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --log.otlp.http.tls.cert=path/to/foo.cert
 --log.otlp.http.tls.key=path/to/foo.key
 ```
 ##### `insecureSkipVerify`
 _Optional, Default=false_
 If `insecureSkipVerify` is `true`,
 the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    http:
      tls:
        insecureSkipVerify: true
 ```
 ```toml tab="File (TOML)"
 [log.otlp.http.tls]
  insecureSkipVerify = true
 ```
 ```bash tab="CLI"
 --log.otlp.http.tls.insecureSkipVerify=true
 ```
 ### gRPC configuration
 _Optional_
 This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc: {}
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc]
 ```
 ```bash tab="CLI"
 --log.otlp.grpc=true
 ```
 #### `endpoint`
 _Required, Default="localhost:4317", Format="`<host>:<port>`"_
 Address of the OpenTelemetry Collector to send logs to.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      endpoint: localhost:4317
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc]
  endpoint = "localhost:4317"
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.endpoint=localhost:4317
 ```
 #### `insecure`
 _Optional, Default=false_
 Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      insecure: true
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc]
  insecure = true
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.insecure=true
 ```
 #### `headers`
 _Optional, Default={}_
 Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      headers:
        foo: bar
        baz: buz
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc.headers]
  foo = "bar"
  baz = "buz"
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
 ```
 #### `tls`
 _Optional_
 Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
 ##### `ca`
 _Optional_
 `ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
 it defaults to the system bundle.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      tls:
        ca: path/to/ca.crt
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc.tls]
  ca = "path/to/ca.crt"
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.tls.ca=path/to/ca.crt
 ```
 ##### `cert`
 _Optional_
 `cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `key` option is required.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.tls.cert=path/to/foo.cert
 --log.otlp.grpc.tls.key=path/to/foo.key
 ```
 ##### `key`
 _Optional_
 `key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
 When using this option, setting the `cert` option is required.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      tls:
        cert: path/to/foo.cert
        key: path/to/foo.key
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc.tls]
  cert = "path/to/foo.cert"
  key = "path/to/foo.key"
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.tls.cert=path/to/foo.cert
 --log.otlp.grpc.tls.key=path/to/foo.key
 ```
 ##### `insecureSkipVerify`
 _Optional, Default=false_
 If `insecureSkipVerify` is `true`,
 the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
 ```yaml tab="File (YAML)"
 log:
  otlp:
    grpc:
      tls:
        insecureSkipVerify: true
 ```
 ```toml tab="File (TOML)"
 [log.otlp.grpc.tls]
  insecureSkipVerify = true
 ```
 ```bash tab="CLI"
 --log.otlp.grpc.tls.insecureSkipVerify=true
 ```
 {!traefik-for-business-applications.md!}
--- a/docs/content/observability/metrics/datadog.md
+++ b/docs/content/observability/metrics/datadog.md
@@ -68,6 +68,7 @@ metrics:
 ```bash tab="CLI"
 --metrics.datadog.addEntryPointsLabels=true
 ```
 #### `addRoutersLabels`
 _Optional, Default=false_
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -23,7 +23,7 @@ metrics:
 !!! info "Default protocol"
-    The OpenTelemetry exporter will export metrics to the collector using HTTP by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry exporter will export metrics to the collector using HTTPS by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
 #### `addEntryPointsLabels`
@@ -184,25 +184,29 @@ metrics:
 #### `endpoint`
-_Required, Default="http://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/metrics", Format="`<scheme>://<host>:<port><path>`"_
 URL of the OpenTelemetry Collector to send metrics to.
 !!! info "Insecure mode"
    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
 ```yaml tab="File (YAML)"
 metrics:
  otlp:
    http:
-      endpoint: http://localhost:4318/v1/metrics
+      endpoint: https://collector:4318/v1/metrics
 ```
 ```toml tab="File (TOML)"
 [metrics]
  [metrics.otlp.http]
-    endpoint = "http://localhost:4318/v1/metrics"
+    endpoint = "https://collector:4318/v1/metrics"
 ```
 ```bash tab="CLI"
--metrics.otlp.http.endpoint=http://localhost:4318/v1/metrics
+--metrics.otlp.http.endpoint=https://collector:4318/v1/metrics
 ```
 #### `headers`
--- a/docs/content/observability/overview.md
+++ b/docs/content/observability/overview.md
@@ -5,16 +5,80 @@ description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the
 # Overview
-Traefik's Observability system
+Traefik’s observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.
 {: .subtitle }
-## Logs
+## Configuration Example
 Enable access logs, metrics, and tracing globally
 ```yaml tab="File (YAML)"
 accessLog: {}
 metrics:
  otlp: {}
 tracing: {}
 ```
 ```yaml tab="File (TOML)"
 [accessLog]
 [metrics]
  [metrics.otlp]
 [tracing]
 ```
 ```bash tab="CLI"
 --accesslog=true
 --metrics.otlp=true
 --tracing=true
 ```
 You can disable access logs, metrics, and tracing for a specific entrypoint attached to a router:
 ```yaml tab="File (YAML)"
 # Static Configuration
 entryPoints:
  EntryPoint0:
    address: ':8000/udp'
    observability:
      accessLogs: false
      tracing: false
      metrics: false
 ```
 ```toml tab="File (TOML)"
 # Static Configuration
 [entryPoints.EntryPoint0]
  address = ":8000/udp"
    [entryPoints.EntryPoint0.observability]
      accessLogs = false
      tracing = false
      metrics = false
 ```
 ```bash tab="CLI"
 # Static Configuration
 --entryPoints.EntryPoint0.address=:8000/udp
 --entryPoints.EntryPoint0.observability.accessLogs=false
 --entryPoints.EntryPoint0.observability.metrics=false
 --entryPoints.EntryPoint0.observability.tracing=false
 ```
 !!!note "Default Behavior"
    A router with its own observability configuration will override the global default.
 ## Configuration Options
 ### Logs
 Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
 Read the [Logs documentation](./logs.md) to learn how to configure it.
-## Access Logs
+### Access Logs
 Access logs are a key part of observability in Traefik.
@@ -24,7 +88,7 @@ including the source IP address, requested URL, response status code, and more.
 Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
-## Metrics
+### Metrics
 Traefik offers a metrics feature that provides valuable insights about the performance and usage.
 These metrics include the number of requests received, the requests duration, and more.
@@ -33,7 +97,7 @@ On top of supporting metrics in the OpenTelemetry format, Traefik supports the f
 Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
-## Tracing
+### Tracing
 The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -25,7 +25,7 @@ tracing:
 !!! info "Default protocol"
-    The OpenTelemetry trace exporter will export traces to the collector using HTTP by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
+    The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
 !!! info "Trace sampling"
@@ -72,25 +72,29 @@ tracing:
 #### `endpoint`
-_Required, Default="http://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
+_Optional, Default="https://localhost:4318/v1/traces", Format="`<scheme>://<host>:<port><path>`"_
 URL of the OpenTelemetry Collector to send spans to.
 !!! info "Insecure mode"
    To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
 ```yaml tab="File (YAML)"
 tracing:
  otlp:
    http:
-      endpoint: http://localhost:4318/v1/traces
+      endpoint: https://collector:4318/v1/traces
 ```
 ```toml tab="File (TOML)"
 [tracing]
  [tracing.otlp.http]
-    endpoint = "http://localhost:4318/v1/traces"
+    endpoint = "https://collector:4318/v1/traces"
 ```
 ```bash tab="CLI"
--tracing.otlp.http.endpoint=http://localhost:4318/v1/traces
+--tracing.otlp.http.endpoint=https://collector:4318/v1/traces
 ```
 #### `headers`
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -92,29 +92,29 @@ tracing:
 --tracing.sampleRate=0.2
 ```
-#### `globalAttributes`
+#### `resourceAttributes`
 _Optional, Default=empty_
-Applies a list of shared key:value attributes on all spans.
+Defines additional resource attributes to be sent to the collector.
 ```yaml tab="File (YAML)"
 tracing:
-  globalAttributes:
+  resourceAttributes:
    attr1: foo
    attr2: bar
 ```
 ```toml tab="File (TOML)"
 [tracing]
-  [tracing.globalAttributes]
+  [tracing.resourceAttributes]
    attr1 = "foo"
    attr2 = "bar"
 ```
 ```bash tab="CLI"
--tracing.globalAttributes.attr1=foo
+--tracing.resourceAttributes.attr1=foo
--tracing.globalAttributes.attr2=bar
+--tracing.resourceAttributes.attr2=bar
 ```
 #### `capturedRequestHeaders`
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@@ -145,34 +145,35 @@ All the following endpoints must be accessed with a `GET` HTTP request.
    curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
    ```
-| Path                           | Description                                                                                 |
+| Path                           | Description                                                                                         |
-|--------------------------------|---------------------------------------------------------------------------------------------|
+|--------------------------------|-----------------------------------------------------------------------------------------------------|
-| `/api/http/routers`            | Lists all the HTTP routers information.                                                     |
+| `/api/http/routers`            | Lists all the HTTP routers information.                                                             |
-| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                             |
+| `/api/http/routers/{name}`     | Returns the information of the HTTP router specified by `name`.                                     |
-| `/api/http/services`           | Lists all the HTTP services information.                                                    |
+| `/api/http/services`           | Lists all the HTTP services information.                                                            |
-| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                            |
+| `/api/http/services/{name}`    | Returns the information of the HTTP service specified by `name`.                                    |
-| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                 |
+| `/api/http/middlewares`        | Lists all the HTTP middlewares information.                                                         |
-| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                         |
+| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`.                                 |
-| `/api/tcp/routers`             | Lists all the TCP routers information.                                                      |
+| `/api/tcp/routers`             | Lists all the TCP routers information.                                                              |
-| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                              |
+| `/api/tcp/routers/{name}`      | Returns the information of the TCP router specified by `name`.                                      |
-| `/api/tcp/services`            | Lists all the TCP services information.                                                     |
+| `/api/tcp/services`            | Lists all the TCP services information.                                                             |
-| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                             |
+| `/api/tcp/services/{name}`     | Returns the information of the TCP service specified by `name`.                                     |
-| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                  |
+| `/api/tcp/middlewares`         | Lists all the TCP middlewares information.                                                          |
-| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                          |
+| `/api/tcp/middlewares/{name}`  | Returns the information of the TCP middleware specified by `name`.                                  |
-| `/api/udp/routers`             | Lists all the UDP routers information.                                                      |
+| `/api/udp/routers`             | Lists all the UDP routers information.                                                              |
-| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                              |
+| `/api/udp/routers/{name}`      | Returns the information of the UDP router specified by `name`.                                      |
-| `/api/udp/services`            | Lists all the UDP services information.                                                     |
+| `/api/udp/services`            | Lists all the UDP services information.                                                             |
-| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                             |
+| `/api/udp/services/{name}`     | Returns the information of the UDP service specified by `name`.                                     |
-| `/api/entrypoints`             | Lists all the entry points information.                                                     |
+| `/api/entrypoints`             | Lists all the entry points information.                                                             |
-| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                             |
+| `/api/entrypoints/{name}`      | Returns the information of the entry point specified by `name`.                                     |
-| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers. |
+| `/api/overview`                | Returns statistic information about http and tcp as well as enabled features and providers.         |
-| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.  |
+| `/api/support-dump`            | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
-| `/api/version`                 | Returns information about Traefik version.                                                  |
+| `/api/rawdata`                 | Returns information about dynamic configurations, errors, status and dependency relations.          |
-| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                          |
+| `/api/version`                 | Returns information about Traefik version.                                                          |
-| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.       |
+| `/debug/vars`                  | See the [expvar](https://golang.org/pkg/expvar/) Go documentation.                                  |
-| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.   |
+| `/debug/pprof/`                | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation.               |
-| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.   |
+| `/debug/pprof/cmdline`         | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation.           |
-| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.     |
+| `/debug/pprof/profile`         | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation.           |
-| `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.       |
+| `/debug/pprof/symbol`          | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation.             |
 | `/debug/pprof/trace`           | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation.               |
 {!traefik-for-business-applications.md!}
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -87,8 +87,44 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb
 ??? example "Dashboard Dynamic Configuration Examples"
    --8<-- "content/operations/include-dashboard-examples.md"
 ### Custom API Base Path
 As shown above, by default Traefik exposes its API and Dashboard under the `/` base path,
 which means that respectively the API is served under the `/api` path,
 and the dashboard under the `/dashboard` path.
 However, it is possible to configure this base path:
 ```yaml tab="File (YAML)"
 api:
  # Customizes the base path:
  # - Serving API under `/traefik/api`
  # - Serving Dashboard under `/traefik/dashboard`
  basePath: /traefik
 ```
 ```toml tab="File (TOML)"
 [api]
  # Customizes the base path:
  # - Serving API under `/traefik/api`
  # - Serving Dashboard under `/traefik/dashboard`
  basePath = "/traefik"
 ```
 ```bash tab="CLI"
 # Customizes the base path:
 # - Serving API under `/traefik/api`
 # - Serving Dashboard under `/traefik/dashboard`
 --api.basePath=/traefik
 ```
 ??? example "Dashboard Under Custom Path Dynamic Configuration Examples"
    --8<-- "content/operations/include-dashboard-custom-path-examples.md"
 ## Insecure Mode
 !!! warning "Please note that this mode is incompatible with the [custom API base path option](#custom-api-base-path)."
 When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
 at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
--- a/docs/content/operations/include-dashboard-custom-path-examples.md
+++ b/docs/content/operations/include-dashboard-custom-path-examples.md
@@ -0,0 +1,83 @@
 ```yaml tab="Docker & Swarm"
 # Dynamic Configuration
 labels:
  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
  - "traefik.http.routers.dashboard.service=api@internal"
  - "traefik.http.routers.dashboard.middlewares=auth"
  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 ```yaml tab="Docker (Swarm)"
 # Dynamic Configuration
 deploy:
  labels:
    - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
    - "traefik.http.routers.dashboard.service=api@internal"
    - "traefik.http.routers.dashboard.middlewares=auth"
    - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
    # Dummy service for Swarm port detection. The port can be any valid integer value.
    - "traefik.http.services.dummy-svc.loadbalancer.server.port=9999"
 ```
 ```yaml tab="Kubernetes CRD"
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: traefik-dashboard
 spec:
  routes:
  - match: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
    middlewares:
      - name: auth
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth
 spec:
  basicAuth:
    secret: secretName # Kubernetes secret named "secretName"
 ```
 ```yaml tab="Consul Catalog"
 # Dynamic Configuration
 - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
 - "traefik.http.routers.dashboard.service=api@internal"
 - "traefik.http.routers.dashboard.middlewares=auth"
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:
  routers:
    dashboard:
      rule: Host(`traefik.example.com`) && PathPrefix(`/traefik`)
      service: api@internal
      middlewares:
        - auth
  middlewares:
    auth:
      basicAuth:
        users:
          - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
          - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```
 ```toml tab="File (TOML)"
 # Dynamic Configuration
 [http.routers.my-api]
  rule = "Host(`traefik.example.com`) && PathPrefix(`/traefik`)"
  service = "api@internal"
  middlewares = ["auth"]
 [http.middlewares.auth.basicAuth]
  users = [
    "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
  ]
 ```
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -166,7 +166,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
    services:
      traefik:
-         image: traefik:v3.2 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```
 ## Resource Configuration
--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@@ -34,7 +34,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
    ```bash
    # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```
 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -526,6 +526,6 @@ providers:
 ### Further
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.2/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@@ -212,7 +212,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
    services:
      traefik:
-         image: traefik:v3.2 # The official v3 Traefik docker image
+         image: traefik:v3.3 # The official v3 Traefik docker image
         ports:
           - "80:80"
         volumes:
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@@ -38,7 +38,10 @@
 - "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.forwardbody=true"
 - "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
 - "traefik.http.middlewares.middleware10.forwardauth.preservelocationheader=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -147,6 +150,9 @@
 - "traefik.http.middlewares.middleware25.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.routers.router0.entrypoints=foobar, foobar"
 - "traefik.http.routers.router0.middlewares=foobar, foobar"
 - "traefik.http.routers.router0.observability.accesslogs=true"
 - "traefik.http.routers.router0.observability.metrics=true"
 - "traefik.http.routers.router0.observability.tracing=true"
 - "traefik.http.routers.router0.priority=42"
 - "traefik.http.routers.router0.rule=foobar"
 - "traefik.http.routers.router0.rulesyntax=foobar"
@@ -160,6 +166,9 @@
 - "traefik.http.routers.router0.tls.options=foobar"
 - "traefik.http.routers.router1.entrypoints=foobar, foobar"
 - "traefik.http.routers.router1.middlewares=foobar, foobar"
 - "traefik.http.routers.router1.observability.accesslogs=true"
 - "traefik.http.routers.router1.observability.metrics=true"
 - "traefik.http.routers.router1.observability.tracing=true"
 - "traefik.http.routers.router1.priority=42"
 - "traefik.http.routers.router1.rule=foobar"
 - "traefik.http.routers.router1.rulesyntax=foobar"
@@ -191,6 +200,7 @@
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
 - "traefik.http.services.service02.loadbalancer.server.port=foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@@ -20,6 +20,10 @@
        [[http.routers.Router0.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
      [http.routers.Router0.observability]
        accessLogs = true
        tracing = true
        metrics = true
    [http.routers.Router1]
      entryPoints = ["foobar", "foobar"]
      middlewares = ["foobar", "foobar"]
@@ -38,6 +42,10 @@
        [[http.routers.Router1.tls.domains]]
          main = "foobar"
          sans = ["foobar", "foobar"]
      [http.routers.Router1.observability]
        accessLogs = true
        tracing = true
        metrics = true
  [http.services]
    [http.services.Service01]
      [http.services.Service01.failover]
@@ -55,6 +63,7 @@
            httpOnly = true
            sameSite = "foobar"
            maxAge = 42
            path = "foobar"
        [[http.services.Service02.loadBalancer.servers]]
          url = "foobar"
@@ -112,6 +121,7 @@
            httpOnly = true
            sameSite = "foobar"
            maxAge = 42
            path = "foobar"
        [http.services.Service04.weighted.healthCheck]
  [http.middlewares]
    [http.middlewares.Middleware01]
@@ -172,6 +182,9 @@
        authRequestHeaders = ["foobar", "foobar"]
        addAuthCookiesToResponse = ["foobar", "foobar"]
        headerField = "foobar"
        forwardBody = true
        maxBodySize = 42
        preserveLocationHeader = true
        [http.middlewares.Middleware10.forwardAuth.tls]
          ca = "foobar"
          cert = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@@ -25,6 +25,10 @@ http:
            sans:
              - foobar
              - foobar
      observability:
        accessLogs: true
        tracing: true
        metrics: true
    Router1:
      entryPoints:
        - foobar
@@ -48,6 +52,10 @@ http:
            sans:
              - foobar
              - foobar
      observability:
        accessLogs: true
        tracing: true
        metrics: true
  services:
    Service01:
      failover:
@@ -63,6 +71,7 @@ http:
            httpOnly: true
            sameSite: foobar
            maxAge: 42
            path: foobar
        servers:
          - url: foobar
            weight: 42
@@ -113,6 +122,7 @@ http:
            httpOnly: true
            sameSite: foobar
            maxAge: 42
            path: foobar
        healthCheck: {}
  middlewares:
    Middleware01:
@@ -199,6 +209,9 @@ http:
          - foobar
          - foobar
        headerField: foobar
        forwardBody: true
        maxBodySize: 42
        preserveLocationHeader: true
    Middleware11:
      grpcWeb:
        allowOrigins:
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -57,18 +57,19 @@ spec:
                      description: |-
                        Kind defines the kind of the route.
                        Rule is the only supported kind.
                        If not defined, defaults to Rule.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -85,10 +86,22 @@ spec:
                        - name
                        type: object
                      type: array
                    observability:
                      description: |-
                        Observability defines the observability configuration for a router.
                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
                      properties:
                        accessLogs:
                          type: boolean
                        metrics:
                          type: boolean
                        tracing:
                          type: boolean
                      type: object
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -229,7 +242,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                    type: boolean
                                  maxAge:
                                    description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                      When set to a negative number, the cookie expires immediately.
                                      When set to zero, the cookie never expires.
                                    type: integer
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  path:
                                    description: |-
                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                      When not provided the cookie will be sent on every request to the domain.
                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                    type: string
                                  sameSite:
                                    description: |-
                                      SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -317,17 +335,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -344,12 +362,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
@@ -409,7 +427,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -422,7 +440,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -446,7 +464,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -487,7 +505,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -525,7 +543,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -534,18 +552,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -564,7 +582,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -656,7 +674,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -743,7 +761,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -769,7 +787,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -781,12 +799,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -807,7 +825,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -839,14 +857,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -905,7 +923,7 @@ spec:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
@@ -954,12 +972,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -979,7 +997,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -989,7 +1007,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -1122,7 +1140,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -1133,13 +1151,19 @@ spec:
                                type: boolean
                              maxAge:
                                description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                  When set to a negative number, the cookie expires immediately.
                                  When set to zero, the cookie never expires.
                                type: integer
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              path:
                                description: |-
                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                  When not provided the cookie will be sent on every request to the domain.
                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                type: string
                              sameSite:
                                description: |-
                                  SameSite defines the same site policy.
@@ -1180,7 +1204,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -1208,8 +1232,22 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  forwardBody:
                    description: ForwardBody defines whether to send the request body
                      to the authentication server.
                    type: boolean
                  maxBodySize:
                    description: MaxBodySize defines the maximum body size in bytes
                      allowed to be forwarded to the authentication server.
                    format: int64
                    type: integer
                  preserveLocationHeader:
                    description: PreserveLocationHeader defines whether to forward
                      the Location header to the client as is or prefix it with the
                      domain name of the authentication server.
                    type: boolean
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
@@ -1255,7 +1293,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1426,7 +1464,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -1439,12 +1477,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1479,12 +1517,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1521,7 +1559,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1551,7 +1589,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1660,7 +1698,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1693,7 +1731,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1728,7 +1766,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1747,7 +1785,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1764,7 +1802,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1775,7 +1813,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1791,7 +1829,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1813,7 +1851,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1832,7 +1870,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1869,7 +1907,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -1905,7 +1943,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1919,7 +1957,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1958,7 +1996,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
@@ -2097,7 +2135,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
@@ -2215,7 +2253,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -2240,14 +2278,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -2275,7 +2313,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                items:
                  type: string
                type: array
@@ -2331,7 +2369,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -2429,7 +2467,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -2675,7 +2713,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2686,13 +2724,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -2782,7 +2826,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2793,13 +2837,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
@@ -2965,7 +3015,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2976,13 +3026,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -3012,7 +3068,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -3023,13 +3079,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -25,7 +25,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v3.2
+          image: traefik:v3.3
          args:
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@@ -48,7 +48,10 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
@@ -173,6 +176,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/0` | `foobar` |
 | `traefik/http/routers/Router0/middlewares/1` | `foobar` |
 | `traefik/http/routers/Router0/observability/accessLogs` | `true` |
 | `traefik/http/routers/Router0/observability/metrics` | `true` |
 | `traefik/http/routers/Router0/observability/tracing` | `true` |
 | `traefik/http/routers/Router0/priority` | `42` |
 | `traefik/http/routers/Router0/rule` | `foobar` |
 | `traefik/http/routers/Router0/ruleSyntax` | `foobar` |
@@ -189,6 +195,9 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
 | `traefik/http/routers/Router1/middlewares/0` | `foobar` |
 | `traefik/http/routers/Router1/middlewares/1` | `foobar` |
 | `traefik/http/routers/Router1/observability/accessLogs` | `true` |
 | `traefik/http/routers/Router1/observability/metrics` | `true` |
 | `traefik/http/routers/Router1/observability/tracing` | `true` |
 | `traefik/http/routers/Router1/priority` | `42` |
 | `traefik/http/routers/Router1/rule` | `foobar` |
 | `traefik/http/routers/Router1/ruleSyntax` | `foobar` |
@@ -266,6 +275,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/name` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/path` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
 | `traefik/http/services/Service03/mirroring/healthCheck` | `` |
@@ -284,6 +294,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service04/weighted/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/name` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/path` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/secure` | `true` |
 | `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -57,18 +57,19 @@ spec:
                      description: |-
                        Kind defines the kind of the route.
                        Rule is the only supported kind.
                        If not defined, defaults to Rule.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -85,10 +86,22 @@ spec:
                        - name
                        type: object
                      type: array
                    observability:
                      description: |-
                        Observability defines the observability configuration for a router.
                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
                      properties:
                        accessLogs:
                          type: boolean
                        metrics:
                          type: boolean
                        tracing:
                          type: boolean
                      type: object
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -229,7 +242,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                    type: boolean
                                  maxAge:
                                    description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                      When set to a negative number, the cookie expires immediately.
                                      When set to zero, the cookie never expires.
                                    type: integer
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  path:
                                    description: |-
                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                      When not provided the cookie will be sent on every request to the domain.
                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                    type: string
                                  sameSite:
                                    description: |-
                                      SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -317,17 +335,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -344,12 +362,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -56,7 +56,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -121,7 +121,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -159,7 +159,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -168,18 +168,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -198,7 +198,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
--- a/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -45,7 +45,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -57,12 +57,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -83,7 +83,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -115,14 +115,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -181,7 +181,7 @@ spec:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
@@ -230,12 +230,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -255,7 +255,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -265,7 +265,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -398,7 +398,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -409,13 +409,19 @@ spec:
                                type: boolean
                              maxAge:
                                description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                  When set to a negative number, the cookie expires immediately.
                                  When set to zero, the cookie never expires.
                                type: integer
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              path:
                                description: |-
                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                  When not provided the cookie will be sent on every request to the domain.
                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                type: string
                              sameSite:
                                description: |-
                                  SameSite defines the same site policy.
@@ -456,7 +462,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -484,8 +490,22 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  forwardBody:
                    description: ForwardBody defines whether to send the request body
                      to the authentication server.
                    type: boolean
                  maxBodySize:
                    description: MaxBodySize defines the maximum body size in bytes
                      allowed to be forwarded to the authentication server.
                    format: int64
                    type: integer
                  preserveLocationHeader:
                    description: PreserveLocationHeader defines whether to forward
                      the Location header to the client as is or prefix it with the
                      domain name of the authentication server.
                    type: boolean
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
@@ -531,7 +551,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -702,7 +722,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -715,12 +735,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -755,12 +775,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -797,7 +817,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -827,7 +847,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -936,7 +956,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -969,7 +989,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1004,7 +1024,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1023,7 +1043,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1040,7 +1060,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1051,7 +1071,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1067,7 +1087,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1089,7 +1109,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1108,7 +1128,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
--- a/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -55,7 +55,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
@@ -21,7 +21,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
@@ -21,7 +21,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -44,14 +44,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -79,7 +79,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                items:
                  type: string
                type: array
--- a/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml
@@ -21,7 +21,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
--- a/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml
@@ -22,7 +22,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -268,7 +268,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -279,13 +279,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -375,7 +381,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -386,13 +392,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
@@ -558,7 +570,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -569,13 +581,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -605,7 +623,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -616,13 +634,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
--- a/docs/content/reference/install-configuration/entrypoints.md
+++ b/docs/content/reference/install-configuration/entrypoints.md
@@ -47,7 +47,7 @@ additionalArguments:
 !!! tip 
-      In the Helm Chart, the entryPoints `web` (port 80), `websecure` (port 443), `traefik` (port 9000) and `metrics` (port 9100) are created by default.
+      In the Helm Chart, the entryPoints `web` (port 80), `websecure` (port 443), `traefik` (port 8080) and `metrics` (port 9100) are created by default.
      The entryPoints `web`, `websecure` are exposed by default using a Service.
      The default behaviors can be overridden in the Helm Chart.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -39,9 +39,66 @@ Keep access logs with status codes in the specified range.
 `--accesslog.format`:  
 Access log format: json | common (Default: ```common```)
 `--accesslog.otlp`:  
 Settings for OpenTelemetry. (Default: ```false```)
 `--accesslog.otlp.grpc`:  
 gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
 `--accesslog.otlp.grpc.endpoint`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 `--accesslog.otlp.grpc.headers.<name>`:  
 Headers sent with payload.
 `--accesslog.otlp.grpc.insecure`:  
 Disables client transport security for the exporter. (Default: ```false```)
 `--accesslog.otlp.grpc.tls.ca`:  
 TLS CA
 `--accesslog.otlp.grpc.tls.cert`:  
 TLS cert
 `--accesslog.otlp.grpc.tls.insecureskipverify`:  
 TLS insecure skip verify (Default: ```false```)
 `--accesslog.otlp.grpc.tls.key`:  
 TLS key
 `--accesslog.otlp.http`:  
 HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
 `--accesslog.otlp.http.endpoint`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
 `--accesslog.otlp.http.headers.<name>`:  
 Headers sent with payload.
 `--accesslog.otlp.http.tls.ca`:  
 TLS CA
 `--accesslog.otlp.http.tls.cert`:  
 TLS cert
 `--accesslog.otlp.http.tls.insecureskipverify`:  
 TLS insecure skip verify (Default: ```false```)
 `--accesslog.otlp.http.tls.key`:  
 TLS key
 `--accesslog.otlp.resourceattributes.<name>`:  
 Defines additional resource attributes (key:value).
 `--accesslog.otlp.servicename`:  
 Set the name for this service. (Default: ```traefik```)
 `--api`:  
 Enable api/dashboard. (Default: ```false```)
 `--api.basepath`:  
 Defines the base path where the API and Dashboard will be exposed. (Default: ```/```)
 `--api.dashboard`:  
 Activate dashboard. (Default: ```true```)
@@ -76,10 +133,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.delaybeforecheck`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
 `--certificatesresolvers.<name>.acme.dnschallenge.disablepropagationcheck`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.propagation`:  
 DNS propagation checks configuration (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.propagation.delaybeforechecks`:  
 Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
 `--certificatesresolvers.<name>.acme.dnschallenge.propagation.disableanschecks`:  
 Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.propagation.disablechecks`:  
 Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.propagation.requireallrns`:  
 Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
 `--certificatesresolvers.<name>.acme.dnschallenge.provider`:  
 Use a DNS-01 based challenge provider rather than HTTPS.
@@ -192,6 +264,15 @@ HTTP/3 configuration. (Default: ```false```)
 `--entrypoints.<name>.http3.advertisedport`:  
 UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
 `--entrypoints.<name>.observability.accesslogs`:  
 (Default: ```true```)
 `--entrypoints.<name>.observability.metrics`:  
 (Default: ```true```)
 `--entrypoints.<name>.observability.tracing`:  
 (Default: ```true```)
 `--entrypoints.<name>.proxyprotocol`:  
 Proxy-Protocol configuration. (Default: ```false```)
@@ -228,8 +309,11 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `--entrypoints.<name>.udp.timeout`:  
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)
 `--experimental.abortonpluginfailure`:  
 Defines whether all plugins must be loaded successfully for Traefik to start. (Default: ```false```)
 `--experimental.fastproxy`:  
-Enable the FastProxy implementation. (Default: ```false```)
+Enables the FastProxy implementation. (Default: ```false```)
 `--experimental.fastproxy.debug`:  
 Enable debug mode for the FastProxy implementation. (Default: ```false```)
@@ -252,6 +336,9 @@ Environment variables to forward to the wasm guest.
 `--experimental.localplugins.<name>.settings.mounts`:  
 Directory to mount to the wasm guest.
 `--experimental.otlplogs`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 `--experimental.plugins.<name>.modulename`:  
 plugin's module name.
@@ -312,6 +399,60 @@ Maximum size in megabytes of the log file before it gets rotated. (Default: ```0
 `--log.nocolor`:  
 When using the 'common' format, disables the colorized output. (Default: ```false```)
 `--log.otlp`:  
 Settings for OpenTelemetry. (Default: ```false```)
 `--log.otlp.grpc`:  
 gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
 `--log.otlp.grpc.endpoint`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 `--log.otlp.grpc.headers.<name>`:  
 Headers sent with payload.
 `--log.otlp.grpc.insecure`:  
 Disables client transport security for the exporter. (Default: ```false```)
 `--log.otlp.grpc.tls.ca`:  
 TLS CA
 `--log.otlp.grpc.tls.cert`:  
 TLS cert
 `--log.otlp.grpc.tls.insecureskipverify`:  
 TLS insecure skip verify (Default: ```false```)
 `--log.otlp.grpc.tls.key`:  
 TLS key
 `--log.otlp.http`:  
 HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
 `--log.otlp.http.endpoint`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
 `--log.otlp.http.headers.<name>`:  
 Headers sent with payload.
 `--log.otlp.http.tls.ca`:  
 TLS CA
 `--log.otlp.http.tls.cert`:  
 TLS cert
 `--log.otlp.http.tls.insecureskipverify`:  
 TLS insecure skip verify (Default: ```false```)
 `--log.otlp.http.tls.key`:  
 TLS key
 `--log.otlp.resourceattributes.<name>`:  
 Defines additional resource attributes (key:value).
 `--log.otlp.servicename`:  
 Set the name for this service. (Default: ```traefik```)
 `--metrics.addinternals`:  
 Enables metrics for internal services (ping, dashboard, etc...). (Default: ```false```)
@@ -1117,7 +1258,7 @@ Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
 Defines the allowed SPIFFE trust domain.
 `--tracing`:  
-OpenTracing configuration. (Default: ```false```)
+Tracing configuration. (Default: ```false```)
 `--tracing.addinternals`:  
 Enables tracing for internal services (ping, dashboard, etc...). (Default: ```false```)
@@ -1129,7 +1270,7 @@ Request headers to add as attributes for server and client spans.
 Response headers to add as attributes for server and client spans.
 `--tracing.globalattributes.<name>`:  
-Defines additional attributes (key:value) on all spans.
+(Deprecated) Defines additional resource attributes (key:value).
 `--tracing.otlp`:  
 Settings for OpenTelemetry. (Default: ```false```)
@@ -1179,6 +1320,9 @@ TLS insecure skip verify (Default: ```false```)
 `--tracing.otlp.http.tls.key`:  
 TLS key
 `--tracing.resourceattributes.<name>`:  
 Defines additional resource attributes (key:value).
 `--tracing.safequeryparams`:  
 Query params to not redact.
@@ -1186,4 +1330,4 @@ Query params to not redact.
 Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
 `--tracing.servicename`:  
-Set the name for this service. (Default: ```traefik```)
+Sets the name for this service. (Default: ```traefik```)
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -39,9 +39,66 @@ Keep access logs with status codes in the specified range.
 `TRAEFIK_ACCESSLOG_FORMAT`:  
 Access log format: json | common (Default: ```common```)
 `TRAEFIK_ACCESSLOG_OTLP`:  
 Settings for OpenTelemetry. (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_GRPC`:  
 gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_ENDPOINT`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_HEADERS_<NAME>`:  
 Headers sent with payload.
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_INSECURE`:  
 Disables client transport security for the exporter. (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_CA`:  
 TLS CA
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_CERT`:  
 TLS cert
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_INSECURESKIPVERIFY`:  
 TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_KEY`:  
 TLS key
 `TRAEFIK_ACCESSLOG_OTLP_HTTP`:  
 HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_ENDPOINT`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_HEADERS_<NAME>`:  
 Headers sent with payload.
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_CA`:  
 TLS CA
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_CERT`:  
 TLS cert
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_INSECURESKIPVERIFY`:  
 TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_KEY`:  
 TLS key
 `TRAEFIK_ACCESSLOG_OTLP_RESOURCEATTRIBUTES_<NAME>`:  
 Defines additional resource attributes (key:value).
 `TRAEFIK_ACCESSLOG_OTLP_SERVICENAME`:  
 Set the name for this service. (Default: ```traefik```)
 `TRAEFIK_API`:  
 Enable api/dashboard. (Default: ```false```)
 `TRAEFIK_API_BASEPATH`:  
 Defines the base path where the API and Dashboard will be exposed. (Default: ```/```)
 `TRAEFIK_API_DASHBOARD`:  
 Activate dashboard. (Default: ```true```)
@@ -76,10 +133,25 @@ Certificates' duration in hours. (Default: ```2160```)
 Activate DNS-01 Challenge. (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DELAYBEFORECHECK`:  
-Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
+(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:  
-Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
+(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION`:  
 DNS propagation checks configuration (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DELAYBEFORECHECKS`:  
 Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLEANSCHECKS`:  
 Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_DISABLECHECKS`:  
 Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROPAGATION_REQUIREALLRNS`:  
 Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_PROVIDER`:  
 Use a DNS-01 based challenge provider rather than HTTPS.
@@ -192,6 +264,15 @@ Subject alternative names.
 `TRAEFIK_ENTRYPOINTS_<NAME>_HTTP_TLS_OPTIONS`:  
 Default TLS options for the routers linked to the entry point.
 `TRAEFIK_ENTRYPOINTS_<NAME>_OBSERVABILITY_ACCESSLOGS`:  
 (Default: ```true```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_OBSERVABILITY_METRICS`:  
 (Default: ```true```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_OBSERVABILITY_TRACING`:  
 (Default: ```true```)
 `TRAEFIK_ENTRYPOINTS_<NAME>_PROXYPROTOCOL`:  
 Proxy-Protocol configuration. (Default: ```false```)
@@ -228,8 +309,11 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 `TRAEFIK_ENTRYPOINTS_<NAME>_UDP_TIMEOUT`:  
 Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)
 `TRAEFIK_EXPERIMENTAL_ABORTONPLUGINFAILURE`:  
 Defines whether all plugins must be loaded successfully for Traefik to start. (Default: ```false```)
 `TRAEFIK_EXPERIMENTAL_FASTPROXY`:  
-Enable the FastProxy implementation. (Default: ```false```)
+Enables the FastProxy implementation. (Default: ```false```)
 `TRAEFIK_EXPERIMENTAL_FASTPROXY_DEBUG`:  
 Enable debug mode for the FastProxy implementation. (Default: ```false```)
@@ -252,6 +336,9 @@ Environment variables to forward to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_MOUNTS`:  
 Directory to mount to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_OTLPLOGS`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_MODULENAME`:  
 plugin's module name.
@@ -312,6 +399,60 @@ Maximum size in megabytes of the log file before it gets rotated. (Default: ```0
 `TRAEFIK_LOG_NOCOLOR`:  
 When using the 'common' format, disables the colorized output. (Default: ```false```)
 `TRAEFIK_LOG_OTLP`:  
 Settings for OpenTelemetry. (Default: ```false```)
 `TRAEFIK_LOG_OTLP_GRPC`:  
 gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
 `TRAEFIK_LOG_OTLP_GRPC_ENDPOINT`:  
 Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
 `TRAEFIK_LOG_OTLP_GRPC_HEADERS_<NAME>`:  
 Headers sent with payload.
 `TRAEFIK_LOG_OTLP_GRPC_INSECURE`:  
 Disables client transport security for the exporter. (Default: ```false```)
 `TRAEFIK_LOG_OTLP_GRPC_TLS_CA`:  
 TLS CA
 `TRAEFIK_LOG_OTLP_GRPC_TLS_CERT`:  
 TLS cert
 `TRAEFIK_LOG_OTLP_GRPC_TLS_INSECURESKIPVERIFY`:  
 TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_LOG_OTLP_GRPC_TLS_KEY`:  
 TLS key
 `TRAEFIK_LOG_OTLP_HTTP`:  
 HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
 `TRAEFIK_LOG_OTLP_HTTP_ENDPOINT`:  
 Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
 `TRAEFIK_LOG_OTLP_HTTP_HEADERS_<NAME>`:  
 Headers sent with payload.
 `TRAEFIK_LOG_OTLP_HTTP_TLS_CA`:  
 TLS CA
 `TRAEFIK_LOG_OTLP_HTTP_TLS_CERT`:  
 TLS cert
 `TRAEFIK_LOG_OTLP_HTTP_TLS_INSECURESKIPVERIFY`:  
 TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_LOG_OTLP_HTTP_TLS_KEY`:  
 TLS key
 `TRAEFIK_LOG_OTLP_RESOURCEATTRIBUTES_<NAME>`:  
 Defines additional resource attributes (key:value).
 `TRAEFIK_LOG_OTLP_SERVICENAME`:  
 Set the name for this service. (Default: ```traefik```)
 `TRAEFIK_METRICS_ADDINTERNALS`:  
 Enables metrics for internal services (ping, dashboard, etc...). (Default: ```false```)
@@ -1117,7 +1258,7 @@ Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
 Defines the allowed SPIFFE trust domain.
 `TRAEFIK_TRACING`:  
-OpenTracing configuration. (Default: ```false```)
+Tracing configuration. (Default: ```false```)
 `TRAEFIK_TRACING_ADDINTERNALS`:  
 Enables tracing for internal services (ping, dashboard, etc...). (Default: ```false```)
@@ -1129,7 +1270,7 @@ Request headers to add as attributes for server and client spans.
 Response headers to add as attributes for server and client spans.
 `TRAEFIK_TRACING_GLOBALATTRIBUTES_<NAME>`:  
-Defines additional attributes (key:value) on all spans.
+(Deprecated) Defines additional resource attributes (key:value).
 `TRAEFIK_TRACING_OTLP`:  
 Settings for OpenTelemetry. (Default: ```false```)
@@ -1179,6 +1320,9 @@ TLS insecure skip verify (Default: ```false```)
 `TRAEFIK_TRACING_OTLP_HTTP_TLS_KEY`:  
 TLS key
 `TRAEFIK_TRACING_RESOURCEATTRIBUTES_<NAME>`:  
 Defines additional resource attributes (key:value).
 `TRAEFIK_TRACING_SAFEQUERYPARAMS`:  
 Query params to not redact.
@@ -1186,4 +1330,4 @@ Query params to not redact.
 Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
 `TRAEFIK_TRACING_SERVICENAME`:  
-Set the name for this service. (Default: ```traefik```)
+Sets the name for this service. (Default: ```traefik```)
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@@ -77,6 +77,10 @@
      advertisedPort = 42
    [entryPoints.EntryPoint0.udp]
      timeout = "42s"
    [entryPoints.EntryPoint0.observability]
      accessLogs = true
      tracing = true
      metrics = true
 [providers]
  providersThrottleDuration = "42s"
@@ -294,6 +298,7 @@
      name1 = "foobar"
 [api]
  basePath = "foobar"
  insecure = true
  dashboard = true
  debug = true
@@ -380,6 +385,32 @@
  maxAge = 42
  maxBackups = 42
  compress = true
  [log.otlp]
    serviceName = "foobar"
    [log.otlp.resourceAttributes]
      name0 = "foobar"
      name1 = "foobar"
    [log.otlp.grpc]
      endpoint = "foobar"
      insecure = true
      [log.otlp.grpc.tls]
        ca = "foobar"
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
      [log.otlp.grpc.headers]
        name0 = "foobar"
        name1 = "foobar"
    [log.otlp.http]
      endpoint = "foobar"
      [log.otlp.http.tls]
        ca = "foobar"
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
      [log.otlp.http.headers]
        name0 = "foobar"
        name1 = "foobar"
 [accessLog]
  filePath = "foobar"
@@ -400,6 +431,32 @@
      [accessLog.fields.headers.names]
        name0 = "foobar"
        name1 = "foobar"
  [accessLog.otlp]
    serviceName = "foobar"
    [accessLog.otlp.resourceAttributes]
      name0 = "foobar"
      name1 = "foobar"
    [accessLog.otlp.grpc]
      endpoint = "foobar"
      insecure = true
      [accessLog.otlp.grpc.tls]
        ca = "foobar"
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
      [accessLog.otlp.grpc.headers]
        name0 = "foobar"
        name1 = "foobar"
    [accessLog.otlp.http]
      endpoint = "foobar"
      [accessLog.otlp.http.tls]
        ca = "foobar"
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
      [accessLog.otlp.http.headers]
        name0 = "foobar"
        name1 = "foobar"
 [tracing]
  serviceName = "foobar"
@@ -408,7 +465,7 @@
  safeQueryParams = ["foobar", "foobar"]
  sampleRate = 42.0
  addInternals = true
-  [tracing.globalAttributes]
+  [tracing.resourceAttributes]
    name0 = "foobar"
    name1 = "foobar"
  [tracing.otlp]
@@ -433,6 +490,9 @@
      [tracing.otlp.http.headers]
        name0 = "foobar"
        name1 = "foobar"
  [tracing.globalAttributes]
    name0 = "foobar"
    name1 = "foobar"
 [hostResolver]
  cnameFlattening = true
@@ -456,9 +516,14 @@
        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
        provider = "foobar"
        delayBeforeCheck = "42s"
        resolvers = ["foobar", "foobar"]
        delayBeforeCheck = "42s"
        disablePropagationCheck = true
        [certificatesResolvers.CertificateResolver0.acme.dnsChallenge.propagation]
          disableChecks = true
          disableANSChecks = true
          requireAllRNS = true
          delayBeforeChecks = "42s"
      [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
@@ -479,15 +544,22 @@
        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
        provider = "foobar"
        delayBeforeCheck = "42s"
        resolvers = ["foobar", "foobar"]
        delayBeforeCheck = "42s"
        disablePropagationCheck = true
        [certificatesResolvers.CertificateResolver1.acme.dnsChallenge.propagation]
          disableChecks = true
          disableANSChecks = true
          requireAllRNS = true
          delayBeforeChecks = "42s"
      [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
    [certificatesResolvers.CertificateResolver1.tailscale]
 [experimental]
  abortOnPluginFailure = true
  otlplogs = true
  kubernetesGateway = true
  [experimental.plugins]
    [experimental.plugins.Descriptor0]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@@ -91,6 +91,10 @@ entryPoints:
      advertisedPort: 42
    udp:
      timeout: 42s
    observability:
      accessLogs: true
      tracing: true
      metrics: true
 providers:
  providersThrottleDuration: 42s
  docker:
@@ -330,6 +334,7 @@ providers:
      name0: foobar
      name1: foobar
 api:
  basePath: foobar
  insecure: true
  dashboard: true
  debug: true
@@ -417,6 +422,32 @@ log:
  maxAge: 42
  maxBackups: 42
  compress: true
  otlp:
    serviceName: foobar
    resourceAttributes:
      name0: foobar
      name1: foobar
    grpc:
      endpoint: foobar
      insecure: true
      tls:
        ca: foobar
        cert: foobar
        key: foobar
        insecureSkipVerify: true
      headers:
        name0: foobar
        name1: foobar
    http:
      endpoint: foobar
      tls:
        ca: foobar
        cert: foobar
        key: foobar
        insecureSkipVerify: true
      headers:
        name0: foobar
        name1: foobar
 accessLog:
  filePath: foobar
  format: foobar
@@ -438,9 +469,35 @@ accessLog:
        name1: foobar
  bufferingSize: 42
  addInternals: true
  otlp:
    serviceName: foobar
    resourceAttributes:
      name0: foobar
      name1: foobar
    grpc:
      endpoint: foobar
      insecure: true
      tls:
        ca: foobar
        cert: foobar
        key: foobar
        insecureSkipVerify: true
      headers:
        name0: foobar
        name1: foobar
    http:
      endpoint: foobar
      tls:
        ca: foobar
        cert: foobar
        key: foobar
        insecureSkipVerify: true
      headers:
        name0: foobar
        name1: foobar
 tracing:
  serviceName: foobar
-  globalAttributes:
+  resourceAttributes:
    name0: foobar
    name1: foobar
  capturedRequestHeaders:
@@ -476,6 +533,9 @@ tracing:
      headers:
        name0: foobar
        name1: foobar
  globalAttributes:
    name0: foobar
    name1: foobar
 hostResolver:
  cnameFlattening: true
  resolvConfig: foobar
@@ -499,10 +559,15 @@ certificatesResolvers:
      caServerName: foobar
      dnsChallenge:
        provider: foobar
        delayBeforeCheck: 42s
        resolvers:
          - foobar
          - foobar
        propagation:
          disableChecks: true
          disableANSChecks: true
          requireAllRNS: true
          delayBeforeChecks: 42s
        delayBeforeCheck: 42s
        disablePropagationCheck: true
      httpChallenge:
        entryPoint: foobar
@@ -526,10 +591,15 @@ certificatesResolvers:
      caServerName: foobar
      dnsChallenge:
        provider: foobar
        delayBeforeCheck: 42s
        resolvers:
          - foobar
          - foobar
        propagation:
          disableChecks: true
          disableANSChecks: true
          requireAllRNS: true
          delayBeforeChecks: 42s
        delayBeforeCheck: 42s
        disablePropagationCheck: true
      httpChallenge:
        entryPoint: foobar
@@ -576,8 +646,10 @@ experimental:
        mounts:
          - foobar
          - foobar
  abortOnPluginFailure: true
  fastProxy:
    debug: true
  otlplogs: true
  kubernetesGateway: true
 core:
  defaultRuleSyntax: foobar
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@@ -1259,4 +1259,104 @@ systemd-socket-activate -l 80 -l 443 --fdname web:websecure  ./traefik --entrypo
    Socket activation is not supported by Docker but works with Podman containers.
 ## Observability Options
 This section is dedicated to options to control observability for an EntryPoint.
 !!! info "Note that you must first enable access-logs, tracing, and/or metrics."
 !!! warning "AddInternals option"
    By default, and for any type of signals (access-logs, metrics and tracing),
    Traefik disables observability for internal resources.
    The observability options described below cannot interfere with the `AddInternals` ones,
    and will be ignored.
    For instance, if a router exposes the `api@internal` service and `metrics.AddInternals` is false,
    it will never produces metrics, even if the EntryPoint observability configuration enables metrics.
 ### AccessLogs
 _Optional, Default=true_
 AccessLogs defines whether a router attached to this EntryPoint produces access-logs by default.
 Nonetheless, a router defining its own observability configuration will opt-out from this default.
 ```yaml tab="File (YAML)"
 entryPoints:
  foo:
    address: ':8000/udp'
    observability:
      accessLogs: false
 ```
 ```toml tab="File (TOML)"
 [entryPoints.foo]
  address = ":8000/udp"
    [entryPoints.foo.observability]
      accessLogs = false
 ```
 ```bash tab="CLI"
 --entryPoints.foo.address=:8000/udp
 --entryPoints.foo.observability.accessLogs=false
 ```
 ### Metrics
 _Optional, Default=true_
 Metrics defines whether a router attached to this EntryPoint produces metrics by default.
 Nonetheless, a router defining its own observability configuration will opt-out from this default.
 ```yaml tab="File (YAML)"
 entryPoints:
  foo:
    address: ':8000/udp'
    observability:
      metrics: false
 ```
 ```toml tab="File (TOML)"
 [entryPoints.foo]
  address = ":8000/udp"
    [entryPoints.foo.observability]
      metrics = false
 ```
 ```bash tab="CLI"
 --entryPoints.foo.address=:8000/udp
 --entryPoints.foo.observability.metrics=false
 ```
 ### Tracing
 _Optional, Default=true_
 Tracing defines whether a router attached to this EntryPoint produces traces by default.
 Nonetheless, a router defining its own observability configuration will opt-out from this default.
 ```yaml tab="File (YAML)"
 entryPoints:
  foo:
    address: ':8000/udp'
    observability:
      tracing: false
 ```
 ```toml tab="File (TOML)"
 [entryPoints.foo]
  address = ":8000/udp"
    [entryPoints.foo.observability]
      tracing = false
 ```
 ```bash tab="CLI"
 --entryPoints.foo.address=:8000/udp
 --entryPoints.foo.observability.tracing=false
 ```
 {!traefik-for-business-applications.md!}
--- a/docs/content/routing/providers/consul-catalog.md
+++ b/docs/content/routing/providers/consul-catalog.md
@@ -111,6 +111,30 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
    traefik.http.routers.myrouter.tls.options=foobar
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.accesslogs=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.metrics=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.tracing=true
    ```
 ??? info "`traefik.http.routers.<router_name>.priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -265,6 +289,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
--- a/docs/content/routing/providers/docker.md
+++ b/docs/content/routing/providers/docker.md
@@ -224,6 +224,30 @@ For example, to change the rule, you could add the label ```traefik.http.routers
    - "traefik.http.routers.myrouter.tls.options=foobar"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.accesslogs=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.metrics=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.tracing=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -380,6 +404,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar"
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
--- a/docs/content/routing/providers/ecs.md
+++ b/docs/content/routing/providers/ecs.md
@@ -111,6 +111,30 @@ For example, to change the rule, you could add the label ```traefik.http.routers
    traefik.http.routers.myrouter.tls.options=foobar
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.accesslogs=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.metrics=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.tracing=true
    ```
 ??? info "`traefik.http.routers.<router_name>.priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -267,6 +291,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
    traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -48,7 +48,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.2
+              image: traefik:v3.3
              args:
                - --log.level=DEBUG
                - --api
@@ -332,17 +332,21 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
        middlewares:                    # [5]
        - name: middleware1             # [6]
          namespace: default            # [7]
-        services:                       # [8]
+        observability:                  # [8]
          accesslogs: true              # [9]    
          metrics: true                 # [10]
          tracing: true                 # [11]
        services:                       # [12]
        - kind: Service
          name: foo
          namespace: default
          passHostHeader: true
-          port: 80                      # [9]
+          port: 80                      # [13]
          responseForwarding:
            flushInterval: 1ms
          scheme: https
-          serversTransport: transport   # [10]
+          serversTransport: transport   # [14]
-          healthCheck:                  # [11]
+          healthCheck:                  # [15]
            path: /health
            interval: 15s
          sticky:
@@ -352,19 +356,20 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
              secure: true
              sameSite: none
              maxAge: 42  
              path: /foo
          strategy: RoundRobin
          weight: 10
-          nativeLB: true                # [12]
+          nativeLB: true                # [16]
-          nodePortLB: true              # [13]
+          nodePortLB: true              # [17]
-      tls:                              # [14]
+      tls:                              # [18]
-        secretName: supersecret         # [15]
+        secretName: supersecret         # [19]
-        options:                        # [16]
+        options:                        # [20]
-          name: opt                     # [17]
+          name: opt                     # [21]
-          namespace: default            # [18]
+          namespace: default            # [22]
-        certResolver: foo               # [19]
+        certResolver: foo               # [23]
-        domains:                        # [20]
+        domains:                        # [24]
-        - main: example.net             # [21]
+        - main: example.net             # [25]
-          sans:                         # [22]
+          sans:                         # [26]
          - a.example.net
          - b.example.net
    ```
@@ -377,22 +382,26 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
 | [4]  | `routes[n].priority`           | Defines the [priority](../routers/index.md#priority) to disambiguate rules of the same length, for route matching                                                                                                                                                                            |
 | [5]  | `routes[n].middlewares`        | List of reference to [Middleware](#kind-middleware)                                                                                                                                                                                                                                          |
 | [6]  | `middlewares[n].name`          | Defines the [Middleware](#kind-middleware) name                                                                                                                                                                                                                                              |
-| [7]  | `middlewares[n].namespace`     | Defines the [Middleware](#kind-middleware) namespace. It can be omitted when the Middleware is in the IngressRoute namespace.                                                                                                                                                                    |
+| [7]  | `middlewares[n].namespace`     | Defines the [Middleware](#kind-middleware) namespace. It can be omitted when the Middleware is in the IngressRoute namespace.                                                                                                                                                                |
-| [8]  | `routes[n].services`           | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup)                                                                     |
+| [8]  | `routes[n].observability`      | Defines the route observability configuration.                                                                                                                                                                                                                                               |
-| [9]  | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       |
+| [9]  | `observability.accesslogs`     | Defines whether the route will produce [access-logs](../routers/index.md#accesslogs).                                                                                                                                                                                                        |
-| [10] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
+| [10] | `observability.metrics`        | Defines whether the route will produce [metrics](../routers/index.md#metrics).                                                                                                                                                                                                               |
-| [11] | `services[n].healthCheck`      | Defines the HealthCheck when service references a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.                                                                                                                                |
+| [11] | `observability.tracing`        | Defines whether the route will produce [traces](../routers/index.md#tracing).                                                                                                                                                                                                                |
-| [12] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
+| [12] | `routes[n].services`           | List of any combination of [TraefikService](#kind-traefikservice) and reference to a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) (See below for `ExternalName Service` setup)                                                                     |
-| [13] | `services[n].nodePortLB`       | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.                                                                                                                               |
+| [13] | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       |
-| [14] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
+| [14] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
-| [15] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
+| [15] | `services[n].healthCheck`      | Defines the HealthCheck when service references a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.                                                                                                                               |
-| [16] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
+| [16] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
-| [17] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
+| [17] | `services[n].nodePortLB`       | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.                                                                                                                               |
-| [18] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
+| [18] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
-| [19] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
+| [19] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
-| [20] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
+| [20] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
-| [21] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
+| [21] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
-| [22] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |
+| [22] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
 | [23] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
 | [24] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
 | [25] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
 | [26] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |
 ??? example "Declaring an IngressRoute"
@@ -981,6 +990,9 @@ More information in the dedicated [mirroring](../services/index.md#mirroring-ser
 As explained in the section about [Sticky sessions](../../services/#sticky-sessions), for stickiness to work all the way,
 it must be specified at each load-balancing level.
 When stickiness is enabled, Traefik uses Kubernetes [serving](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/#serving) endpoints status to detect and mark servers as fenced.
 Fenced servers can still process requests tied to sticky cookies, while they are terminating.
 For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two `whoami` services,
 and there is a second level because each whoami service is a `replicaset` and is thus handled as a load-balancer of servers.
--- a/docs/content/routing/providers/kubernetes-ingress.md
+++ b/docs/content/routing/providers/kubernetes-ingress.md
@@ -130,7 +130,7 @@ which in turn will create the resulting routers, services, handlers, etc.
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.2
+              image: traefik:v3.3
              args:
                - --entryPoints.web.address=:80
                - --providers.kubernetesingress
@@ -288,6 +288,30 @@ which in turn will create the resulting routers, services, handlers, etc.
    traefik.ingress.kubernetes.io/router.tls.options: foobar@file
    ```
 ??? info "`traefik.ingress.kubernetes.io/router.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    traefik.ingress.kubernetes.io/router.observability.accesslogs: true
    ```
 ??? info "`traefik.ingress.kubernetes.io/router.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    traefik.ingress.kubernetes.io/router.observability.metrics: true
    ```
 ??? info "`traefik.ingress.kubernetes.io/router.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    traefik.ingress.kubernetes.io/router.observability.tracing: true
    ```
 #### On Service
 ??? info "`traefik.ingress.kubernetes.io/service.nativelb`"
@@ -383,6 +407,19 @@ which in turn will create the resulting routers, services, handlers, etc.
    traefik.ingress.kubernetes.io/service.sticky.cookie.maxage: 42
    ```
 ??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    traefik.ingress.kubernetes.io/service.sticky.cookie.path: /foobar
    ```
 ## Stickiness and load-balancing
 When stickiness is enabled, Traefik uses Kubernetes [serving](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/#serving) endpoints status to detect and mark servers as fenced.
 Fenced servers can still process requests tied to sticky cookies, while they are terminating.
 ## Path Types on Kubernetes 1.18+
 If the Kubernetes cluster version is 1.18+,
@@ -543,7 +580,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.2
+              image: traefik:v3.3
              args:
                - --entryPoints.websecure.address=:443
                - --entryPoints.websecure.http.tls
@@ -736,7 +773,7 @@ For more options, please refer to the available [annotations](#on-ingress).
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.2
+              image: traefik:v3.3
              args:
                - --entryPoints.websecure.address=:443
                - --providers.kubernetesingress
--- a/docs/content/routing/providers/kv.md
+++ b/docs/content/routing/providers/kv.md
@@ -95,6 +95,30 @@ A Story of key & values
    |---------------------------------------------|----------|
    | `traefik/http/routers/myrouter/tls/options` | `foobar` |
 ??? info "`traefik/http/routers/<router_name>/observability/accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    | Key (Path)                                               | Value  |
    |----------------------------------------------------------|--------|
    | `traefik/http/routers/myrouter/observability/accesslogs` | `true` |
 ??? info "`traefik/http/routers/<router_name>/observability/metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    | Key (Path)                                            | Value  |
    |-------------------------------------------------------|--------|
    | `traefik/http/routers/myrouter/observability/metrics` | `true` |
 ??? info "`traefik/http/routers/<router_name>/observability/tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    | Key (Path)                                            | Value  |
    |-------------------------------------------------------|--------|
    | `traefik/http/routers/myrouter/observability/tracing` | `true` |
 ??? info "`traefik/http/routers/<router_name>/priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -228,6 +252,14 @@ A Story of key & values
    |-------------------------------------------------------------------|----------|
    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/name` | `foobar` |
 ??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    | Key (Path)                                                        | Value     |
    |-------------------------------------------------------------------|-----------|
    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/path` | `/foobar` |
 ??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/secure`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -320,6 +352,12 @@ A Story of key & values
    |----------------------------------------------------------------------|-------|
    | `traefik/http/services/<service_name>/weighted/sticky/cookie/maxage` | `42`  |
 ??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/path`"
    | Key (Path)                                                           | Value     |
    |----------------------------------------------------------------------|-----------|
    | `traefik/http/services/<service_name>/weighted/sticky/cookie/path`   | `/foobar` |
 ### Middleware
 More information about available middlewares in the dedicated [middlewares section](../../middlewares/overview.md).
--- a/docs/content/routing/providers/marathon.md
+++ b/docs/content/routing/providers/marathon.md
--- a/docs/content/routing/providers/nomad.md
+++ b/docs/content/routing/providers/nomad.md
@@ -111,6 +111,30 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
    traefik.http.routers.myrouter.tls.options=foobar
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.accesslogs=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.metrics=true
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    traefik.http.routers.myrouter.observability.tracing=true
    ```
 ??? info "`traefik.http.routers.<router_name>.priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -281,6 +305,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
    traefik.http.services.myservice.loadbalancer.sticky.cookie.maxage=42
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
    See [response forwarding](../services/index.md#response-forwarding) for more information.
--- a/docs/content/routing/providers/service-by-label.md
+++ b/docs/content/routing/providers/service-by-label.md
@@ -7,7 +7,8 @@ There are, however, exceptions when using label-based configurations:
 and a label defines a service (e.g. implicitly through a loadbalancer server port value),
 but the router does not specify any service,
 then that service is automatically assigned to the router.
-1. If a label defines a router (e.g. through a router Rule) but no service is defined,
+
 2. If a label defines a router (e.g. through a router Rule) but no service is defined,
 then a service is automatically created and assigned to the router.
 !!! info ""
--- a/docs/content/routing/providers/swarm.md
+++ b/docs/content/routing/providers/swarm.md
@@ -235,6 +235,30 @@ For example, to change the rule, you could add the label ```traefik.http.routers
    - "traefik.http.routers.myrouter.tls.options=foobar"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.accesslogs`"
    See accesslogs [option](../routers/index.md#accesslogs) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.accesslogs=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.metrics`"
    See metrics [option](../routers/index.md#metrics) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.metrics=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.observability.tracing`"
    See tracing [option](../routers/index.md#tracing) for more information.
    ```yaml
    - "traefik.http.routers.myrouter.observability.tracing=true"
    ```
 ??? info "`traefik.http.routers.<router_name>.priority`"
    See [priority](../routers/index.md#priority) for more information.
@@ -394,6 +418,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar"
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
    ```yaml
    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar"
    ```
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure`"
    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@@ -877,6 +877,117 @@ The [supported `provider` table](../../https/acme.md#providers) indicates if the
 !!! warning "Double Wildcard Certificates"
    It is not possible to request a double wildcard certificate for a domain (for example `*.*.local.com`).
 ### Observability
 The Observability section defines a per router behavior regarding access-logs, metrics or tracing.
 The default router observability configuration is inherited from the attached EntryPoints and can be configured with the observability [options](../../routing/entrypoints.md#observability-options).
 However, a router defining its own observability configuration will opt-out from these defaults.
 !!! info "Note that to enable router-level observability, you must first enable access-logs, tracing, and/or metrics."
 !!! warning "AddInternals option"
    By default, and for any type of signals (access-logs, metrics and tracing),
    Traefik disables observability for internal resources.
    The observability options described below cannot interfere with the `AddInternals` ones,
    and will be ignored.
    For instance, if a router exposes the `api@internal` service and `metrics.AddInternals` is false,
    it will never produces metrics, even if the router observability configuration enables metrics.
 #### `accessLogs`
 _Optional_
 The `accessLogs` option controls whether the router will produce access-logs.
 ??? example "Disable access-logs for a router using the [File Provider](../../providers/file.md)"
    ```yaml tab="YAML"
    ## Dynamic configuration
    http:
      routers:
        my-router:
          rule: "Path(`/foo`)"
          service: service-foo
          observability:
            accessLogs: false
    ```
    ```toml tab="TOML"
    ## Dynamic configuration
    [http.routers]
      [http.routers.my-router]
        rule = "Path(`/foo`)"
        service = "service-foo"
        [http.routers.my-router.observability]
          accessLogs = false
    ```
 #### `metrics`
 _Optional_
 The `metrics` option controls whether the router will produce metrics.
 !!! warning "Metrics layers"
    When metrics layers are not enabled with the `addEntryPointsLabels`, `addRoutersLabels` and/or `addServicesLabels` options,
    enabling metrics for a router will not enable them.
 ??? example "Disable metrics for a router using the [File Provider](../../providers/file.md)"
    ```yaml tab="YAML"
    ## Dynamic configuration
    http:
      routers:
        my-router:
          rule: "Path(`/foo`)"
          service: service-foo
          observability:
            metrics: false
    ```
    ```toml tab="TOML"
    ## Dynamic configuration
    [http.routers]
      [http.routers.my-router]
        rule = "Path(`/foo`)"
        service = "service-foo"
        [http.routers.my-router.observability]
          metrics = false
    ```
 #### `tracing`
 _Optional_
 The `tracing` option controls whether the router will produce traces.
 ??? example "Disable tracing for a router using the [File Provider](../../providers/file.md)"
    ```yaml tab="YAML"
    ## Dynamic configuration
    http:
      routers:
        my-router:
          rule: "Path(`/foo`)"
          service: service-foo
          observability:
            tracing: false
    ```
    ```toml tab="TOML"
    ## Dynamic configuration
    [http.routers]
      [http.routers.my-router]
        rule = "Path(`/foo`)"
        service = "service-foo"
        [http.routers.my-router.observability]
          tracing = false
    ```
 ## Configuring TCP Routers
 !!! warning "The character `@` is not authorized in the router name"
--- a/docs/content/user-guides/crd-acme/03-deployments.yml
+++ b/docs/content/user-guides/crd-acme/03-deployments.yml
@@ -26,7 +26,7 @@ spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
-          image: traefik:v3.2
+          image: traefik:v3.3
          args:
            - --api.insecure
            - --accesslog
--- a/docs/content/user-guides/crd-acme/index.md
+++ b/docs/content/user-guides/crd-acme/index.md
@@ -49,10 +49,10 @@ and the RBAC authorization resources which will be referenced through the `servi
 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```
 ### Services
@@ -60,7 +60,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/con
 Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami).
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/user-guides/crd-acme/02-services.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/02-services.yml
 ```
 ```yaml
@@ -73,7 +73,7 @@ Next, the deployments, i.e. the actual pods behind the services.
 Again, one pod for Traefik, and one for the whoami app.
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/user-guides/crd-acme/03-deployments.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/03-deployments.yml
 ```
 ```yaml
@@ -100,7 +100,7 @@ Look it up.
 We can now finally apply the actual ingressRoutes, with:
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/04-ingressroutes.yml
 ```
 ```yaml
@@ -126,7 +126,7 @@ Nowadays, TLS v1.0 and v1.1 are deprecated.
 In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption:
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/user-guides/crd-acme/05-tlsoption.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/05-tlsoption.yml
 ```
 ```yaml
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:
  traefik:
-    image: "traefik:v3.2"
+    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
+++ b/docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml
@@ -13,7 +13,7 @@ secrets:
 services:
  traefik:
-    image: "traefik:v3.2"
+    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-http/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:
  traefik:
-    image: "traefik:v3.2"
+    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:
  traefik:
-    image: "traefik:v3.2"
+    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
+++ b/docs/content/user-guides/docker-compose/basic-example/docker-compose.yml
@@ -3,7 +3,7 @@ version: "3.3"
 services:
  traefik:
-    image: "traefik:v3.2"
+    image: "traefik:v3.3"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
--- a/docs/content/user-guides/docker-compose/basic-example/index.md
+++ b/docs/content/user-guides/docker-compose/basic-example/index.md
@@ -31,7 +31,7 @@ Create a `docker-compose.yml` file with the following content:
    services:
      traefik:
-        image: "traefik:v3.2"
+        image: "traefik:v3.3"
        ...
        networks:
          - traefiknet
--- a/docs/docs.Dockerfile
+++ b/docs/docs.Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.21
 ENV PATH="${PATH}:/venv/bin"
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1
 	github.com/quic-go/quic-go v0.48.2
-	github.com/rs/zerolog v1.29.0
+	github.com/rs/zerolog v1.33.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spiffe/go-spiffe/v2 v2.1.1
 	github.com/stealthrocket/wasi-go v0.8.0
@@ -72,22 +72,28 @@ require (
 	github.com/vulcand/oxy/v2 v2.0.0
 	github.com/vulcand/predicate v1.2.0
 	go.opentelemetry.io/collector/pdata v1.10.0
 	go.opentelemetry.io/contrib/bridges/otellogrus v0.7.0
 	go.opentelemetry.io/contrib/propagators/autoprop v0.53.0
-	go.opentelemetry.io/otel v1.29.0
+	go.opentelemetry.io/otel v1.32.0
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
-	go.opentelemetry.io/otel/metric v1.29.0
+	go.opentelemetry.io/otel/log v0.8.0
-	go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/metric v1.32.0
 	go.opentelemetry.io/otel/sdk v1.32.0
 	go.opentelemetry.io/otel/sdk/log v0.8.0
 	go.opentelemetry.io/otel/sdk/metric v1.28.0
-	go.opentelemetry.io/otel/trace v1.29.0
+	go.opentelemetry.io/otel/trace v1.32.0
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // No tag on the repo.
 	golang.org/x/mod v0.21.0
 	golang.org/x/net v0.30.0
-	golang.org/x/sys v0.26.0
+	golang.org/x/sync v0.10.0
-	golang.org/x/text v0.19.0
+	golang.org/x/sys v0.28.0
 	golang.org/x/text v0.21.0
 	golang.org/x/time v0.7.0
 	golang.org/x/tools v0.25.0
 	google.golang.org/grpc v1.67.1
@@ -218,7 +224,7 @@ require (
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
 	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -358,14 +364,13 @@ require (
 	go.uber.org/ratelimit v0.3.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	google.golang.org/api v0.204.0 // indirect
 	google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/h2non/gock.v1 v1.0.16 // indirect
--- a/go.sum
+++ b/go.sum
@@ -262,7 +262,6 @@ github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03V
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
@@ -576,8 +575,8 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmg
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
@@ -818,6 +817,7 @@ github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOA
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
@@ -1046,13 +1046,13 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/cors v1.7.0 h1:+88SsELBHx5r+hZ8TCkggzSstaWNbDvThkVK8H6f9ik=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
-github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
-github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sacloud/api-client-go v0.2.10 h1:+rv3jDohD+pkdYwOTBiB+jZsM0xK3AxadXRzhp3q66c=
@@ -1288,6 +1288,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/collector/pdata v1.10.0 h1:oLyPLGvPTQrcRT64ZVruwvmH/u3SHTfNo01pteS4WOE=
 go.opentelemetry.io/collector/pdata v1.10.0/go.mod h1:IHxHsp+Jq/xfjORQMDJjSH6jvedOSTOyu3nbxqhWSYE=
 go.opentelemetry.io/contrib/bridges/otellogrus v0.7.0 h1:vPSzn6dQvdPq9ZiXFs+jUSJnzoKJkADD9yBdx/a1WgI=
 go.opentelemetry.io/contrib/bridges/otellogrus v0.7.0/go.mod h1:yZFNJIjn97IBhuMB3tTGPti9xasYLIdh3ChZIzyhz8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
 go.opentelemetry.io/contrib/propagators/autoprop v0.53.0 h1:4zaVLcJ5mvYw0vlk63TX62qS4qty/4jAY1BKZ1usu18=
@@ -1300,8 +1302,12 @@ go.opentelemetry.io/contrib/propagators/jaeger v1.28.0 h1:xQ3ktSVS128JWIaN1DiPGI
 go.opentelemetry.io/contrib/propagators/jaeger v1.28.0/go.mod h1:O9HIyI2kVBrFoEwQZ0IN6PHXykGoit4mZV2aEjkTRH4=
 go.opentelemetry.io/contrib/propagators/ot v1.28.0 h1:rmlG+2pc5k5M7Y7izDrxAHZUIwDERdGMTD9oMV7llMk=
 go.opentelemetry.io/contrib/propagators/ot v1.28.0/go.mod h1:MNgXIn+UrMbNGpd7xyckyo2LCHIgCdmdjEE7YNZGG+w=
-go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
-go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0 h1:U2guen0GhqH8o/G2un8f/aG/y++OuW6MyCo6hT9prXk=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.28.0/go.mod h1:yeGZANgEcpdx/WK0IvvRFC+2oLiMS2u4L/0Rj2M2Qr0=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.28.0 h1:aLmmtjRke7LPDQ3lvpFz+kNEH43faFhzW7v8BFIEydg=
@@ -1312,14 +1318,18 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6Z
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03ymgYhPKmeXGk5Zu+cIZOlVzd9Zv7QIiyItjFBU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk=
-go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk=
-go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
 go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
 go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
 go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
 go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
 go.opentelemetry.io/otel/sdk/metric v1.28.0 h1:OkuaKgKrgAbYrrY0t92c+cC+2F6hsFNnCQArXCKlg08=
 go.opentelemetry.io/otel/sdk/metric v1.28.0/go.mod h1:cWPjykihLAPvXKi4iZc1dpER3Jdq2Z0YLse3moQUCpg=
-go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
-go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
@@ -1381,8 +1391,8 @@ golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIi
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1508,8 +1518,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1597,11 +1607,12 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1613,8 +1624,8 @@ golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1631,8 +1642,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1770,10 +1781,10 @@ google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxH
 google.golang.org/genproto v0.0.0-20210917145530-b395a37504d4/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
 google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU=
 google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38/go.mod h1:xBI+tzfqGGN2JBeSebfKXFSdBpWVQ7sLW40PTupVRm4=
-google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
-google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
--- a/integration/conformance-reports/v1.2.1/experimental-v3.3-default-report.yaml
+++ b/integration/conformance-reports/v1.2.1/experimental-v3.3-default-report.yaml
@@ -8,7 +8,7 @@ implementation:
  organization: traefik
  project: traefik
  url: https://traefik.io/
-  version: v3.2
+  version: v3.3
 kind: ConformanceReport
 mode: default
 profiles:
--- a/integration/fixtures/k8s/01-traefik-crd.yml
+++ b/integration/fixtures/k8s/01-traefik-crd.yml
@@ -43,7 +43,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -57,18 +57,19 @@ spec:
                      description: |-
                        Kind defines the kind of the route.
                        Rule is the only supported kind.
                        If not defined, defaults to Rule.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -85,10 +86,22 @@ spec:
                        - name
                        type: object
                      type: array
                    observability:
                      description: |-
                        Observability defines the observability configuration for a router.
                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#observability
                      properties:
                        accessLogs:
                          type: boolean
                        metrics:
                          type: boolean
                        tracing:
                          type: boolean
                      type: object
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
                      type: integer
                    services:
                      description: |-
@@ -229,7 +242,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -241,13 +254,19 @@ spec:
                                    type: boolean
                                  maxAge:
                                    description: |-
-                                      MaxAge indicates the number of seconds until the cookie expires.
+                                      MaxAge defines the number of seconds until the cookie expires.
                                      When set to a negative number, the cookie expires immediately.
                                      When set to zero, the cookie never expires.
                                    type: integer
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  path:
                                    description: |-
                                      Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                      When not provided the cookie will be sent on every request to the domain.
                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                    type: string
                                  sameSite:
                                    description: |-
                                      SameSite defines the same site policy.
@@ -277,28 +296,27 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
                      type: string
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -317,17 +335,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
                        type: string
                    required:
                    - name
@@ -344,12 +362,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
                        type: string
                    required:
                    - name
@@ -409,7 +427,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -422,7 +440,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -446,7 +464,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
@@ -487,7 +505,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
@@ -525,7 +543,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
                      type: string
                  required:
                  - match
@@ -534,18 +552,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -564,7 +582,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -656,7 +674,7 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
                  Default: all.
                items:
                  type: string
@@ -743,7 +761,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
        properties:
          apiVersion:
            description: |-
@@ -769,7 +787,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -781,12 +799,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -807,7 +825,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -839,14 +857,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -905,7 +923,7 @@ spec:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
@@ -954,12 +972,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -979,7 +997,7 @@ spec:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
                properties:
                  query:
                    description: |-
@@ -989,7 +1007,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -1122,7 +1140,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -1133,13 +1151,19 @@ spec:
                                type: boolean
                              maxAge:
                                description: |-
-                                  MaxAge indicates the number of seconds until the cookie expires.
+                                  MaxAge defines the number of seconds until the cookie expires.
                                  When set to a negative number, the cookie expires immediately.
                                  When set to zero, the cookie never expires.
                                type: integer
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              path:
                                description: |-
                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                  When not provided the cookie will be sent on every request to the domain.
                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                type: string
                              sameSite:
                                description: |-
                                  SameSite defines the same site policy.
@@ -1180,7 +1204,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -1208,8 +1232,22 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
                    type: string
                  forwardBody:
                    description: ForwardBody defines whether to send the request body
                      to the authentication server.
                    type: boolean
                  maxBodySize:
                    description: MaxBodySize defines the maximum body size in bytes
                      allowed to be forwarded to the authentication server.
                    format: int64
                    type: integer
                  preserveLocationHeader:
                    description: PreserveLocationHeader defines whether to forward
                      the Location header to the client as is or prefix it with the
                      domain name of the authentication server.
                    type: boolean
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
@@ -1255,7 +1293,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -1426,7 +1464,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -1439,12 +1477,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1479,12 +1517,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1521,7 +1559,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -1551,7 +1589,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1660,7 +1698,7 @@ spec:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1693,7 +1731,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1728,7 +1766,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1747,7 +1785,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1764,7 +1802,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1775,7 +1813,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1791,7 +1829,7 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
@@ -1813,7 +1851,7 @@ spec:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1832,7 +1870,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -1869,7 +1907,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -1905,7 +1943,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1919,7 +1957,7 @@ spec:
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
                  Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -1958,7 +1996,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
        properties:
          apiVersion:
            description: |-
@@ -2097,7 +2135,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
        properties:
          apiVersion:
            description: |-
@@ -2215,7 +2253,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
        properties:
          apiVersion:
            description: |-
@@ -2240,14 +2278,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
                items:
                  type: string
                type: array
@@ -2275,7 +2313,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
                items:
                  type: string
                type: array
@@ -2331,7 +2369,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -2429,7 +2467,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
        properties:
          apiVersion:
            description: |-
@@ -2675,7 +2713,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2686,13 +2724,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -2782,7 +2826,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -2793,13 +2837,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
@@ -2965,7 +3015,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -2976,13 +3026,19 @@ spec:
                                  type: boolean
                                maxAge:
                                  description: |-
-                                    MaxAge indicates the number of seconds until the cookie expires.
+                                    MaxAge defines the number of seconds until the cookie expires.
                                    When set to a negative number, the cookie expires immediately.
                                    When set to zero, the cookie never expires.
                                  type: integer
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                path:
                                  description: |-
                                    Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                                    When not provided the cookie will be sent on every request to the domain.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                                  type: string
                                sameSite:
                                  description: |-
                                    SameSite defines the same site policy.
@@ -3012,7 +3068,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -3023,13 +3079,19 @@ spec:
                            type: boolean
                          maxAge:
                            description: |-
-                              MaxAge indicates the number of seconds until the cookie expires.
+                              MaxAge defines the number of seconds until the cookie expires.
                              When set to a negative number, the cookie expires immediately.
                              When set to zero, the cookie never expires.
                            type: integer
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          path:
                            description: |-
                              Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
                              When not provided the cookie will be sent on every request to the domain.
                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
                            type: string
                          sameSite:
                            description: |-
                              SameSite defines the same site policy.
--- a/pkg/api/dashboard/dashboard.go
+++ b/pkg/api/dashboard/dashboard.go
@@ -1,36 +1,88 @@
 package dashboard
 import (
 	"fmt"
 	"io/fs"
 	"net/http"
 	"strings"
 	"text/template"
 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v3/webui"
 )
 type indexTemplateData struct {
 	APIUrl string
 }
 // Handler expose dashboard routes.
 type Handler struct {
 	BasePath string
 	assets fs.FS // optional assets, to override the webui.FS default
 }
 func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	assets := h.assets
 	if assets == nil {
 		assets = webui.FS
 	}
 	// allow iframes from traefik domains only
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
 	w.Header().Set("Content-Security-Policy", "frame-src 'self' https://traefik.io https://*.traefik.io;")
 	// The content type must be guessed by the file server.
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 	w.Header().Del("Content-Type")
 	if r.RequestURI == "/" {
 		indexTemplate, err := template.ParseFS(assets, "index.html")
 		if err != nil {
 			log.Error().Err(err).Msg("Unable to parse index template")
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
 		}
 		apiPath := strings.TrimSuffix(h.BasePath, "/") + "/api/"
 		if err = indexTemplate.Execute(w, indexTemplateData{APIUrl: apiPath}); err != nil {
 			log.Error().Err(err).Msg("Unable to render index template")
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
 		}
 		return
 	}
 	http.FileServerFS(assets).ServeHTTP(w, r)
 }
 // Append adds dashboard routes on the given router, optionally using the given
 // assets (or webui.FS otherwise).
-func Append(router *mux.Router, customAssets fs.FS) {
+func Append(router *mux.Router, basePath string, customAssets fs.FS) error {
 	assets := customAssets
 	if assets == nil {
 		assets = webui.FS
 	}
 	indexTemplate, err := template.ParseFS(assets, "index.html")
 	if err != nil {
 		return fmt.Errorf("parsing index template: %w", err)
 	}
 	dashboardPath := strings.TrimSuffix(basePath, "/") + "/dashboard/"
 	// Expose dashboard
 	router.Methods(http.MethodGet).
-		Path("/").
+		Path(basePath).
 		HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			prefix := strings.TrimSuffix(req.Header.Get("X-Forwarded-Prefix"), "/")
-			http.Redirect(resp, req, prefix+"/dashboard/", http.StatusFound)
+			http.Redirect(resp, req, prefix+dashboardPath, http.StatusFound)
 		})
 	router.Methods(http.MethodGet).
-		PathPrefix("/dashboard/").
+		Path(dashboardPath).
 		HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// allow iframes from our domains only
 			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
@@ -40,22 +92,26 @@ func Append(router *mux.Router, customAssets fs.FS) {
 			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 			w.Header().Del("Content-Type")
-			http.StripPrefix("/dashboard/", http.FileServerFS(assets)).ServeHTTP(w, r)
+			apiPath := strings.TrimSuffix(basePath, "/") + "/api/"
 			if err = indexTemplate.Execute(w, indexTemplateData{APIUrl: apiPath}); err != nil {
 				log.Error().Err(err).Msg("Unable to render index template")
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
 		})
-}
+
-
+	router.Methods(http.MethodGet).
-func (g Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+		PathPrefix(dashboardPath).
-	assets := g.assets
+		HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-	if assets == nil {
+			// allow iframes from traefik domains only
-		assets = webui.FS
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
-	}
+			w.Header().Set("Content-Security-Policy", "frame-src 'self' https://traefik.io https://*.traefik.io;")
-	// allow iframes from our domains only
+
-	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
+			// The content type must be guessed by the file server.
-	w.Header().Set("Content-Security-Policy", "frame-src 'self' https://traefik.io https://*.traefik.io;")
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
-
+			w.Header().Del("Content-Type")
-	// The content type must be guessed by the file server.
+
-	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+			http.StripPrefix(dashboardPath, http.FileServerFS(assets)).ServeHTTP(w, r)
-	w.Header().Del("Content-Type")
+		})
-
+	return nil
 	http.FileServerFS(assets).ServeHTTP(w, r)
 }
--- a/pkg/api/handler.go
+++ b/pkg/api/handler.go
@@ -78,38 +78,42 @@ func New(staticConfig static.Configuration, runtimeConfig *runtime.Configuration
 func (h Handler) createRouter() *mux.Router {
 	router := mux.NewRouter().UseEncodedPath()
 	apiRouter := router.PathPrefix(h.staticConfig.API.BasePath).Subrouter().UseEncodedPath()
 	if h.staticConfig.API.Debug {
-		DebugHandler{}.Append(router)
+		DebugHandler{}.Append(apiRouter)
 	}
-	router.Methods(http.MethodGet).Path("/api/rawdata").HandlerFunc(h.getRuntimeConfiguration)
+	apiRouter.Methods(http.MethodGet).Path("/api/rawdata").HandlerFunc(h.getRuntimeConfiguration)
 	// Experimental endpoint
-	router.Methods(http.MethodGet).Path("/api/overview").HandlerFunc(h.getOverview)
+	apiRouter.Methods(http.MethodGet).Path("/api/overview").HandlerFunc(h.getOverview)
-	router.Methods(http.MethodGet).Path("/api/entrypoints").HandlerFunc(h.getEntryPoints)
+	apiRouter.Methods(http.MethodGet).Path("/api/support-dump").HandlerFunc(h.getSupportDump)
 	router.Methods(http.MethodGet).Path("/api/entrypoints/{entryPointID}").HandlerFunc(h.getEntryPoint)
-	router.Methods(http.MethodGet).Path("/api/http/routers").HandlerFunc(h.getRouters)
+	apiRouter.Methods(http.MethodGet).Path("/api/entrypoints").HandlerFunc(h.getEntryPoints)
-	router.Methods(http.MethodGet).Path("/api/http/routers/{routerID}").HandlerFunc(h.getRouter)
+	apiRouter.Methods(http.MethodGet).Path("/api/entrypoints/{entryPointID}").HandlerFunc(h.getEntryPoint)
 	router.Methods(http.MethodGet).Path("/api/http/services").HandlerFunc(h.getServices)
 	router.Methods(http.MethodGet).Path("/api/http/services/{serviceID}").HandlerFunc(h.getService)
 	router.Methods(http.MethodGet).Path("/api/http/middlewares").HandlerFunc(h.getMiddlewares)
 	router.Methods(http.MethodGet).Path("/api/http/middlewares/{middlewareID}").HandlerFunc(h.getMiddleware)
-	router.Methods(http.MethodGet).Path("/api/tcp/routers").HandlerFunc(h.getTCPRouters)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/routers").HandlerFunc(h.getRouters)
-	router.Methods(http.MethodGet).Path("/api/tcp/routers/{routerID}").HandlerFunc(h.getTCPRouter)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/routers/{routerID}").HandlerFunc(h.getRouter)
-	router.Methods(http.MethodGet).Path("/api/tcp/services").HandlerFunc(h.getTCPServices)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/services").HandlerFunc(h.getServices)
-	router.Methods(http.MethodGet).Path("/api/tcp/services/{serviceID}").HandlerFunc(h.getTCPService)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/services/{serviceID}").HandlerFunc(h.getService)
-	router.Methods(http.MethodGet).Path("/api/tcp/middlewares").HandlerFunc(h.getTCPMiddlewares)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/middlewares").HandlerFunc(h.getMiddlewares)
-	router.Methods(http.MethodGet).Path("/api/tcp/middlewares/{middlewareID}").HandlerFunc(h.getTCPMiddleware)
+	apiRouter.Methods(http.MethodGet).Path("/api/http/middlewares/{middlewareID}").HandlerFunc(h.getMiddleware)
-	router.Methods(http.MethodGet).Path("/api/udp/routers").HandlerFunc(h.getUDPRouters)
+	apiRouter.Methods(http.MethodGet).Path("/api/tcp/routers").HandlerFunc(h.getTCPRouters)
-	router.Methods(http.MethodGet).Path("/api/udp/routers/{routerID}").HandlerFunc(h.getUDPRouter)
+	apiRouter.Methods(http.MethodGet).Path("/api/tcp/routers/{routerID}").HandlerFunc(h.getTCPRouter)
-	router.Methods(http.MethodGet).Path("/api/udp/services").HandlerFunc(h.getUDPServices)
+	apiRouter.Methods(http.MethodGet).Path("/api/tcp/services").HandlerFunc(h.getTCPServices)
-	router.Methods(http.MethodGet).Path("/api/udp/services/{serviceID}").HandlerFunc(h.getUDPService)
+	apiRouter.Methods(http.MethodGet).Path("/api/tcp/services/{serviceID}").HandlerFunc(h.getTCPService)
 	apiRouter.Methods(http.MethodGet).Path("/api/tcp/middlewares").HandlerFunc(h.getTCPMiddlewares)
 	apiRouter.Methods(http.MethodGet).Path("/api/tcp/middlewares/{middlewareID}").HandlerFunc(h.getTCPMiddleware)
-	version.Handler{}.Append(router)
+	apiRouter.Methods(http.MethodGet).Path("/api/udp/routers").HandlerFunc(h.getUDPRouters)
 	apiRouter.Methods(http.MethodGet).Path("/api/udp/routers/{routerID}").HandlerFunc(h.getUDPRouter)
 	apiRouter.Methods(http.MethodGet).Path("/api/udp/services").HandlerFunc(h.getUDPServices)
 	apiRouter.Methods(http.MethodGet).Path("/api/udp/services/{serviceID}").HandlerFunc(h.getUDPService)
 	version.Handler{}.Append(apiRouter)
 	return router
 }
--- a/pkg/api/handler_support_dump.go
+++ b/pkg/api/handler_support_dump.go
@@ -0,0 +1,96 @@
 package api
 import (
 	"archive/tar"
 	"compress/gzip"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v3/pkg/redactor"
 	"github.com/traefik/traefik/v3/pkg/version"
 )
 func (h Handler) getSupportDump(rw http.ResponseWriter, req *http.Request) {
 	logger := log.Ctx(req.Context())
 	staticConfig, err := redactor.Anonymize(h.staticConfig)
 	if err != nil {
 		logger.Error().Err(err).Msg("Unable to anonymize and marshal static configuration")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	runtimeConfig, err := json.Marshal(h.runtimeConfiguration)
 	if err != nil {
 		logger.Error().Err(err).Msg("Unable to marshal runtime configuration")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	tVersion, err := json.Marshal(struct {
 		Version   string    `json:"version"`
 		Codename  string    `json:"codename"`
 		StartDate time.Time `json:"startDate"`
 	}{
 		Version:   version.Version,
 		Codename:  version.Codename,
 		StartDate: version.StartDate,
 	})
 	if err != nil {
 		logger.Error().Err(err).Msg("Unable to marshal version")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	rw.Header().Set("Content-Type", "application/gzip")
 	rw.Header().Set("Content-Disposition", "attachment; filename=support-dump.tar.gz")
 	// Create gzip writer.
 	gw := gzip.NewWriter(rw)
 	defer gw.Close()
 	// Create tar writer.
 	tw := tar.NewWriter(gw)
 	defer tw.Close()
 	// Add configuration files to the archive.
 	if err := addFile(tw, "version.json", tVersion); err != nil {
 		logger.Error().Err(err).Msg("Unable to archive version file")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if err := addFile(tw, "static-config.json", []byte(staticConfig)); err != nil {
 		logger.Error().Err(err).Msg("Unable to archive static configuration")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if err := addFile(tw, "runtime-config.json", runtimeConfig); err != nil {
 		logger.Error().Err(err).Msg("Unable to archive runtime configuration")
 		writeError(rw, err.Error(), http.StatusInternalServerError)
 		return
 	}
 }
 func addFile(tw *tar.Writer, name string, content []byte) error {
 	header := &tar.Header{
 		Name:    name,
 		Mode:    0o600,
 		Size:    int64(len(content)),
 		ModTime: time.Now(),
 	}
 	if err := tw.WriteHeader(header); err != nil {
 		return fmt.Errorf("writing tar header: %w", err)
 	}
 	if _, err := tw.Write(content); err != nil {
 		return fmt.Errorf("writing tar content: %w", err)
 	}
 	return nil
 }
--- a/pkg/api/handler_support_dump_test.go
+++ b/pkg/api/handler_support_dump_test.go
@@ -0,0 +1,144 @@
 package api
 import (
 	"archive/tar"
 	"compress/gzip"
 	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/traefik/traefik/v3/pkg/config/dynamic"
 	"github.com/traefik/traefik/v3/pkg/config/runtime"
 	"github.com/traefik/traefik/v3/pkg/config/static"
 )
 func TestHandler_SupportDump(t *testing.T) {
 	testCases := []struct {
 		desc       string
 		path       string
 		confStatic static.Configuration
 		confDyn    runtime.Configuration
 		validate   func(t *testing.T, files map[string][]byte)
 	}{
 		{
 			desc:       "empty configurations",
 			path:       "/api/support-dump",
 			confStatic: static.Configuration{API: &static.API{}, Global: &static.Global{}},
 			confDyn:    runtime.Configuration{},
 			validate: func(t *testing.T, files map[string][]byte) {
 				t.Helper()
 				require.Contains(t, files, "static-config.json")
 				require.Contains(t, files, "runtime-config.json")
 				require.Contains(t, files, "version.json")
 				// Verify version.json contains version information
 				assert.Contains(t, string(files["version.json"]), `"version":"dev"`)
 				assert.JSONEq(t, `{"global":{},"api":{}}`, string(files["static-config.json"]))
 				assert.Equal(t, `{}`, string(files["runtime-config.json"]))
 			},
 		},
 		{
 			desc: "with configuration data",
 			path: "/api/support-dump",
 			confStatic: static.Configuration{
 				API:    &static.API{},
 				Global: &static.Global{},
 				EntryPoints: map[string]*static.EntryPoint{
 					"web": {Address: ":80"},
 				},
 			},
 			confDyn: runtime.Configuration{
 				Services: map[string]*runtime.ServiceInfo{
 					"test-service": {
 						Service: &dynamic.Service{
 							LoadBalancer: &dynamic.ServersLoadBalancer{
 								Servers: []dynamic.Server{{URL: "http://127.0.0.1:8080"}},
 							},
 						},
 						Status: runtime.StatusEnabled,
 					},
 				},
 			},
 			validate: func(t *testing.T, files map[string][]byte) {
 				t.Helper()
 				require.Contains(t, files, "static-config.json")
 				require.Contains(t, files, "runtime-config.json")
 				require.Contains(t, files, "version.json")
 				// Verify version.json contains version information
 				assert.Contains(t, string(files["version.json"]), `"version":"dev"`)
 				// Verify static config contains entry points
 				assert.Contains(t, string(files["static-config.json"]), `"entryPoints":{"web":{"address":"xxxx","http":{}}}`)
 				// Verify runtime config contains services
 				assert.Contains(t, string(files["runtime-config.json"]), `"services":`)
 				assert.Contains(t, string(files["runtime-config.json"]), `"test-service"`)
 			},
 		},
 	}
 	for _, test := range testCases {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			handler := New(test.confStatic, &test.confDyn)
 			server := httptest.NewServer(handler.createRouter())
 			resp, err := http.DefaultClient.Get(server.URL + test.path)
 			require.NoError(t, err)
 			assert.Equal(t, http.StatusOK, resp.StatusCode)
 			assert.Equal(t, "application/gzip", resp.Header.Get("Content-Type"))
 			assert.Equal(t, `attachment; filename=support-dump.tar.gz`, resp.Header.Get("Content-Disposition"))
 			// Extract and validate the tar.gz contents.
 			files, err := extractTarGz(resp.Body)
 			require.NoError(t, err)
 			test.validate(t, files)
 		})
 	}
 }
 // extractTarGz reads a tar.gz archive and returns a map of filename to contents
 func extractTarGz(r io.Reader) (map[string][]byte, error) {
 	files := make(map[string][]byte)
 	gzr, err := gzip.NewReader(r)
 	if err != nil {
 		return nil, err
 	}
 	defer gzr.Close()
 	tr := tar.NewReader(gzr)
 	for {
 		header, err := tr.Next()
 		if errors.Is(err, io.EOF) {
 			break
 		}
 		if err != nil {
 			return nil, err
 		}
 		if header.Typeflag != tar.TypeReg {
 			continue
 		}
 		contents, err := io.ReadAll(tr)
 		if err != nil {
 			return nil, err
 		}
 		files[header.Name] = contents
 	}
 	return files, nil
 }
--- a/pkg/cli/deprecation.go
+++ b/pkg/cli/deprecation.go
@@ -194,7 +194,7 @@ func (c *configuration) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Pilot != nil {
 		incompatible = true
 		logger.Error().Msg("Pilot configuration has been removed in v3, please remove all Pilot-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#pilot")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#pilot")
 	}
 	incompatibleExperimental := c.Experimental.deprecationNotice(logger)
@@ -227,13 +227,13 @@ func (p *providers) deprecationNotice(logger zerolog.Logger) bool {
 	if p.Marathon != nil {
 		incompatible = true
 		logger.Error().Msg("Marathon provider has been removed in v3, please remove all Marathon-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#marathon-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#marathon-provider")
 	}
 	if p.Rancher != nil {
 		incompatible = true
 		logger.Error().Msg("Rancher provider has been removed in v3, please remove all Rancher-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#rancher-v1-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#rancher-v1-provider")
 	}
 	dockerIncompatible := p.Docker.deprecationNotice(logger)
@@ -275,14 +275,14 @@ func (d *docker) deprecationNotice(logger zerolog.Logger) bool {
 	if d.SwarmMode != nil {
 		incompatible = true
 		logger.Error().Msg("Docker provider `swarmMode` option has been removed in v3, please use the Swarm Provider instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#docker-docker-swarm")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#docker-docker-swarm")
 	}
 	if d.TLS != nil && d.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tlscaoptional")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional")
 	}
 	return incompatible
@@ -323,7 +323,7 @@ func (e *etcd) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tlscaoptional_3")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_3")
 	}
 	return incompatible
@@ -344,7 +344,7 @@ func (r *redis) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tlscaoptional_4")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_4")
 	}
 	return incompatible
@@ -365,14 +365,14 @@ func (c *consul) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("Consul provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#consul-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#consul-provider")
 	}
 	if c.TLS != nil && c.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tlscaoptional_1")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_1")
 	}
 	return incompatible
@@ -397,14 +397,14 @@ func (c *consulCatalog) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("ConsulCatalog provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#consulcatalog-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#consulcatalog-provider")
 	}
 	if c.Endpoint != nil && c.Endpoint.TLS != nil && c.Endpoint.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("ConsulCatalog provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#endpointtlscaoptional")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#endpointtlscaoptional")
 	}
 	return incompatible
@@ -425,14 +425,14 @@ func (n *nomad) deprecationNotice(logger zerolog.Logger) bool {
 	if n.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("Nomad provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#nomad-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#nomad-provider")
 	}
 	if n.Endpoint != nil && n.Endpoint.TLS != nil && n.Endpoint.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Nomad provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#endpointtlscaoptional_1")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#endpointtlscaoptional_1")
 	}
 	return incompatible
@@ -453,7 +453,7 @@ func (h *http) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tlscaoptional_2")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_2")
 	}
 	return incompatible
@@ -471,7 +471,7 @@ func (i *ingress) deprecationNotice(logger zerolog.Logger) {
 	if i.DisableIngressClassLookup != nil {
 		logger.Error().Msg("Kubernetes Ingress provider `disableIngressClassLookup` option has been deprecated in v3.1, and will be removed in the next major version." +
 			"Please use the `disableClusterScopeResources` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v3/#ingressclasslookup")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#ingressclasslookup")
 	}
 }
@@ -488,7 +488,7 @@ func (e *experimental) deprecationNotice(logger zerolog.Logger) bool {
 	if e.HTTP3 != nil {
 		logger.Error().Msg("HTTP3 is not an experimental feature in v3 and the associated enablement has been removed." +
 			"Please remove its usage from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3-details/#http3")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3-details/#http3")
 		return true
 	}
@@ -496,20 +496,23 @@ func (e *experimental) deprecationNotice(logger zerolog.Logger) bool {
 	if e.KubernetesGateway != nil {
 		logger.Error().Msg("KubernetesGateway provider is not an experimental feature starting with v3.1." +
 			"Please remove its usage from the static configuration." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v3/#gateway-api-kubernetesgateway-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#gateway-api-kubernetesgateway-provider")
 	}
 	return false
 }
 //
 type tracing struct {
-	SpanNameLimit *int           `json:"spanNameLimit,omitempty" toml:"spanNameLimit,omitempty" yaml:"spanNameLimit,omitempty"`
+	SpanNameLimit    *int              `json:"spanNameLimit,omitempty" toml:"spanNameLimit,omitempty" yaml:"spanNameLimit,omitempty"`
-	Jaeger        map[string]any `json:"jaeger,omitempty" toml:"jaeger,omitempty" yaml:"jaeger,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	GlobalAttributes map[string]string `json:"globalAttributes,omitempty" toml:"globalAttributes,omitempty" yaml:"globalAttributes,omitempty" export:"true"`
-	Zipkin        map[string]any `json:"zipkin,omitempty" toml:"zipkin,omitempty" yaml:"zipkin,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	Jaeger           map[string]any    `json:"jaeger,omitempty" toml:"jaeger,omitempty" yaml:"jaeger,omitempty" label:"allowEmpty" file:"allowEmpty"`
-	Datadog       map[string]any `json:"datadog,omitempty" toml:"datadog,omitempty" yaml:"datadog,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	Zipkin           map[string]any    `json:"zipkin,omitempty" toml:"zipkin,omitempty" yaml:"zipkin,omitempty" label:"allowEmpty" file:"allowEmpty"`
-	Instana       map[string]any `json:"instana,omitempty" toml:"instana,omitempty" yaml:"instana,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	Datadog          map[string]any    `json:"datadog,omitempty" toml:"datadog,omitempty" yaml:"datadog,omitempty" label:"allowEmpty" file:"allowEmpty"`
-	Haystack      map[string]any `json:"haystack,omitempty" toml:"haystack,omitempty" yaml:"haystack,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	Instana          map[string]any    `json:"instana,omitempty" toml:"instana,omitempty" yaml:"instana,omitempty" label:"allowEmpty" file:"allowEmpty"`
-	Elastic       map[string]any `json:"elastic,omitempty" toml:"elastic,omitempty" yaml:"elastic,omitempty" label:"allowEmpty" file:"allowEmpty"`
+	Haystack         map[string]any    `json:"haystack,omitempty" toml:"haystack,omitempty" yaml:"haystack,omitempty" label:"allowEmpty" file:"allowEmpty"`
 	Elastic          map[string]any    `json:"elastic,omitempty" toml:"elastic,omitempty" yaml:"elastic,omitempty" label:"allowEmpty" file:"allowEmpty"`
 }
 func (t *tracing) deprecationNotice(logger zerolog.Logger) bool {
@@ -520,49 +523,57 @@ func (t *tracing) deprecationNotice(logger zerolog.Logger) bool {
 	if t.SpanNameLimit != nil {
 		incompatible = true
 		logger.Error().Msg("SpanNameLimit option for Tracing has been removed in v3, as Span names are now of a fixed length." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.GlobalAttributes != nil {
 		log.Warn().Msgf("tracing.globalAttributes option is now deprecated, please use tracing.resourceAttributes instead.")
 		logger.Error().Msg("`tracing.globalAttributes` option has been deprecated in v3.3, and will be removed in the next major version." +
 			"Please use the `tracing.resourceAttributes` option instead." +
 			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#tracing-global-attributes")
 	}
 	if t.Jaeger != nil {
 		incompatible = true
 		logger.Error().Msg("Jaeger Tracing backend has been removed in v3, please remove all Jaeger-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.Zipkin != nil {
 		incompatible = true
 		logger.Error().Msg("Zipkin Tracing backend has been removed in v3, please remove all Zipkin-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.Datadog != nil {
 		incompatible = true
 		logger.Error().Msg("Datadog Tracing backend has been removed in v3, please remove all Datadog-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.Instana != nil {
 		incompatible = true
 		logger.Error().Msg("Instana Tracing backend has been removed in v3, please remove all Instana-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.Haystack != nil {
 		incompatible = true
 		logger.Error().Msg("Haystack Tracing backend has been removed in v3, please remove all Haystack-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	if t.Elastic != nil {
 		incompatible = true
 		logger.Error().Msg("Elastic Tracing backend has been removed in v3, please remove all Elastic-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.2/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
 	}
 	return incompatible
--- a/pkg/config/dynamic/http_config.go
+++ b/pkg/config/dynamic/http_config.go
@@ -21,6 +21,11 @@ const (
 	// DefaultFlushInterval is the default value for the ResponseForwarding flush interval.
 	DefaultFlushInterval = ptypes.Duration(100 * time.Millisecond)
 	// MirroringDefaultMirrorBody is the Mirroring.MirrorBody option default value.
 	MirroringDefaultMirrorBody = true
 	// MirroringDefaultMaxBodySize is the Mirroring.MaxBodySize option default value.
 	MirroringDefaultMaxBodySize int64 = -1
 )
 // +k8s:deepcopy-gen=true
@@ -36,11 +41,12 @@ type HTTPConfiguration struct {
 // +k8s:deepcopy-gen=true
-// Model is a set of default router's values.
+// Model holds model configuration.
 type Model struct {
-	Middlewares       []string         `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	Middlewares       []string                  `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	TLS               *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
+	TLS               *RouterTLSConfig          `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
-	DefaultRuleSyntax string           `json:"-" toml:"-" yaml:"-" label:"-" file:"-" kv:"-" export:"true"`
+	Observability     RouterObservabilityConfig `json:"observability,omitempty" toml:"observability,omitempty" yaml:"observability,omitempty" export:"true"`
 	DefaultRuleSyntax string                    `json:"-" toml:"-" yaml:"-" label:"-" file:"-" kv:"-" export:"true"`
 }
 // +k8s:deepcopy-gen=true
@@ -57,14 +63,15 @@ type Service struct {
 // Router holds the router configuration.
 type Router struct {
-	EntryPoints []string         `json:"entryPoints,omitempty" toml:"entryPoints,omitempty" yaml:"entryPoints,omitempty" export:"true"`
+	EntryPoints   []string                   `json:"entryPoints,omitempty" toml:"entryPoints,omitempty" yaml:"entryPoints,omitempty" export:"true"`
-	Middlewares []string         `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
+	Middlewares   []string                   `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
-	Service     string           `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
+	Service       string                     `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
-	Rule        string           `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
+	Rule          string                     `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
-	RuleSyntax  string           `json:"ruleSyntax,omitempty" toml:"ruleSyntax,omitempty" yaml:"ruleSyntax,omitempty" export:"true"`
+	RuleSyntax    string                     `json:"ruleSyntax,omitempty" toml:"ruleSyntax,omitempty" yaml:"ruleSyntax,omitempty" export:"true"`
-	Priority    int              `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
+	Priority      int                        `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
-	TLS         *RouterTLSConfig `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
+	TLS           *RouterTLSConfig           `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
-	DefaultRule bool             `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
+	Observability *RouterObservabilityConfig `json:"observability,omitempty" toml:"observability,omitempty" yaml:"observability,omitempty" export:"true"`
 	DefaultRule   bool                       `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
 }
 // +k8s:deepcopy-gen=true
@@ -78,6 +85,15 @@ type RouterTLSConfig struct {
 // +k8s:deepcopy-gen=true
 // RouterObservabilityConfig holds the observability configuration for a router.
 type RouterObservabilityConfig struct {
 	AccessLogs *bool `json:"accessLogs,omitempty" toml:"accessLogs,omitempty" yaml:"accessLogs,omitempty" export:"true"`
 	Tracing    *bool `json:"tracing,omitempty" toml:"tracing,omitempty" yaml:"tracing,omitempty" export:"true"`
 	Metrics    *bool `json:"metrics,omitempty" toml:"metrics,omitempty" yaml:"metrics,omitempty" export:"true"`
 }
 // +k8s:deepcopy-gen=true
 // Mirroring holds the Mirroring configuration.
 type Mirroring struct {
 	Service     string          `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
@@ -89,9 +105,9 @@ type Mirroring struct {
 // SetDefaults Default values for a WRRService.
 func (m *Mirroring) SetDefaults() {
-	defaultMirrorBody := true
+	defaultMirrorBody := MirroringDefaultMirrorBody
 	m.MirrorBody = &defaultMirrorBody
-	var defaultMaxBodySize int64 = -1
+	defaultMaxBodySize := MirroringDefaultMaxBodySize
 	m.MaxBodySize = &defaultMaxBodySize
 }
@@ -175,10 +191,20 @@ type Cookie struct {
 	// SameSite defines the same site policy.
 	// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
 	SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"`
-	// MaxAge indicates the number of seconds until the cookie expires.
+	// MaxAge defines the number of seconds until the cookie expires.
 	// When set to a negative number, the cookie expires immediately.
 	// When set to zero, the cookie never expires.
 	MaxAge int `json:"maxAge,omitempty" toml:"maxAge,omitempty" yaml:"maxAge,omitempty" export:"true"`
 	// Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
 	// When not provided the cookie will be sent on every request to the domain.
 	// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
 	Path *string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"`
 }
 // SetDefaults set the default values for a Cookie.
 func (c *Cookie) SetDefaults() {
 	defaultPath := "/"
 	c.Path = &defaultPath
 }
 // +k8s:deepcopy-gen=true
@@ -247,6 +273,7 @@ type Server struct {
 	URL          string `json:"url,omitempty" toml:"url,omitempty" yaml:"url,omitempty" label:"-"`
 	Weight       *int   `json:"weight,omitempty" toml:"weight,omitempty" yaml:"weight,omitempty" label:"weight" export:"true"`
 	PreservePath bool   `json:"preservePath,omitempty" toml:"preservePath,omitempty" yaml:"preservePath,omitempty" label:"-" export:"true"`
 	Fenced       bool   `json:"fenced,omitempty" toml:"-" yaml:"-" label:"-" file:"-" kv:"-"`
 	Scheme       string `json:"-" toml:"-" yaml:"-" file:"-"`
 	Port         string `json:"-" toml:"-" yaml:"-" file:"-"`
 }
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
@@ -9,6 +9,9 @@ import (
 	"github.com/traefik/traefik/v3/pkg/ip"
 )
 // ForwardAuthDefaultMaxBodySize is the ForwardAuth.MaxBodySize option default value.
 const ForwardAuthDefaultMaxBodySize int64 = -1
 // +k8s:deepcopy-gen=true
 // Middleware holds the Middleware configuration.
@@ -73,7 +76,7 @@ type ContentType struct {
 // AddPrefix holds the add prefix middleware configuration.
 // This middleware updates the path of a request before forwarding it.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
 type AddPrefix struct {
 	// Prefix is the string to add before the current path in the requested URL.
 	// It should include a leading slash (/).
@@ -84,7 +87,7 @@ type AddPrefix struct {
 // BasicAuth holds the basic auth middleware configuration.
 // This middleware restricts access to your services to known users.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
 type BasicAuth struct {
 	// Users is an array of authorized users.
 	// Each user must be declared using the name:hashed-password format.
@@ -99,7 +102,7 @@ type BasicAuth struct {
 	// Default: false.
 	RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
 	// HeaderField defines a header field to store the authenticated user.
-	// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+	// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
 	HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
 }
@@ -107,7 +110,7 @@ type BasicAuth struct {
 // Buffering holds the buffering middleware configuration.
 // This middleware retries or limits the size of requests that can be forwarded to backends.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytes
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
 type Buffering struct {
 	// MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
 	// If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
@@ -125,7 +128,7 @@ type Buffering struct {
 	MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
 	// RetryExpression defines the retry conditions.
 	// It is a logical combination of functions with operators AND (&&) and OR (||).
-	// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpression
+	// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
 	RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
 }
@@ -142,7 +145,7 @@ type Chain struct {
 // CircuitBreaker holds the circuit breaker middleware configuration.
 // This middleware protects the system from stacking requests to unhealthy services, resulting in cascading failures.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/circuitbreaker/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/circuitbreaker/
 type CircuitBreaker struct {
 	// Expression defines the expression that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling the services.
 	Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"`
@@ -191,7 +194,7 @@ func (c *Compress) SetDefaults() {
 // DigestAuth holds the digest auth middleware configuration.
 // This middleware restricts access to your services to known users.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
 type DigestAuth struct {
 	// Users defines the authorized users.
 	// Each user should be declared using the name:realm:encoded-password format.
@@ -204,7 +207,7 @@ type DigestAuth struct {
 	// Default: traefik.
 	Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
 	// HeaderField defines a header field to store the authenticated user.
-	// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfield
+	// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
 	HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
 }
@@ -230,7 +233,7 @@ type ErrorPage struct {
 // ForwardAuth holds the forward auth middleware configuration.
 // This middleware delegates the request authentication to a Service.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
 type ForwardAuth struct {
 	// Address defines the authentication server address.
 	Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
@@ -241,7 +244,7 @@ type ForwardAuth struct {
 	// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
 	AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"`
 	// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-	// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregex
+	// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
 	AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"`
 	// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
 	// If not set or empty then all request headers are passed.
@@ -251,6 +254,17 @@ type ForwardAuth struct {
 	// HeaderField defines a header field to store the authenticated user.
 	// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#headerfield
 	HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
 	// ForwardBody defines whether to send the request body to the authentication server.
 	ForwardBody bool `json:"forwardBody,omitempty" toml:"forwardBody,omitempty" yaml:"forwardBody,omitempty" export:"true"`
 	// MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server.
 	MaxBodySize *int64 `json:"maxBodySize,omitempty" toml:"maxBodySize,omitempty" yaml:"maxBodySize,omitempty" export:"true"`
 	// PreserveLocationHeader defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.
 	PreserveLocationHeader bool `json:"preserveLocationHeader,omitempty" toml:"preserveLocationHeader,omitempty" yaml:"preserveLocationHeader,omitempty" export:"true"`
 }
 func (f *ForwardAuth) SetDefaults() {
 	defaultMaxBodySize := ForwardAuthDefaultMaxBodySize
 	f.MaxBodySize = &defaultMaxBodySize
 }
 // +k8s:deepcopy-gen=true
@@ -271,7 +285,7 @@ type ClientTLS struct {
 // Headers holds the headers middleware configuration.
 // This middleware manages the requests and responses headers.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheaders
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
 type Headers struct {
 	// CustomRequestHeaders defines the header names and values to apply to the request.
 	CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"`
@@ -400,7 +414,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 // +k8s:deepcopy-gen=true
 // IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategy
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
 type IPStrategy struct {
 	// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
 	Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
@@ -454,7 +468,7 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
 // IPWhiteList holds the IP whitelist middleware configuration.
 // This middleware limits allowed requests based on the client IP.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipwhitelist/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipwhitelist/
 // Deprecated: please use IPAllowList instead.
 type IPWhiteList struct {
 	// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation). Required.
@@ -466,7 +480,7 @@ type IPWhiteList struct {
 // IPAllowList holds the IP allowlist middleware configuration.
 // This middleware limits allowed requests based on the client IP.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
 type IPAllowList struct {
 	// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
 	SourceRange []string    `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
@@ -480,7 +494,7 @@ type IPAllowList struct {
 // InFlightReq holds the in-flight request middleware configuration.
 // This middleware limits the number of requests being processed and served concurrently.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
 type InFlightReq struct {
 	// Amount defines the maximum amount of allowed simultaneous in-flight request.
 	// The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
@@ -488,7 +502,7 @@ type InFlightReq struct {
 	// SourceCriterion defines what criterion is used to group requests as originating from a common source.
 	// If several strategies are defined at the same time, an error will be raised.
 	// If none are set, the default is to use the requestHost.
-	// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterion
+	// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
 	SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
 }
@@ -496,7 +510,7 @@ type InFlightReq struct {
 // PassTLSClientCert holds the pass TLS client cert middleware configuration.
 // This middleware adds the selected data from the passed client TLS certificate to a header.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
 type PassTLSClientCert struct {
 	// PEM sets the X-Forwarded-Tls-Client-Cert header with the certificate.
 	PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"`
@@ -552,7 +566,7 @@ func (r *RateLimit) SetDefaults() {
 // RedirectRegex holds the redirect regex middleware configuration.
 // This middleware redirects a request using regex matching and replacement.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regex
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
 type RedirectRegex struct {
 	// Regex defines the regex used to match and capture elements from the request URL.
 	Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"`
@@ -566,7 +580,7 @@ type RedirectRegex struct {
 // RedirectScheme holds the redirect scheme middleware configuration.
 // This middleware redirects requests from a scheme/port to another.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
 type RedirectScheme struct {
 	// Scheme defines the scheme of the new URL.
 	Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
@@ -580,7 +594,7 @@ type RedirectScheme struct {
 // ReplacePath holds the replace path middleware configuration.
 // This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
 type ReplacePath struct {
 	// Path defines the path to use as replacement in the request URL.
 	Path string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"`
@@ -590,7 +604,7 @@ type ReplacePath struct {
 // ReplacePathRegex holds the replace path regex middleware configuration.
 // This middleware replaces the path of a URL using regex matching and replacement.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
 type ReplacePathRegex struct {
 	// Regex defines the regular expression used to match and capture the path from the request URL.
 	Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
@@ -603,7 +617,7 @@ type ReplacePathRegex struct {
 // Retry holds the retry middleware configuration.
 // This middleware reissues requests a given number of times to a backend server if that server does not reply.
 // As soon as the server answers, the middleware stops retrying, regardless of the response status.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
 type Retry struct {
 	// Attempts defines how many times the request should be retried.
 	Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"`
@@ -619,7 +633,7 @@ type Retry struct {
 // StripPrefix holds the strip prefix middleware configuration.
 // This middleware removes the specified prefixes from the URL path.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
 type StripPrefix struct {
 	// Prefixes defines the prefixes to strip from the request URL.
 	Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
@@ -634,7 +648,7 @@ type StripPrefix struct {
 // StripPrefixRegex holds the strip prefix regex middleware configuration.
 // This middleware removes the matching prefixes from the URL path.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
 type StripPrefixRegex struct {
 	// Regex defines the regular expression to match the path prefix from the request URL.
 	Regex []string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
--- a/pkg/config/dynamic/tcp_config.go
+++ b/pkg/config/dynamic/tcp_config.go
@@ -125,7 +125,7 @@ type TCPServer struct {
 // +k8s:deepcopy-gen=true
 // ProxyProtocol holds the PROXY Protocol configuration.
-// More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocol
+// More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
 type ProxyProtocol struct {
 	// Version defines the PROXY Protocol version to use.
 	Version int `json:"version,omitempty" toml:"version,omitempty" yaml:"version,omitempty" export:"true"`
--- a/pkg/config/dynamic/tcp_middlewares.go
+++ b/pkg/config/dynamic/tcp_middlewares.go
@@ -15,7 +15,7 @@ type TCPMiddleware struct {
 // TCPInFlightConn holds the TCP InFlightConn middleware configuration.
 // This middleware prevents services from being overwhelmed with high load,
 // by limiting the number of allowed simultaneous connections for one IP.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/inflightconn/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/inflightconn/
 type TCPInFlightConn struct {
 	// Amount defines the maximum amount of allowed simultaneous connections.
 	// The middleware closes the connection if there are already amount connections opened.
@@ -35,7 +35,7 @@ type TCPIPWhiteList struct {
 // TCPIPAllowList holds the TCP IPAllowList middleware configuration.
 // This middleware limits allowed requests based on the client IP.
-// More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/
+// More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
 type TCPIPAllowList struct {
 	// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
 	SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
--- a/pkg/config/dynamic/zz_generated.deepcopy.go
+++ b/pkg/config/dynamic/zz_generated.deepcopy.go
@@ -266,6 +266,11 @@ func (in *ContentType) DeepCopy() *ContentType {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Cookie) DeepCopyInto(out *Cookie) {
 	*out = *in
 	if in.Path != nil {
 		in, out := &in.Path, &out.Path
 		*out = new(string)
 		**out = **in
 	}
 	return
 }
@@ -365,6 +370,11 @@ func (in *ForwardAuth) DeepCopyInto(out *ForwardAuth) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	if in.MaxBodySize != nil {
 		in, out := &in.MaxBodySize, &out.MaxBodySize
 		*out = new(int64)
 		**out = **in
 	}
 	return
 }
@@ -1018,6 +1028,7 @@ func (in *Model) DeepCopyInto(out *Model) {
 		*out = new(RouterTLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	in.Observability.DeepCopyInto(&out.Observability)
 	return
 }
@@ -1244,6 +1255,11 @@ func (in *Router) DeepCopyInto(out *Router) {
 		*out = new(RouterTLSConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Observability != nil {
 		in, out := &in.Observability, &out.Observability
 		*out = new(RouterObservabilityConfig)
 		(*in).DeepCopyInto(*out)
 	}
 	return
 }
@@ -1257,6 +1273,37 @@ func (in *Router) DeepCopy() *Router {
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouterObservabilityConfig) DeepCopyInto(out *RouterObservabilityConfig) {
 	*out = *in
 	if in.AccessLogs != nil {
 		in, out := &in.AccessLogs, &out.AccessLogs
 		*out = new(bool)
 		**out = **in
 	}
 	if in.Tracing != nil {
 		in, out := &in.Tracing, &out.Tracing
 		*out = new(bool)
 		**out = **in
 	}
 	if in.Metrics != nil {
 		in, out := &in.Metrics, &out.Metrics
 		*out = new(bool)
 		**out = **in
 	}
 	return
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouterObservabilityConfig.
 func (in *RouterObservabilityConfig) DeepCopy() *RouterObservabilityConfig {
 	if in == nil {
 		return nil
 	}
 	out := new(RouterObservabilityConfig)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouterTCPTLSConfig) DeepCopyInto(out *RouterTCPTLSConfig) {
 	*out = *in
@@ -1515,7 +1562,7 @@ func (in *Sticky) DeepCopyInto(out *Sticky) {
 	if in.Cookie != nil {
 		in, out := &in.Cookie, &out.Cookie
 		*out = new(Cookie)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }
--- a/pkg/config/label/label_test.go
+++ b/pkg/config/label/label_test.go
@@ -51,6 +51,8 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify":                  "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.key":                                 "foobar",
 		"traefik.http.middlewares.Middleware7.forwardauth.trustforwardheader":                      "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.forwardbody":                             "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.maxbodysize":                             "42",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolallowcredentials":               "true",
 		"traefik.http.middlewares.Middleware8.headers.allowedhosts":                                "foobar, fiibar",
 		"traefik.http.middlewares.Middleware8.headers.accesscontrolallowheaders":                   "X-foobar, X-fiibar",
@@ -173,6 +175,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.services.Service0.loadbalancer.server.port":                      "8080",
 		"traefik.http.services.Service0.loadbalancer.sticky.cookie.name":               "foobar",
 		"traefik.http.services.Service0.loadbalancer.sticky.cookie.secure":             "true",
 		"traefik.http.services.Service0.loadbalancer.sticky.cookie.path":               "/foobar",
 		"traefik.http.services.Service0.loadbalancer.serversTransport":                 "foobar",
 		"traefik.http.services.Service1.loadbalancer.healthcheck.headers.name0":        "foobar",
 		"traefik.http.services.Service1.loadbalancer.healthcheck.headers.name1":        "foobar",
@@ -571,6 +574,8 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						ForwardBody: true,
 						MaxBodySize: pointer(int64(42)),
 					},
 				},
 				"Middleware8": {
@@ -673,6 +678,7 @@ func TestDecodeConfiguration(t *testing.T) {
 								Name:     "foobar",
 								Secure:   true,
 								HTTPOnly: false,
 								Path:     func(v string) *string { return &v }("/foobar"),
 							},
 						},
 						Servers: []dynamic.Server{
@@ -878,6 +884,11 @@ func TestEncodeConfiguration(t *testing.T) {
 					Rule:     "foobar",
 					Priority: 42,
 					TLS:      &dynamic.RouterTLSConfig{},
 					Observability: &dynamic.RouterObservabilityConfig{
 						AccessLogs: pointer(true),
 						Tracing:    pointer(true),
 						Metrics:    pointer(true),
 					},
 				},
 				"Router1": {
 					EntryPoints: []string{
@@ -891,6 +902,11 @@ func TestEncodeConfiguration(t *testing.T) {
 					Service:  "foobar",
 					Rule:     "foobar",
 					Priority: 42,
 					Observability: &dynamic.RouterObservabilityConfig{
 						AccessLogs: pointer(true),
 						Tracing:    pointer(true),
 						Metrics:    pointer(true),
 					},
 				},
 			},
 			Middlewares: map[string]*dynamic.Middleware{
@@ -1102,6 +1118,8 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						ForwardBody: true,
 						MaxBodySize: pointer(int64(42)),
 					},
 				},
 				"Middleware8": {
@@ -1195,6 +1213,7 @@ func TestEncodeConfiguration(t *testing.T) {
 							Cookie: &dynamic.Cookie{
 								Name:     "foobar",
 								HTTPOnly: true,
 								Path:     func(v string) *string { return &v }("/foobar"),
 							},
 						},
 						Servers: []dynamic.Server{
@@ -1302,12 +1321,15 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.Address":                                 "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders":                     "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthRequestHeaders":                      "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.ForwardBody":                             "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.MaxBodySize":                             "42",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA":                                  "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional":                          "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert":                                "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify":                  "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key":                                 "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TrustForwardHeader":                      "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.PreserveLocationHeader":                  "false",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowCredentials":               "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowHeaders":                   "X-foobar, X-fiibar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.AccessControlAllowMethods":                   "GET, PUT",
@@ -1402,17 +1424,23 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware20.Plugin.tomato.aaa":                                  "foo1",
 		"traefik.HTTP.Middlewares.Middleware20.Plugin.tomato.bbb":                                  "foo2",
-		"traefik.HTTP.Routers.Router0.EntryPoints": "foobar, fiibar",
+		"traefik.HTTP.Routers.Router0.EntryPoints":              "foobar, fiibar",
-		"traefik.HTTP.Routers.Router0.Middlewares": "foobar, fiibar",
+		"traefik.HTTP.Routers.Router0.Middlewares":              "foobar, fiibar",
-		"traefik.HTTP.Routers.Router0.Priority":    "42",
+		"traefik.HTTP.Routers.Router0.Priority":                 "42",
-		"traefik.HTTP.Routers.Router0.Rule":        "foobar",
+		"traefik.HTTP.Routers.Router0.Rule":                     "foobar",
-		"traefik.HTTP.Routers.Router0.Service":     "foobar",
+		"traefik.HTTP.Routers.Router0.Service":                  "foobar",
-		"traefik.HTTP.Routers.Router0.TLS":         "true",
+		"traefik.HTTP.Routers.Router0.TLS":                      "true",
-		"traefik.HTTP.Routers.Router1.EntryPoints": "foobar, fiibar",
+		"traefik.HTTP.Routers.Router0.Observability.AccessLogs": "true",
-		"traefik.HTTP.Routers.Router1.Middlewares": "foobar, fiibar",
+		"traefik.HTTP.Routers.Router0.Observability.Tracing":    "true",
-		"traefik.HTTP.Routers.Router1.Priority":    "42",
+		"traefik.HTTP.Routers.Router0.Observability.Metrics":    "true",
-		"traefik.HTTP.Routers.Router1.Rule":        "foobar",
+		"traefik.HTTP.Routers.Router1.EntryPoints":              "foobar, fiibar",
-		"traefik.HTTP.Routers.Router1.Service":     "foobar",
+		"traefik.HTTP.Routers.Router1.Middlewares":              "foobar, fiibar",
 		"traefik.HTTP.Routers.Router1.Priority":                 "42",
 		"traefik.HTTP.Routers.Router1.Rule":                     "foobar",
 		"traefik.HTTP.Routers.Router1.Service":                  "foobar",
 		"traefik.HTTP.Routers.Router1.Observability.AccessLogs": "true",
 		"traefik.HTTP.Routers.Router1.Observability.Tracing":    "true",
 		"traefik.HTTP.Routers.Router1.Observability.Metrics":    "true",
 		"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name0":        "foobar",
 		"traefik.HTTP.Services.Service0.LoadBalancer.HealthCheck.Headers.name1":        "foobar",
@@ -1432,6 +1460,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Services.Service0.LoadBalancer.Sticky.Cookie.HTTPOnly":           "true",
 		"traefik.HTTP.Services.Service0.LoadBalancer.Sticky.Cookie.Secure":             "false",
 		"traefik.HTTP.Services.Service0.LoadBalancer.Sticky.Cookie.MaxAge":             "0",
 		"traefik.HTTP.Services.Service0.LoadBalancer.Sticky.Cookie.Path":               "/foobar",
 		"traefik.HTTP.Services.Service0.LoadBalancer.ServersTransport":                 "foobar",
 		"traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name0":        "foobar",
 		"traefik.HTTP.Services.Service1.LoadBalancer.HealthCheck.Headers.name1":        "foobar",
--- a/pkg/config/static/entrypoints.go
+++ b/pkg/config/static/entrypoints.go
@@ -23,6 +23,7 @@ type EntryPoint struct {
 	HTTP2            *HTTP2Config          `description:"HTTP/2 configuration." json:"http2,omitempty" toml:"http2,omitempty" yaml:"http2,omitempty" export:"true"`
 	HTTP3            *HTTP3Config          `description:"HTTP/3 configuration." json:"http3,omitempty" toml:"http3,omitempty" yaml:"http3,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	UDP              *UDPConfig            `description:"UDP configuration." json:"udp,omitempty" toml:"udp,omitempty" yaml:"udp,omitempty"`
 	Observability    *ObservabilityConfig  `description:"Observability configuration." json:"observability,omitempty" toml:"observability,omitempty" yaml:"observability,omitempty" export:"true"`
 }
 // GetAddress strips any potential protocol part of the address field of the
@@ -59,6 +60,8 @@ func (ep *EntryPoint) SetDefaults() {
 	ep.HTTP.SetDefaults()
 	ep.HTTP2 = &HTTP2Config{}
 	ep.HTTP2.SetDefaults()
 	ep.Observability = &ObservabilityConfig{}
 	ep.Observability.SetDefaults()
 }
 // HTTPConfig is the HTTP configuration of an entry point.
@@ -158,3 +161,17 @@ type UDPConfig struct {
 func (u *UDPConfig) SetDefaults() {
 	u.Timeout = ptypes.Duration(DefaultUDPTimeout)
 }
 // ObservabilityConfig holds the observability configuration for an entry point.
 type ObservabilityConfig struct {
 	AccessLogs bool `json:"accessLogs,omitempty" toml:"accessLogs,omitempty" yaml:"accessLogs,omitempty" export:"true"`
 	Tracing    bool `json:"tracing,omitempty" toml:"tracing,omitempty" yaml:"tracing,omitempty" export:"true"`
 	Metrics    bool `json:"metrics,omitempty" toml:"metrics,omitempty" yaml:"metrics,omitempty" export:"true"`
 }
 // SetDefaults sets the default values.
 func (o *ObservabilityConfig) SetDefaults() {
 	o.AccessLogs = true
 	o.Tracing = true
 	o.Metrics = true
 }
--- a/pkg/config/static/experimental.go
+++ b/pkg/config/static/experimental.go
@@ -4,10 +4,11 @@ import "github.com/traefik/traefik/v3/pkg/plugins"
 // Experimental experimental Traefik features.
 type Experimental struct {
-	Plugins      map[string]plugins.Descriptor      `description:"Plugins configuration." json:"plugins,omitempty" toml:"plugins,omitempty" yaml:"plugins,omitempty" export:"true"`
+	Plugins              map[string]plugins.Descriptor      `description:"Plugins configuration." json:"plugins,omitempty" toml:"plugins,omitempty" yaml:"plugins,omitempty" export:"true"`
-	LocalPlugins map[string]plugins.LocalDescriptor `description:"Local plugins configuration." json:"localPlugins,omitempty" toml:"localPlugins,omitempty" yaml:"localPlugins,omitempty" export:"true"`
+	LocalPlugins         map[string]plugins.LocalDescriptor `description:"Local plugins configuration." json:"localPlugins,omitempty" toml:"localPlugins,omitempty" yaml:"localPlugins,omitempty" export:"true"`
-
+	AbortOnPluginFailure bool                               `description:"Defines whether all plugins must be loaded successfully for Traefik to start." json:"abortOnPluginFailure,omitempty" toml:"abortOnPluginFailure,omitempty" yaml:"abortOnPluginFailure,omitempty" export:"true"`
-	FastProxy *FastProxyConfig `description:"Enable the FastProxy implementation." json:"fastProxy,omitempty" toml:"fastProxy,omitempty" yaml:"fastProxy,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	FastProxy            *FastProxyConfig                   `description:"Enables the FastProxy implementation." json:"fastProxy,omitempty" toml:"fastProxy,omitempty" yaml:"fastProxy,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	OTLPLogs             bool                               `description:"Enables the OpenTelemetry logs integration." json:"otlplogs,omitempty" toml:"otlplogs,omitempty" yaml:"otlplogs,omitempty" export:"true"`
 	// Deprecated: KubernetesGateway provider is not an experimental feature starting with v3.1. Please remove its usage from the static configuration.
 	KubernetesGateway bool `description:"(Deprecated) Allow the Kubernetes gateway api provider usage." json:"kubernetesGateway,omitempty" toml:"kubernetesGateway,omitempty" yaml:"kubernetesGateway,omitempty" export:"true"`
--- a/pkg/config/static/static_config.go
+++ b/pkg/config/static/static_config.go
@@ -3,6 +3,7 @@ package static
 import (
 	"errors"
 	"fmt"
 	"path"
 	"strings"
 	"time"
@@ -27,7 +28,6 @@ import (
 	"github.com/traefik/traefik/v3/pkg/provider/kv/zk"
 	"github.com/traefik/traefik/v3/pkg/provider/nomad"
 	"github.com/traefik/traefik/v3/pkg/provider/rest"
 	"github.com/traefik/traefik/v3/pkg/tracing/opentelemetry"
 	"github.com/traefik/traefik/v3/pkg/types"
 )
@@ -68,7 +68,7 @@ type Configuration struct {
 	Log       *types.TraefikLog `description:"Traefik log settings." json:"log,omitempty" toml:"log,omitempty" yaml:"log,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	AccessLog *types.AccessLog  `description:"Access log settings." json:"accessLog,omitempty" toml:"accessLog,omitempty" yaml:"accessLog,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	Tracing   *Tracing          `description:"OpenTracing configuration." json:"tracing,omitempty" toml:"tracing,omitempty" yaml:"tracing,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	Tracing   *Tracing          `description:"Tracing configuration." json:"tracing,omitempty" toml:"tracing,omitempty" yaml:"tracing,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	HostResolver *types.HostResolverConfig `description:"Enable CNAME Flattening." json:"hostResolver,omitempty" toml:"hostResolver,omitempty" yaml:"hostResolver,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
@@ -145,16 +145,18 @@ type TLSClientConfig struct {
 // API holds the API configuration.
 type API struct {
-	Insecure           bool `description:"Activate API directly on the entryPoint named traefik." json:"insecure,omitempty" toml:"insecure,omitempty" yaml:"insecure,omitempty" export:"true"`
+	BasePath           string `description:"Defines the base path where the API and Dashboard will be exposed." json:"basePath,omitempty" toml:"basePath,omitempty" yaml:"basePath,omitempty" export:"true"`
-	Dashboard          bool `description:"Activate dashboard." json:"dashboard,omitempty" toml:"dashboard,omitempty" yaml:"dashboard,omitempty" export:"true"`
+	Insecure           bool   `description:"Activate API directly on the entryPoint named traefik." json:"insecure,omitempty" toml:"insecure,omitempty" yaml:"insecure,omitempty" export:"true"`
-	Debug              bool `description:"Enable additional endpoints for debugging and profiling." json:"debug,omitempty" toml:"debug,omitempty" yaml:"debug,omitempty" export:"true"`
+	Dashboard          bool   `description:"Activate dashboard." json:"dashboard,omitempty" toml:"dashboard,omitempty" yaml:"dashboard,omitempty" export:"true"`
-	DisableDashboardAd bool `description:"Disable ad in the dashboard." json:"disableDashboardAd,omitempty" toml:"disableDashboardAd,omitempty" yaml:"disableDashboardAd,omitempty" export:"true"`
+	Debug              bool   `description:"Enable additional endpoints for debugging and profiling." json:"debug,omitempty" toml:"debug,omitempty" yaml:"debug,omitempty" export:"true"`
 	DisableDashboardAd bool   `description:"Disable ad in the dashboard." json:"disableDashboardAd,omitempty" toml:"disableDashboardAd,omitempty" yaml:"disableDashboardAd,omitempty" export:"true"`
 	// TODO: Re-enable statistics
 	// Statistics      *types.Statistics `description:"Enable more detailed statistics." json:"statistics,omitempty" toml:"statistics,omitempty" yaml:"statistics,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 }
 // SetDefaults sets the default values.
 func (a *API) SetDefaults() {
 	a.BasePath = "/"
 	a.Dashboard = true
 }
@@ -197,15 +199,17 @@ func (a *LifeCycle) SetDefaults() {
 // Tracing holds the tracing configuration.
 type Tracing struct {
-	ServiceName             string            `description:"Set the name for this service." json:"serviceName,omitempty" toml:"serviceName,omitempty" yaml:"serviceName,omitempty" export:"true"`
+	ServiceName             string             `description:"Sets the name for this service." json:"serviceName,omitempty" toml:"serviceName,omitempty" yaml:"serviceName,omitempty" export:"true"`
-	GlobalAttributes        map[string]string `description:"Defines additional attributes (key:value) on all spans." json:"globalAttributes,omitempty" toml:"globalAttributes,omitempty" yaml:"globalAttributes,omitempty" export:"true"`
+	ResourceAttributes      map[string]string  `description:"Defines additional resource attributes (key:value)." json:"resourceAttributes,omitempty" toml:"resourceAttributes,omitempty" yaml:"resourceAttributes,omitempty" export:"true"`
-	CapturedRequestHeaders  []string          `description:"Request headers to add as attributes for server and client spans." json:"capturedRequestHeaders,omitempty" toml:"capturedRequestHeaders,omitempty" yaml:"capturedRequestHeaders,omitempty" export:"true"`
+	CapturedRequestHeaders  []string           `description:"Request headers to add as attributes for server and client spans." json:"capturedRequestHeaders,omitempty" toml:"capturedRequestHeaders,omitempty" yaml:"capturedRequestHeaders,omitempty" export:"true"`
-	CapturedResponseHeaders []string          `description:"Response headers to add as attributes for server and client spans." json:"capturedResponseHeaders,omitempty" toml:"capturedResponseHeaders,omitempty" yaml:"capturedResponseHeaders,omitempty" export:"true"`
+	CapturedResponseHeaders []string           `description:"Response headers to add as attributes for server and client spans." json:"capturedResponseHeaders,omitempty" toml:"capturedResponseHeaders,omitempty" yaml:"capturedResponseHeaders,omitempty" export:"true"`
-	SafeQueryParams         []string          `description:"Query params to not redact." json:"safeQueryParams,omitempty" toml:"safeQueryParams,omitempty" yaml:"safeQueryParams,omitempty" export:"true"`
+	SafeQueryParams         []string           `description:"Query params to not redact." json:"safeQueryParams,omitempty" toml:"safeQueryParams,omitempty" yaml:"safeQueryParams,omitempty" export:"true"`
-	SampleRate              float64           `description:"Sets the rate between 0.0 and 1.0 of requests to trace." json:"sampleRate,omitempty" toml:"sampleRate,omitempty" yaml:"sampleRate,omitempty" export:"true"`
+	SampleRate              float64            `description:"Sets the rate between 0.0 and 1.0 of requests to trace." json:"sampleRate,omitempty" toml:"sampleRate,omitempty" yaml:"sampleRate,omitempty" export:"true"`
-	AddInternals            bool              `description:"Enables tracing for internal services (ping, dashboard, etc...)." json:"addInternals,omitempty" toml:"addInternals,omitempty" yaml:"addInternals,omitempty" export:"true"`
+	AddInternals            bool               `description:"Enables tracing for internal services (ping, dashboard, etc...)." json:"addInternals,omitempty" toml:"addInternals,omitempty" yaml:"addInternals,omitempty" export:"true"`
 	OTLP                    *types.OTelTracing `description:"Settings for OpenTelemetry." json:"otlp,omitempty" toml:"otlp,omitempty" yaml:"otlp,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
-	OTLP *opentelemetry.Config `description:"Settings for OpenTelemetry." json:"otlp,omitempty" toml:"otlp,omitempty" yaml:"otlp,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
+	// Deprecated: please use ResourceAttributes instead.
 	GlobalAttributes map[string]string `description:"(Deprecated) Defines additional resource attributes (key:value)." json:"globalAttributes,omitempty" toml:"globalAttributes,omitempty" yaml:"globalAttributes,omitempty" export:"true"`
 }
 // SetDefaults sets the default values.
@@ -213,7 +217,7 @@ func (t *Tracing) SetDefaults() {
 	t.ServiceName = "traefik"
 	t.SampleRate = 1.0
-	t.OTLP = &opentelemetry.Config{}
+	t.OTLP = &types.OTelTracing{}
 	t.OTLP.SetDefaults()
 }
@@ -267,6 +271,10 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		}
 	}
 	if c.Tracing != nil && c.Tracing.GlobalAttributes != nil && c.Tracing.ResourceAttributes == nil {
 		c.Tracing.ResourceAttributes = c.Tracing.GlobalAttributes
 	}
 	if c.Providers.Docker != nil {
 		if c.Providers.Docker.HTTPClientTimeout < 0 {
 			c.Providers.Docker.HTTPClientTimeout = 0
@@ -303,6 +311,36 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		c.Providers.KubernetesIngress.DefaultRuleSyntax = c.Core.DefaultRuleSyntax
 	}
 	for _, resolver := range c.CertificatesResolvers {
 		if resolver.ACME == nil {
 			continue
 		}
 		if resolver.ACME.DNSChallenge == nil {
 			continue
 		}
 		if resolver.ACME.DNSChallenge.DisablePropagationCheck {
 			log.Warn().Msgf("disablePropagationCheck is now deprecated, please use propagation.disableAllChecks instead.")
 			if resolver.ACME.DNSChallenge.Propagation == nil {
 				resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{}
 			}
 			resolver.ACME.DNSChallenge.Propagation.DisableChecks = true
 		}
 		if resolver.ACME.DNSChallenge.DelayBeforeCheck > 0 {
 			log.Warn().Msgf("delayBeforeCheck is now deprecated, please use propagation.delayBeforeCheck instead.")
 			if resolver.ACME.DNSChallenge.Propagation == nil {
 				resolver.ACME.DNSChallenge.Propagation = &acmeprovider.Propagation{}
 			}
 			resolver.ACME.DNSChallenge.Propagation.DelayBeforeChecks = resolver.ACME.DNSChallenge.DelayBeforeCheck
 		}
 	}
 	c.initACMEProvider()
 }
@@ -348,6 +386,26 @@ func (c *Configuration) ValidateConfiguration() error {
 		}
 	}
 	if c.AccessLog != nil && c.AccessLog.OTLP != nil {
 		if c.Experimental == nil || !c.Experimental.OTLPLogs {
 			return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP access logging")
 		}
 		if c.AccessLog.OTLP.GRPC != nil && c.AccessLog.OTLP.GRPC.TLS != nil && c.AccessLog.OTLP.GRPC.Insecure {
 			return errors.New("access logs OTLP GRPC: TLS and Insecure options are mutually exclusive")
 		}
 	}
 	if c.Log != nil && c.Log.OTLP != nil {
 		if c.Experimental == nil || !c.Experimental.OTLPLogs {
 			return errors.New("the experimental OTLPLogs feature must be enabled to use OTLP logging")
 		}
 		if c.Log.OTLP.GRPC != nil && c.Log.OTLP.GRPC.TLS != nil && c.Log.OTLP.GRPC.Insecure {
 			return errors.New("logs OTLP GRPC: TLS and Insecure options are mutually exclusive")
 		}
 	}
 	if c.Tracing != nil && c.Tracing.OTLP != nil {
 		if c.Tracing.OTLP.GRPC != nil && c.Tracing.OTLP.GRPC.TLS != nil && c.Tracing.OTLP.GRPC.Insecure {
 			return errors.New("tracing OTLP GRPC: TLS and Insecure options are mutually exclusive")
@@ -360,6 +418,10 @@ func (c *Configuration) ValidateConfiguration() error {
 		}
 	}
 	if c.API != nil && !path.IsAbs(c.API.BasePath) {
 		return errors.New("API basePath must be a valid absolute path")
 	}
 	return nil
 }
--- a/pkg/config/static/static_config_test.go
+++ b/pkg/config/static/static_config_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/traefik/traefik/v3/pkg/provider/acme"
 )
 func TestHasEntrypoint(t *testing.T) {
@@ -37,3 +38,253 @@ func TestHasEntrypoint(t *testing.T) {
 		})
 	}
 }
 func TestConfiguration_SetEffectiveConfiguration(t *testing.T) {
 	testCases := []struct {
 		desc     string
 		conf     *Configuration
 		expected *Configuration
 	}{
 		{
 			desc: "empty",
 			conf: &Configuration{
 				Providers: &Providers{},
 			},
 			expected: &Configuration{
 				EntryPoints: EntryPoints{"http": &EntryPoint{
 					Address:         ":80",
 					AllowACMEByPass: false,
 					ReusePort:       false,
 					AsDefault:       false,
 					Transport: &EntryPointsTransport{
 						LifeCycle: &LifeCycle{
 							GraceTimeOut: 10000000000,
 						},
 						RespondingTimeouts: &RespondingTimeouts{
 							ReadTimeout: 60000000000,
 							IdleTimeout: 180000000000,
 						},
 					},
 					ProxyProtocol:    nil,
 					ForwardedHeaders: &ForwardedHeaders{},
 					HTTP: HTTPConfig{
 						MaxHeaderBytes: 1048576,
 					},
 					HTTP2: &HTTP2Config{
 						MaxConcurrentStreams: 250,
 					},
 					HTTP3: nil,
 					UDP: &UDPConfig{
 						Timeout: 3000000000,
 					},
 					Observability: &ObservabilityConfig{
 						AccessLogs: true,
 						Tracing:    true,
 						Metrics:    true,
 					},
 				}},
 				Providers: &Providers{},
 			},
 		},
 		{
 			desc: "ACME simple",
 			conf: &Configuration{
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							DNSChallenge: &acme.DNSChallenge{
 								Provider: "bar",
 							},
 						},
 					},
 				},
 			},
 			expected: &Configuration{
 				EntryPoints: EntryPoints{"http": &EntryPoint{
 					Address:         ":80",
 					AllowACMEByPass: false,
 					ReusePort:       false,
 					AsDefault:       false,
 					Transport: &EntryPointsTransport{
 						LifeCycle: &LifeCycle{
 							GraceTimeOut: 10000000000,
 						},
 						RespondingTimeouts: &RespondingTimeouts{
 							ReadTimeout: 60000000000,
 							IdleTimeout: 180000000000,
 						},
 					},
 					ProxyProtocol:    nil,
 					ForwardedHeaders: &ForwardedHeaders{},
 					HTTP: HTTPConfig{
 						MaxHeaderBytes: 1048576,
 					},
 					HTTP2: &HTTP2Config{
 						MaxConcurrentStreams: 250,
 					},
 					HTTP3: nil,
 					UDP: &UDPConfig{
 						Timeout: 3000000000,
 					},
 					Observability: &ObservabilityConfig{
 						AccessLogs: true,
 						Tracing:    true,
 						Metrics:    true,
 					},
 				}},
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							CAServer: "https://acme-v02.api.letsencrypt.org/directory",
 							DNSChallenge: &acme.DNSChallenge{
 								Provider: "bar",
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			desc: "ACME deprecation DelayBeforeCheck",
 			conf: &Configuration{
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							DNSChallenge: &acme.DNSChallenge{
 								Provider:         "bar",
 								DelayBeforeCheck: 123,
 							},
 						},
 					},
 				},
 			},
 			expected: &Configuration{
 				EntryPoints: EntryPoints{"http": &EntryPoint{
 					Address:         ":80",
 					AllowACMEByPass: false,
 					ReusePort:       false,
 					AsDefault:       false,
 					Transport: &EntryPointsTransport{
 						LifeCycle: &LifeCycle{
 							GraceTimeOut: 10000000000,
 						},
 						RespondingTimeouts: &RespondingTimeouts{
 							ReadTimeout: 60000000000,
 							IdleTimeout: 180000000000,
 						},
 					},
 					ProxyProtocol:    nil,
 					ForwardedHeaders: &ForwardedHeaders{},
 					HTTP: HTTPConfig{
 						MaxHeaderBytes: 1048576,
 					},
 					HTTP2: &HTTP2Config{
 						MaxConcurrentStreams: 250,
 					},
 					HTTP3: nil,
 					UDP: &UDPConfig{
 						Timeout: 3000000000,
 					},
 					Observability: &ObservabilityConfig{
 						AccessLogs: true,
 						Tracing:    true,
 						Metrics:    true,
 					},
 				}},
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							CAServer: "https://acme-v02.api.letsencrypt.org/directory",
 							DNSChallenge: &acme.DNSChallenge{
 								Provider:         "bar",
 								DelayBeforeCheck: 123,
 								Propagation: &acme.Propagation{
 									DelayBeforeChecks: 123,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 		{
 			desc: "ACME deprecation DisablePropagationCheck",
 			conf: &Configuration{
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							DNSChallenge: &acme.DNSChallenge{
 								Provider:                "bar",
 								DisablePropagationCheck: true,
 							},
 						},
 					},
 				},
 			},
 			expected: &Configuration{
 				EntryPoints: EntryPoints{"http": &EntryPoint{
 					Address:         ":80",
 					AllowACMEByPass: false,
 					ReusePort:       false,
 					AsDefault:       false,
 					Transport: &EntryPointsTransport{
 						LifeCycle: &LifeCycle{
 							GraceTimeOut: 10000000000,
 						},
 						RespondingTimeouts: &RespondingTimeouts{
 							ReadTimeout: 60000000000,
 							IdleTimeout: 180000000000,
 						},
 					},
 					ProxyProtocol:    nil,
 					ForwardedHeaders: &ForwardedHeaders{},
 					HTTP: HTTPConfig{
 						MaxHeaderBytes: 1048576,
 					},
 					HTTP2: &HTTP2Config{
 						MaxConcurrentStreams: 250,
 					},
 					HTTP3: nil,
 					UDP: &UDPConfig{
 						Timeout: 3000000000,
 					},
 					Observability: &ObservabilityConfig{
 						AccessLogs: true,
 						Tracing:    true,
 						Metrics:    true,
 					},
 				}},
 				Providers: &Providers{},
 				CertificatesResolvers: map[string]CertificateResolver{
 					"foo": {
 						ACME: &acme.Configuration{
 							CAServer: "https://acme-v02.api.letsencrypt.org/directory",
 							DNSChallenge: &acme.DNSChallenge{
 								Provider:                "bar",
 								DisablePropagationCheck: true,
 								Propagation: &acme.Propagation{
 									DisableChecks: true,
 								},
 							},
 						},
 					},
 				},
 			},
 		},
 	}
 	for _, test := range testCases {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()
 			test.conf.SetEffectiveConfiguration()
 			assert.Equal(t, test.expected, test.conf)
 		})
 	}
 }
--- a/pkg/logs/otel.go
+++ b/pkg/logs/otel.go
@@ -0,0 +1,120 @@
 package logs
 import (
 	"encoding/json"
 	"fmt"
 	"reflect"
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/traefik/traefik/v3/pkg/types"
 	otellog "go.opentelemetry.io/otel/log"
 )
 // SetupOTelLogger sets up the OpenTelemetry logger.
 func SetupOTelLogger(logger zerolog.Logger, config *types.OTelLog) (zerolog.Logger, error) {
 	if config == nil {
 		return logger, nil
 	}
 	provider, err := config.NewLoggerProvider()
 	if err != nil {
 		return zerolog.Logger{}, fmt.Errorf("setting up OpenTelemetry logger provider: %w", err)
 	}
 	return logger.Hook(&otelLoggerHook{logger: provider.Logger("traefik")}), nil
 }
 // otelLoggerHook is a zerolog hook that forwards logs to OpenTelemetry.
 type otelLoggerHook struct {
 	logger otellog.Logger
 }
 // Run forwards the log message to OpenTelemetry.
 func (h *otelLoggerHook) Run(e *zerolog.Event, level zerolog.Level, message string) {
 	if level == zerolog.Disabled {
 		return
 	}
 	// Discard the event to avoid double logging.
 	e.Discard()
 	var record otellog.Record
 	record.SetTimestamp(time.Now().UTC())
 	record.SetSeverity(otelLogSeverity(level))
 	record.SetBody(otellog.StringValue(message))
 	// See https://github.com/rs/zerolog/issues/493.
 	// This is a workaround to get the log fields from the event.
 	// At the moment there's no way to get the log fields from the event, so we use reflection to get the buffer and parse it.
 	logData := make(map[string]any)
 	eventBuffer := fmt.Sprintf("%s}", reflect.ValueOf(e).Elem().FieldByName("buf"))
 	if err := json.Unmarshal([]byte(eventBuffer), &logData); err != nil {
 		record.AddAttributes(otellog.String("parsing_error", fmt.Sprintf("parsing log fields: %s", err)))
 		h.logger.Emit(e.GetCtx(), record)
 		return
 	}
 	recordAttributes := make([]otellog.KeyValue, 0, len(logData))
 	for k, v := range logData {
 		if k == "level" {
 			continue
 		}
 		if k == "time" {
 			eventTimestamp, ok := v.(string)
 			if !ok {
 				continue
 			}
 			t, err := time.Parse(time.RFC3339, eventTimestamp)
 			if err == nil {
 				record.SetTimestamp(t)
 				continue
 			}
 		}
 		var attributeValue otellog.Value
 		switch v := v.(type) {
 		case string:
 			attributeValue = otellog.StringValue(v)
 		case int:
 			attributeValue = otellog.IntValue(v)
 		case int64:
 			attributeValue = otellog.Int64Value(v)
 		case float64:
 			attributeValue = otellog.Float64Value(v)
 		case bool:
 			attributeValue = otellog.BoolValue(v)
 		case []byte:
 			attributeValue = otellog.BytesValue(v)
 		default:
 			attributeValue = otellog.StringValue(fmt.Sprintf("%v", v))
 		}
 		recordAttributes = append(recordAttributes, otellog.KeyValue{
 			Key:   k,
 			Value: attributeValue,
 		})
 	}
 	record.AddAttributes(recordAttributes...)
 	h.logger.Emit(e.GetCtx(), record)
 }
 func otelLogSeverity(level zerolog.Level) otellog.Severity {
 	switch level {
 	case zerolog.TraceLevel:
 		return otellog.SeverityTrace
 	case zerolog.DebugLevel:
 		return otellog.SeverityDebug
 	case zerolog.InfoLevel:
 		return otellog.SeverityInfo
 	case zerolog.WarnLevel:
 		return otellog.SeverityWarn
 	case zerolog.ErrorLevel:
 		return otellog.SeverityError
 	case zerolog.FatalLevel:
 		return otellog.SeverityFatal
 	case zerolog.PanicLevel:
 		return otellog.SeverityFatal4
 	default:
 		return otellog.SeverityUndefined
 	}
 }
--- a/pkg/logs/otel_test.go
+++ b/pkg/logs/otel_test.go
@@ -0,0 +1,197 @@
 package logs
 import (
 	"compress/gzip"
 	"context"
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/traefik/traefik/v3/pkg/types"
 	"go.opentelemetry.io/collector/pdata/plog/plogotlp"
 	"go.opentelemetry.io/otel/trace"
 )
 func TestLog(t *testing.T) {
 	tests := []struct {
 		desc     string
 		level    zerolog.Level
 		assertFn func(*testing.T, string)
 		noLog    bool
 	}{
 		{
 			desc:  "no level log",
 			level: zerolog.NoLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityUndefined Severity = 0 // UNDEFINED
 				assert.NotContains(t, log, `"severityNumber"`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "trace log",
 			level: zerolog.TraceLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityTrace1 Severity = 1 // TRACE
 				assert.Contains(t, log, `"severityNumber":1`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "debug log",
 			level: zerolog.DebugLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityDebug1 Severity = 5 // DEBUG
 				assert.Contains(t, log, `"severityNumber":5`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "info log",
 			level: zerolog.InfoLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityInfo1 Severity = 9  // INFO
 				assert.Contains(t, log, `"severityNumber":9`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "warn log",
 			level: zerolog.WarnLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityWarn1 Severity = 13 // WARN
 				assert.Contains(t, log, `"severityNumber":13`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "error log",
 			level: zerolog.ErrorLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityError1 Severity = 17 // ERROR
 				assert.Contains(t, log, `"severityNumber":17`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "fatal log",
 			level: zerolog.FatalLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityFatal Severity = 21 // FATAL
 				assert.Contains(t, log, `"severityNumber":21`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 		{
 			desc:  "panic log",
 			level: zerolog.PanicLevel,
 			assertFn: func(t *testing.T, log string) {
 				t.Helper()
 				// SeverityFatal4 Severity = 24 // FATAL
 				assert.Contains(t, log, `"severityNumber":24`)
 				assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 				assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 				assert.Regexp(t, `"body":{"stringValue":"test"}`, log)
 				assert.Regexp(t, `{"key":"foo","value":{"stringValue":"bar"}}`, log)
 				assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 			},
 		},
 	}
 	logCh := make(chan string)
 	collector := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gzr, err := gzip.NewReader(r.Body)
 		require.NoError(t, err)
 		body, err := io.ReadAll(gzr)
 		require.NoError(t, err)
 		req := plogotlp.NewExportRequest()
 		err = req.UnmarshalProto(body)
 		require.NoError(t, err)
 		marshalledReq, err := json.Marshal(req)
 		require.NoError(t, err)
 		logCh <- string(marshalledReq)
 	}))
 	t.Cleanup(collector.Close)
 	for _, test := range tests {
 		t.Run(test.desc, func(t *testing.T) {
 			config := &types.OTelLog{
 				ServiceName:        "test",
 				ResourceAttributes: map[string]string{"resource": "attribute"},
 				HTTP: &types.OTelHTTP{
 					Endpoint: collector.URL,
 				},
 			}
 			out := zerolog.MultiLevelWriter(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339})
 			logger := zerolog.New(out).With().Caller().Logger()
 			logger, err := SetupOTelLogger(logger, config)
 			require.NoError(t, err)
 			ctx := trace.ContextWithSpanContext(context.Background(), trace.NewSpanContext(trace.SpanContextConfig{
 				TraceID: trace.TraceID{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8},
 				SpanID:  trace.SpanID{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8},
 			}))
 			logger = logger.With().Ctx(ctx).Logger()
 			logger.WithLevel(test.level).Str("foo", "bar").Msg("test")
 			select {
 			case <-time.After(5 * time.Second):
 				t.Error("Log not exported")
 			case log := <-logCh:
 				if test.assertFn != nil {
 					test.assertFn(t, log)
 				}
 			}
 		})
 	}
 }
--- a/pkg/metrics/opentelemetry.go
+++ b/pkg/metrics/opentelemetry.go
@@ -237,7 +237,7 @@ func newOpenTelemetryMeterProvider(ctx context.Context, config *types.OTLP) (*sd
 	return meterProvider, nil
 }
-func newHTTPExporter(ctx context.Context, config *types.OtelHTTP) (sdkmetric.Exporter, error) {
+func newHTTPExporter(ctx context.Context, config *types.OTelHTTP) (sdkmetric.Exporter, error) {
 	endpoint, err := url.Parse(config.Endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("invalid collector endpoint %q: %w", config.Endpoint, err)
@@ -269,7 +269,7 @@ func newHTTPExporter(ctx context.Context, config *types.OtelHTTP) (sdkmetric.Exp
 	return otlpmetrichttp.New(ctx, opts...)
 }
-func newGRPCExporter(ctx context.Context, config *types.OtelGRPC) (sdkmetric.Exporter, error) {
+func newGRPCExporter(ctx context.Context, config *types.OTelGRPC) (sdkmetric.Exporter, error) {
 	host, port, err := net.SplitHostPort(config.Endpoint)
 	if err != nil {
 		return nil, fmt.Errorf("invalid collector endpoint %q: %w", config.Endpoint, err)
--- a/pkg/metrics/opentelemetry_test.go
+++ b/pkg/metrics/opentelemetry_test.go
@@ -327,7 +327,7 @@ func TestOpenTelemetry(t *testing.T) {
 			var cfg types.OTLP
 			(&cfg).SetDefaults()
 			cfg.AddRoutersLabels = true
-			cfg.HTTP = &types.OtelHTTP{
+			cfg.HTTP = &types.OTelHTTP{
 				Endpoint: ts.URL,
 			}
 			cfg.PushInterval = ptypes.Duration(10 * time.Millisecond)
--- a/pkg/middlewares/accesslog/logger.go
+++ b/pkg/middlewares/accesslog/logger.go
@@ -23,6 +23,7 @@ import (
 	"github.com/traefik/traefik/v3/pkg/middlewares/capture"
 	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
 	"github.com/traefik/traefik/v3/pkg/types"
 	"go.opentelemetry.io/contrib/bridges/otellogrus"
 )
 type key string
@@ -52,6 +53,7 @@ func (n noopCloser) Close() error {
 }
 type handlerParams struct {
 	ctx          context.Context
 	logDataTable *LogData
 }
@@ -106,6 +108,16 @@ func NewHandler(config *types.AccessLog) (*Handler, error) {
 		Level:     logrus.InfoLevel,
 	}
 	if config.OTLP != nil {
 		otelLoggerProvider, err := config.OTLP.NewLoggerProvider()
 		if err != nil {
 			return nil, fmt.Errorf("setting up OpenTelemetry logger provider: %w", err)
 		}
 		logger.Hooks.Add(otellogrus.NewHook("traefik", otellogrus.WithLoggerProvider(otelLoggerProvider)))
 		logger.Out = io.Discard
 	}
 	// Transform header names to a canonical form, to be used as is without further transformations,
 	// and transform field names to lower case, to enable case-insensitive lookup.
 	if config.Fields != nil {
@@ -150,7 +162,7 @@ func NewHandler(config *types.AccessLog) (*Handler, error) {
 		go func() {
 			defer logHandler.wg.Done()
 			for handlerParams := range logHandler.logHandlerChan {
-				logHandler.logTheRoundTrip(handlerParams.logDataTable)
+				logHandler.logTheRoundTrip(handlerParams.ctx, handlerParams.logDataTable)
 			}
 		}()
 	}
@@ -256,12 +268,13 @@ func (h *Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request, next http
 		if h.config.BufferingSize > 0 {
 			h.logHandlerChan <- handlerParams{
 				ctx:          req.Context(),
 				logDataTable: logDataTable,
 			}
 			return
 		}
-		h.logTheRoundTrip(logDataTable)
+		h.logTheRoundTrip(req.Context(), logDataTable)
 	}()
 	next.ServeHTTP(rw, reqWithDataTable)
@@ -313,7 +326,7 @@ func usernameIfPresent(theURL *url.URL) string {
 }
 // Logging handler to log frontend name, backend name, and elapsed time.
-func (h *Handler) logTheRoundTrip(logDataTable *LogData) {
+func (h *Handler) logTheRoundTrip(ctx context.Context, logDataTable *LogData) {
 	core := logDataTable.Core
 	retryAttempts, ok := core[RetryAttempts].(int)
@@ -359,7 +372,7 @@ func (h *Handler) logTheRoundTrip(logDataTable *LogData) {
 		h.mu.Lock()
 		defer h.mu.Unlock()
-		h.logger.WithFields(fields).Println()
+		h.logger.WithContext(ctx).WithFields(fields).Println()
 	}
 }
--- a/pkg/middlewares/accesslog/logger_test.go
+++ b/pkg/middlewares/accesslog/logger_test.go
@@ -2,6 +2,7 @@ package accesslog
 import (
 	"bytes"
 	"compress/gzip"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
@@ -25,6 +26,8 @@ import (
 	ptypes "github.com/traefik/paerser/types"
 	"github.com/traefik/traefik/v3/pkg/middlewares/capture"
 	"github.com/traefik/traefik/v3/pkg/types"
 	"go.opentelemetry.io/collector/pdata/plog/plogotlp"
 	"go.opentelemetry.io/otel/trace"
 )
 const delta float64 = 1e-10
@@ -49,6 +52,75 @@ var (
 	testStart               = time.Now()
 )
 func TestOTelAccessLog(t *testing.T) {
 	logCh := make(chan string)
 	collector := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		gzr, err := gzip.NewReader(r.Body)
 		require.NoError(t, err)
 		body, err := io.ReadAll(gzr)
 		require.NoError(t, err)
 		req := plogotlp.NewExportRequest()
 		err = req.UnmarshalProto(body)
 		require.NoError(t, err)
 		marshalledReq, err := json.Marshal(req)
 		require.NoError(t, err)
 		logCh <- string(marshalledReq)
 	}))
 	t.Cleanup(collector.Close)
 	config := &types.AccessLog{
 		OTLP: &types.OTelLog{
 			ServiceName:        "test",
 			ResourceAttributes: map[string]string{"resource": "attribute"},
 			HTTP: &types.OTelHTTP{
 				Endpoint: collector.URL,
 			},
 		},
 	}
 	logHandler, err := NewHandler(config)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		err := logHandler.Close()
 		require.NoError(t, err)
 	})
 	req := &http.Request{
 		Header: map[string][]string{},
 		URL: &url.URL{
 			Path: testPath,
 		},
 	}
 	ctx := trace.ContextWithSpanContext(context.Background(), trace.NewSpanContext(trace.SpanContextConfig{
 		TraceID: trace.TraceID{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8},
 		SpanID:  trace.SpanID{0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8},
 	}))
 	req = req.WithContext(ctx)
 	chain := alice.New()
 	chain = chain.Append(capture.Wrap)
 	chain = chain.Append(WrapHandler(logHandler))
 	handler, err := chain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		rw.WriteHeader(http.StatusOK)
 	}))
 	require.NoError(t, err)
 	handler.ServeHTTP(httptest.NewRecorder(), req)
 	select {
 	case <-time.After(5 * time.Second):
 		t.Error("AccessLog not exported")
 	case log := <-logCh:
 		assert.Regexp(t, `{"key":"resource","value":{"stringValue":"attribute"}}`, log)
 		assert.Regexp(t, `{"key":"service.name","value":{"stringValue":"test"}}`, log)
 		assert.Regexp(t, `{"key":"DownstreamStatus","value":{"intValue":"200"}}`, log)
 		assert.Regexp(t, `"traceId":"01020304050607080000000000000000","spanId":"0102030405060708"`, log)
 	}
 }
 func TestLogRotation(t *testing.T) {
 	fileName := filepath.Join(t.TempDir(), "traefik.log")
 	rotatedFileName := fileName + ".rotated"
--- a/pkg/middlewares/auth/basic_auth.go
+++ b/pkg/middlewares/auth/basic_auth.go
@@ -13,6 +13,7 @@ import (
 	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
 	"github.com/traefik/traefik/v3/pkg/middlewares/observability"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/singleflight"
 )
 const (
@@ -26,6 +27,9 @@ type basicAuth struct {
 	headerField  string
 	removeHeader bool
 	name         string
 	checkSecret       func(password, secret string) bool
 	singleflightGroup *singleflight.Group
 }
 // NewBasic creates a basicAuth middleware.
@@ -38,11 +42,13 @@ func NewBasic(ctx context.Context, next http.Handler, authConfig dynamic.BasicAu
 	}
 	ba := &basicAuth{
-		next:         next,
+		next:              next,
-		users:        users,
+		users:             users,
-		headerField:  authConfig.HeaderField,
+		headerField:       authConfig.HeaderField,
-		removeHeader: authConfig.RemoveHeader,
+		removeHeader:      authConfig.RemoveHeader,
-		name:         name,
+		name:              name,
 		checkSecret:       goauth.CheckSecret,
 		singleflightGroup: new(singleflight.Group),
 	}
 	realm := defaultRealm
@@ -64,10 +70,7 @@ func (b *basicAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	user, password, ok := req.BasicAuth()
 	if ok {
-		secret := b.auth.Secrets(user, b.auth.Realm)
+		ok = b.checkPassword(user, password)
 		if secret == "" || !goauth.CheckSecret(password, secret) {
 			ok = false
 		}
 	}
 	logData := accesslog.GetLogData(req)
@@ -97,6 +100,20 @@ func (b *basicAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	b.next.ServeHTTP(rw, req)
 }
 func (b *basicAuth) checkPassword(user, password string) bool {
 	secret := b.auth.Secrets(user, b.auth.Realm)
 	if secret == "" {
 		return false
 	}
 	key := password + secret
 	match, _, _ := b.singleflightGroup.Do(key, func() (any, error) {
 		return b.checkSecret(password, secret), nil
 	})
 	return match.(bool)
 }
 func (b *basicAuth) secretBasic(user, realm string) string {
 	if secret, ok := b.users[user]; ok {
 		return secret
--- a/pkg/middlewares/auth/basic_auth_test.go
+++ b/pkg/middlewares/auth/basic_auth_test.go
@@ -7,7 +7,9 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"sync"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -167,6 +169,50 @@ func TestBasicAuthHeaderPresent(t *testing.T) {
 	assert.Equal(t, "traefik\n", string(body))
 }
 func TestBasicAuthConcurrentHashOnce(t *testing.T) {
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintln(w, "traefik")
 	})
 	auth := dynamic.BasicAuth{
 		Users: []string{"test:$2a$04$.8sTYfcxbSplCtoxt5TdJOgpBYkarKtZYsYfYxQ1edbYRuO1DNi0e"},
 	}
 	authMiddleware, err := NewBasic(context.Background(), next, auth, "authName")
 	require.NoError(t, err)
 	hashCount := 0
 	ba := authMiddleware.(*basicAuth)
 	ba.checkSecret = func(password, secret string) bool {
 		hashCount++
 		// delay to ensure the second request arrives
 		time.Sleep(time.Millisecond)
 		return true
 	}
 	ts := httptest.NewServer(authMiddleware)
 	defer ts.Close()
 	var wg sync.WaitGroup
 	wg.Add(2)
 	for range 2 {
 		go func() {
 			defer wg.Done()
 			req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
 			req.SetBasicAuth("test", "test")
 			res, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			defer res.Body.Close()
 			assert.Equal(t, http.StatusOK, res.StatusCode, "they should be equal")
 		}()
 	}
 	wg.Wait()
 	assert.Equal(t, 1, hashCount)
 }
 func TestBasicAuthUsersFromFile(t *testing.T) {
 	testCases := []struct {
 		desc            string
--- a/pkg/middlewares/auth/forward.go
+++ b/pkg/middlewares/auth/forward.go
@@ -1,12 +1,14 @@
 package auth
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"regexp"
 	"strings"
 	"time"
@@ -22,13 +24,13 @@ import (
 	"go.opentelemetry.io/otel/trace"
 )
 const typeNameForward = "ForwardAuth"
 const (
 	xForwardedURI    = "X-Forwarded-Uri"
 	xForwardedMethod = "X-Forwarded-Method"
 )
 const typeNameForward = "ForwardAuth"
 // hopHeaders Hop-by-hop headers to be removed in the authentication request.
 // http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
 // Proxy-Authorization header is forwarded to the authentication server (see https://tools.ietf.org/html/rfc7235#section-4.4).
@@ -52,6 +54,9 @@ type forwardAuth struct {
 	authRequestHeaders       []string
 	addAuthCookiesToResponse map[string]struct{}
 	headerField              string
 	forwardBody              bool
 	maxBodySize              int64
 	preserveLocationHeader   bool
 }
 // NewForward creates a forward auth middleware.
@@ -73,6 +78,13 @@ func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAu
 		authRequestHeaders:       config.AuthRequestHeaders,
 		addAuthCookiesToResponse: addAuthCookiesToResponse,
 		headerField:              config.HeaderField,
 		forwardBody:              config.ForwardBody,
 		maxBodySize:              dynamic.ForwardAuthDefaultMaxBodySize,
 		preserveLocationHeader:   config.PreserveLocationHeader,
 	}
 	if config.MaxBodySize != nil {
 		fa.maxBodySize = *config.MaxBodySize
 	}
 	// Ensure our request client does not follow redirects
@@ -125,13 +137,37 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	forwardReq, err := http.NewRequestWithContext(req.Context(), http.MethodGet, fa.address, nil)
 	if err != nil {
-		logger.Debug().Msgf("Error calling %s. Cause %s", fa.address, err)
+		logger.Debug().Err(err).Msgf("Error calling %s", fa.address)
 		observability.SetStatusErrorf(req.Context(), "Error calling %s. Cause %s", fa.address, err)
 		rw.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 	if fa.forwardBody {
 		bodyBytes, err := fa.readBodyBytes(req)
 		if errors.Is(err, errBodyTooLarge) {
 			logger.Debug().Msgf("Request body is too large, maxBodySize: %d", fa.maxBodySize)
 			observability.SetStatusErrorf(req.Context(), "Request body is too large, maxBodySize: %d", fa.maxBodySize)
 			rw.WriteHeader(http.StatusUnauthorized)
 			return
 		}
 		if err != nil {
 			logger.Debug().Err(err).Msg("Error while reading body")
 			observability.SetStatusErrorf(req.Context(), "Error while reading Body: %s", err)
 			rw.WriteHeader(http.StatusInternalServerError)
 			return
 		}
 		// bodyBytes is nil when the request has no body.
 		if bodyBytes != nil {
 			req.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 			forwardReq.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 		}
 	}
 	writeHeader(req, forwardReq, fa.trustForwardHeader, fa.authRequestHeaders)
 	var forwardSpan trace.Span
@@ -149,7 +185,7 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	forwardResponse, forwardErr := fa.client.Do(forwardReq)
 	if forwardErr != nil {
-		logger.Debug().Msgf("Error calling %s. Cause: %s", fa.address, forwardErr)
+		logger.Debug().Err(forwardErr).Msgf("Error calling %s", fa.address)
 		observability.SetStatusErrorf(req.Context(), "Error calling %s. Cause: %s", fa.address, forwardErr)
 		rw.WriteHeader(http.StatusInternalServerError)
@@ -159,7 +195,7 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	body, readError := io.ReadAll(forwardResponse.Body)
 	if readError != nil {
-		logger.Debug().Msgf("Error reading body %s. Cause: %s", fa.address, readError)
+		logger.Debug().Err(readError).Msgf("Error reading body %s", fa.address)
 		observability.SetStatusErrorf(req.Context(), "Error reading body %s. Cause: %s", fa.address, readError)
 		rw.WriteHeader(http.StatusInternalServerError)
@@ -189,12 +225,10 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		utils.CopyHeaders(rw.Header(), forwardResponse.Header)
 		utils.RemoveHeaders(rw.Header(), hopHeaders...)
-		// Grab the location header, if any.
+		redirectURL, err := fa.redirectURL(forwardResponse)
 		redirectURL, err := forwardResponse.Location()
 		if err != nil {
 			if !errors.Is(err, http.ErrNoLocation) {
-				logger.Debug().Msgf("Error reading response location header %s. Cause: %s", fa.address, err)
+				logger.Debug().Err(err).Msgf("Error reading response location header %s", fa.address)
 				observability.SetStatusErrorf(req.Context(), "Error reading response location header %s. Cause: %s", fa.address, err)
 				rw.WriteHeader(http.StatusInternalServerError)
@@ -249,6 +283,18 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	fa.next.ServeHTTP(middlewares.NewResponseModifier(rw, req, fa.buildModifier(authCookies)), req)
 }
 func (fa *forwardAuth) redirectURL(forwardResponse *http.Response) (*url.URL, error) {
 	if !fa.preserveLocationHeader {
 		return forwardResponse.Location()
 	}
 	// Preserve the Location header if it exists.
 	if lv := forwardResponse.Header.Get("Location"); lv != "" {
 		return url.Parse(lv)
 	}
 	return nil, http.ErrNoLocation
 }
 func (fa *forwardAuth) buildModifier(authCookies []*http.Cookie) func(res *http.Response) error {
 	return func(res *http.Response) error {
 		cookies := res.Cookies()
@@ -270,6 +316,27 @@ func (fa *forwardAuth) buildModifier(authCookies []*http.Cookie) func(res *http.
 	}
 }
 var errBodyTooLarge = errors.New("request body too large")
 func (fa *forwardAuth) readBodyBytes(req *http.Request) ([]byte, error) {
 	if fa.maxBodySize < 0 {
 		return io.ReadAll(req.Body)
 	}
 	body := make([]byte, fa.maxBodySize+1)
 	n, err := io.ReadFull(req.Body, body)
 	if errors.Is(err, io.EOF) {
 		return nil, nil
 	}
 	if err != nil && !errors.Is(err, io.ErrUnexpectedEOF) {
 		return nil, fmt.Errorf("reading body bytes: %w", err)
 	}
 	if errors.Is(err, io.ErrUnexpectedEOF) {
 		return body[:n], nil
 	}
 	return nil, errBodyTooLarge
 }
 func writeHeader(req, forwardReq *http.Request, trustForwardHeader bool, allowedHeaders []string) {
 	utils.CopyHeaders(forwardReq.Header, req.Header)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Romain	d9f58f94a2	Prepare release v3.3.0-rc2	2024-12-20 11:52:04 +01:00
Kevin Pollet	a29628fa2e	Fix fenced server status computation Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2024-12-20 11:26:04 +01:00
Romain	68a8650297	Prepare Release v3.3.0-rc1	2024-12-16 15:30:05 +01:00
kevinpollet	1a5ea1c597	Merge branch v3.2 into master	2024-12-16 11:30:15 +01:00
Kevin Pollet	8983e45fcf	Prepare release v3.2.3	2024-12-16 11:20:04 +01:00
kevinpollet	ec214fa825	Merge branch v2.11 into v3.2	2024-12-16 10:51:44 +01:00
Kevin Pollet	1c0094048b	Prepare release v2.11.16	2024-12-16 10:48:04 +01:00
Michel Loiseleur	3a3ffab689	Update reference install documentation with current chart default	2024-12-13 11:14:06 +01:00
Nelson Isioma	2302debac2	Add an option to preserve the ForwardAuth Server Location header	2024-12-13 10:38:37 +01:00
kevinpollet	4974d9e4d7	Merge branch v3.2 into master	2024-12-12 15:47:51 +01:00
kevinpollet	33cf06b36a	Merge branch v2.11 into v3.2	2024-12-12 15:20:22 +01:00
Romain	590ddfc990	Update nokogiri gem to v1.16.8	2024-12-12 15:12:04 +01:00
Kevin Pollet	39d7b77609	Bump Dockerfile to Alpine v3.21	2024-12-12 14:44:05 +01:00
Michael	e85d02c530	Add support dump API endpoint	2024-12-12 14:12:04 +01:00
Romain	74e0abf8bf	Update golang.org/x dependencies	2024-12-12 13:02:04 +01:00
Kevin Pollet	d953ee69b4	Add exprimental flag for OTLP logs integration	2024-12-12 12:22:05 +01:00
kyosuke	26738cbf93	Send request body to authorization server for forward auth	2024-12-12 10:18:05 +01:00
Romain	b1934231ca	Manage observability at entrypoint and router level Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-12-12 09:52:07 +01:00
Valéry Fouques	9588e51146	Implementation of serving not ready endpoints	2024-12-11 13:54:05 +01:00
Romain	e87da0f390	Prepare release v3.2.2	2024-12-10 15:48:04 +01:00
Emile Vauge	a4c0b1649d	Create FUNDING.yml	2024-12-09 14:46:05 +01:00
Romain	826a2b74aa	OpenTelemetry Logs and Access Logs Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-12-06 14:50:04 +01:00
Ludovic Fernandez	33c1d700c0	Add options to control ACME propagation checks	2024-11-26 09:08:04 +01:00
Romain	0ec12c7aa7	Configurable API & Dashboard base path Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2024-11-25 11:52:04 +01:00
kevinpollet	090db6d4b0	Merge branch v3.2 into master	2024-11-21 14:53:27 +01:00
IIpragmaII	ec00c4aa42	Configurable path for sticky cookies	2024-11-06 16:04:04 +01:00
Bmagic	552bd8f180	Add AbortOnPluginFailure option to abort startup on plugin load failure	2024-11-06 11:58:04 +01:00
Shreyas Kirtane	97caf758ef	Make the IngressRoute kind optional	2024-11-04 16:26:04 +01:00
Nikolai K	e8ff825ed2	Set Host header in HTTP provider request	2024-10-29 15:30:38 +01:00
kevinpollet	7004f0e750	Merge branch v3.2 into master	2024-10-29 09:29:27 +01:00
kevinpollet	06e64af9e9	Merge branch v3.2 into master	2024-10-10 11:32:18 +02:00
Michel Heusschen	6f469ee1ec	Only calculate basic auth hashes once for concurrent requests	2024-10-10 10:36:04 +02:00
		`@@ -0,0 +1,3 @@`
							`# These are supported funding model platforms`

							`github: traefik`
`@@ -1,4 +1,4 @@`
	`FROM alpine:3.20`	`FROM alpine:3.21`

	`ENV PATH="${PATH}:/venv/bin"`	`ENV PATH="${PATH}:/venv/bin"`