Prepare release v2.4.10

Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>

.github/ISSUE_TEMPLATE/Bug_report.md

@@ -1,82 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-Bug
-
-<!--
-
-The configurations between 1.X and 2.X are NOT compatible.
-Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
-
--->
-
-### What did you do?
-
-<!--
-
-HOW TO WRITE A GOOD BUG REPORT?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->
-
-### What did you expect to see?
-
-
-
-### What did you see instead?
-
-
-
-### Output of `traefik version`: (_What version of Traefik are you using?_)
-
-<!--
-`latest` is not considered as a valid version.
-
-For the Traefik Docker image:
-    docker run [IMAGE] version
-    ex: docker run traefik version
-
--->
-
-```
-(paste your output here)
-```
-
-### What is your environment & configuration (arguments, toml, provider, platform, ...)?
-
-```toml
-# (paste your configuration here)
-```
-
-<!--
-Add more configuration information here.
--->
-
-
-### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
-
-```
-(paste your output here)
-```

.github/ISSUE_TEMPLATE/Feature_request.md

@@ -1,35 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
-
-### Do you want to request a *feature* or report a *bug*?
-
-<!--
-DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
-
-The issue tracker is for reporting bugs and feature requests only.
-For end-user related support questions, please refer to one of the following:
-
-- the Traefik community forum: https://community.containo.us/
-
--->
-
-Feature
-
-### What did you expect to see?
-
-<!--
-
-HOW TO WRITE A GOOD ISSUE?
-
-- Respect the issue template as much as possible.
-- The title should be short and descriptive.
-- Explain the conditions which led you to report this issue: the context.
-- The context should lead to something, an idea or a problem that you’re facing.
-- Remain clear and concise.
-- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-
--->

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,80 @@
+name: Bug Report (Traefik)
+description: Create a report to help us improve.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you do?
+      description: |
+        How to write a good bug report?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you do?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What did you see instead?
+      placeholder: What did you see instead?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What version of Traefik are you using?
+      description: |
+        `latest` is not considered as a valid version.
+
+        Output of `traefik version`.
+
+        For the Traefik Docker image (`docker run [IMAGE] version`), example:
+        ```console
+        $ docker run traefik version
+        ```
+      placeholder: Paste your output here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: What is your environment & configuration?
+      description: arguments, toml, provider, platform, ...
+      placeholder: Add information here.
+      value: |
+        ```yaml
+        # (paste your configuration here)
+        ```
+
+        Add more configuration information here.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: If applicable, please paste the log output in DEBUG level
+      description: "`--log.level=DEBUG` switch."
+      placeholder: Paste your output here.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,33 @@
+name: Feature Request (Traefik)
+description: Suggest an idea for this project.
+body:
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Welcome!
+      description: |
+        The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
+        - the Traefik community forum: https://community.containo.us/
+
+        DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
+      options:
+        - label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
+          required: true
+        - label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
+          required: true
+
+  - type: textarea
+    attributes:
+      label: What did you expect to see?
+      description: |
+        How to write a good issue?
+
+        - Respect the issue template as much as possible.
+        - The title should be short and descriptive.
+        - Explain the conditions which led you to report this issue: the context.
+        - The context should lead to something, an idea or a problem that you’re facing.
+        - Remain clear and concise.
+        - Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
+      placeholder: What did you expect to see?
+    validations:
+      required: true

.golangci.toml

@@ -67,6 +67,7 @@
     "scopelint", # Deprecated
     "interfacer", # Deprecated
     "maligned", # Deprecated
+    "golint", # Deprecated
     "sqlclosecheck", # Not relevant (SQL)
     "rowserrcheck", # Not relevant (SQL)
     "lll", # Not relevant
@@ -97,6 +98,7 @@
     "unparam", # Too strict
     "godox", # Too strict
     "forcetypeassert", # Too strict
+    "tagliatelle", # Not compatible with current tags.
   ]
 
 [issues]

CHANGELOG.md

@@ -1,3 +1,21 @@
+## [v2.4.10](https://github.com/traefik/traefik/tree/v2.4.10) (2021-07-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.10)
+
+**Bug fixes:**
+- **[k8s,k8s/crd,k8s/ingress]** Disable ExternalName Services by default on Kubernetes providers ([#8261](https://github.com/traefik/traefik/pull/8261) by [dtomcej](https://github.com/dtomcej))
+- **[k8s,k8s/crd,k8s/ingress]** Fix: malformed Kubernetes resource names and references in tests ([#8226](https://github.com/traefik/traefik/pull/8226) by [rtribotte](https://github.com/rtribotte))
+- **[k8s,k8s/crd]** Disable Cross-Namespace by default for IngressRoute provider ([#8260](https://github.com/traefik/traefik/pull/8260) by [dtomcej](https://github.com/dtomcej))
+- **[logs,middleware]** Accesslog: support multiple values for a given header ([#8258](https://github.com/traefik/traefik/pull/8258) by [ldez](https://github.com/ldez))
+- **[logs]** Ignore http 1.0 request host missing errors ([#8252](https://github.com/traefik/traefik/pull/8252) by [dtomcej](https://github.com/dtomcej))
+- **[middleware]** Headers Middleware: support http.CloseNotifier interface ([#8238](https://github.com/traefik/traefik/pull/8238) by [dtomcej](https://github.com/dtomcej))
+- **[tls]** Detect certificates content modifications ([#8243](https://github.com/traefik/traefik/pull/8243) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+**Documentation:**
+- **[middleware,k8s]** Fix invalid subdomain ([#8212](https://github.com/traefik/traefik/pull/8212) by [WLun001](https://github.com/WLun001))
+- Add the list of available provider names ([#8225](https://github.com/traefik/traefik/pull/8225) by [WLun001](https://github.com/WLun001))
+- Fix maintainers-guidelines page title ([#8216](https://github.com/traefik/traefik/pull/8216) by [kubopanda](https://github.com/kubopanda))
+- Typos in contributing section ([#8215](https://github.com/traefik/traefik/pull/8215) by [kubopanda](https://github.com/kubopanda))
+
 ## [v2.4.9](https://github.com/traefik/traefik/tree/v2.4.9) (2021-06-21)
 [All Commits](https://github.com/traefik/traefik/compare/v2.4.8...v2.4.9)
 

Makefile

@@ -96,6 +96,15 @@ test-integration: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
 	TEST_HOST=1 ./script/make.sh test-integration
 
+## Run the container integration tests
+test-integration-container: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
+
+## Run the host integration tests
+test-integration-host: $(PRE_TARGET)
+	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary
+	TEST_HOST=1 ./script/make.sh test-integration
+
 ## Validate code and docs
 validate-files: $(PRE_TARGET)
 	$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate validate-lint validate-misspell
@@ -123,7 +132,7 @@ shell: build-dev-image
 docs:
 	make -C ./docs docs
 
-## Serve the documentation site localy
+## Serve the documentation site locally
 docs-serve:
 	make -C ./docs docs-serve
 

README.md

@@ -6,7 +6,6 @@
 [![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
 [![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
 [![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
-[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
 [![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)

build.Dockerfile

@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
     && chmod +x /usr/local/bin/go-bindata
 
 # Download golangci-lint binary to bin folder in $GOPATH
-RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.39.0
+RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.41.1
 
 # Download misspell binary to bin folder in $GOPATH
 RUN  curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

docs/content/contributing/maintainers-guidelines.md

@@ -1,6 +1,6 @@
-# The Maintainers Guidelines
+# Maintainer's Guidelines
 
-![Maintainers Guidelines](../assets/img/maintainers-guidelines.png)
+![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)
 
 Note: the document is a work in progress.
 
@@ -13,14 +13,14 @@ and firmly standing against the elitist closed approach.
 Being part of the core team should be accessible to anyone motivated
 and wants to be part of that journey!
 
-## Onboarding process
+## Onboarding Process
 
 If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
 We will schedule a quick call to meet you and learn more about your motivation.
 During the call, the team will discuss the process of becoming a maintainer.
 We will be happy to answer any questions and explain all your doubts.
 
-## Maintainers requirements
+## Maintainer's Requirements
 
 Note: you do not have to meet all the listed requirements,
 but must have achieved several.
@@ -34,7 +34,7 @@ but must have achieved several.
   or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
 - Have read and accepted the contributor guidelines.
 
-## Maintainers responsibilities and privileges
+## Maintainer's Responsibilities and Privileges
 
 There are lots of areas where you can contribute to the project,
 but we can suggest you start with activities such as:
@@ -103,7 +103,7 @@ maintainers' activity and involvement will be reviewed on a regular basis.
   non-threatening,
   and friendly behavior towards other people on the maintainer team and with our community?
 
-## Additional comments for (not only) maintainers
+## Additional Comments for (not only) Maintainers
 
 - Be able to put yourself in users’ shoes.
 - Be open-minded and respectful with other maintainers and other community members.

docs/content/contributing/maintainers.md

@@ -1,6 +1,6 @@
 # Maintainers
 
-## The team
+## The Team
 
 * Emile Vauge [@emilevauge](https://github.com/emilevauge)
 * Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -20,15 +20,15 @@
 * Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
 * Harold Ozouf [@jspdown](https://github.com/jspdown)
 
-## Maintainers guidelines
+## Maintainer's Guidelines
 
-Please read the [maintainers guidelines](maintainers-guidelines.md)
+Please read the [maintainer's guidelines](maintainers-guidelines.md)
 
 ## Issue Triage
 
 Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
 
-## PR review process:
+## PR Review Process
 
 The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
 
@@ -118,7 +118,7 @@ The `status/*` labels represent the desired state in the workflow.
 * `priority/P2`: need to be fixed in the future.
 * `priority/P3`: maybe.
 
-### PR size
+### PR Size
 
 Automatically set by a bot.
 

docs/content/getting-started/faq.md

@@ -124,3 +124,16 @@ http:
     If there is a need for a response code other than a `503` and/or a custom message,
     the principle of the above example above (a catchall router) still stands,
     but the `unavailable` service should be adapted to fit such a need.
+
+## Why Is My TLS Certificate Not Reloaded When Its Contents Change ? 
+
+With the file provider,
+a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+
+Which is why, when a certificate is defined by path,
+and the actual contents of this certificate change,
+a configuration update is _not_ triggered.
+
+To take into account the new certificate contents, the update of the dynamic configuration must be forced.
+One way to achieve that, is to trigger a file notification,
+for example, by using the `touch` command on the configuration file.

docs/content/middlewares/headers.md

@@ -23,7 +23,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -86,7 +86,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     customRequestHeaders:
@@ -154,7 +154,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     frameDeny: true
@@ -212,7 +212,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testHeader
+  name: test-header
 spec:
   headers:
     accessControlAllowMethods:

docs/content/middlewares/ipwhitelist.md

@@ -92,8 +92,8 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
 ```yaml tab="Docker"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```
 
 ```yaml tab="Kubernetes"
@@ -101,7 +101,7 @@ labels:
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: testIPwhitelist
+  name: test-ipwhitelist
 spec:
   ipWhiteList:
     sourceRange:
@@ -113,22 +113,22 @@ spec:
 
 ```yaml tab="Consul Catalog"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
-- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```
 
 ```json tab="Marathon"
 "labels": {
-  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
+  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
 }
 ```
 
 ```yaml tab="Rancher"
 # Whitelisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
 ```
 
 ```yaml tab="File (YAML)"

docs/content/migration/v1-to-v2.md

@@ -441,7 +441,7 @@ To apply a redirection:
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: http-redirect-ingressRoute
+      name: http-redirect-ingressroute
 
     spec:
       entryPoints:
@@ -459,7 +459,7 @@ To apply a redirection:
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: https-ingressRoute
+      name: https-ingressroute
 
     spec:
       entryPoints:
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: http-redirect-ingressRoute
+      name: http-redirect-ingressroute
       namespace: admin-web
     spec:
       entryPoints:

docs/content/migration/v2.md

@@ -189,7 +189,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myTlsSecret
+  - secretName: my-tls-secret
 
   rules:
   - host: example.com
@@ -256,7 +256,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myTlsSecret
+  - secretName: my-tls-secret
 
   rules:
   - host: example.com
@@ -364,3 +364,14 @@ For more information, please read the [HTTP routers rule](../routing/routers/ind
 ### Tracing Span
 
 In `v2.4.9`, we changed span error to log only server errors (>= 500).
+
+## v2.4.9 to v2.4.10
+
+### K8S CrossNamespace
+
+In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
+
+### K8S ExternalName Service
+
+In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
+To allow it, the `allowExternalNameServices` option should be set to `true`.

docs/content/providers/kubernetes-crd.md

@@ -260,29 +260,48 @@ providers:
 
 ### `allowCrossNamespace`
 
-_Optional, Default: true_
+_Optional, Default: false_
 
-If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
-
-!!! warning "Deprecation"
-
-    Please note that the default value for this option will be set to `false` in a future version.
+If the parameter is set to `true`, IngressRoutes are  able to reference  resources in other namespaces than theirs.
 
 ```yaml tab="File (YAML)"
 providers:
   kubernetesCRD:
-    allowCrossNamespace: false
+    allowCrossNamespace: true
     # ...
 ```
 
 ```toml tab="File (TOML)"
 [providers.kubernetesCRD]
-  allowCrossNamespace = false
+  allowCrossNamespace = true
   # ...
 ```
 
 ```bash tab="CLI"
---providers.kubernetescrd.allowCrossNamespace=false
+--providers.kubernetescrd.allowCrossNamespace=true
+```
+
+### `allowExternalNameServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`, IngressRoutes are able to reference ExternalName services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesCRD:
+    allowExternalNameServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesCRD]
+  allowExternalNameServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetescrd.allowexternalnameservices=true
 ```
 
 ## Full Example

docs/content/providers/kubernetes-ingress.md

@@ -375,6 +375,29 @@ providers:
 --providers.kubernetesingress.throttleDuration=10s
 ```
 
+### `allowExternalNameServices`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`, Ingresses are able to reference ExternalName services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    allowExternalNameServices: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  allowExternalNameServices = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.allowexternalnameservices=true
+```
+
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,

docs/content/providers/overview.md

@@ -30,6 +30,8 @@ If you use multiple providers and wish to reference such an object declared in a
 (e.g. referencing a cross-provider object like middleware), then the object name should be suffixed by the `@`
 separator, and the provider name.
 
+For the list of the providers names, see the [supported providers](#supported-providers) table below.
+
 ```text
 <resource-name>@<provider-name>
 ```
@@ -125,20 +127,22 @@ separator, and the provider name.
 
 Below is the list of the currently supported providers in Traefik.
 
-| Provider                              | Type         | Configuration Type         |
-|---------------------------------------|--------------|----------------------------|
-| [Docker](./docker.md)                 | Orchestrator | Label                      |
-| [Kubernetes](./kubernetes-crd.md)     | Orchestrator | Custom Resource or Ingress |
-| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label                      |
-| [ECS](./ecs.md)                       | Orchestrator | Label                      |
-| [Marathon](./marathon.md)             | Orchestrator | Label                      |
-| [Rancher](./rancher.md)               | Orchestrator | Label                      |
-| [File](./file.md)                     | Manual       | YAML/TOML format           |
-| [Consul](./consul.md)                 | KV           | KV                         |
-| [Etcd](./etcd.md)                     | KV           | KV                         |
-| [ZooKeeper](./zookeeper.md)           | KV           | KV                         |
-| [Redis](./redis.md)                   | KV           | KV                         |
-| [HTTP](./http.md)                     | Manual       | JSON format                |
+| Provider                                          | Type         | Configuration Type   | Provider Name       |
+|---------------------------------------------------|--------------|----------------------|---------------------|
+| [Docker](./docker.md)                             | Orchestrator | Label                | `docker`            |
+| [Kubernetes IngressRoute](./kubernetes-crd.md)    | Orchestrator | Custom Resource      | `kubernetescrd`     |
+| [Kubernetes Ingress](./kubernetes-ingress.md)     | Orchestrator | Ingress              | `kubernetes`        |
+| [Kubernetes Gateway API](./kubernetes-gateway.md) | Orchestrator | Gateway API Resource | `kubernetesgateway` |
+| [Consul Catalog](./consul-catalog.md)             | Orchestrator | Label                | `consulcatalog`     |
+| [ECS](./ecs.md)                                   | Orchestrator | Label                | `ecs`               |
+| [Marathon](./marathon.md)                         | Orchestrator | Label                | `marathon`          |
+| [Rancher](./rancher.md)                           | Orchestrator | Label                | `rancher`           |
+| [File](./file.md)                                 | Manual       | YAML/TOML format     | `file`              |
+| [Consul](./consul.md)                             | KV           | KV                   | `consul`            |
+| [Etcd](./etcd.md)                                 | KV           | KV                   | `etcd`              |
+| [ZooKeeper](./zookeeper.md)                       | KV           | KV                   | `zookeeper`         |
+| [Redis](./redis.md)                               | KV           | KV                   | `redis`             |
+| [HTTP](./http.md)                                 | Manual       | JSON format          | `http`              |
 
 !!! info "More Providers"
 

docs/content/reference/static-configuration/cli-ref.md

@@ -556,7 +556,10 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
 `--providers.kubernetescrd.allowcrossnamespace`:  
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
+
+`--providers.kubernetescrd.allowexternalnameservices`:  
+Allow ExternalName services. (Default: ```false```)
 
 `--providers.kubernetescrd.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
@@ -603,6 +606,9 @@ Kubernetes bearer token (not needed for in-cluster client).
 `--providers.kubernetesingress`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
+`--providers.kubernetesingress.allowexternalnameservices`:  
+Allow ExternalName services. (Default: ```false```)
+
 `--providers.kubernetesingress.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 

docs/content/reference/static-configuration/env-ref.md

@@ -556,7 +556,10 @@ TLS key
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWCROSSNAMESPACE`:  
-Allow cross namespace resource reference. (Default: ```true```)
+Allow cross namespace resource reference. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_KUBERNETESCRD_ALLOWEXTERNALNAMESERVICES`:  
+Allow ExternalName services. (Default: ```false```)
 
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
@@ -603,6 +606,9 @@ Kubernetes bearer token (not needed for in-cluster client).
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS`:  
 Enable Kubernetes backend with default settings. (Default: ```false```)
 
+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ALLOWEXTERNALNAMESERVICES`:  
+Allow ExternalName services. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).
 

docs/content/routing/providers/kubernetes-crd.md

@@ -385,7 +385,7 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
     apiVersion: traefik.containo.us/v1alpha1
     kind: IngressRoute
     metadata:
-      name: testName
+      name: test-name
       namespace: default
     spec:
       entryPoints:
@@ -1345,8 +1345,8 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
         - TLS_RSA_WITH_AES_256_GCM_SHA384
       clientAuth:                                   # [5]
         secretNames:                                # [6]
-          - secretCA1
-          - secretCA2
+          - secret-ca1
+          - secret-ca2
         clientAuthType: VerifyClientCertIfGiven     # [7]
       sniStrict: true                               # [8]
     ```
@@ -1379,8 +1379,8 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
         - TLS_RSA_WITH_AES_256_GCM_SHA384
       clientAuth:
         secretNames:
-          - secretCA1
-          - secretCA2
+          - secret-ca1
+          - secret-ca2
         clientAuthType: VerifyClientCertIfGiven
     ```
     
@@ -1409,7 +1409,7 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
     apiVersion: v1
     kind: Secret
     metadata:
-      name: secretCA1
+      name: secret-ca1
       namespace: default
     
     data:
@@ -1419,7 +1419,7 @@ or referencing TLS options in the [`IngressRoute`](#kind-ingressroute) / [`Ingre
     apiVersion: v1
     kind: Secret
     metadata:
-      name: secretCA2
+      name: secret-ca2
       namespace: default
     
     data:
@@ -1459,7 +1459,7 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
     
     spec:
       defaultCertificate:
-        secretName: mySecret                      # [1]
+        secretName: my-secret                      # [1]
     ```
 
 | Ref | Attribute    | Purpose                                                                                                                                                     |

integration/fixtures/k8s_crd.toml

@@ -17,3 +17,4 @@
 
 [providers.kubernetesCRD]
   allowCrossNamespace = false
+  allowExternalNameServices = true

pkg/middlewares/accesslog/logger.go

@@ -10,6 +10,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -344,7 +345,7 @@ func (h *Handler) redactHeaders(headers http.Header, fields logrus.Fields, prefi
 	for k := range headers {
 		v := h.config.Fields.KeepHeader(k)
 		if v == types.AccessLogKeep {
-			fields[prefix+k] = headers.Get(k)
+			fields[prefix+k] = strings.Join(headers.Values(k), ",")
 		} else if v == types.AccessLogRedact {
 			fields[prefix+k] = "REDACTED"
 		}

pkg/middlewares/accesslog/logger_test.go

@@ -114,7 +114,7 @@ func lineCount(t *testing.T, fileName string) int {
 }
 
 func TestLoggerHeaderFields(t *testing.T) {
-	expectedValue := "expectedValue"
+	expectedValues := []string{"AAA", "BBB"}
 
 	testCases := []struct {
 		desc            string
@@ -191,7 +191,10 @@ func TestLoggerHeaderFields(t *testing.T) {
 					Path: testPath,
 				},
 			}
-			req.Header.Set(test.header, expectedValue)
+
+			for _, s := range expectedValues {
+				req.Header.Add(test.header, s)
+			}
 
 			logger.ServeHTTP(httptest.NewRecorder(), req, http.HandlerFunc(func(writer http.ResponseWriter, r *http.Request) {
 				writer.WriteHeader(http.StatusOK)
@@ -201,9 +204,9 @@ func TestLoggerHeaderFields(t *testing.T) {
 			require.NoError(t, err)
 
 			if test.expected == types.AccessLogDrop {
-				assert.NotContains(t, string(logData), expectedValue)
+				assert.NotContains(t, string(logData), strings.Join(expectedValues, ","))
 			} else {
-				assert.Contains(t, string(logData), expectedValue)
+				assert.Contains(t, string(logData), strings.Join(expectedValues, ","))
 			}
 		})
 	}

pkg/middlewares/headers/responsewriter.go

@@ -10,8 +10,8 @@ import (
 )
 
 type responseModifier struct {
-	r *http.Request
-	w http.ResponseWriter
+	req *http.Request
+	rw  http.ResponseWriter
 
 	headersSent bool // whether headers have already been sent
 	code        int  // status code, must default to 200
@@ -24,71 +24,76 @@ type responseModifier struct {
 // modifier can be nil.
 func newResponseModifier(w http.ResponseWriter, r *http.Request, modifier func(*http.Response) error) *responseModifier {
 	return &responseModifier{
-		r:        r,
-		w:        w,
+		req:      r,
+		rw:       w,
 		modifier: modifier,
 		code:     http.StatusOK,
 	}
 }
 
-func (w *responseModifier) WriteHeader(code int) {
-	if w.headersSent {
+func (r *responseModifier) WriteHeader(code int) {
+	if r.headersSent {
 		return
 	}
 	defer func() {
-		w.code = code
-		w.headersSent = true
+		r.code = code
+		r.headersSent = true
 	}()
 
-	if w.modifier == nil || w.modified {
-		w.w.WriteHeader(code)
+	if r.modifier == nil || r.modified {
+		r.rw.WriteHeader(code)
 		return
 	}
 
 	resp := http.Response{
-		Header:  w.w.Header(),
-		Request: w.r,
+		Header:  r.rw.Header(),
+		Request: r.req,
 	}
 
-	if err := w.modifier(&resp); err != nil {
-		w.modifierErr = err
+	if err := r.modifier(&resp); err != nil {
+		r.modifierErr = err
 		// we are propagating when we are called in Write, but we're logging anyway,
 		// because we could be called from another place which does not take care of
 		// checking w.modifierErr.
 		log.WithoutContext().Errorf("Error when applying response modifier: %v", err)
-		w.w.WriteHeader(http.StatusInternalServerError)
+		r.rw.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 
-	w.modified = true
-	w.w.WriteHeader(code)
+	r.modified = true
+	r.rw.WriteHeader(code)
 }
 
-func (w *responseModifier) Header() http.Header {
-	return w.w.Header()
+func (r *responseModifier) Header() http.Header {
+	return r.rw.Header()
 }
 
-func (w *responseModifier) Write(b []byte) (int, error) {
-	w.WriteHeader(w.code)
-	if w.modifierErr != nil {
-		return 0, w.modifierErr
+func (r *responseModifier) Write(b []byte) (int, error) {
+	r.WriteHeader(r.code)
+	if r.modifierErr != nil {
+		return 0, r.modifierErr
 	}
 
-	return w.w.Write(b)
+	return r.rw.Write(b)
 }
 
 // Hijack hijacks the connection.
-func (w *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	if h, ok := w.w.(http.Hijacker); ok {
+func (r *responseModifier) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	if h, ok := r.rw.(http.Hijacker); ok {
 		return h.Hijack()
 	}
 
-	return nil, nil, fmt.Errorf("not a hijacker: %T", w.w)
+	return nil, nil, fmt.Errorf("not a hijacker: %T", r.rw)
 }
 
 // Flush sends any buffered data to the client.
-func (w *responseModifier) Flush() {
-	if flusher, ok := w.w.(http.Flusher); ok {
+func (r *responseModifier) Flush() {
+	if flusher, ok := r.rw.(http.Flusher); ok {
 		flusher.Flush()
 	}
 }
+
+// CloseNotify implements http.CloseNotifier.
+func (r *responseModifier) CloseNotify() <-chan bool {
+	return r.rw.(http.CloseNotifier).CloseNotify()
+}

pkg/middlewares/tracing/mock_tracing_test.go

@@ -56,7 +56,7 @@ func (n MockSpan) Tracer() opentracing.Tracer                             { retu
 func (n MockSpan) LogEvent(event string)                                  {}
 func (n MockSpan) LogEventWithPayload(event string, payload interface{})  {}
 func (n MockSpan) Log(data opentracing.LogData)                           {}
-func (n MockSpan) Reset() {
+func (n *MockSpan) Reset() {
 	n.Tags = make(map[string]interface{})
 }
 

pkg/provider/file/file.go

@@ -167,6 +167,86 @@ func (p *Provider) loadFileConfig(ctx context.Context, filename string, parseTem
 
 	if configuration.TLS != nil {
 		configuration.TLS.Certificates = flattenCertificates(ctx, configuration.TLS)
+
+		// TLS Options
+		if configuration.TLS.Options != nil {
+			for name, options := range configuration.TLS.Options {
+				var caCerts []tls.FileOrContent
+
+				for _, caFile := range options.ClientAuth.CAFiles {
+					content, err := caFile.Read()
+					if err != nil {
+						log.FromContext(ctx).Error(err)
+						continue
+					}
+
+					caCerts = append(caCerts, tls.FileOrContent(content))
+				}
+				options.ClientAuth.CAFiles = caCerts
+
+				configuration.TLS.Options[name] = options
+			}
+		}
+
+		// TLS stores
+		if len(configuration.TLS.Stores) > 0 {
+			for name, store := range configuration.TLS.Stores {
+				content, err := store.DefaultCertificate.CertFile.Read()
+				if err != nil {
+					log.FromContext(ctx).Error(err)
+					continue
+				}
+				store.DefaultCertificate.CertFile = tls.FileOrContent(content)
+
+				content, err = store.DefaultCertificate.KeyFile.Read()
+				if err != nil {
+					log.FromContext(ctx).Error(err)
+					continue
+				}
+				store.DefaultCertificate.KeyFile = tls.FileOrContent(content)
+
+				configuration.TLS.Stores[name] = store
+			}
+		}
+	}
+
+	// ServersTransport
+	if configuration.HTTP != nil && len(configuration.HTTP.ServersTransports) > 0 {
+		for name, st := range configuration.HTTP.ServersTransports {
+			var certificates []tls.Certificate
+			for _, cert := range st.Certificates {
+				content, err := cert.CertFile.Read()
+				if err != nil {
+					log.FromContext(ctx).Error(err)
+					continue
+				}
+				cert.CertFile = tls.FileOrContent(content)
+
+				content, err = cert.KeyFile.Read()
+				if err != nil {
+					log.FromContext(ctx).Error(err)
+					continue
+				}
+				cert.KeyFile = tls.FileOrContent(content)
+
+				certificates = append(certificates, cert)
+			}
+
+			configuration.HTTP.ServersTransports[name].Certificates = certificates
+
+			var rootCAs []tls.FileOrContent
+			for _, rootCA := range st.RootCAs {
+				content, err := rootCA.Read()
+				if err != nil {
+					log.FromContext(ctx).Error(err)
+					continue
+				}
+
+				rootCAs = append(rootCAs, tls.FileOrContent(content))
+			}
+
+			st.RootCAs = rootCAs
+		}
 	}
 
 	return configuration, nil

pkg/provider/file/file_test.go

@@ -25,19 +25,35 @@ type ProvideTestCase struct {
 	expectedNumTLSOptions int
 }
 
-func TestTLSContent(t *testing.T) {
+func TestTLSCertificateContent(t *testing.T) {
 	tempDir := t.TempDir()
 
 	fileTLS, err := createTempFile("./fixtures/toml/tls_file.cert", tempDir)
 	require.NoError(t, err)
 
+	fileTLSKey, err := createTempFile("./fixtures/toml/tls_file_key.cert", tempDir)
+	require.NoError(t, err)
+
 	fileConfig, err := os.CreateTemp(tempDir, "temp*.toml")
 	require.NoError(t, err)
 
 	content := `
 [[tls.certificates]]
   certFile = "` + fileTLS.Name() + `"
-  keyFile = "` + fileTLS.Name() + `"
+  keyFile = "` + fileTLSKey.Name() + `"
+
+[tls.options.default.clientAuth]
+  caFiles = ["` + fileTLS.Name() + `"]
+
+[tls.stores.default.defaultCertificate]
+  certFile = "` + fileTLS.Name() + `"
+  keyFile = "` + fileTLSKey.Name() + `"
+
+[http.serversTransports.default]
+  rootCAs = ["` + fileTLS.Name() + `"]
+  [[http.serversTransports.default.certificates]]
+    certFile = "` + fileTLS.Name() + `"
+    keyFile = "` + fileTLSKey.Name() + `"
 `
 
 	_, err = fileConfig.Write([]byte(content))
@@ -48,7 +64,16 @@ func TestTLSContent(t *testing.T) {
 	require.NoError(t, err)
 
 	require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.CertFile.String())
-	require.Equal(t, "CONTENT", configuration.TLS.Certificates[0].Certificate.KeyFile.String())
+	require.Equal(t, "CONTENTKEY", configuration.TLS.Certificates[0].Certificate.KeyFile.String())
+
+	require.Equal(t, "CONTENT", configuration.TLS.Options["default"].ClientAuth.CAFiles[0].String())
+
+	require.Equal(t, "CONTENT", configuration.TLS.Stores["default"].DefaultCertificate.CertFile.String())
+	require.Equal(t, "CONTENTKEY", configuration.TLS.Stores["default"].DefaultCertificate.KeyFile.String())
+
+	require.Equal(t, "CONTENT", configuration.HTTP.ServersTransports["default"].Certificates[0].CertFile.String())
+	require.Equal(t, "CONTENTKEY", configuration.HTTP.ServersTransports["default"].Certificates[0].KeyFile.String())
+	require.Equal(t, "CONTENT", configuration.HTTP.ServersTransports["default"].RootCAs[0].String())
 }
 
 func TestErrorWhenEmptyConfig(t *testing.T) {

pkg/provider/file/fixtures/toml/tls_file_key.cert

@@ -0,0 +1 @@
+CONTENTKEY

pkg/provider/kubernetes/crd/fixtures/tcp/with_bad_tls_options.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: default
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: default
 
 data:
@@ -32,9 +32,9 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretUnknown
-      - emptySecret
+      - secret-ca1
+      - secret-unknown
+      - empty-secret
     clientAuthType: VerifyClientCertIfGiven
 
 ---

pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: default
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: default
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretCA2
+      - secret-ca1
+      - secret-ca2
     clientAuthType: VerifyClientCertIfGiven
   preferServerCipherSuites: true
 ---

pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_options_and_specific_namespace.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: myns
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: myns
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretCA2
+      - secret-ca1
+      - secret-ca2
     clientAuthType: VerifyClientCertIfGiven
 
 ---

pkg/provider/kubernetes/crd/fixtures/udp/services.yml

@@ -160,3 +160,16 @@ subsets:
     ports:
       - name: myapp
         port: 8000
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: external.service.with.port
+  namespace: default
+spec:
+  externalName: external.domain
+  type: ExternalName
+  ports:
+    - name: http
+      port: 80
+

pkg/provider/kubernetes/crd/fixtures/udp/with_externalname_service.yml

@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteUDP
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  entryPoints:
+    - foo
+
+  routes:
+  - services:
+    - name: external.service.with.port
+      port: 80

pkg/provider/kubernetes/crd/fixtures/with_bad_tls_options.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: default
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: badSecret
+  name: bad-secret
   namespace: default
 
 data:
@@ -32,9 +32,9 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretUnknown
-      - emptySecret
+      - secret-ca1
+      - secret-unknown
+      - empty-secret
     clientAuthType: VerifyClientCertIfGiven
 
 ---

pkg/provider/kubernetes/crd/fixtures/with_default_tls_options.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCAdefault1
+  name: secret-ca-default1
   namespace: foo
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCAdefault2
+  name: secret-ca-default2
   namespace: foo
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCAdefault1
-      - secretCAdefault2
+      - secret-ca-default1
+      - secret-ca-default2
     clientAuthType: VerifyClientCertIfGiven
   preferServerCipherSuites: true
 

pkg/provider/kubernetes/crd/fixtures/with_default_tls_options_default_namespace.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: default
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: default
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretCA2
+      - secret-ca1
+      - secret-ca2
     clientAuthType: VerifyClientCertIfGiven
   preferServerCipherSuites: true
 

pkg/provider/kubernetes/crd/fixtures/with_servers_transport.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: rootCas1
+  name: root-ca1
   namespace: foo
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: rootCas2
+  name: root-ca2
   namespace: foo
 
 data:
@@ -51,8 +51,8 @@ spec:
   insecureSkipVerify: true
   maxIdleConnsPerHost: 42
   rootCAsSecrets:
-  - rootCas1
-  - rootCas2
+  - root-ca1
+  - root-ca2
   certificatesSecrets:
   - mtls1
   - mtls2

pkg/provider/kubernetes/crd/fixtures/with_tls_options.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: default
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: default
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretCA2
+      - secret-ca1
+      - secret-ca2
     clientAuthType: VerifyClientCertIfGiven
   preferServerCipherSuites: true
 

pkg/provider/kubernetes/crd/fixtures/with_tls_options_and_specific_namespace.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA1
+  name: secret-ca1
   namespace: myns
 
 data:
@@ -11,7 +11,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: secretCA2
+  name: secret-ca2
   namespace: myns
 
 data:
@@ -32,8 +32,8 @@ spec:
     - TLS_RSA_WITH_AES_256_GCM_SHA384
   clientAuth:
     secretNames:
-      - secretCA1
-      - secretCA2
+      - secret-ca1
+      - secret-ca2
     clientAuthType: VerifyClientCertIfGiven
 
 ---

pkg/provider/kubernetes/crd/kubernetes.go

@@ -38,20 +38,16 @@ const (
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	Endpoint            string          `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
-	Token               string          `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
-	CertAuthFilePath    string          `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
-	Namespaces          []string        `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
-	AllowCrossNamespace *bool           `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
-	LabelSelector       string          `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
-	IngressClass        string          `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
-	ThrottleDuration    ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
-	lastConfiguration   safe.Safe
-}
-
-// SetDefaults sets the default values.
-func (p *Provider) SetDefaults() {
-	p.AllowCrossNamespace = func(b bool) *bool { return &b }(true)
+	Endpoint                  string          `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+	Token                     string          `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
+	CertAuthFilePath          string          `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
+	Namespaces                []string        `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
+	AllowCrossNamespace       bool            `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
+	AllowExternalNameServices bool            `description:"Allow ExternalName services." json:"allowExternalNameServices,omitempty" toml:"allowExternalNameServices,omitempty" yaml:"allowExternalNameServices,omitempty" export:"true"`
+	LabelSelector             string          `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
+	IngressClass              string          `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
+	ThrottleDuration          ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
+	lastConfiguration         safe.Safe
 }
 
 func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
@@ -103,10 +99,14 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 		return err
 	}
 
-	if p.AllowCrossNamespace == nil || *p.AllowCrossNamespace {
+	if p.AllowCrossNamespace {
 		logger.Warn("Cross-namespace reference between IngressRoutes and resources is enabled, please ensure that this is expected (see AllowCrossNamespace option)")
 	}
 
+	if p.AllowExternalNameServices {
+		logger.Warn("ExternalName service loading is enabled, please ensure that this is expected (see AllowExternalNameServices option)")
+	}
+
 	pool.GoCtx(func(ctxPool context.Context) {
 		operation := func() error {
 			eventsChan, err := k8sClient.WatchAll(p.Namespaces, ctxPool.Done())
@@ -245,7 +245,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
 		}
 	}
 
-	cb := configBuilder{client, p.AllowCrossNamespace}
+	cb := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}
 
 	for _, service := range client.GetTraefikServices() {
 		err := cb.buildTraefikService(ctx, service, conf.HTTP.Services)
@@ -365,7 +365,7 @@ func (p *Provider) createErrorPageMiddleware(client Client, namespace string, er
 		Query:  errorPage.Query,
 	}
 
-	balancerServerHTTP, err := configBuilder{client, p.AllowCrossNamespace}.buildServersLB(namespace, errorPage.Service.LoadBalancerSpec)
+	balancerServerHTTP, err := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}.buildServersLB(namespace, errorPage.Service.LoadBalancerSpec)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -826,7 +826,7 @@ func throttleEvents(ctx context.Context, throttleDuration time.Duration, pool *s
 	return eventsChanBuffered
 }
 
-func isNamespaceAllowed(allowCrossNamespace *bool, parentNamespace, namespace string) bool {
+func isNamespaceAllowed(allowCrossNamespace bool, parentNamespace, namespace string) bool {
 	// If allowCrossNamespace option is not defined the default behavior is to allow cross namespace references.
-	return allowCrossNamespace == nil || *allowCrossNamespace || parentNamespace == namespace
+	return allowCrossNamespace || parentNamespace == namespace
 }

pkg/provider/kubernetes/crd/kubernetes_http.go

@@ -49,7 +49,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
 			ingressName = ingressRoute.GenerateName
 		}
 
-		cb := configBuilder{client, p.AllowCrossNamespace}
+		cb := configBuilder{client: client, allowCrossNamespace: p.AllowCrossNamespace, allowExternalNameServices: p.AllowExternalNameServices}
 
 		for _, route := range ingressRoute.Spec.Routes {
 			if route.Kind != "Rule" {
@@ -172,8 +172,9 @@ func (p *Provider) makeMiddlewareKeys(ctx context.Context, ingRouteNamespace str
 }
 
 type configBuilder struct {
-	client              Client
-	allowCrossNamespace *bool
+	client                    Client
+	allowCrossNamespace       bool
+	allowExternalNameServices bool
 }
 
 // buildTraefikService creates the configuration for the traefik service defined in tService,
@@ -322,6 +323,10 @@ func (c configBuilder) loadServers(parentNamespace string, svc v1alpha1.LoadBala
 
 	var servers []dynamic.Server
 	if service.Spec.Type == corev1.ServiceTypeExternalName {
+		if !c.allowExternalNameServices {
+			return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, sanitizedName)
+		}
+
 		protocol, err := parseServiceProtocol(svc.Scheme, svcPort.Name, svcPort.Port)
 		if err != nil {
 			return nil, err

pkg/provider/kubernetes/crd/kubernetes_tcp.go

@@ -135,7 +135,7 @@ func (p *Provider) createLoadBalancerServerTCP(client Client, parentNamespace st
 		ns = service.Namespace
 	}
 
-	servers, err := loadTCPServers(client, ns, service)
+	servers, err := p.loadTCPServers(client, ns, service)
 	if err != nil {
 		return nil, err
 	}
@@ -162,7 +162,7 @@ func (p *Provider) createLoadBalancerServerTCP(client Client, parentNamespace st
 	return tcpService, nil
 }
 
-func loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([]dynamic.TCPServer, error) {
+func (p *Provider) loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([]dynamic.TCPServer, error) {
 	service, exists, err := client.GetService(namespace, svc.Name)
 	if err != nil {
 		return nil, err
@@ -172,6 +172,10 @@ func loadTCPServers(client Client, namespace string, svc v1alpha1.ServiceTCP) ([
 		return nil, errors.New("service not found")
 	}
 
+	if service.Spec.Type == corev1.ServiceTypeExternalName && !p.AllowExternalNameServices {
+		return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, svc.Name)
+	}
+
 	svcPort, err := getServicePort(service, svc.Port)
 	if err != nil {
 		return nil, err

pkg/provider/kubernetes/crd/kubernetes_test.go

@@ -1153,8 +1153,7 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 				return
 			}
 
-			p := Provider{IngressClass: test.ingressClass}
-			p.SetDefaults()
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true, AllowExternalNameServices: true}
 
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -3338,8 +3337,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 				return
 			}
 
-			p := Provider{IngressClass: test.ingressClass}
-			p.SetDefaults()
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true, AllowExternalNameServices: true}
 
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -3655,8 +3653,7 @@ func TestLoadIngressRouteUDPs(t *testing.T) {
 				return
 			}
 
-			p := Provider{IngressClass: test.ingressClass}
-			p.SetDefaults()
+			p := Provider{IngressClass: test.ingressClass, AllowCrossNamespace: true}
 
 			clientMock := newClientMock(test.paths...)
 			conf := p.loadConfigurationFromCRD(context.Background(), clientMock)
@@ -4438,10 +4435,292 @@ func TestCrossNamespace(t *testing.T) {
 				<-eventCh
 			}
 
-			p := Provider{}
-			p.SetDefaults()
+			p := Provider{AllowCrossNamespace: test.allowCrossNamespace}
+
+			conf := p.loadConfigurationFromCRD(context.Background(), client)
+			assert.Equal(t, test.expected, conf)
+		})
+	}
+}
+
+func TestExternalNameService(t *testing.T) {
+	testCases := []struct {
+		desc                     string
+		allowExternalNameService bool
+		ingressClass             string
+		paths                    []string
+		expected                 *dynamic.Configuration
+	}{
+		{
+			desc: "Empty",
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:                     "HTTP ExternalName services allowed",
+			paths:                    []string{"services.yml", "with_externalname_with_http.yml"},
+			allowExternalNameService: true,
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers: map[string]*dynamic.Router{
+						"default-test-route-6f97418635c7e18853da": {
+							EntryPoints: []string{"foo"},
+							Service:     "default-test-route-6f97418635c7e18853da",
+							Rule:        "Host(`foo.com`)",
+							Priority:    0,
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-test-route-6f97418635c7e18853da": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://external.domain:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "HTTP Externalname services disallowed",
+			paths: []string{"services.yml", "with_externalname_with_http.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:                     "TCP ExternalName services allowed",
+			paths:                    []string{"tcp/services.yml", "tcp/with_externalname_with_port.yml"},
+			allowExternalNameService: true,
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers: map[string]*dynamic.TCPRouter{
+						"default-test.route-fdd3e9338e47a45efefc": {
+							EntryPoints: []string{"foo"},
+							Service:     "default-test.route-fdd3e9338e47a45efefc",
+							Rule:        "HostSNI(`foo.com`)",
+						},
+					},
+					Services: map[string]*dynamic.TCPService{
+						"default-test.route-fdd3e9338e47a45efefc": {
+							LoadBalancer: &dynamic.TCPServersLoadBalancer{
+								Servers: []dynamic.TCPServer{
+									{
+										Address: "external.domain:80",
+										Port:    "",
+									},
+								},
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "TCP ExternalName services disallowed",
+			paths: []string{"tcp/services.yml", "tcp/with_externalname_with_port.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					// The router that references the invalid service will be discarded.
+					Routers: map[string]*dynamic.TCPRouter{
+						"default-test.route-fdd3e9338e47a45efefc": {
+							EntryPoints: []string{"foo"},
+							Service:     "default-test.route-fdd3e9338e47a45efefc",
+							Rule:        "HostSNI(`foo.com`)",
+						},
+					},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:                     "UDP ExternalName services allowed",
+			paths:                    []string{"udp/services.yml", "udp/with_externalname_service.yml"},
+			allowExternalNameService: true,
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers: map[string]*dynamic.UDPRouter{
+						"default-test.route-0": {
+							EntryPoints: []string{"foo"},
+							Service:     "default-test.route-0",
+						},
+					},
+					Services: map[string]*dynamic.UDPService{
+						"default-test.route-0": {
+							LoadBalancer: &dynamic.UDPServersLoadBalancer{
+								Servers: []dynamic.UDPServer{
+									{
+										Address: "external.domain:80",
+										Port:    "",
+									},
+								},
+							},
+						},
+					},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "UDP ExternalName service disallowed",
+			paths: []string{"udp/services.yml", "udp/with_externalname_service.yml"},
+			expected: &dynamic.Configuration{
+				// The router that references the invalid service will be discarded.
+				UDP: &dynamic.UDPConfiguration{
+					Routers: map[string]*dynamic.UDPRouter{
+						"default-test.route-0": {
+							EntryPoints: []string{"foo"},
+							Service:     "default-test.route-0",
+						},
+					},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					ServersTransports: map[string]*dynamic.ServersTransport{},
+					Routers:           map[string]*dynamic.Router{},
+					Middlewares:       map[string]*dynamic.Middleware{},
+					Services:          map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			var k8sObjects []runtime.Object
+			var crdObjects []runtime.Object
+			for _, path := range test.paths {
+				yamlContent, err := os.ReadFile(filepath.FromSlash("./fixtures/" + path))
+				if err != nil {
+					panic(err)
+				}
+
+				objects := k8s.MustParseYaml(yamlContent)
+				for _, obj := range objects {
+					switch o := obj.(type) {
+					case *corev1.Service, *corev1.Endpoints, *corev1.Secret:
+						k8sObjects = append(k8sObjects, o)
+					case *v1alpha1.IngressRoute:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.IngressRouteTCP:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.IngressRouteUDP:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.Middleware:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.TraefikService:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.TLSOption:
+						crdObjects = append(crdObjects, o)
+					case *v1alpha1.TLSStore:
+						crdObjects = append(crdObjects, o)
+					default:
+					}
+				}
+			}
+
+			kubeClient := kubefake.NewSimpleClientset(k8sObjects...)
+			crdClient := crdfake.NewSimpleClientset(crdObjects...)
+
+			client := newClientImpl(kubeClient, crdClient)
+
+			stopCh := make(chan struct{})
+
+			eventCh, err := client.WatchAll([]string{"default", "cross-ns"}, stopCh)
+			require.NoError(t, err)
+
+			if k8sObjects != nil || crdObjects != nil {
+				// just wait for the first event
+				<-eventCh
+			}
+
+			p := Provider{AllowExternalNameServices: test.allowExternalNameService}
 
-			p.AllowCrossNamespace = func(b bool) *bool { return &b }(test.allowCrossNamespace)
 			conf := p.loadConfigurationFromCRD(context.Background(), client)
 			assert.Equal(t, test.expected, conf)
 		})

pkg/provider/kubernetes/crd/kubernetes_udp.go

@@ -87,7 +87,7 @@ func (p *Provider) createLoadBalancerServerUDP(client Client, parentNamespace st
 		ns = service.Namespace
 	}
 
-	servers, err := loadUDPServers(client, ns, service)
+	servers, err := p.loadUDPServers(client, ns, service)
 	if err != nil {
 		return nil, err
 	}
@@ -101,7 +101,7 @@ func (p *Provider) createLoadBalancerServerUDP(client Client, parentNamespace st
 	return udpService, nil
 }
 
-func loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([]dynamic.UDPServer, error) {
+func (p *Provider) loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([]dynamic.UDPServer, error) {
 	service, exists, err := client.GetService(namespace, svc.Name)
 	if err != nil {
 		return nil, err
@@ -111,6 +111,10 @@ func loadUDPServers(client Client, namespace string, svc v1alpha1.ServiceUDP) ([
 		return nil, errors.New("service not found")
 	}
 
+	if service.Spec.Type == corev1.ServiceTypeExternalName && !p.AllowExternalNameServices {
+		return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, svc.Name)
+	}
+
 	var portSpec *corev1.ServicePort
 	for _, p := range service.Spec.Ports {
 		p := p

pkg/provider/kubernetes/ingress/fixtures/Ingress-with-IPv6-endpoints-externalname-enabled_ingress.yml

@@ -0,0 +1,14 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: example.com
+  namespace: testing
+
+spec:
+  rules:
+    - http:
+        paths:
+          - path: /foo
+            backend:
+              serviceName: service-foo
+              servicePort: 8080

pkg/provider/kubernetes/ingress/fixtures/Ingress-with-IPv6-endpoints-externalname-enabled_service.yml

@@ -0,0 +1,13 @@
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: service-foo
+  namespace: testing
+
+spec:
+  ports:
+  - name: http
+    port: 8080
+  type: ExternalName
+  externalName: "2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b"

pkg/provider/kubernetes/ingress/fixtures/Ingress-with-service-with-externalName-enabled_ingress.yml

@@ -0,0 +1,15 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: ""
+  namespace: testing
+
+spec:
+  rules:
+  - host: traefik.tchouk
+    http:
+      paths:
+      - path: /bar
+        backend:
+          serviceName: service1
+          servicePort: 8080

pkg/provider/kubernetes/ingress/fixtures/Ingress-with-service-with-externalName-enabled_service.yml

@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: service1
+  namespace: testing
+
+spec:
+  ports:
+  - port: 8080
+  clusterIP: 10.0.0.1
+  type: ExternalName
+  externalName: traefik.wtf
+

pkg/provider/kubernetes/ingress/fixtures/TLS-support_ingress.yml

@@ -8,7 +8,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myTlsSecret
+  - secretName: my-tls-secret
   rules:
   - host: example.com
     http:
@@ -27,7 +27,7 @@ metadata:
 
 spec:
   tls:
-  - secretName: myUndefinedSecret
+  - secretName: my-undefined-secret
   rules:
   - host: example.fail
     http:

pkg/provider/kubernetes/ingress/fixtures/TLS-support_secret.yml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: myTlsSecret
+  name: my-tls-secret
   namespace: testing
 
 data:

pkg/provider/kubernetes/ingress/kubernetes.go

@@ -37,15 +37,16 @@ const (
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	Endpoint          string           `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
-	Token             string           `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
-	CertAuthFilePath  string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
-	Namespaces        []string         `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
-	LabelSelector     string           `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
-	IngressClass      string           `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
-	IngressEndpoint   *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
-	ThrottleDuration  ptypes.Duration  `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
-	lastConfiguration safe.Safe
+	Endpoint                  string           `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+	Token                     string           `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
+	CertAuthFilePath          string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
+	Namespaces                []string         `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
+	LabelSelector             string           `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
+	IngressClass              string           `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
+	IngressEndpoint           *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
+	ThrottleDuration          ptypes.Duration  `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
+	AllowExternalNameServices bool             `description:"Allow ExternalName services." json:"allowExternalNameServices,omitempty" toml:"allowExternalNameServices,omitempty" yaml:"allowExternalNameServices,omitempty" export:"true"`
+	lastConfiguration         safe.Safe
 }
 
 // EndpointIngress holds the endpoint information for the Kubernetes provider.
@@ -107,6 +108,10 @@ func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.
 		return err
 	}
 
+	if p.AllowExternalNameServices {
+		logger.Warn("ExternalName service loading is enabled, please ensure that this is expected (see AllowExternalNameServices option)")
+	}
+
 	pool.GoCtx(func(ctxPool context.Context) {
 		operation := func() error {
 			eventsChan, err := k8sClient.WatchAll(p.Namespaces, ctxPool.Done())
@@ -228,7 +233,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
 				continue
 			}
 
-			service, err := loadService(client, ingress.Namespace, *ingress.Spec.Backend)
+			service, err := p.loadService(client, ingress.Namespace, *ingress.Spec.Backend)
 			if err != nil {
 				log.FromContext(ctx).
 					WithField("serviceName", ingress.Spec.Backend.ServiceName).
@@ -265,7 +270,7 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
 			}
 
 			for _, pa := range rule.HTTP.Paths {
-				service, err := loadService(client, ingress.Namespace, pa.Backend)
+				service, err := p.loadService(client, ingress.Namespace, pa.Backend)
 				if err != nil {
 					log.FromContext(ctx).
 						WithField("serviceName", pa.Backend.ServiceName).
@@ -460,7 +465,7 @@ func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores
 	return configs
 }
 
-func loadService(client Client, namespace string, backend networkingv1beta1.IngressBackend) (*dynamic.Service, error) {
+func (p *Provider) loadService(client Client, namespace string, backend networkingv1beta1.IngressBackend) (*dynamic.Service, error) {
 	service, exists, err := client.GetService(namespace, backend.ServiceName)
 	if err != nil {
 		return nil, err
@@ -470,6 +475,10 @@ func loadService(client Client, namespace string, backend networkingv1beta1.Ingr
 		return nil, errors.New("service not found")
 	}
 
+	if !p.AllowExternalNameServices && service.Spec.Type == corev1.ServiceTypeExternalName {
+		return nil, fmt.Errorf("externalName services not allowed: %s/%s", namespace, backend.ServiceName)
+	}
+
 	var portName string
 	var portSpec corev1.ServicePort
 	var match bool

pkg/provider/kubernetes/ingress/kubernetes_test.go

@@ -732,33 +732,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
 				},
 			},
 		},
-		{
-			desc: "Ingress with service with externalName",
-			expected: &dynamic.Configuration{
-				TCP: &dynamic.TCPConfiguration{},
-				HTTP: &dynamic.HTTPConfiguration{
-					Middlewares: map[string]*dynamic.Middleware{},
-					Routers: map[string]*dynamic.Router{
-						"testing-traefik-tchouk-bar": {
-							Rule:    "Host(`traefik.tchouk`) && PathPrefix(`/bar`)",
-							Service: "testing-service1-8080",
-						},
-					},
-					Services: map[string]*dynamic.Service{
-						"testing-service1-8080": {
-							LoadBalancer: &dynamic.ServersLoadBalancer{
-								PassHostHeader: Bool(true),
-								Servers: []dynamic.Server{
-									{
-										URL: "http://traefik.wtf:8080",
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-		},
 		{
 			desc: "Ingress with port invalid for one service",
 			expected: &dynamic.Configuration{
@@ -786,47 +759,6 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
 				},
 			},
 		},
-		{
-			desc: "Ingress with IPv6 endpoints",
-			expected: &dynamic.Configuration{
-				TCP: &dynamic.TCPConfiguration{},
-				HTTP: &dynamic.HTTPConfiguration{
-					Middlewares: map[string]*dynamic.Middleware{},
-					Routers: map[string]*dynamic.Router{
-						"example-com-testing-bar": {
-							Rule:    "PathPrefix(`/bar`)",
-							Service: "testing-service-bar-8080",
-						},
-						"example-com-testing-foo": {
-							Rule:    "PathPrefix(`/foo`)",
-							Service: "testing-service-foo-8080",
-						},
-					},
-					Services: map[string]*dynamic.Service{
-						"testing-service-bar-8080": {
-							LoadBalancer: &dynamic.ServersLoadBalancer{
-								Servers: []dynamic.Server{
-									{
-										URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b]:8080",
-									},
-								},
-								PassHostHeader: Bool(true),
-							},
-						},
-						"testing-service-foo-8080": {
-							LoadBalancer: &dynamic.ServersLoadBalancer{
-								Servers: []dynamic.Server{
-									{
-										URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b]:8080",
-									},
-								},
-								PassHostHeader: Bool(true),
-							},
-						},
-					},
-				},
-			},
-		},
 		{
 			desc: "TLS support",
 			expected: &dynamic.Configuration{
@@ -1332,6 +1264,152 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
 		},
 	}
 
+	for _, test := range testCases {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			var paths []string
+			_, err := os.Stat(generateTestFilename("_ingress", test.desc))
+			if err == nil {
+				paths = append(paths, generateTestFilename("_ingress", test.desc))
+			}
+			_, err = os.Stat(generateTestFilename("_endpoint", test.desc))
+			if err == nil {
+				paths = append(paths, generateTestFilename("_endpoint", test.desc))
+			}
+			_, err = os.Stat(generateTestFilename("_service", test.desc))
+			if err == nil {
+				paths = append(paths, generateTestFilename("_service", test.desc))
+			}
+			_, err = os.Stat(generateTestFilename("_secret", test.desc))
+			if err == nil {
+				paths = append(paths, generateTestFilename("_secret", test.desc))
+			}
+			_, err = os.Stat(generateTestFilename("_ingressclass", test.desc))
+			if err == nil {
+				paths = append(paths, generateTestFilename("_ingressclass", test.desc))
+			}
+
+			serverVersion := test.serverVersion
+			if serverVersion == "" {
+				serverVersion = "v1.17"
+			}
+
+			clientMock := newClientMock(serverVersion, paths...)
+			p := Provider{IngressClass: test.ingressClass}
+			conf := p.loadConfigurationFromIngresses(context.Background(), clientMock)
+
+			assert.Equal(t, test.expected, conf)
+		})
+	}
+}
+
+func TestLoadConfigurationFromIngressesWithExternalNameServices(t *testing.T) {
+	testCases := []struct {
+		desc                      string
+		ingressClass              string
+		serverVersion             string
+		allowExternalNameServices bool
+		expected                  *dynamic.Configuration
+	}{
+		{
+			desc: "Ingress with service with externalName",
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{},
+				HTTP: &dynamic.HTTPConfiguration{
+					Middlewares: map[string]*dynamic.Middleware{},
+					Routers:     map[string]*dynamic.Router{},
+					Services:    map[string]*dynamic.Service{},
+				},
+			},
+		},
+		{
+			desc:                      "Ingress with service with externalName enabled",
+			allowExternalNameServices: true,
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{},
+				HTTP: &dynamic.HTTPConfiguration{
+					Middlewares: map[string]*dynamic.Middleware{},
+					Routers: map[string]*dynamic.Router{
+						"testing-traefik-tchouk-bar": {
+							Rule:    "Host(`traefik.tchouk`) && PathPrefix(`/bar`)",
+							Service: "testing-service1-8080",
+						},
+					},
+					Services: map[string]*dynamic.Service{
+						"testing-service1-8080": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								PassHostHeader: Bool(true),
+								Servers: []dynamic.Server{
+									{
+										URL: "http://traefik.wtf:8080",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc: "Ingress with IPv6 endpoints",
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{},
+				HTTP: &dynamic.HTTPConfiguration{
+					Middlewares: map[string]*dynamic.Middleware{},
+					Routers: map[string]*dynamic.Router{
+						"example-com-testing-bar": {
+							Rule:    "PathPrefix(`/bar`)",
+							Service: "testing-service-bar-8080",
+						},
+					},
+					Services: map[string]*dynamic.Service{
+						"testing-service-bar-8080": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b]:8080",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc:                      "Ingress with IPv6 endpoints externalname enabled",
+			allowExternalNameServices: true,
+			expected: &dynamic.Configuration{
+				TCP: &dynamic.TCPConfiguration{},
+				HTTP: &dynamic.HTTPConfiguration{
+					Middlewares: map[string]*dynamic.Middleware{},
+					Routers: map[string]*dynamic.Router{
+						"example-com-testing-foo": {
+							Rule:    "PathPrefix(`/foo`)",
+							Service: "testing-service-foo-8080",
+						},
+					},
+					Services: map[string]*dynamic.Service{
+						"testing-service-foo-8080": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://[2001:0db8:3c4d:0015:0000:0000:1a2f:2a3b]:8080",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
 	for _, test := range testCases {
 		test := test
 
@@ -1368,6 +1446,7 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
 			clientMock := newClientMock(serverVersion, paths...)
 
 			p := Provider{IngressClass: test.ingressClass}
+			p.AllowExternalNameServices = test.allowExternalNameServices
 			conf := p.loadConfigurationFromIngresses(context.Background(), clientMock)
 
 			assert.Equal(t, test.expected, conf)

pkg/rules/rules.go

@@ -113,7 +113,11 @@ func host(route *mux.Route, hosts ...string) error {
 	route.MatcherFunc(func(req *http.Request, _ *mux.RouteMatch) bool {
 		reqHost := requestdecorator.GetCanonizedHost(req.Context())
 		if len(reqHost) == 0 {
-			log.FromContext(req.Context()).Warnf("Could not retrieve CanonizedHost, rejecting %s", req.Host)
+			// If the request is an HTTP/1.0 request, then a Host may not be defined.
+			if req.ProtoAtLeast(1, 1) {
+				log.FromContext(req.Context()).Warnf("Could not retrieve CanonizedHost, rejecting %s", req.Host)
+			}
+
 			return false
 		}
 

pkg/server/configurationwatcher.go

@@ -12,6 +12,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/provider"
 	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/tls"
 )
 
 // ConfigurationWatcher watches configuration changes.
@@ -164,6 +165,16 @@ func (c *ConfigurationWatcher) preLoadConfiguration(configMsg dynamic.Message) {
 		if copyConf.TLS != nil {
 			copyConf.TLS.Certificates = nil
 
+			if copyConf.TLS.Options != nil {
+				cleanedOptions := make(map[string]tls.Options, len(copyConf.TLS.Options))
+				for name, option := range copyConf.TLS.Options {
+					option.ClientAuth.CAFiles = []tls.FileOrContent{}
+					cleanedOptions[name] = option
+				}
+
+				copyConf.TLS.Options = cleanedOptions
+			}
+
 			for k := range copyConf.TLS.Stores {
 				st := copyConf.TLS.Stores[k]
 				st.DefaultCertificate = nil
@@ -171,6 +182,13 @@ func (c *ConfigurationWatcher) preLoadConfiguration(configMsg dynamic.Message) {
 			}
 		}
 
+		if copyConf.HTTP != nil {
+			for _, transport := range copyConf.HTTP.ServersTransports {
+				transport.Certificates = tls.Certificates{}
+				transport.RootCAs = []tls.FileOrContent{}
+			}
+		}
+
 		jsonConf, err := json.Marshal(copyConf)
 		if err != nil {
 			logger.Errorf("Could not marshal dynamic configuration: %v", err)

script/gcg/traefik-bugfix.toml

@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example new bugfix v2.4.9
+# example new bugfix v2.4.10
 CurrentRef = "v2.4"
-PreviousRef = "v2.4.8"
+PreviousRef = "v2.4.9"
 BaseBranch = "v2.4"
-FutureCurrentRefName = "v2.4.9"
+FutureCurrentRefName = "v2.4.10"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10