Merge pull request 'master' (#4 ) from Ivasoft/traefik:master into master

Reviewed-on: #4
Merge branch v3.0 into master
2023-04-21 07:07:09 +00:00 · 2023-03-22 16:54:12 +01:00 · 2023-03-22 16:53:41 +01:00 · 2023-03-22 16:40:06 +01:00 · 2023-03-22 12:52:38 +01:00 · 2023-03-22 11:06:05 +01:00
916 changed files with 31497 additions and 26750 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -0,0 +1,17 @@
+kind: pipeline
+name: default
+
+steps:
+- name: docker  
+  image: plugins/docker
+  settings:
+    dockerfile: exp.Dockerfile
+    registry: https://git.ivasoft.cz
+    username:
+      from_secret: repo_user
+    password:
+      from_secret: repo_pass
+    repo: git.ivasoft.cz/sw/traefik
+    tags:
+      - latest
+      - ${DRONE_TAG:-latest}
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,16 +2,16 @@
 PLEASE READ THIS MESSAGE.

 Documentation fixes or enhancements:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.9
+- for Traefik v2: use branch v2.10
+- for Traefik v3: use branch master

 Bug fixes:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.9
+- for Traefik v2: use branch v2.10
+- for Traefik v3: use branch master

 Enhancements:
- for Traefik v1: we only accept bug fixes
- for Traefik v2: use branch master
+- for Traefik v2: we only accept bug fixes
+- for Traefik v3: use branch master

 HOW TO WRITE A GOOD PULL REQUEST? https://doc.traefik.io/traefik/contributing/submitting-pull-requests/

--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -6,7 +6,7 @@ on:
      - '*'

 env:
-  GO_VERSION: 1.19
+  GO_VERSION: '1.20'
  CGO_ENABLED: 0
  IN_DOCKER: ""

--- a/.github/workflows/check_doc.yml
+++ b/.github/workflows/check_doc.yml
@@ -19,3 +19,7 @@ jobs:

      - name: Check documentation
        run: make docs-pull-images docs
+        env:
+          # These variables are not passed to workflows that are triggered by a pull request from a fork.
+          DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
+          DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -7,7 +7,7 @@ on:
      - v*

 env:
-  STRUCTOR_VERSION: v1.11.2
+  STRUCTOR_VERSION: v1.13.1
  MIXTUS_VERSION: v0.4.1

 jobs:
@@ -41,12 +41,12 @@ jobs:
      - name: Build documentation
        run: $HOME/bin/structor -o traefik -r traefik --dockerfile-url="https://raw.githubusercontent.com/traefik/traefik/v1.7/docs.Dockerfile" --menu.js-url="https://raw.githubusercontent.com/traefik/structor/master/traefik-menu.js.gotmpl" --rqts-url="https://raw.githubusercontent.com/traefik/structor/master/requirements-override.txt" --force-edit-url --exp-branch=master --debug
        env:
-          STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
+          STRUCTOR_LATEST_TAG: ${{ vars.STRUCTOR_LATEST_TAG }}

      - name: Apply seo
        run: $HOME/bin/seo -path=./site -product=traefik

      - name: Publish documentation
-        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
+        run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=traefik --src-repo-name=traefik
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_REPO }}
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@@ -6,7 +6,7 @@ on:
      - '*'

 env:
-  GO_VERSION: 1.19
+  GO_VERSION: '1.20'
  IN_DOCKER: ""

 jobs:
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -6,8 +6,8 @@ on:
      - '*'

 env:
-  GO_VERSION: 1.19
-  GOLANGCI_LINT_VERSION: v1.50.0
+  GO_VERSION: '1.20'
+  GOLANGCI_LINT_VERSION: v1.51.2
  MISSSPELL_VERSION: v0.4.0
  IN_DOCKER: ""

--- a/.golangci.yml
+++ b/.golangci.yml
@@ -134,14 +134,6 @@ issues:
  exclude:
    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
    - "should have a package comment, unless it's in another file for this package"
-    - 'SA1019: http.CloseNotifier has been deprecated' # FIXME must be fixed
-    - 'SA1019: cfg.SSLRedirect is deprecated'
-    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
-    - 'SA1019: cfg.SSLHost is deprecated'
-    - 'SA1019: cfg.SSLForceHost is deprecated'
-    - 'SA1019: cfg.FeaturePolicy is deprecated'
-    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
-    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
  exclude-rules:
    - path: '(.+)_test.go'
      linters:
@@ -162,7 +154,7 @@ issues:
      text: "Function 'buildConstructor' has too many statements"
      linters:
        - funlen
-    - path: pkg/tracing/haystack/logger.go
+    - path: pkg/logs/haystack.go
      linters:
        - goprintffuncname
    - path: pkg/tracing/tracing.go
@@ -187,3 +179,7 @@ issues:
      text: 'Duplicate words \(sub\) found'
      linters:
        - dupword
+    - path: pkg/provider/kubernetes/crd/kubernetes.go
+      text: "Function 'loadConfigurationFromCRD' has too many statements"
+      linters:
+        - funlen
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,7 +11,7 @@ builds:
    env:
      - CGO_ENABLED=0
    ldflags:
-      - -s -w -X github.com/traefik/traefik/v2/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v2/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v2/pkg/version.BuildDate={{.Date}}
+      - -s -w -X github.com/traefik/traefik/v3/pkg/version.Version={{.Version}} -X github.com/traefik/traefik/v3/pkg/version.Codename={{.Env.CODENAME}} -X github.com/traefik/traefik/v3/pkg/version.BuildDate={{.Date}}
    flags:
      - -trimpath
    goos:
@@ -22,22 +22,23 @@ builds:
      - openbsd
    goarch:
      - amd64
-      - 386
+      - '386'
      - arm
      - arm64
      - ppc64le
      - s390x
    goarm:
-      - 7
-      - 6
-      - 5
+      - '7'
+      - '6'
    ignore:
      - goos: darwin
-        goarch: 386
+        goarch: '386'
      - goos: openbsd
        goarch: arm
      - goos: openbsd
        goarch: arm64
+      - goos: freebsd
+        goarch: arm
      - goos: freebsd
        goarch: arm64
      - goos: windows
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -19,7 +19,7 @@ global_job_config:
  prologue:
    commands:
      - curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
-      - sudo semgo go1.19
+      - sudo semgo go1.20
      - export "GOPATH=$(go env GOPATH)"
      - export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
      - export "PATH=${GOPATH}/bin:${PATH}"
@@ -64,7 +64,7 @@ blocks:
        - name: GH_VERSION
          value: 1.12.1
        - name: CODENAME
-          value: "banon"
+          value: "beaufort"
        - name: IN_DOCKER
          value: ""
      prologue:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,161 @@
-## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
-[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)
+## [v2.10.0-rc1](https://github.com/traefik/traefik/tree/v2.10.0-rc1) (2023-03-22)
+[All Commits](https://github.com/traefik/traefik/compare/b3f162a8a61d89beaa9edc8adc12cc4cb3e1de0f...v2.10.0-rc1)
+
+**Enhancements:**
+- **[docker]** Expose ContainerName in Docker provider ([#9770](https://github.com/traefik/traefik/pull/9770) by [quinot](https://github.com/quinot))
+- **[hub]** hub: get out of experimental. ([#9792](https://github.com/traefik/traefik/pull/9792) by [mpl](https://github.com/mpl))
+- **[k8s/crd]** Introduce traefik.io API Group CRDs ([#9765](https://github.com/traefik/traefik/pull/9765) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress,k8s/crd,k8s]** Native Kubernetes service load-balancing ([#9740](https://github.com/traefik/traefik/pull/9740) by [rtribotte](https://github.com/rtribotte))
+- **[middleware,metrics]** Add prometheus metric requests_total with headers ([#9783](https://github.com/traefik/traefik/pull/9783) by [rtribotte](https://github.com/rtribotte))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9794](https://github.com/traefik/traefik/pull/9794) by [rtribotte](https://github.com/rtribotte))
+- **[tracing]** Add support to send DataDog traces via Unix Socket ([#9714](https://github.com/traefik/traefik/pull/9714) by [der-eismann](https://github.com/der-eismann))
+
+**Documentation:**
+- docs: update order of log levels ([#9791](https://github.com/traefik/traefik/pull/9791) by [svx](https://github.com/svx))
+
+**Misc:**
+- Merge current v2.9 into v2.10 ([#9798](https://github.com/traefik/traefik/pull/9798) by [ldez](https://github.com/ldez))
+
+## [v2.9.9](https://github.com/traefik/traefik/tree/v2.9.9) (2023-03-21)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.8...v2.9.9)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.10.2 ([#9749](https://github.com/traefik/traefik/pull/9749) by [ldez](https://github.com/ldez))
+- **[http3]** Update quic-go to v0.33.0 ([#9737](https://github.com/traefik/traefik/pull/9737) by [ldez](https://github.com/ldez))
+- **[metrics]** Include user-defined default cert for traefik_tls_certs_not_after metric ([#9742](https://github.com/traefik/traefik/pull/9742) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Update vulcand/oxy to a0e9f7ff1040 ([#9750](https://github.com/traefik/traefik/pull/9750) by [ldez](https://github.com/ldez))
+- **[nomad]** Fix default configuration settings for Nomad Provider ([#9758](https://github.com/traefik/traefik/pull/9758) by [aofei](https://github.com/aofei))
+- **[nomad]** Fix Nomad client TLS defaults ([#9795](https://github.com/traefik/traefik/pull/9795) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Remove User-Agent header removal from ReverseProxy director func ([#9752](https://github.com/traefik/traefik/pull/9752) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[middleware]** Clarify ratelimit middleware ([#9777](https://github.com/traefik/traefik/pull/9777) by [mpl](https://github.com/mpl))
+- **[tcp]** Correcting variable name &#39;server address&#39; in TCP Router ([#9743](https://github.com/traefik/traefik/pull/9743) by [ralphg6](https://github.com/ralphg6))
+
+## [v2.9.8](https://github.com/traefik/traefik/tree/v2.9.8) (2023-02-15)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.7...v2.9.8)
+
+**Bug fixes:**
+- **[server]** Update golang.org/x/net to v0.7.0 ([#9716](https://github.com/traefik/traefik/pull/9716) by [ldez](https://github.com/ldez))
+
+## [v2.9.7](https://github.com/traefik/traefik/tree/v2.9.7) (2023-02-14)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.6...v2.9.7)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.10.0 ([#9705](https://github.com/traefik/traefik/pull/9705) by [ldez](https://github.com/ldez))
+- **[ecs]** Prevent panicking when a container has no network interfaces ([#9661](https://github.com/traefik/traefik/pull/9661) by [rtribotte](https://github.com/rtribotte))
+- **[file]** Make file provider more resilient wrt first configuration ([#9595](https://github.com/traefik/traefik/pull/9595) by [mpl](https://github.com/mpl))
+- **[logs]** Differentiate UDP stream and TCP connection in logs ([#9687](https://github.com/traefik/traefik/pull/9687) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Prevent from no rate limiting when average is zero ([#9621](https://github.com/traefik/traefik/pull/9621) by [witalisoft](https://github.com/witalisoft))
+- **[middleware]** Prevents superfluous WriteHeader call in the error middleware ([#9620](https://github.com/traefik/traefik/pull/9620) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Sanitize X-Forwarded-Proto header in RedirectScheme middleware ([#9598](https://github.com/traefik/traefik/pull/9598) by [ldez](https://github.com/ldez))
+- **[plugins]** Update paerser to v0.2.0 ([#9671](https://github.com/traefik/traefik/pull/9671) by [ldez](https://github.com/ldez))
+- **[plugins]** Update Yaegi to v0.15.0 ([#9700](https://github.com/traefik/traefik/pull/9700) by [ldez](https://github.com/ldez))
+- **[tls,http3]** Bump quic-go to 89769f409f ([#9685](https://github.com/traefik/traefik/pull/9685) by [mpl](https://github.com/mpl))
+- **[tls,tcp]** Adds the support for IPv6 in the TCP HostSNI matcher ([#9692](https://github.com/traefik/traefik/pull/9692) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[acme]** Add CNAME support and gotchas ([#9698](https://github.com/traefik/traefik/pull/9698) by [mpl](https://github.com/mpl))
+- **[acme]** Further Let&#39;s Encrypt ratelimit warnings ([#9627](https://github.com/traefik/traefik/pull/9627) by [hcooper](https://github.com/hcooper))
+- **[k8s]** Add info admonition about routing to k8 services ([#9645](https://github.com/traefik/traefik/pull/9645) by [svx](https://github.com/svx))
+- **[k8s]** Improve TLSStore CRD documentation ([#9579](https://github.com/traefik/traefik/pull/9579) by [mloiseleur](https://github.com/mloiseleur))
+- **[middleware]** doc: add note about remoteaddr strategy ([#9701](https://github.com/traefik/traefik/pull/9701) by [mpl](https://github.com/mpl))
+- Update copyright to match new standard ([#9651](https://github.com/traefik/traefik/pull/9651) by [paulocfjunior](https://github.com/paulocfjunior))
+- Update copyright for 2023 ([#9631](https://github.com/traefik/traefik/pull/9631) by [kevinpollet](https://github.com/kevinpollet))
+- Update submitting pull requests to include language about drafts ([#9609](https://github.com/traefik/traefik/pull/9609) by [tfny](https://github.com/tfny))
+
+## [v3.0.0-beta2](https://github.com/traefik/traefik/tree/v3.0.0-beta2) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.0.0-beta1...v3.0.0-beta2)
+
+**Enhancements:**
+- **[http3]** Moves HTTP/3 outside the experimental section ([#9570](https://github.com/traefik/traefik/pull/9570) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Change traefik cmd error log to error level ([#9569](https://github.com/traefik/traefik/pull/9569) by [tomMoulard](https://github.com/tomMoulard))
+- **[rules]** Rework Host and HostRegexp matchers ([#9559](https://github.com/traefik/traefik/pull/9559) by [tomMoulard](https://github.com/tomMoulard))
+
+**Misc:**
+- Merge current v2.9 into master ([#9586](https://github.com/traefik/traefik/pull/9586) by [tomMoulard](https://github.com/tomMoulard))
+
+## [v2.9.6](https://github.com/traefik/traefik/tree/v2.9.6) (2022-12-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.5...v2.9.6)
+
+**Bug fixes:**
+- **[acme]** Update go-acme/lego to v4.9.1 ([#9550](https://github.com/traefik/traefik/pull/9550) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Support of allowEmptyServices in TraefikService ([#9424](https://github.com/traefik/traefik/pull/9424) by [jeromeguiard](https://github.com/jeromeguiard))
+- **[logs]** Remove logs of the request ([#9574](https://github.com/traefik/traefik/pull/9574) by [ldez](https://github.com/ldez))
+- **[plugins]** Increase the timeout on plugin download ([#9529](https://github.com/traefik/traefik/pull/9529) by [ldez](https://github.com/ldez))
+- **[server]** Update golang.org/x/net ([#9582](https://github.com/traefik/traefik/pull/9582) by [ldez](https://github.com/ldez))
+- **[tls]** Handle broken TLS conf better ([#9572](https://github.com/traefik/traefik/pull/9572) by [mpl](https://github.com/mpl))
+- **[tracing]** Update DataDog tracing dependency to v1.43.1 ([#9526](https://github.com/traefik/traefik/pull/9526) by [rtribotte](https://github.com/rtribotte))
+- **[webui]** Add missing serialNumber passTLSClientCert option to middleware panel ([#9539](https://github.com/traefik/traefik/pull/9539) by [rtribotte](https://github.com/rtribotte))
+
+**Documentation:**
+- **[docker]** Add networking example ([#9542](https://github.com/traefik/traefik/pull/9542) by [Janik-Haag](https://github.com/Janik-Haag))
+- **[hub]** Add information about the Hub Agent ([#9560](https://github.com/traefik/traefik/pull/9560) by [nmengin](https://github.com/nmengin))
+- **[k8s/helm]** Update Helm installation section ([#9564](https://github.com/traefik/traefik/pull/9564) by [mloiseleur](https://github.com/mloiseleur))
+- **[middleware]** Clarify PathPrefix matcher greediness ([#9519](https://github.com/traefik/traefik/pull/9519) by [mpl](https://github.com/mpl))
+
+## [v3.0.0-beta1](https://github.com/traefik/traefik/tree/v3.0.0-beta1) (2022-12-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v3.0.0-beta1)
+
+**Enhancements:**
+- **[ecs]** Add option to keep only healthy ECS tasks ([#8027](https://github.com/traefik/traefik/pull/8027) by [Michampt](https://github.com/Michampt))
+- **[healthcheck]** Support gRPC healthcheck ([#8583](https://github.com/traefik/traefik/pull/8583) by [jjacque](https://github.com/jjacque))
+- **[healthcheck]** Add a status option to the service health check ([#9463](https://github.com/traefik/traefik/pull/9463) by [guoard](https://github.com/guoard))
+- **[http]** Support custom headers when fetching configuration through HTTP ([#9421](https://github.com/traefik/traefik/pull/9421) by [kevinpollet](https://github.com/kevinpollet))
+- **[logs,performance]** New logger for the Traefik logs ([#9515](https://github.com/traefik/traefik/pull/9515) by [ldez](https://github.com/ldez))
+- **[logs,plugins]** Retry on plugin API calls ([#9530](https://github.com/traefik/traefik/pull/9530) by [ldez](https://github.com/ldez))
+- **[logs,provider]** Improve provider logs ([#9562](https://github.com/traefik/traefik/pull/9562) by [ldez](https://github.com/ldez))
+- **[logs]** Improve test logger assertions ([#9533](https://github.com/traefik/traefik/pull/9533) by [ldez](https://github.com/ldez))
+- **[metrics]** Support gRPC and gRPC-Web protocol in metrics ([#9483](https://github.com/traefik/traefik/pull/9483) by [longit644](https://github.com/longit644))
+- **[middleware,accesslogs]** Log TLS client subject ([#9285](https://github.com/traefik/traefik/pull/9285) by [xmessi](https://github.com/xmessi))
+- **[middleware,metrics,tracing]** Add OpenTelemetry tracing and metrics support ([#8999](https://github.com/traefik/traefik/pull/8999) by [tomMoulard](https://github.com/tomMoulard))
+- **[middleware]** Disable Content-Type auto-detection by default ([#9546](https://github.com/traefik/traefik/pull/9546) by [sdelicata](https://github.com/sdelicata))
+- **[middleware]** Add gRPC-Web middleware ([#9451](https://github.com/traefik/traefik/pull/9451) by [juliens](https://github.com/juliens))
+- **[middleware]** Add support for Brotli ([#9387](https://github.com/traefik/traefik/pull/9387) by [glinton](https://github.com/glinton))
+- **[middleware]** Renaming IPWhiteList to IPAllowList  ([#9457](https://github.com/traefik/traefik/pull/9457) by [wxmbugu](https://github.com/wxmbugu))
+- **[nomad]** Support multiple namespaces in the Nomad Provider ([#9332](https://github.com/traefik/traefik/pull/9332) by [0teh](https://github.com/0teh))
+- **[rules]** Update routing syntax ([#9531](https://github.com/traefik/traefik/pull/9531) by [skwair](https://github.com/skwair))
+- **[server]** Rework servers load-balancer to use the WRR ([#9431](https://github.com/traefik/traefik/pull/9431) by [juliens](https://github.com/juliens))
+- **[server]** Allow default entrypoints definition ([#9100](https://github.com/traefik/traefik/pull/9100) by [jilleJr](https://github.com/jilleJr))
+- **[tls,service]** Support SPIFFE mTLS between Traefik and Backend servers ([#9394](https://github.com/traefik/traefik/pull/9394) by [jlevesy](https://github.com/jlevesy))
+- **[tls]** Add Tailscale certificate resolver ([#9237](https://github.com/traefik/traefik/pull/9237) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls]** Support SNI routing with Postgres STARTTLS connections ([#9377](https://github.com/traefik/traefik/pull/9377) by [rtribotte](https://github.com/rtribotte))
+- Remove deprecated options ([#9527](https://github.com/traefik/traefik/pull/9527) by [sdelicata](https://github.com/sdelicata))
+
+**Bug fixes:**
+- **[logs]** Fix log level ([#9545](https://github.com/traefik/traefik/pull/9545) by [ldez](https://github.com/ldez))
+- **[metrics]** Fix ServerUp metric ([#9534](https://github.com/traefik/traefik/pull/9534) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls,service]** Enforce default servers transport SPIFFE config ([#9444](https://github.com/traefik/traefik/pull/9444) by [jlevesy](https://github.com/jlevesy))
+
+**Documentation:**
+- **[metrics]** Update and publish official Grafana Dashboard ([#9493](https://github.com/traefik/traefik/pull/9493) by [mloiseleur](https://github.com/mloiseleur))
+
+**Misc:**
+- Merge branch v2.9 into master ([#9554](https://github.com/traefik/traefik/pull/9554) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9536](https://github.com/traefik/traefik/pull/9536) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9532](https://github.com/traefik/traefik/pull/9532) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9482](https://github.com/traefik/traefik/pull/9482) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9464](https://github.com/traefik/traefik/pull/9464) by [ldez](https://github.com/ldez))
+- Merge branch v2.9 into master ([#9449](https://github.com/traefik/traefik/pull/9449) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9419](https://github.com/traefik/traefik/pull/9419) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v2.9 into master ([#9351](https://github.com/traefik/traefik/pull/9351) by [rtribotte](https://github.com/rtribotte))
+
+## [v2.9.5](https://github.com/traefik/traefik/tree/v2.9.5) (2022-11-17)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.4...v2.9.5)
+
+**Bug fixes:**
+- **[logs,middleware]** Create a new capture instance for each incoming request ([#9510](https://github.com/traefik/traefik/pull/9510) by [sdelicata](https://github.com/sdelicata))
+
+**Documentation:**
+- **[k8s/helm]** Update helm repository ([#9506](https://github.com/traefik/traefik/pull/9506) by [charlie-haley](https://github.com/charlie-haley))
+- Enhance wording of building-testing page ([#9509](https://github.com/traefik/traefik/pull/9509) by [svx](https://github.com/svx))
+- Add link descriptions and update wording ([#9507](https://github.com/traefik/traefik/pull/9507) by [svx](https://github.com/svx))
+- Removes the experimental tag on the Traefik Hub header ([#9498](https://github.com/traefik/traefik/pull/9498) by [tfny](https://github.com/tfny))
+
+## [v2.9.4](https://github.com/traefik/traefik/tree/v2.9.4) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.4)

 **Bug fixes:**
 - **[acme]** Update go-acme/lego to v4.9.0 ([#9413](https://github.com/traefik/traefik/pull/9413) by [tony-defa](https://github.com/tony-defa))
@@ -14,6 +170,16 @@
 - Simplify dashboard rule example ([#9454](https://github.com/traefik/traefik/pull/9454) by [sosoba](https://github.com/sosoba))
 - Add v2.9 to release page ([#9438](https://github.com/traefik/traefik/pull/9438) by [kevinpollet](https://github.com/kevinpollet))

+## [v2.9.3](https://github.com/traefik/traefik/tree/v2.9.3) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.3)
+
+Release canceled.
+
+## [v2.9.2](https://github.com/traefik/traefik/tree/v2.9.2) (2022-10-27)
+[All Commits](https://github.com/traefik/traefik/compare/v2.9.1...v2.9.2)
+
+Release canceled.
+
 ## [v2.9.1](https://github.com/traefik/traefik/tree/v2.9.1) (2022-10-03)
 [All Commits](https://github.com/traefik/traefik/compare/v2.9.0-rc1...v2.9.1)

@@ -42,13 +208,7 @@
 - **[acme]** Fix ACME panic ([#9365](https://github.com/traefik/traefik/pull/9365) by [ldez](https://github.com/ldez))

 **Documentation:**
- Prepare release v2.9.0 ([#9409](https://github.com/traefik/traefik/pull/9409) by [tomMoulard](https://github.com/tomMoulard))
 - **[metrics]** Rework metrics overview page ([#9366](https://github.com/traefik/traefik/pull/9366) by [ddtmachado](https://github.com/ddtmachado))
- Prepare release v2.9.0-rc5 ([#9402](https://github.com/traefik/traefik/pull/9402) by [ldez](https://github.com/ldez))
- Prepare release v2.9.0-rc4 ([#9372](https://github.com/traefik/traefik/pull/9372) by [kevinpollet](https://github.com/kevinpollet))
- Prepare release v2.9.0-rc3 ([#9344](https://github.com/traefik/traefik/pull/9344) by [kevinpollet](https://github.com/kevinpollet))
- Prepare release v2.9.0-rc2 ([6c2c561](https://github.com/traefik/traefik/commit/6c2c561d8f935d76ccd07d28e1455c7768adc153) by [ldez](https://github.com/ldez))
- Prepare release v2.9.0-rc1 ([#9334](https://github.com/traefik/traefik/pull/9334) by [rtribotte](https://github.com/rtribotte))

 **Misc:**
 - Merge current v2.8 into v2.9 ([#9400](https://github.com/traefik/traefik/pull/9400) by [ldez](https://github.com/ldez))
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,6 +1,6 @@
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS; 2020-2022 Traefik Labs
+Copyright (c) 2016-2020 Containous SAS; 2020-2023 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/2
+++ b/2
@@ -189,7 +189,7 @@ generate-genconf:
 .PHONY: release-packages
 release-packages: generate-webui build-dev-image
 	rm -rf dist
-	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
+	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish -p 4 --timeout="90m"
 	$(if $(IN_DOCKER),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
 		--exclude-vcs \
 		--exclude .idea \
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@
 [![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)

 Traefik (pronounced _traffic_) is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy.
-Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Marathon](https://mesosphere.github.io/marathon/), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
+Traefik integrates with your existing infrastructure components ([Docker](https://www.docker.com/), [Swarm mode](https://docs.docker.com/engine/swarm/), [Kubernetes](https://kubernetes.io), [Consul](https://www.consul.io/), [Etcd](https://coreos.com/etcd/), [Rancher v2](https://rancher.com), [Amazon ECS](https://aws.amazon.com/ecs), ...) and configures itself automatically and dynamically.
 Pointing Traefik at your orchestrator should be the _only_ configuration step you need.

 ---
@@ -57,8 +57,8 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t
 - Provides HTTPS to your microservices by leveraging [Let's Encrypt](https://letsencrypt.org)  (wildcard certificates support)
 - Circuit breakers, retry
 - See the magic through its clean web UI
- Websocket, HTTP/2, GRPC ready
- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB)
+- Websocket, HTTP/2, gRPC ready
+- Provides metrics (Rest, Prometheus, Datadog, Statsd, InfluxDB 2.X)
 - Keeps access logs (JSON, CLF)
 - Fast
 - Exposes a Rest API
@@ -68,8 +68,6 @@ _(But if you'd rather configure some of your routes manually, Traefik supports t

 - [Docker](https://doc.traefik.io/traefik/providers/docker/) / [Swarm mode](https://doc.traefik.io/traefik/providers/docker/)
 - [Kubernetes](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
- [Marathon](https://doc.traefik.io/traefik/providers/marathon/)
- [Rancher](https://doc.traefik.io/traefik/providers/rancher/) (Metadata)
 - [File](https://doc.traefik.io/traefik/providers/file/)

 ## Quickstart
--- a/build.Dockerfile
+++ b/build.Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.19-alpine
+FROM golang:1.20-alpine

 RUN apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
    && update-ca-certificates \
--- a/cmd/configuration.go
+++ b/cmd/configuration.go
@@ -4,7 +4,7 @@ import (
 	"time"

 	ptypes "github.com/traefik/paerser/types"
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )

 // TraefikCmdConfiguration wraps the static configuration and extra parameters.
@@ -28,6 +28,10 @@ func NewTraefikConfiguration() *TraefikCmdConfiguration {
 			ServersTransport: &static.ServersTransport{
 				MaxIdleConnsPerHost: 200,
 			},
+			TCPServersTransport: &static.TCPServersTransport{
+				DialTimeout:   ptypes.Duration(30 * time.Second),
+				DialKeepAlive: ptypes.Duration(15 * time.Second),
+			},
 		},
 		ConfigFile: "",
 	}
--- a/cmd/healthcheck/healthcheck.go
+++ b/cmd/healthcheck/healthcheck.go
@@ -8,7 +8,7 @@ import (
 	"time"

 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )

 // NewCmd builds a new HealthCheck command.
--- a/cmd/internal/gen/main.go
+++ b/cmd/internal/gen/main.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 )

-const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
+const rootPkg = "github.com/traefik/traefik/v3/pkg/config/dynamic"

 const (
 	destModuleName = "github.com/traefik/genconf"
@@ -57,8 +57,8 @@ func run(dest string) error {
 	}

 	centrifuge.IncludedImports = []string{
-		"github.com/traefik/traefik/v2/pkg/tls",
-		"github.com/traefik/traefik/v2/pkg/types",
+		"github.com/traefik/traefik/v3/pkg/tls",
+		"github.com/traefik/traefik/v3/pkg/types",
 	}

 	centrifuge.ExcludedTypes = []string{
@@ -71,8 +71,8 @@ func run(dest string) error {
 	}

 	centrifuge.ExcludedFiles = []string{
-		"github.com/traefik/traefik/v2/pkg/types/logs.go",
-		"github.com/traefik/traefik/v2/pkg/types/metrics.go",
+		"github.com/traefik/traefik/v3/pkg/types/logs.go",
+		"github.com/traefik/traefik/v3/pkg/types/metrics.go",
 	}

 	centrifuge.TypeCleaner = cleanType
@@ -87,11 +87,11 @@ func run(dest string) error {
 }

 func cleanType(typ types.Type, base string) string {
-	if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+	if typ.String() == "github.com/traefik/traefik/v3/pkg/tls.FileOrContent" {
 		return "string"
 	}

-	if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
+	if typ.String() == "[]github.com/traefik/traefik/v3/pkg/tls.FileOrContent" {
 		return "[]string"
 	}

@@ -103,8 +103,8 @@ func cleanType(typ types.Type, base string) string {
 		return strings.ReplaceAll(typ.String(), base+".", "")
 	}

-	if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
-		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
+	if strings.Contains(typ.String(), "github.com/traefik/traefik/v3/pkg/") {
+		return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v3/pkg/", "")
 	}

 	return typ.String()
@@ -114,9 +114,9 @@ func cleanPackage(src string) string {
 	switch src {
 	case "github.com/traefik/paerser/types":
 		return ""
-	case "github.com/traefik/traefik/v2/pkg/tls":
+	case "github.com/traefik/traefik/v3/pkg/tls":
 		return path.Join(destModuleName, destPkg, "tls")
-	case "github.com/traefik/traefik/v2/pkg/types":
+	case "github.com/traefik/traefik/v3/pkg/types":
 		return path.Join(destModuleName, destPkg, "types")
 	default:
 		return src
--- a/cmd/traefik/logger.go
+++ b/cmd/traefik/logger.go
@@ -0,0 +1,89 @@
+package main
+
+import (
+	"io"
+	stdlog "log"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/natefinch/lumberjack"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/sirupsen/logrus"
+	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/logs"
+)
+
+func init() {
+	// hide the first logs before the setup of the logger.
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+}
+
+func setupLogger(staticConfiguration *static.Configuration) {
+	// configure log format
+	w := getLogWriter(staticConfiguration)
+
+	// configure log level
+	logLevel := getLogLevel(staticConfiguration)
+
+	// create logger
+	logCtx := zerolog.New(w).With().Timestamp()
+	if logLevel <= zerolog.DebugLevel {
+		logCtx = logCtx.Caller()
+	}
+
+	log.Logger = logCtx.Logger().Level(logLevel)
+	zerolog.DefaultContextLogger = &log.Logger
+	zerolog.SetGlobalLevel(logLevel)
+
+	// Global logrus replacement (related to lib like go-rancher-metadata, docker, etc.)
+	logrus.StandardLogger().Out = logs.NoLevel(log.Logger, zerolog.DebugLevel)
+
+	// configure default standard log.
+	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
+	stdlog.SetOutput(logs.NoLevel(log.Logger, zerolog.DebugLevel))
+}
+
+func getLogWriter(staticConfiguration *static.Configuration) io.Writer {
+	var w io.Writer = os.Stderr
+
+	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
+		_, _ = os.Create(staticConfiguration.Log.FilePath)
+		w = &lumberjack.Logger{
+			Filename:   staticConfiguration.Log.FilePath,
+			MaxSize:    staticConfiguration.Log.MaxSize,
+			MaxBackups: staticConfiguration.Log.MaxBackups,
+			MaxAge:     staticConfiguration.Log.MaxAge,
+			Compress:   true,
+		}
+	}
+
+	if staticConfiguration.Log == nil || staticConfiguration.Log.Format != "json" {
+		w = zerolog.ConsoleWriter{
+			Out:        w,
+			TimeFormat: time.RFC3339,
+			NoColor:    staticConfiguration.Log != nil && (staticConfiguration.Log.NoColor || len(staticConfiguration.Log.FilePath) > 0),
+		}
+	}
+
+	return w
+}
+
+func getLogLevel(staticConfiguration *static.Configuration) zerolog.Level {
+	levelStr := "error"
+	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
+		levelStr = strings.ToLower(staticConfiguration.Log.Level)
+	}
+
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(levelStr))
+	if err != nil {
+		log.Error().Err(err).
+			Str("logLevel", levelStr).
+			Msg("Unspecified or invalid log level, setting the level to default (ERROR)...")
+
+		logLevel = zerolog.ErrorLevel
+	}
+
+	return logLevel
+}
--- a/cmd/traefik/plugins.go
+++ b/cmd/traefik/plugins.go
@@ -3,8 +3,8 @@ package main
 import (
 	"fmt"

-	"github.com/traefik/traefik/v2/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/plugins"
+	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/plugins"
 )

 const outputDir = "./plugins-storage/"
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"sort"
 	"strings"
 	"syscall"
@@ -18,33 +17,36 @@ import (
 	"github.com/coreos/go-systemd/daemon"
 	"github.com/go-acme/lego/v4/challenge"
 	gokitmetrics "github.com/go-kit/kit/metrics"
+	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
+	"github.com/spiffe/go-spiffe/v2/workloadapi"
 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/cmd"
-	"github.com/traefik/traefik/v2/cmd/healthcheck"
-	cmdVersion "github.com/traefik/traefik/v2/cmd/version"
-	tcli "github.com/traefik/traefik/v2/pkg/cli"
-	"github.com/traefik/traefik/v2/pkg/collector"
-	"github.com/traefik/traefik/v2/pkg/config/dynamic"
-	"github.com/traefik/traefik/v2/pkg/config/runtime"
-	"github.com/traefik/traefik/v2/pkg/config/static"
-	"github.com/traefik/traefik/v2/pkg/log"
-	"github.com/traefik/traefik/v2/pkg/metrics"
-	"github.com/traefik/traefik/v2/pkg/middlewares/accesslog"
-	"github.com/traefik/traefik/v2/pkg/provider/acme"
-	"github.com/traefik/traefik/v2/pkg/provider/aggregator"
-	"github.com/traefik/traefik/v2/pkg/provider/hub"
-	"github.com/traefik/traefik/v2/pkg/provider/traefik"
-	"github.com/traefik/traefik/v2/pkg/safe"
-	"github.com/traefik/traefik/v2/pkg/server"
-	"github.com/traefik/traefik/v2/pkg/server/middleware"
-	"github.com/traefik/traefik/v2/pkg/server/service"
-	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
-	"github.com/traefik/traefik/v2/pkg/tracing"
-	"github.com/traefik/traefik/v2/pkg/tracing/jaeger"
-	"github.com/traefik/traefik/v2/pkg/types"
-	"github.com/traefik/traefik/v2/pkg/version"
-	"github.com/vulcand/oxy/roundrobin"
+	"github.com/traefik/traefik/v3/cmd"
+	"github.com/traefik/traefik/v3/cmd/healthcheck"
+	cmdVersion "github.com/traefik/traefik/v3/cmd/version"
+	tcli "github.com/traefik/traefik/v3/pkg/cli"
+	"github.com/traefik/traefik/v3/pkg/collector"
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	"github.com/traefik/traefik/v3/pkg/config/runtime"
+	"github.com/traefik/traefik/v3/pkg/config/static"
+	"github.com/traefik/traefik/v3/pkg/logs"
+	"github.com/traefik/traefik/v3/pkg/metrics"
+	"github.com/traefik/traefik/v3/pkg/middlewares/accesslog"
+	"github.com/traefik/traefik/v3/pkg/provider/acme"
+	"github.com/traefik/traefik/v3/pkg/provider/aggregator"
+	"github.com/traefik/traefik/v3/pkg/provider/hub"
+	"github.com/traefik/traefik/v3/pkg/provider/tailscale"
+	"github.com/traefik/traefik/v3/pkg/provider/traefik"
+	"github.com/traefik/traefik/v3/pkg/safe"
+	"github.com/traefik/traefik/v3/pkg/server"
+	"github.com/traefik/traefik/v3/pkg/server/middleware"
+	"github.com/traefik/traefik/v3/pkg/server/service"
+	"github.com/traefik/traefik/v3/pkg/tcp"
+	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
+	"github.com/traefik/traefik/v3/pkg/tracing"
+	"github.com/traefik/traefik/v3/pkg/tracing/jaeger"
+	"github.com/traefik/traefik/v3/pkg/types"
+	"github.com/traefik/traefik/v3/pkg/version"
 )

 func main() {
@@ -78,7 +80,7 @@ Complete documentation is available at https://traefik.io`,

 	err = cli.Execute(cmdTraefik)
 	if err != nil {
-		stdlog.Println(err)
+		log.Error().Err(err).Msg("Command error")
 		logrus.Exit(1)
 	}

@@ -86,27 +88,24 @@ Complete documentation is available at https://traefik.io`,
 }

 func runCmd(staticConfiguration *static.Configuration) error {
-	configureLogging(staticConfiguration)
+	setupLogger(staticConfiguration)

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

-	if err := roundrobin.SetDefaultWeight(0); err != nil {
-		log.WithoutContext().Errorf("Could not set round robin default weight: %v", err)
-	}
-
 	staticConfiguration.SetEffectiveConfiguration()
 	if err := staticConfiguration.ValidateConfiguration(); err != nil {
 		return err
 	}

-	log.WithoutContext().Infof("Traefik version %s built on %s", version.Version, version.BuildDate)
+	log.Info().Str("version", version.Version).
+		Msgf("Traefik version %s built on %s", version.Version, version.BuildDate)

 	jsonConf, err := json.Marshal(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not marshal static configuration: %v", err)
-		log.WithoutContext().Debugf("Static configuration loaded [struct] %#v", staticConfiguration)
+		log.Error().Err(err).Msg("Could not marshal static configuration")
+		log.Debug().Interface("staticConfiguration", staticConfiguration).Msg("Static configuration loaded [struct]")
 	} else {
-		log.WithoutContext().Debugf("Static configuration loaded %s", string(jsonConf))
+		log.Debug().RawJSON("staticConfiguration", jsonConf).Msg("Static configuration loaded [json]")
 	}

 	if staticConfiguration.Global.CheckNewVersion {
@@ -131,16 +130,16 @@ func runCmd(staticConfiguration *static.Configuration) error {

 	sent, err := daemon.SdNotify(false, "READY=1")
 	if !sent && err != nil {
-		log.WithoutContext().Errorf("Failed to notify: %v", err)
+		log.Error().Err(err).Msg("Failed to notify")
 	}

 	t, err := daemon.SdWatchdogEnabled(false)
 	if err != nil {
-		log.WithoutContext().Errorf("Could not enable Watchdog: %v", err)
+		log.Error().Err(err).Msg("Could not enable Watchdog")
 	} else if t != 0 {
 		// Send a ping each half time given
 		t /= 2
-		log.WithoutContext().Infof("Watchdog activated with timer duration %s", t)
+		log.Info().Msgf("Watchdog activated with timer duration %s", t)
 		safe.Go(func() {
 			tick := time.Tick(t)
 			for range tick {
@@ -151,17 +150,17 @@ func runCmd(staticConfiguration *static.Configuration) error {

 				if staticConfiguration.Ping == nil || errHealthCheck == nil {
 					if ok, _ := daemon.SdNotify(false, "WATCHDOG=1"); !ok {
-						log.WithoutContext().Error("Fail to tick watchdog")
+						log.Error().Msg("Fail to tick watchdog")
 					}
 				} else {
-					log.WithoutContext().Error(errHealthCheck)
+					log.Error().Err(errHealthCheck).Send()
 				}
 			}
 		})
 	}

 	svr.Wait()
-	log.WithoutContext().Info("Shutting down")
+	log.Info().Msg("Shutting down")
 	return nil
 }

@@ -190,9 +189,18 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	acmeProviders := initACMEProvider(staticConfiguration, &providerAggregator, tlsManager, httpChallengeProvider, tlsChallengeProvider)

+	// Tailscale
+
+	tsProviders := initTailscaleProviders(staticConfiguration, &providerAggregator)
+
+	// Metrics
+
+	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
+	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
+
 	// Entrypoints

-	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver)
+	serverEntryPointsTCP, err := server.NewTCPEntryPoints(staticConfiguration.EntryPoints, staticConfiguration.HostResolver, metricsRegistry)
 	if err != nil {
 		return nil, err
 	}
@@ -202,15 +210,11 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}

-	if staticConfiguration.Pilot != nil {
-		log.WithoutContext().Warn("Traefik Pilot has been removed.")
-	}
-
 	// Plugins

 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
+		log.Error().Err(err).Msg("Plugins are disabled because an error has occurred.")
 	}

 	// Providers plugins
@@ -244,14 +248,29 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		}
 	}

-	// Metrics
-
-	metricRegistries := registerMetricClients(staticConfiguration.Metrics)
-	metricsRegistry := metrics.NewMultiRegistry(metricRegistries)
-
 	// Service manager factory

-	roundTripperManager := service.NewRoundTripperManager()
+	var spiffeX509Source *workloadapi.X509Source
+	if staticConfiguration.Spiffe != nil && staticConfiguration.Spiffe.WorkloadAPIAddr != "" {
+		log.Info().Str("workloadAPIAddr", staticConfiguration.Spiffe.WorkloadAPIAddr).
+			Msg("Waiting on SPIFFE SVID delivery")
+
+		spiffeX509Source, err = workloadapi.NewX509Source(
+			ctx,
+			workloadapi.WithClientOptions(
+				workloadapi.WithAddr(
+					staticConfiguration.Spiffe.WorkloadAPIAddr,
+				),
+			),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("unable to create SPIFFE x509 source: %w", err)
+		}
+		log.Info().Msg("Successfully obtained SPIFFE SVID.")
+	}
+
+	roundTripperManager := service.NewRoundTripperManager(spiffeX509Source)
+	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
 	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, metricsRegistry, roundTripperManager, acmeHTTPHandler)

@@ -261,7 +280,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	tracer := setupTracing(staticConfiguration.Tracing)

 	chainBuilder := middleware.NewChainBuilder(metricsRegistry, accessLog, tracer)
-	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
+	routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry, dialerManager)

 	// Watcher

@@ -278,7 +297,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)

 		gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
-		for _, certificate := range tlsManager.GetCertificates() {
+		for _, certificate := range tlsManager.GetServerCertificates() {
 			appendCertMetric(gauge, certificate)
 		}
 	})
@@ -292,6 +311,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// Server Transports
 	watcher.AddListener(func(conf dynamic.Configuration) {
 		roundTripperManager.Update(conf.HTTP.ServersTransports)
+		dialerManager.Update(conf.TCP.ServersTransports)
 	})

 	// Switch router
@@ -311,13 +331,22 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 	// TLS challenge
 	watcher.AddListener(tlsChallengeProvider.ListenConfiguration)

-	// ACME
+	// Certificate Resolvers
+
 	resolverNames := map[string]struct{}{}
+
+	// ACME
 	for _, p := range acmeProviders {
 		resolverNames[p.ResolverName] = struct{}{}
 		watcher.AddListener(p.ListenConfiguration)
 	}

+	// Tailscale
+	for _, p := range tsProviders {
+		resolverNames[p.ResolverName] = struct{}{}
+		watcher.AddListener(p.HandleConfigUpdate)
+	}
+
 	// Certificate resolver logs
 	watcher.AddListener(func(config dynamic.Configuration) {
 		for rtName, rt := range config.HTTP.Routers {
@@ -329,7 +358,8 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 				// "traefik-hub" is an allowed certificate resolver name in a Traefik Hub Experimental feature context.
 				// It is used to activate its own certificate resolution, even though it is not a "classical" traefik certificate resolver.
 				(staticConfiguration.Hub == nil || rt.TLS.CertResolver != "traefik-hub") {
-				log.WithoutContext().Errorf("the router %s uses a non-existent resolver: %s", rtName, rt.TLS.CertResolver)
+				log.Error().Err(err).Str(logs.RouterName, rtName).Str("certificateResolver", rt.TLS.CertResolver).
+					Msg("Router uses a non-existent certificate resolver")
 			}
 		}
 	})
@@ -350,8 +380,24 @@ func getHTTPChallengeHandler(acmeProviders []*acme.Provider, httpChallengeProvid

 func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string {
 	var defaultEntryPoints []string
+
+	// Determines if at least one EntryPoint is configured to be used by default.
+	var hasDefinedDefaults bool
+	for _, ep := range staticConfiguration.EntryPoints {
+		if ep.AsDefault {
+			hasDefinedDefaults = true
+			break
+		}
+	}
+
 	for name, cfg := range staticConfiguration.EntryPoints {
-		// Traefik Hub entryPoint should not be part of the set of default entryPoints.
+		// By default all entrypoints are considered.
+		// If at least one is flagged, then only flagged entrypoints are included.
+		if hasDefinedDefaults && !cfg.AsDefault {
+			continue
+		}
+
+		// Traefik Hub entryPoint should not be used as a default entryPoint.
 		if hub.APIEntrypoint == name || hub.TunnelEntrypoint == name {
 			continue
 		}
@@ -359,7 +405,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		protocol, err := cfg.GetProtocol()
 		if err != nil {
 			// Should never happen because Traefik should not start if protocol is invalid.
-			log.WithoutContext().Errorf("Invalid protocol: %v", err)
+			log.Error().Err(err).Msg("Invalid protocol")
 		}

 		if protocol != "udp" && name != static.DefaultInternalEntryPointName {
@@ -382,7 +428,7 @@ func switchRouter(routerFactory *server.RouterFactory, serverEntryPointsTCP serv
 	}
 }

-// initACMEProvider creates an acme provider from the ACME part of globalConfiguration.
+// initACMEProvider creates and registers acme.Provider instances corresponding to the configured ACME certificate resolvers.
 func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.ProviderAggregator, tlsManager *traefiktls.Manager, httpChallengeProvider, tlsChallengeProvider challenge.Provider) []*acme.Provider {
 	localStores := map[string]*acme.LocalStore{}

@@ -405,7 +451,7 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 		}

 		if err := providerAggregator.AddProvider(p); err != nil {
-			log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
+			log.Error().Err(err).Str("resolver", name).Msg("The ACME resolve is skipped from the resolvers list")
 			continue
 		}

@@ -419,6 +465,27 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
 	return resolvers
 }

+// initTailscaleProviders creates and registers tailscale.Provider instances corresponding to the configured Tailscale certificate resolvers.
+func initTailscaleProviders(cfg *static.Configuration, providerAggregator *aggregator.ProviderAggregator) []*tailscale.Provider {
+	var providers []*tailscale.Provider
+	for name, resolver := range cfg.CertificatesResolvers {
+		if resolver.Tailscale == nil {
+			continue
+		}
+
+		tsProvider := &tailscale.Provider{ResolverName: name}
+
+		if err := providerAggregator.AddProvider(tsProvider); err != nil {
+			log.Error().Err(err).Str(logs.ProviderName, name).Msg("Unable to create Tailscale provider")
+			continue
+		}
+
+		providers = append(providers, tsProvider)
+	}
+
+	return providers
+}
+
 func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	if metricsConfig == nil {
 		return nil
@@ -427,42 +494,60 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 	var registries []metrics.Registry

 	if metricsConfig.Prometheus != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "prometheus"))
-		prometheusRegister := metrics.RegisterPrometheus(ctx, metricsConfig.Prometheus)
+		logger := log.With().Str(logs.MetricsProviderName, "prometheus").Logger()
+
+		prometheusRegister := metrics.RegisterPrometheus(logger.WithContext(context.Background()), metricsConfig.Prometheus)
 		if prometheusRegister != nil {
 			registries = append(registries, prometheusRegister)
-			log.FromContext(ctx).Debug("Configured Prometheus metrics")
+			logger.Debug().Msg("Configured Prometheus metrics")
 		}
 	}

 	if metricsConfig.Datadog != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "datadog"))
-		registries = append(registries, metrics.RegisterDatadog(ctx, metricsConfig.Datadog))
-		log.FromContext(ctx).Debugf("Configured Datadog metrics: pushing to %s once every %s",
-			metricsConfig.Datadog.Address, metricsConfig.Datadog.PushInterval)
+		logger := log.With().Str(logs.MetricsProviderName, "datadog").Logger()
+
+		registries = append(registries, metrics.RegisterDatadog(logger.WithContext(context.Background()), metricsConfig.Datadog))
+		logger.Debug().
+			Str("address", metricsConfig.Datadog.Address).
+			Str("pushInterval", metricsConfig.Datadog.PushInterval.String()).
+			Msgf("Configured Datadog metrics")
 	}

 	if metricsConfig.StatsD != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "statsd"))
-		registries = append(registries, metrics.RegisterStatsd(ctx, metricsConfig.StatsD))
-		log.FromContext(ctx).Debugf("Configured StatsD metrics: pushing to %s once every %s",
-			metricsConfig.StatsD.Address, metricsConfig.StatsD.PushInterval)
-	}
+		logger := log.With().Str(logs.MetricsProviderName, "statsd").Logger()

-	if metricsConfig.InfluxDB != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb"))
-		registries = append(registries, metrics.RegisterInfluxDB(ctx, metricsConfig.InfluxDB))
-		log.FromContext(ctx).Debugf("Configured InfluxDB metrics: pushing to %s once every %s",
-			metricsConfig.InfluxDB.Address, metricsConfig.InfluxDB.PushInterval)
+		registries = append(registries, metrics.RegisterStatsd(logger.WithContext(context.Background()), metricsConfig.StatsD))
+		logger.Debug().
+			Str("address", metricsConfig.StatsD.Address).
+			Str("pushInterval", metricsConfig.StatsD.PushInterval.String()).
+			Msg("Configured StatsD metrics")
 	}

 	if metricsConfig.InfluxDB2 != nil {
-		ctx := log.With(context.Background(), log.Str(log.MetricsProviderName, "influxdb2"))
-		influxDB2Register := metrics.RegisterInfluxDB2(ctx, metricsConfig.InfluxDB2)
+		logger := log.With().Str(logs.MetricsProviderName, "influxdb2").Logger()
+
+		influxDB2Register := metrics.RegisterInfluxDB2(logger.WithContext(context.Background()), metricsConfig.InfluxDB2)
 		if influxDB2Register != nil {
 			registries = append(registries, influxDB2Register)
-			log.FromContext(ctx).Debugf("Configured InfluxDB v2 metrics: pushing to %s (%s org/%s bucket) once every %s",
-				metricsConfig.InfluxDB2.Address, metricsConfig.InfluxDB2.Org, metricsConfig.InfluxDB2.Bucket, metricsConfig.InfluxDB2.PushInterval)
+			logger.Debug().
+				Str("address", metricsConfig.InfluxDB2.Address).
+				Str("bucket", metricsConfig.InfluxDB2.Bucket).
+				Str("organization", metricsConfig.InfluxDB2.Org).
+				Str("pushInterval", metricsConfig.InfluxDB2.PushInterval.String()).
+				Msg("Configured InfluxDB v2 metrics")
+		}
+	}
+
+	if metricsConfig.OpenTelemetry != nil {
+		logger := log.With().Str(logs.MetricsProviderName, "openTelemetry").Logger()
+
+		openTelemetryRegistry := metrics.RegisterOpenTelemetry(logger.WithContext(context.Background()), metricsConfig.OpenTelemetry)
+		if openTelemetryRegistry != nil {
+			registries = append(registries, openTelemetryRegistry)
+			logger.Debug().
+				Str("address", metricsConfig.OpenTelemetry.Address).
+				Str("pushInterval", metricsConfig.OpenTelemetry.PushInterval.String()).
+				Msg("Configured OpenTelemetry metrics")
 		}
 	}

@@ -490,7 +575,7 @@ func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {

 	accessLoggerMiddleware, err := accesslog.NewHandler(conf)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create access logger: %v", err)
+		log.Warn().Err(err).Msg("Unable to create access logger")
 		return nil
 	}

@@ -510,7 +595,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Zipkin != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Zipkin backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Zipkin backend.")
 		} else {
 			backend = conf.Zipkin
 		}
@@ -518,7 +603,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Datadog != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Datadog backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Datadog backend.")
 		} else {
 			backend = conf.Datadog
 		}
@@ -526,7 +611,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Instana != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Instana backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Instana backend.")
 		} else {
 			backend = conf.Instana
 		}
@@ -534,7 +619,7 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Haystack != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Haystack backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Haystack backend.")
 		} else {
 			backend = conf.Haystack
 		}
@@ -542,14 +627,22 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	if conf.Elastic != nil {
 		if backend != nil {
-			log.WithoutContext().Error("Multiple tracing backend are not supported: cannot create Elastic backend.")
+			log.Error().Msg("Multiple tracing backend are not supported: cannot create Elastic backend.")
 		} else {
 			backend = conf.Elastic
 		}
 	}

+	if conf.OpenTelemetry != nil {
+		if backend != nil {
+			log.Error().Msg("Tracing backends are all mutually exclusive: cannot create OpenTelemetry backend.")
+		} else {
+			backend = conf.OpenTelemetry
+		}
+	}
+
 	if backend == nil {
-		log.WithoutContext().Debug("Could not initialize tracing, using Jaeger by default")
+		log.Debug().Msg("Could not initialize tracing, using Jaeger by default")
 		defaultBackend := &jaeger.Config{}
 		defaultBackend.SetDefaults()
 		backend = defaultBackend
@@ -557,65 +650,12 @@ func setupTracing(conf *static.Tracing) *tracing.Tracing {

 	tracer, err := tracing.NewTracing(conf.ServiceName, conf.SpanNameLimit, backend)
 	if err != nil {
-		log.WithoutContext().Warnf("Unable to create tracer: %v", err)
+		log.Warn().Err(err).Msg("Unable to create tracer")
 		return nil
 	}
 	return tracer
 }

-func configureLogging(staticConfiguration *static.Configuration) {
-	// configure default log flags
-	stdlog.SetFlags(stdlog.Lshortfile | stdlog.LstdFlags)
-
-	// configure log level
-	// an explicitly defined log level always has precedence. if none is
-	// given and debug mode is disabled, the default is ERROR, and DEBUG
-	// otherwise.
-	levelStr := "error"
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Level != "" {
-		levelStr = strings.ToLower(staticConfiguration.Log.Level)
-	}
-
-	level, err := logrus.ParseLevel(levelStr)
-	if err != nil {
-		log.WithoutContext().Errorf("Error getting level: %v", err)
-	}
-	log.SetLevel(level)
-
-	var logFile string
-	if staticConfiguration.Log != nil && len(staticConfiguration.Log.FilePath) > 0 {
-		logFile = staticConfiguration.Log.FilePath
-	}
-
-	// configure log format
-	var formatter logrus.Formatter
-	if staticConfiguration.Log != nil && staticConfiguration.Log.Format == "json" {
-		formatter = &logrus.JSONFormatter{}
-	} else {
-		disableColors := len(logFile) > 0
-		formatter = &logrus.TextFormatter{DisableColors: disableColors, FullTimestamp: true, DisableSorting: true}
-	}
-	log.SetFormatter(formatter)
-
-	if len(logFile) > 0 {
-		dir := filepath.Dir(logFile)
-
-		if err := os.MkdirAll(dir, 0o755); err != nil {
-			log.WithoutContext().Errorf("Failed to create log path %s: %s", dir, err)
-		}
-
-		err = log.OpenFile(logFile)
-		logrus.RegisterExitHandler(func() {
-			if err := log.CloseFile(); err != nil {
-				log.WithoutContext().Errorf("Error while closing log: %v", err)
-			}
-		})
-		if err != nil {
-			log.WithoutContext().Errorf("Error while opening log file %s: %v", logFile, err)
-		}
-	}
-}
-
 func checkNewVersion() {
 	ticker := time.Tick(24 * time.Hour)
 	safe.Go(func() {
@@ -626,16 +666,16 @@ func checkNewVersion() {
 }

 func stats(staticConfiguration *static.Configuration) {
-	logger := log.WithoutContext()
+	logger := log.Info()

 	if staticConfiguration.Global.SendAnonymousUsage {
-		logger.Info(`Stats collection is enabled.`)
-		logger.Info(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
-		logger.Info(`Help us improve Traefik by leaving this feature on :)`)
-		logger.Info(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
+		logger.Msg(`Stats collection is enabled.`)
+		logger.Msg(`Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.`)
+		logger.Msg(`Help us improve Traefik by leaving this feature on :)`)
+		logger.Msg(`More details on: https://doc.traefik.io/traefik/contributing/data-collection/`)
 		collect(staticConfiguration)
 	} else {
-		logger.Info(`
+		logger.Msg(`
 Stats collection is disabled.
 Help us improve Traefik by turning this feature on :)
 More details on: https://doc.traefik.io/traefik/contributing/data-collection/
@@ -648,7 +688,7 @@ func collect(staticConfiguration *static.Configuration) {
 	safe.Go(func() {
 		for time.Sleep(10 * time.Minute); ; <-ticker {
 			if err := collector.Collect(staticConfiguration); err != nil {
-				log.WithoutContext().Debug(err)
+				log.Debug().Err(err).Send()
 			}
 		}
 	})
--- a/cmd/traefik/traefik_test.go
+++ b/cmd/traefik/traefik_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-kit/kit/metrics"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v3/pkg/config/static"
 )

 // FooCert is a PEM-encoded TLS cert.
@@ -114,3 +115,79 @@ func TestAppendCertMetric(t *testing.T) {
 		})
 	}
 }
+
+func TestGetDefaultsEntrypoints(t *testing.T) {
+	testCases := []struct {
+		desc        string
+		entrypoints static.EntryPoints
+		expected    []string
+	}{
+		{
+			desc: "Skips special names",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"traefik": {
+					Address: ":8080",
+				},
+				"traefikhub-api": {
+					Address: ":9900",
+				},
+				"traefikhub-tunl": {
+					Address: ":9901",
+				},
+			},
+			expected: []string{"web"},
+		},
+		{
+			desc: "Two EntryPoints not attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+		{
+			desc: "Two EntryPoints only one attachable",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"websecure"},
+		},
+		{
+			desc: "Two attachable EntryPoints",
+			entrypoints: map[string]*static.EntryPoint{
+				"web": {
+					Address:   ":80",
+					AsDefault: true,
+				},
+				"websecure": {
+					Address:   ":443",
+					AsDefault: true,
+				},
+			},
+			expected: []string{"web", "websecure"},
+		},
+	}
+
+	for _, test := range testCases {
+		t.Run(test.desc, func(t *testing.T) {
+			actual := getDefaultsEntrypoints(&static.Configuration{
+				EntryPoints: test.entrypoints,
+			})
+
+			assert.ElementsMatch(t, test.expected, actual)
+		})
+	}
+}
--- a/cmd/version/version.go
+++ b/cmd/version/version.go
@@ -8,7 +8,7 @@ import (
 	"text/template"

 	"github.com/traefik/paerser/cli"
-	"github.com/traefik/traefik/v2/pkg/version"
+	"github.com/traefik/traefik/v3/pkg/version"
 )

 var versionTemplate = `Version:      {{.Version}}
--- a/contrib/grafana/traefik-kubernetes.json
+++ b/contrib/grafana/traefik-kubernetes.json
--- a/contrib/grafana/traefik.json
+++ b/contrib/grafana/traefik.json
--- a/docs/content/assets/img/middleware/ipwhitelist.png
+++ b/docs/content/assets/img/middleware/ipwhitelist.png
--- a/docs/content/contributing/building-testing.md
+++ b/docs/content/contributing/building-testing.md
@@ -8,17 +8,22 @@ description: "Compile and test your own Traefik Proxy! Learn how to build your o
 Compile and Test Your Own Traefik!
 {: .subtitle }

-So you want to build your own Traefik binary from the sources?
+You want to build your own Traefik binary from the sources?
 Let's see how.

 ## Building

-You need either [Docker](https://github.com/docker/docker) and `make` (Method 1), or `go` (Method 2) in order to build Traefik.
+You need either [Docker](https://github.com/docker/docker "Link to website of Docker") and `make` (Method 1), or [Go](https://go.dev/ "Link to website of Go") (Method 2) in order to build Traefik.
 For changes to its dependencies, the `dep` dependency management tool is required.

 ### Method 1: Using `Docker` and `Makefile`

 Run make with the `binary` target.
+
+```bash
+make binary
+```
+
 This will create binaries for the Linux platform in the `dist` folder.

 In case when you run build on CI, you may probably want to run docker in non-interactive mode. To achieve that define `DOCKER_NON_INTERACTIVE=true` environment variable.
@@ -160,7 +165,7 @@ TESTFLAGS="-check.f MyTestSuite.My" make test-integration
 TESTFLAGS="-check.f MyTestSuite.*Test" make test-integration
 ```

-More: https://labix.org/gocheck
+Check [gocheck](https://labix.org/gocheck "Link to website of gocheck") for more information.

 ### Method 2: `go`

--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@@ -15,10 +15,14 @@ Let's see how.

 ### General

-This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](https://mkdocs.org/).
+This [documentation](https://doc.traefik.io/traefik/ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").

 ### Method 1: `Docker` and `make`

+Please make sure you have the following requirements installed:
+
+- [Docker](https://www.docker.com/ "Link to website of Docker")
+
 You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:

 ```bash
@@ -43,9 +47,12 @@ $ make docs-build
 ...
 ```

-### Method 2: `mkdocs`
+### Method 2: `MkDocs`

-First, make sure you have `python` and `pip` installed.
+Please make sure you have the following requirements installed:
+
+- [Python](https://www.python.org/ "Link to website of Python")
+- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")

 ```bash
 $ python --version
@@ -54,7 +61,7 @@ $ pip --version
 pip 1.5.2
 ```

-Then, install mkdocs with `pip`.
+Then, install MkDocs with `pip`.

 ```bash
 pip install --user -r requirements.txt
@@ -87,7 +94,7 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas

 !!! note "Clean & Verify"

-    If you've made changes to the documentation, it's safter to clean it before verifying it.
+    If you've made changes to the documentation, it's safer to clean it before verifying it.

    ```bash
    $ make docs
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -107,7 +107,6 @@ The `status/*` labels represent the desired state in the workflow.
 * `area/provider/kv`: KV related.
 * `area/provider/marathon`: Marathon related.
 * `area/provider/mesos`: Mesos related.
-* `area/provider/rancher`: Rancher related.
 * `area/provider/servicefabric`: Azure service fabric related.
 * `area/provider/zk`: Zoo Keeper related.
 * `area/rules`: Rules related.
--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -56,6 +56,7 @@ Merging a PR requires the following steps to be completed before it is merged au
    * Do not open the PR from an organization repository.
    * Keep "allows edit from maintainer" checked.
    * Use semantic line breaks for documentation.
+    * Ensure your PR is not a draft. We do not review drafts, but do answer questions and confer with developers on them as needed.
 * Pass the validation check.
 * Pass all tests.
 * Receive 3 approving reviews maintainers.
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@@ -2,27 +2,12 @@

 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.

-| Feature                                                     | Deprecated | End of Support | Removal |
-|-------------------------------------------------------------|------------|----------------|---------|
-| [Pilot](#pilot)                                             | 2.7        | 2.8            | 2.9     |
-| [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8        | N/A            | 3.0     |
-| [TLS 1.0 and 1.1 Support](#tls-10-and-11)                   | N/A        | 2.8            | N/A     |
+| Feature                                                                                             | Deprecated | End of Support | Removal |
+|-----------------------------------------------------------------------------------------------------|------------|----------------|---------|
+| [Kubernetes CRDs API Version `traefik.io/v1alpha1`](#kubernetes-crds-api-version-traefikiov1alpha1) | N/A        | N/A            | 3.0     |

 ## Impact

-### Pilot
+### Kubernetes CRDs API Version `traefik.io/v1alpha1`

-Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
-
-Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
-Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
-
-### Consul Enterprise Namespace
-
-Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
-please use the `namespaces` options instead.  
-
-### TLS 1.0 and 1.1
-
-Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
+The newly introduced Kubernetes CRD API Version `traefik.io/v1alpha1` will subsequently be removed in Traefik v3. The following version will be `traefik.io/v1`.
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -79,7 +79,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v2.9 --help
+# ex: docker run traefik:v3.0 --help
 ```

 All available arguments can also be found [here](../reference/static-configuration/cli.md).
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -181,3 +181,23 @@ and the message should help in figuring out the mistake(s) in the configuration,

 When using the file provider,
 one easy way to check if the dynamic configuration is well-formed is to validate it with the [JSON Schema of the dynamic configuration](https://json.schemastore.org/traefik-v2-file-provider.json).
+
+## Why does Let's Encrypt wildcard certificate renewal/generation with DNS challenge fail?
+
+If you're trying to renew wildcard certificates, with DNS challenge,
+and you're getting errors such as:
+
+```txt
+msg="Error renewing certificate from LE: {example.com [*.example.com]}"
+providerName=letsencrypt.acme error="error: one or more domains had a problem:
+[example.com] acme: error presenting token: gandiv5: unexpected authZone example.com. for fqdn example.com."
+```
+
+then it could be due to `CNAME` support.
+
+In which case, you should make sure your infrastructure is properly set up for a
+`DNS` challenge that does not rely on `CNAME`, and you should try disabling `CNAME` support with:
+
+```bash
+LEGO_DISABLE_CNAME_SUPPORT=true
+```
--- a/docs/content/getting-started/install-traefik.md
+++ b/docs/content/getting-started/install-traefik.md
@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:

 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:

-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.9/traefik.sample.toml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.yml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.0/traefik.sample.toml)

 ```bash
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.9
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.0
 ```

 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip

    * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v2.9`
+    ex: `traefik:v3.0`
    * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
    * Any orchestrator using docker images can fetch the official Traefik docker image.

@@ -44,13 +44,13 @@ Traefik can be installed in Kubernetes using the Helm chart from <https://github

 Ensure that the following requirements are met:

-* Kubernetes 1.14+
-* Helm version 3.x is [installed](https://helm.sh/docs/intro/install/)
+* Kubernetes 1.16+
+* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)

-Add Traefik's chart repository to Helm:
+Add Traefik Labs chart repository to Helm:

 ```bash
-helm repo add traefik https://helm.traefik.io/traefik
+helm repo add traefik https://traefik.github.io/charts
 ```

 You can update the chart repository by running:
@@ -68,6 +68,9 @@ helm install traefik traefik/traefik
 !!! tip "Helm Features"

    All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
+
+    Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md). 
+
    For instance, installing the chart in a dedicated namespace:

    ```bash tab="Install in a Dedicated Namespace"
@@ -83,8 +86,7 @@ helm install traefik traefik/traefik
    as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
    {: #helm-custom-values }

-    The values are not (yet) documented, but are self-explanatory:
-    you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
+    All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).

    You can also set Traefik command line flags using `additionalArguments`.
    Example of installation with logging set to `DEBUG`:
@@ -119,7 +121,7 @@ by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`)

 ```yaml
 # dashboard.yaml
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: dashboard
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ b/docs/content/getting-started/quick-start-with-kubernetes.md
@@ -130,7 +130,7 @@ spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
-          image: traefik:v2.9
+          image: traefik:v3.0
          args:
            - --api.insecure
            - --providers.kubernetesingress
--- a/docs/content/getting-started/quick-start.md
+++ b/docs/content/getting-started/quick-start.md
@@ -1,11 +1,11 @@
 ---
 title: "Traefik Getting Started Quickly"
-description: "Looking to get started with Traefik Proxy quickly? Read the technical documentation to learn a simple use case that leverages Docker."
+description: "Looking to get started with Traefik Proxy quickly? Read the technical documentation to see a basic use case that leverages Docker."
 ---

 # Quick Start

-A Simple Use Case Using Docker
+A Basic Use Case Using Docker
 {: .subtitle }

 ![quickstart-diagram](../assets/img/quickstart-diagram.png)
@@ -19,9 +19,9 @@ version: '3'

 services:
  reverse-proxy:
-    # The official v2 Traefik docker image
-    image: traefik:v2.9
-    # Enables the web UI and tells Traefik to listen to docker
+    # The official v3 Traefik Docker image
+    image: traefik:v3.0
+    # Enables the web UI and tells Traefik to listen to Docker
    command: --api.insecure=true --providers.docker
    ports:
      # The HTTP port
@@ -50,7 +50,12 @@ Now that we have a Traefik instance up and running, we will deploy new services.
 Edit your `docker-compose.yml` file and add the following at the end of your file.

 ```yaml
-# ...
+version: '3'
+
+services:
+
+  ...
+
  whoami:
    # A container that exposes an API to show its IP address
    image: traefik/whoami
@@ -58,7 +63,7 @@ Edit your `docker-compose.yml` file and add the following at the end of your fil
      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
 ```

-The above defines `whoami`: a simple web service that outputs information about the machine it is deployed on (its IP address, host, and so on).
+The above defines [`whoami`](https://github.com/traefik/whoami "Link to whoami app on GitHub"), a web service that outputs information about the machine it is deployed on (its IP address, host, etc.).

 Start the `whoami` service with the following command:

@@ -66,9 +71,9 @@ Start the `whoami` service with the following command:
 docker-compose up -d whoami
 ```

-Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
+Browse `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new container and updated its own configuration.

-When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_  (Here, we're using curl)
+When Traefik detects new services, it creates the corresponding routes, so you can call them ... _let's see!_  (Here, we're using curl)

 ```shell
 curl -H Host:whoami.docker.localhost http://127.0.0.1
@@ -90,7 +95,7 @@ Run more instances of your `whoami` service with the following command:
 docker-compose up -d --scale whoami=2
 ```

-Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
+Browse to `http://localhost:8080/api/rawdata` and see that Traefik has automatically detected the new instance of the container.

 Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:

@@ -114,6 +119,6 @@ IP: 172.27.0.4

 !!! question "Where to Go Next?"

-    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
+    Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/ "Link to the docs landing page") and let Traefik work for you!

 {!traefik-for-business-applications.md!}
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@@ -11,7 +11,11 @@ Automatic HTTPS
 You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.

 !!! warning "Let's Encrypt and Rate Limiting"
-    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
+    Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to __one week__, and can not be overridden.
+    
+    When running Traefik in a container this file should be persisted across restarts. 
+    If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
+    To configure where certificates are stored, please take a look at the [storage](#storage) configuration.

    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.
@@ -279,8 +283,19 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
    # ...
    ```

-    !!! important
-        A `provider` is mandatory.
+!!! warning "`CNAME` support"
+
+    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
+    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+
+    If needed, `CNAME` support can be disabled with the following environment variable:
+
+    ```bash
+    LEGO_DISABLE_CNAME_SUPPORT=true
+    ```
+
+!!! important
+    A `provider` is mandatory.

 #### `providers`

@@ -315,6 +330,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [deSEC](https://desec.io)                                                                          | `desec`            | `DESEC_TOKEN`                                                                                                                               | [Additional configuration](https://go-acme.github.io/lego/dns/desec)            |
 | [DigitalOcean](https://www.digitalocean.com)                                                       | `digitalocean`     | `DO_AUTH_TOKEN`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean)     |
 | [DNS Made Easy](https://dnsmadeeasy.com)                                                           | `dnsmadeeasy`      | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX`                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy)      |
+| [dnsHome.de](https://www.dnshome.de)                                                               | `dnsHomede`        | `DNSHOMEDE_CREDENTIALS`                                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede)        |
 | [DNSimple](https://dnsimple.com)                                                                   | `dnsimple`         | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL`                                                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple)         |
 | [DNSPod](https://www.dnspod.com/)                                                                  | `dnspod`           | `DNSPOD_API_KEY`                                                                                                                            | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod)           |
 | [Domain Offensive (do.de)](https://www.do.de/)                                                     | `dode`             | `DODE_TOKEN`                                                                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/dode)             |
@@ -350,6 +366,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [ionos](https://ionos.com/)                                                                        | `ionos`            | `IONOS_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/ionos)            |
 | [iwantmyname](https://iwantmyname.com)                                                             | `iwantmyname`      | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD`                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname)      |
 | [Joker.com](https://joker.com)                                                                     | `joker`            | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD`                                                                 | [Additional configuration](https://go-acme.github.io/lego/dns/joker)            |
+| [Liara](https://liara.ir)                                                                          | `liara`            | `LIARA_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liara)            |
 | [Lightsail](https://aws.amazon.com/lightsail/)                                                     | `lightsail`        | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE`                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail)        |
 | [Linode v4](https://www.linode.com)                                                                | `linode`           | `LINODE_TOKEN`                                                                                                                              | [Additional configuration](https://go-acme.github.io/lego/dns/linode)           |
 | [Liquid Web](https://www.liquidweb.com/)                                                           | `liquidweb`        | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb)        |
@@ -388,6 +405,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [Tencent Cloud DNS](https://cloud.tencent.com/product/cns)                                         | `tencentcloud`     | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`                                                                                         | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud)     |
 | [TransIP](https://www.transip.nl/)                                                                 | `transip`          | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/transip)          |
 | [UKFast SafeDNS](https://www.ans.co.uk/cloud-and-infrastructure/dedicated-servers/dns-management/) | `safedns`          | `SAFEDNS_AUTH_TOKEN`                                                                                                                        | [Additional configuration](https://go-acme.github.io/lego/dns/safedns)          |
+| [Ultradns](https://neustarsecurityservices.com/dns-services)                                       | `ultradns`         | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD`                                                                                                    | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns)         |
 | [Variomedia](https://www.variomedia.de/)                                                           | `variomedia`       | `VARIOMEDIA_API_TOKEN`                                                                                                                      | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia)       |
 | [VegaDNS](https://github.com/shupp/VegaDNS-API)                                                    | `vegadns`          | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL`                                                                                | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns)          |
 | [Vercel](https://vercel.com)                                                                       | `vercel`           | `VERCEL_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vercel)           |
@@ -396,6 +414,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
 | [VK Cloud](https://mcs.mail.ru/)                                                                   | `vkcloud`          | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME`                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud)          |
 | [Vscale](https://vscale.io/)                                                                       | `vscale`           | `VSCALE_API_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/vscale)           |
 | [VULTR](https://www.vultr.com)                                                                     | `vultr`            | `VULTR_API_KEY`                                                                                                                             | [Additional configuration](https://go-acme.github.io/lego/dns/vultr)            |
+| [Websupport](https://websupport.sk)                                                                | `websupport`       | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET`                                                                                                   | [Additional configuration](https://go-acme.github.io/lego/dns/websupport)       |
 | [WEDOS](https://www.wedos.com)                                                                     | `wedos`            | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD`                                                                                                     | [Additional configuration](https://go-acme.github.io/lego/dns/wedos)            |
 | [Yandex Cloud](https://cloud.yandex.com/en/)                                                       | `yandexcloud`      | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN`                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud)      |
 | [Yandex](https://yandex.com)                                                                       | `yandex`           | `YANDEX_PDD_TOKEN`                                                                                                                          | [Additional configuration](https://go-acme.github.io/lego/dns/yandex)           |
--- a/docs/content/https/include-acme-multiple-domains-example.md
+++ b/docs/content/https/include-acme-multiple-domains-example.md
@@ -22,7 +22,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
@@ -43,27 +43,6 @@ spec:
      - '*.example.org'
 ```

-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.routers.blog.tls.domains[0].main": "example.com",
-  "traefik.http.routers.blog.tls.domains[0].sans": "*.example.com",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-  - traefik.http.routers.blog.tls.domains[0].main=example.org
-  - traefik.http.routers.blog.tls.domains[0].sans=*.example.org
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
--- a/docs/content/https/include-acme-multiple-domains-from-rule-example.md
+++ b/docs/content/https/include-acme-multiple-domains-from-rule-example.md
@@ -18,7 +18,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
@@ -35,23 +35,6 @@ spec:
    certResolver: myresolver
 ```

-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
--- a/docs/content/https/include-acme-single-domain-example.md
+++ b/docs/content/https/include-acme-single-domain-example.md
@@ -18,7 +18,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: blogtls
@@ -35,23 +35,6 @@ spec:
    certResolver: myresolver
 ```

-```json tab="Marathon"
-labels: {
-  "traefik.http.routers.blog.rule": "Host(`example.com`) && Path(`/blog`)",
-  "traefik.http.routers.blog.tls": "true",
-  "traefik.http.routers.blog.tls.certresolver": "myresolver",
-  "traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
-}
-```
-
-```yaml tab="Rancher"
-## Dynamic configuration
-labels:
-  - traefik.http.routers.blog.rule=Host(`example.com`) && Path(`/blog`)
-  - traefik.http.routers.blog.tls=true
-  - traefik.http.routers.blog.tls.certresolver=myresolver
-```
-
 ```yaml tab="File (YAML)"
 ## Dynamic configuration
 http:
--- a/docs/content/https/spiffe.md
+++ b/docs/content/https/spiffe.md
@@ -0,0 +1,56 @@
+---
+title: "Traefik SPIFFE Documentation"
+description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
+---
+
+# SPIFFE
+
+Secure the backend connection with SPIFFE.
+{: .subtitle }
+
+[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone), 
+provides a secure identity in the form of a specially crafted X.509 certificate, 
+to every workload in an environment.
+
+Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
+
+## Configuration
+
+### General
+
+Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
+It can be defined by using a file (YAML or TOML) or CLI arguments.
+
+### Workload API
+
+The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
+
+!!! info "Enabling SPIFFE in ServersTransports"
+
+    Enabling SPIFFE does not imply that backend connections are going to use it automatically.
+    Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
+	that is meant to be secured with SPIFFE,
+	must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
+
+!!! warning "SPIFFE can cause Traefik to stall"
+	When using SPIFFE,
+	Traefik will wait for the first SVID to be delivered before starting.
+	If Traefik is hanging when waiting on SPIFFE SVID delivery,
+	please double check that it is correctly registered as workload in your SPIFFE infrastructure.
+
+```yaml tab="File (YAML)"
+## Static configuration
+spiffe:
+    workloadAPIAddr: localhost
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[spiffe]
+    workloadAPIAddr: localhost
+```
+
+```bash tab="CLI"
+## Static configuration
+--spiffe.workloadAPIAddr=localhost
+```
--- a/docs/content/https/tailscale.md
+++ b/docs/content/https/tailscale.md
@@ -0,0 +1,207 @@
+---
+title: "Traefik Tailscale Documentation"
+description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
+---
+
+# Tailscale
+
+Provision TLS certificates for your internal Tailscale services.
+{: .subtitle }
+
+To protect a service with TLS, a certificate from a public Certificate Authority is needed.
+In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
+
+## Certificate resolvers
+
+To obtain a TLS certificate from the Tailscale daemon,
+a Tailscale certificate resolver needs to be configured as below.
+
+!!! info "Referencing a certificate resolver"
+
+    Defining a certificate resolver does not imply that routers are going to use it automatically.
+    Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+    myresolver:
+        tailscale: {}
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.tailscale]
+```
+
+```bash tab="CLI"
+--certificatesresolvers.myresolver.tailscale=true
+```
+
+## Domain Definition
+
+A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
+
+- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
+  then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
+
+- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
+  in the [router's rule](../routing/routers/index.md#rule).
+
+!!! info "Tailscale Domain Format"
+
+    The domain is only taken into account if it is a Tailscale-specific one,
+    i.e. of the form `machine-name.domains-alias.ts.net`.
+
+## Configuration Example
+
+!!! example "Enabling Tailscale certificate resolution"
+
+    ```yaml tab="File (YAML)"
+    entryPoints:
+      web:
+        address: ":80"
+
+      websecure:
+        address: ":443"
+
+    certificatesResolvers:
+      myresolver:
+        tailscale: {}
+    ```
+
+    ```toml tab="File (TOML)"
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+      [entryPoints.websecure]
+        address = ":443"
+
+    [certificatesResolvers.myresolver.tailscale]
+    ```
+
+    ```bash tab="CLI"
+    --entrypoints.web.address=:80
+    --entrypoints.websecure.address=:443
+    # ...
+    --certificatesresolvers.myresolver.tailscale=true
+    ```
+
+!!! example "Domain from Router's Rule Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+      rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
+      [http.routers.blog.tls]
+        certResolver = "myresolver"
+    ```
+
+!!! example "Domain from Router's tls.domain Example"
+
+    ```yaml tab="Docker"
+    ## Dynamic configuration
+    labels:
+      - traefik.http.routers.blog.rule=Path(`/metrics`)
+      - traefik.http.routers.blog.tls.certresolver=myresolver
+      - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Docker (Swarm)"
+    ## Dynamic configuration
+    deploy:
+      labels:
+        - traefik.http.routers.blog.rule=Path(`/metrics`)
+        - traefik.http.routers.blog.tls.certresolver=myresolver
+        - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="Kubernetes"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: blogtls
+    spec:
+      entryPoints:
+        - websecure
+      routes:
+        - match: Path(`/metrics`)
+          kind: Rule
+          services:
+            - name: blog
+              port: 8080
+      tls:
+        certResolver: myresolver
+        domains:
+          - main: monitoring.yak-bebop.ts.net
+    ```
+
+    ```yaml tab="File (YAML)"
+    ## Dynamic configuration
+    http:
+      routers:
+        blog:
+          rule: "Path(`/metrics`)"
+          tls:
+            certResolver: myresolver
+            domains:
+              - main: "monitoring.yak-bebop.ts.net"
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Dynamic configuration
+    [http.routers]
+      [http.routers.blog]
+        rule = "Path(`/metrics`)"
+        [http.routers.blog.tls]
+          certResolver = "myresolver"
+          [[http.routers.blog.tls.domains]]
+            main = "monitoring.yak-bebop.ts.net"
+    ```
+
+## Automatic Renewals
+
+Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
+and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -134,7 +134,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSStore
 metadata:
  name: default
@@ -195,7 +195,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSStore
 metadata:
  name: default
@@ -219,14 +219,6 @@ labels:
  - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
 ```

-```json tab="Marathon"
-labels: {
-  "traefik.tls.stores.default.defaultgeneratedcert.resolver": "myresolver",
-  "traefik.tls.stores.default.defaultgeneratedcert.domain.main": "example.org",
-  "traefik.tls.stores.default.defaultgeneratedcert.domain.sans": "foo.example.org, bar.example.org",
-}
-```
-
 ## TLS Options

 The TLS options allow one to configure some parameters of the TLS connection.
@@ -277,7 +269,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -287,7 +279,7 @@ spec:
  minVersion: VersionTLS12

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: mintls13
@@ -328,7 +320,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -338,7 +330,7 @@ spec:
  maxVersion: VersionTLS13

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: maxtls12
@@ -373,7 +365,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -418,7 +410,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -454,7 +446,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -493,7 +485,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
@@ -545,7 +537,7 @@ tls:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: TLSOption
 metadata:
  name: default
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -13,7 +13,7 @@ It receives requests on behalf of your system and finds out which components are
 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
 With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
--- a/docs/content/middlewares/http/addprefix.md
+++ b/docs/content/middlewares/http/addprefix.md
@@ -22,7 +22,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Prefixing with /foo
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: add-foo
@@ -36,18 +36,6 @@ spec:
 - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.add-foo.addprefix.prefix": "/foo"
-}
-```
-
-```yaml tab="Rancher"
-# Prefixing with /foo
-labels:
-  - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Prefixing with /foo
 http:
--- a/docs/content/middlewares/http/basicauth.md
+++ b/docs/content/middlewares/http/basicauth.md
@@ -28,7 +28,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -41,18 +41,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -114,7 +102,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -157,18 +145,6 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -207,7 +183,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -232,17 +208,6 @@ data:
 - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.usersfile": "/path/to/my/usersfile"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -274,7 +239,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -287,17 +252,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.realm": "MyRealm"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -322,7 +276,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: my-auth
@@ -336,12 +290,6 @@ spec:
 - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.my-auth.basicauth.headerField": "X-WebAuth-User"
-}
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -367,7 +315,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -380,17 +328,6 @@ spec:
 - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.basicauth.removeheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -26,7 +26,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Sets the maximum request body to 2MB
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -40,18 +40,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-# Sets the maximum request body to 2MB
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 # Sets the maximum request body to 2MB
 http:
@@ -84,7 +72,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -97,17 +85,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -134,7 +111,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -147,17 +124,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.memRequestBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -186,7 +152,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -199,17 +165,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -236,7 +191,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit
@@ -249,17 +204,6 @@ spec:
 - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.limit.buffering.memResponseBodyBytes": "2000000"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -288,7 +232,7 @@ You can have the Buffering middleware replay the request using `retryExpression`
    ```

    ```yaml tab="Kubernetes"
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: limit
@@ -301,17 +245,6 @@ You can have the Buffering middleware replay the request using `retryExpression`
    - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
    ```

-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
-    }
-    ```
-
-    ```yaml tab="Rancher"
-    labels:
-      - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
-    ```
-
    ```yaml tab="File (YAML)"
    http:
      middlewares:
--- a/docs/content/middlewares/http/chain.md
+++ b/docs/content/middlewares/http/chain.md
@@ -15,7 +15,7 @@ It makes reusing the same groups easier.

 ## Configuration Example

-Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
+Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.

 ```yaml tab="Docker"
 labels:
@@ -25,12 +25,12 @@ labels:
  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+  - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
  - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: test
@@ -47,7 +47,7 @@ spec:
      middlewares:
        - name: secured
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: secured
@@ -58,7 +58,7 @@ spec:
    - name: known-ips
    - name: auth-users
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth-users
@@ -67,7 +67,7 @@ spec:
    users:
    - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: https-only
@@ -75,12 +75,12 @@ spec:
  redirectScheme:
    scheme: https
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: known-ips
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
    - 192.168.1.7
    - 127.0.0.1/32
@@ -93,35 +93,10 @@ spec:
 - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
 - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
 - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
+- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
 - "traefik.http.services.service1.loadbalancer.server.port=80"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.router1.service": "service1",
-  "traefik.http.routers.router1.middlewares": "secured",
-  "traefik.http.routers.router1.rule": "Host(`mydomain`)",
-  "traefik.http.middlewares.secured.chain.middlewares": "https-only,known-ips,auth-users",
-  "traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
-  "traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
-  "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
-  "traefik.http.services.service1.loadbalancer.server.port": "80"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.routers.router1.service=service1"
-  - "traefik.http.routers.router1.middlewares=secured"
-  - "traefik.http.routers.router1.rule=Host(`mydomain`)"
-  - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-  - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-  - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
-  - "traefik.http.services.service1.loadbalancer.server.port=80"
-```
-
 ```yaml tab="File (YAML)"
 # ...
 http:
@@ -150,7 +125,7 @@ http:
        scheme: https

    known-ips:
-      ipWhiteList:
+      ipAllowList:
        sourceRange:
          - "192.168.1.7"
          - "127.0.0.1/32"
@@ -180,7 +155,7 @@ http:
  [http.middlewares.https-only.redirectScheme]
    scheme = "https"

-  [http.middlewares.known-ips.ipWhiteList]
+  [http.middlewares.known-ips.ipAllowList]
    sourceRange = ["192.168.1.7", "127.0.0.1/32"]

 [http.services]
--- a/docs/content/middlewares/http/circuitbreaker.md
+++ b/docs/content/middlewares/http/circuitbreaker.md
@@ -38,7 +38,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Latency Check
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: latency-check
@@ -52,18 +52,6 @@ spec:
 - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.latency-check.circuitbreaker.expression": "LatencyAtQuantileMS(50.0) > 100"
-}
-```
-
-```yaml tab="Rancher"
-# Latency Check
-labels:
-  - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
 ```yaml tab="File (YAML)"
 # Latency Check
 http:
--- a/docs/content/middlewares/http/compress.md
+++ b/docs/content/middlewares/http/compress.md
@@ -5,24 +5,25 @@ description: "Traefik Proxy's HTTP middleware lets you compress responses before

 # Compress

-Compress Responses before Sending them to the Client
+Compress Allows Compressing Responses before Sending them to the Client
 {: .subtitle }

 ![Compress](../../assets/img/middleware/compress.png)

-The Compress middleware uses gzip compression.
+The Compress middleware supports gzip and Brotli compression.
+The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.

 ## Configuration Examples

 ```yaml tab="Docker"
-# Enable gzip compression
+# Enable compression
 labels:
  - "traefik.http.middlewares.test-compress.compress=true"
 ```

 ```yaml tab="Kubernetes"
-# Enable gzip compression
-apiVersion: traefik.containo.us/v1alpha1
+# Enable compression
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
@@ -31,24 +32,12 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Enable gzip compression
+# Enable compression
 - "traefik.http.middlewares.test-compress.compress=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Enable gzip compression
-labels:
-  - "traefik.http.middlewares.test-compress.compress=true"
-```
-
 ```yaml tab="File (YAML)"
-# Enable gzip compression
+# Enable compression
 http:
  middlewares:
    test-compress:
@@ -56,7 +45,7 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Enable gzip compression
+# Enable compression
 [http.middlewares]
  [http.middlewares.test-compress.compress]
 ```
@@ -65,30 +54,41 @@ http:

    Responses are compressed when the following criteria are all met:

-    * The response body is larger than the configured minimum amount of bytes (default is `1024`).
-    * The `Accept-Encoding` request header contains `gzip`.
+    * The `Accept-Encoding` request header contains `gzip`, `*`, and/or `br` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
+    If the `Accept-Encoding` request header is absent, it is meant as br compression is requested.
+    If it is present, but its value is the empty string, then compression is disabled.
    * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
-
-    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
-    It will also set the `Content-Type` header according to the detected MIME type.
+    * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes).
+    * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).

 ## Configuration Options

 ### `excludedContentTypes`

+_Optional, Default=""_ 
+
 `excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.

 The responses with content types defined in `excludedContentTypes` are not compressed.

 Content types are compared in a case-insensitive, whitespace-ignored manner.

+!!! info "In the case of gzip"
+
+    If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
+    It will also set the `Content-Type` header according to the detected MIME type.
+
+!!! info "gRPC"
+
+    Note that `application/grpc` is never compressed.
+
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
@@ -102,17 +102,6 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress.excludedcontenttypes": "text/event-stream"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -130,9 +119,9 @@ http:

 ### `minResponseBodyBytes`

-`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
+_Optional, Default=1024_

-The default value is `1024`, which should be a reasonable value for most cases.
+`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.

 Responses smaller than the specified values will not be compressed.

@@ -142,7 +131,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-compress
@@ -155,17 +144,6 @@ spec:
 - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-compress.compress.minresponsebodybytes": 1200
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/contenttype.md
+++ b/docs/content/middlewares/http/contenttype.md
@@ -1,6 +1,6 @@
 ---
 title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware can automatically specify the content-type header if it has not been defined by the backend. Read the technical documentation."
+description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
 ---

 # ContentType
@@ -8,84 +8,47 @@ description: "Traefik Proxy's HTTP middleware can automatically specify the cont
 Handling Content-Type auto-detection
 {: .subtitle }

-The Content-Type middleware - or rather its `autoDetect` option -
-specifies whether to let the `Content-Type` header,
-if it has not been defined by the backend,
-be automatically set to a value derived from the contents of the response.
-
-As a proxy, the default behavior should be to leave the header alone,
-regardless of what the backend did with it.
-However, the historic default was to always auto-detect and set the header if it was not already defined,
-and altering this behavior would be a breaking change which would impact many users.
-
-This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
+The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
+when it is not set by the backend.

 !!! info

-    As explained above, for compatibility reasons the default behavior on a router (without this middleware),
-    is still to automatically set the `Content-Type` header.
-    Therefore, given the default value of the `autoDetect` option (false),
-    simply enabling this middleware for a router switches the router's behavior.
-
    The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
    Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).

 ## Configuration Examples

 ```yaml tab="Docker"
-# Disable auto-detection
+# Enable auto-detection
 labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+  - "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="Kubernetes"
-# Disable auto-detection
-apiVersion: traefik.containo.us/v1alpha1
+# Enable auto-detection
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: autodetect
 spec:
-  contentType:
-    autoDetect: false
+  contentType: {}
 ```

 ```yaml tab="Consul Catalog"
-# Disable auto-detection
- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.autodetect.contenttype.autodetect": "false"
-}
-```
-
-```yaml tab="Rancher"
-# Disable auto-detection
-labels:
-  - "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
+# Enable auto-detection
+- "traefik.http.middlewares.autodetect.contenttype=true"
 ```

 ```yaml tab="File (YAML)"
-# Disable auto-detection
+# Enable auto-detection
 http:
  middlewares:
    autodetect:
-      contentType:
-        autoDetect: false
+      contentType: {}
 ```

 ```toml tab="File (TOML)"
-# Disable auto-detection
+# Enable auto-detection
 [http.middlewares]
  [http.middlewares.autodetect.contentType]
-     autoDetect=false
 ```
-
-## Configuration Options
-
-### `autoDetect`
-
-`autoDetect` specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
-be automatically set to a value derived from the contents of the response.
--- a/docs/content/middlewares/http/digestauth.md
+++ b/docs/content/middlewares/http/digestauth.md
@@ -22,7 +22,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Declaring the user list
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -36,18 +36,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-}
-```
-
-```yaml tab="Rancher"
-# Declaring the user list
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
 ```yaml tab="File (YAML)"
 # Declaring the user list
 http:
@@ -90,7 +78,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -114,17 +102,6 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.users": "test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -161,7 +138,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -186,17 +163,6 @@ data:
 - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.usersfile": "/path/to/my/usersfile"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -228,7 +194,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -241,17 +207,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.realm": "MyRealm"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -276,7 +231,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: my-auth
@@ -290,17 +245,6 @@ spec:
 - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.my-auth.digestauth.headerField": "X-WebAuth-User"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -326,7 +270,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -339,17 +283,6 @@ spec:
 - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.digestauth.removeheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/errorpages.md
+++ b/docs/content/middlewares/http/errorpages.md
@@ -27,7 +27,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-errors
@@ -48,22 +48,6 @@ spec:
 - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-errors.errors.status": "500-599",
-  "traefik.http.middlewares.test-errors.errors.service": "serviceError",
-  "traefik.http.middlewares.test-errors.errors.query": "/{status}.html"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
-  - "traefik.http.middlewares.test-errors.errors.status=500-599"
-  - "traefik.http.middlewares.test-errors.errors.service=serviceError"
-  - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
-```
-
 ```yaml tab="File (YAML)"
 # Custom Error Page for 5XX
 http:
--- a/docs/content/middlewares/http/forwardauth.md
+++ b/docs/content/middlewares/http/forwardauth.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Forward authentication to example.com
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -38,18 +38,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
-}
-```
-
-```yaml tab="Rancher"
-# Forward authentication to example.com
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 # Forward authentication to example.com
 http:
@@ -90,7 +78,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -103,17 +91,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.address": "https://example.com/auth"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -138,7 +115,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -152,17 +129,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -190,7 +156,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -206,17 +172,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders": "X-Auth-User,X-Secret"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -248,7 +203,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -262,17 +217,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex": "^X-"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -307,7 +251,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -323,17 +267,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders": "Accept,X-CustomHeader"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -371,7 +304,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -397,17 +330,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.ca": "path/to/local.crt"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -440,7 +362,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -467,19 +389,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -518,7 +427,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -545,19 +454,6 @@ data:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.cert": "path/to/foo.cert",
-  "traefik.http.middlewares.test-auth.forwardauth.tls.key": "path/to/foo.key"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -594,7 +490,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-auth
@@ -609,17 +505,6 @@ spec:
 - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/grpcweb.md
+++ b/docs/content/middlewares/http/grpcweb.md
@@ -0,0 +1,66 @@
+---
+title: "Traefik GrpcWeb Documentation"
+description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
+---
+
+# GrpcWeb
+
+Converting gRPC Web requests to HTTP/2 gRPC requests.
+{: .subtitle }
+
+The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
+
+!!! tip
+
+    Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
+    Check out the [gRPC](../../user-guides/grpc.md) user guide for more details.
+
+## Configuration Examples
+
+```yaml tab="Docker"
+labels:
+  - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-grpcweb
+spec:
+  grpcWeb:
+    allowOrigins:
+      - "*"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-grpcweb:
+      grpcWeb:
+        allowOrigins:
+          - "*"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-grpcweb.grpcWeb]
+    allowOrigins = ["*"]
+```
+
+## Configuration Options
+
+### `allowOrigins`
+
+The `allowOrigins` contains the list of allowed origins.
+A wildcard origin `*` can also be configured to match all requests.
+
+More information including how to use the settings can be found at:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@@ -27,7 +27,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -44,19 +44,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "value"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -90,7 +77,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -109,21 +96,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
-  "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
-  "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-  - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
-  - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -158,7 +130,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -173,19 +145,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.framedeny": "true",
-  "traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.framedeny=true"
-  - "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -218,7 +177,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-header
@@ -242,23 +201,6 @@ spec:
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
-  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
-  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
-  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -364,43 +306,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.

 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.

-### `sslRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
-    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
 ### `sslProxyHeaders`

 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).

-### `sslForceHost`
-
-!!! warning
-
-    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
 ### `stsSeconds`

 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@@ -452,14 +362,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates

 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.

-### `featurePolicy`
-
-!!! warning
-
-    Deprecated in favor of `permissionsPolicy`
-
-The `featurePolicy` allows sites to control browser features.
-
 ### `permissionsPolicy`

 The `permissionsPolicy` allows sites to control browser features.
--- a/docs/content/middlewares/http/inflightreq.md
+++ b/docs/content/middlewares/http/inflightreq.md
@@ -20,7 +20,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -34,18 +34,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -75,7 +63,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -89,18 +77,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections
 http:
@@ -127,6 +103,8 @@ If none are set, the default is to use the `requestHost`.

 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

+!!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."
+
 ##### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -150,7 +128,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -165,17 +143,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -215,7 +182,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -232,17 +199,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -272,7 +228,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -286,17 +242,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername": "username"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -323,7 +268,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-inflightreq
@@ -337,17 +282,6 @@ spec:
 - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/ipallowlist.md
+++ b/docs/content/middlewares/http/ipallowlist.md
@@ -1,32 +1,30 @@
 ---
-title: "Traefik HTTP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik HTTP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
-
-IPWhitelist accepts / refuses requests based on the client IP.
+IPAllowList accepts / refuses requests based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts request from defined IP
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -34,27 +32,15 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Accepts request from defined IP
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -63,7 +49,7 @@ http:
 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -75,7 +61,10 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using

 ### `ipStrategy`

-The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
+The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.  
+If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
+
+!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."

 #### `ipStrategy.depth`

@@ -86,7 +75,7 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th

 !!! example "Examples of Depth & X-Forwarded-For"

-    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
+    If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).

    | `X-Forwarded-For`                       | `depth` | clientIP     |
    |-----------------------------------------|---------|--------------|
@@ -95,20 +84,20 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5`     | `""`         |

 ```yaml tab="Docker"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="Kubernetes"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-apiVersion: traefik.containo.us/v1alpha1
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -117,31 +106,17 @@ spec:
 ```

 ```yaml tab="Consul Catalog"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
 ```

 ```yaml tab="File (YAML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -150,11 +125,11 @@ http:
 ```

 ```toml tab="File (TOML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
+# Allowlisting Based on `X-Forwarded-For` with `depth=2`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
+  [http.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      depth = 2
 ```

@@ -177,17 +152,17 @@ http:
 ```yaml tab="Docker"
 # Exclude from `X-Forwarded-For`
 labels:
-    - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+    - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
 # Exclude from `X-Forwarded-For`
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    ipStrategy:
      excludedIPs:
        - 127.0.0.1/32
@@ -196,27 +171,15 @@ spec:

 ```yaml tab="Consul Catalog"
 # Exclude from `X-Forwarded-For`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Exclude from `X-Forwarded-For`
-labels:
-  - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
+- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="File (YAML)"
 # Exclude from `X-Forwarded-For`
 http:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        ipStrategy:
          excludedIPs:
            - "127.0.0.1/32"
@@ -226,7 +189,7 @@ http:
 ```toml tab="File (TOML)"
 # Exclude from `X-Forwarded-For`
 [http.middlewares]
-  [http.middlewares.test-ipwhitelist.ipWhiteList]
-    [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
+  [http.middlewares.test-ipallowlist.ipAllowList]
+    [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
--- a/docs/content/middlewares/http/overview.md
+++ b/docs/content/middlewares/http/overview.md
@@ -29,9 +29,9 @@ whoami:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewares.traefik.containo.us
+  name: middlewares.traefik.io
 spec:
-  group: traefik.containo.us
+  group: traefik.io
  version: v1alpha1
  names:
    kind: Middleware
@@ -40,7 +40,7 @@ spec:
  scope: Namespaced

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
@@ -50,7 +50,7 @@ spec:
      - /stripit

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute
@@ -69,22 +69,6 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-add-prefix`
-  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
-```
-
 ```toml tab="File (TOML)"
 # As TOML Configuration File
 [http.routers]
@@ -142,7 +126,7 @@ http:
 | [Errors](errorpages.md)                   | Defines custom error pages                        | Request Lifecycle           |
 | [ForwardAuth](forwardauth.md)             | Delegates Authentication                          | Security, Authentication    |
 | [Headers](headers.md)                     | Adds / Updates headers                            | Security                    |
-| [IPWhiteList](ipwhitelist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limits the allowed client IPs                     | Security, Request lifecycle |
 | [InFlightReq](inflightreq.md)             | Limits the number of simultaneous connections     | Security, Request lifecycle |
 | [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header              | Security                    |
 | [RateLimit](ratelimit.md)                 | Limits the call frequency                         | Security, Request lifecycle |
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ b/docs/content/middlewares/http/passtlsclientcert.md
@@ -25,7 +25,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-passtlsclientcert
@@ -39,18 +39,6 @@ spec:
 - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-labels:
-  - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
-```
-
 ```yaml tab="File (YAML)"
 # Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
 http:
@@ -95,7 +83,7 @@ http:

    ```yaml tab="Kubernetes"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: test-passtlsclientcert
@@ -146,52 +134,6 @@ http:
    - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
    ```

-    ```json tab="Marathon"
-    "labels": {
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
-      "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
-    }
-    ```
-
-    ```yaml tab="Rancher"
-    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
-    labels:
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
-      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
-    ```
-
    ```yaml tab="File (YAML)"
    # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
    http:
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@@ -10,6 +10,8 @@ To Control the Number of Requests Going to a Service

 The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.

+It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation. In this analogy, the [average](#average) parameter (defined below) is the rate at which the bucket refills, and the [burst](#burst) is the size (volume) of the bucket.
+
 ## Configuration Example

 ```yaml tab="Docker"
@@ -23,7 +25,7 @@ labels:
 ```yaml tab="Kubernetes"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -40,21 +42,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
-}
-```
-
-```yaml tab="Rancher"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
-```
-
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
@@ -94,7 +81,7 @@ labels:

 ```yaml tab="Kubernetes"
 # 100 reqs/s
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -108,17 +95,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-```
-
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@@ -154,7 +130,7 @@ labels:

 ```yaml tab="Kubernetes"
 # 6 reqs/minute
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -170,20 +146,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
-  "traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
-}
-```
-
-```yaml tab="Rancher"
-# 6 reqs/minute
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
-```
-
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@@ -214,7 +176,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -227,17 +189,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -262,6 +213,8 @@ If none are set, the default is to use the request's remote address field (as an

 The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.

+!!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."
+
 ##### `ipStrategy.depth`

 The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
@@ -285,7 +238,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -300,17 +253,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -377,7 +319,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -394,17 +336,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -434,7 +365,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -448,17 +379,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@@ -485,7 +405,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-ratelimit
@@ -499,17 +419,6 @@ spec:
 - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/http/redirectregex.md
+++ b/docs/content/middlewares/http/redirectregex.md
@@ -26,7 +26,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect with domain replacement
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectregex
@@ -43,21 +43,6 @@ spec:
 - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectregex.redirectregex.regex": "^http://localhost/(.*)",
-  "traefik.http.middlewares.test-redirectregex.redirectregex.replacement": "http://mydomain/${1}"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect with domain replacement
-# Note: all dollar signs need to be doubled for escaping.
-labels:
-  - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-  - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect with domain replacement
 http:
--- a/docs/content/middlewares/http/redirectscheme.md
+++ b/docs/content/middlewares/http/redirectscheme.md
@@ -34,7 +34,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -51,20 +51,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -98,7 +84,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -115,20 +101,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
 ```

-```json tab="Marathon"
-"labels": {
-
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent": "true"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  # ...
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -159,7 +131,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -174,18 +146,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme": "https"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
@@ -215,7 +175,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Redirect to https
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-redirectscheme
@@ -232,20 +192,6 @@ labels:
  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
 ```

-```json tab="Marathon"
-"labels": {
-
-  "traefik.http.middlewares.test-redirectscheme.redirectscheme.port": "443"
-}
-```
-
-```yaml tab="Rancher"
-# Redirect to https
-labels:
-  # ...
-  - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
-```
-
 ```yaml tab="File (YAML)"
 # Redirect to https
 http:
--- a/docs/content/middlewares/http/replacepath.md
+++ b/docs/content/middlewares/http/replacepath.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Replace the path with /foo
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-replacepath
@@ -38,18 +38,6 @@ spec:
 - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-replacepath.replacepath.path": "/foo"
-}
-```
-
-```yaml tab="Rancher"
-# Replace the path with /foo
-labels:
-  - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
-```
-
 ```yaml tab="File (YAML)"
 # Replace the path with /foo
 http:
--- a/docs/content/middlewares/http/replacepathregex.md
+++ b/docs/content/middlewares/http/replacepathregex.md
@@ -25,7 +25,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Replace path with regex
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-replacepathregex
@@ -41,20 +41,6 @@ spec:
 - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex": "^/foo/(.*)",
-  "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement": "/bar/$1"
-}
-```
-
-```yaml tab="Rancher"
-# Replace path with regex
-labels:
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-  - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
-```
-
 ```yaml tab="File (YAML)"
 # Replace path with regex
 http:
--- a/docs/content/middlewares/http/retry.md
+++ b/docs/content/middlewares/http/retry.md
@@ -27,7 +27,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Retry 4 times with exponential backoff
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-retry
@@ -43,20 +43,6 @@ spec:
 - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-retry.retry.attempts": "4",
-  "traefik.http.middlewares.test-retry.retry.initialinterval": "100ms",
-}
-```
-
-```yaml tab="Rancher"
-# Retry 4 times with exponential backoff
-labels:
-  - "traefik.http.middlewares.test-retry.retry.attempts=4"
-  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
-```
-
 ```yaml tab="File (YAML)"
 # Retry 4 times with exponential backoff
 http:
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@@ -24,7 +24,7 @@ labels:

 ```yaml tab="Kubernetes"
 # Strip prefix /foobar and /fiibar
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefix
@@ -40,18 +40,6 @@ spec:
 - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes": "/foobar,/fiibar"
-}
-```
-
-```yaml tab="Rancher"
-# Strip prefix /foobar and /fiibar
-labels:
-  - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
-```
-
 ```yaml tab="File (YAML)"
 # Strip prefix /foobar and /fiibar
 http:
@@ -88,85 +76,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.

 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
-
-It is recommended to explicitly set `forceSlash` to `false`.
-
-??? info "Behavior examples"
-
-    - `forceSlash=true`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | `/`    |
-    | `/foo`     | `/foo`          | `/`    |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | `/`    |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-    - `forceSlash=false`
-
-    | Path       | Prefix to strip | Result |
-    |------------|-----------------|--------|
-    | `/`        | `/`             | empty  |
-    | `/foo`     | `/foo`          | empty  |
-    | `/foo/`    | `/foo`          | `/`    |
-    | `/foo/`    | `/foo/`         | empty  |
-    | `/bar`     | `/foo`          | `/bar` |
-    | `/foo/bar` | `/foo`          | `/bar` |
-
-```yaml tab="Docker"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: example
-spec:
-  stripPrefix:
-    prefixes:
-      - "/foobar"
-    forceSlash: false
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
-  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
-  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="File (YAML)"
-http:
-  middlewares:
-    example:
-      stripPrefix:
-        prefixes:
-          - "/foobar"
-        forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.example.stripPrefix]
-    prefixes = ["/foobar"]
-    forceSlash = false
-```
--- a/docs/content/middlewares/http/stripprefixregex.md
+++ b/docs/content/middlewares/http/stripprefixregex.md
@@ -18,7 +18,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: test-stripprefixregex
@@ -32,17 +32,6 @@ spec:
 - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex": "/foo/[a-z0-9]+/[0-9]+/"
-}
-```
-
-```yaml tab="Rancher"
-labels:
-  - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
--- a/docs/content/middlewares/overview.md
+++ b/docs/content/middlewares/overview.md
@@ -37,7 +37,7 @@ whoami:

 ```yaml tab="Kubernetes IngressRoute"
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: stripprefix
@@ -47,7 +47,7 @@ spec:
      - /stripit

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: ingressroute
@@ -66,22 +66,6 @@ spec:
 - "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
-  "traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-add-prefix`
-  - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-  # Apply the middleware named `foo-add-prefix` to the router named `router1`
-  - "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
-```
-
 ```yaml tab="File (YAML)"
 # As YAML Configuration File
 http:
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ b/docs/content/middlewares/tcp/inflightconn.md
@@ -13,7 +13,7 @@ labels:
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
  name: test-inflightconn
@@ -27,18 +27,6 @@ spec:
 - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount": "10"
-}
-```
-
-```yaml tab="Rancher"
-# Limiting to 10 simultaneous connections.
-labels:
-  - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
-```
-
 ```yaml tab="File (YAML)"
 # Limiting to 10 simultaneous connections.
 tcp:
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ b/docs/content/middlewares/tcp/ipallowlist.md
@@ -1,30 +1,30 @@
 ---
-title: "Traefik TCP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
+title: "Traefik TCP Middlewares IPAllowList"
+description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
 ---

-# IPWhiteList
+# IPAllowList

 Limiting Clients to Specific IPs
 {: .subtitle }

-IPWhitelist accepts / refuses connections based on the client IP.
+IPAllowList accepts / refuses connections based on the client IP.

 ## Configuration Examples

 ```yaml tab="Docker"
 # Accepts connections from defined IP
 labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+  - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```yaml tab="Kubernetes"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: test-ipwhitelist
+  name: test-ipallowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
@@ -32,25 +32,13 @@ spec:

 ```yaml tab="Consul Catalog"
 # Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
-}
-```
-
-```yaml tab="Rancher"
-# Accepts request from defined IP
-labels:
-  - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
+- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
 ```

 ```toml tab="File (TOML)"
 # Accepts request from defined IP
 [tcp.middlewares]
-  [tcp.middlewares.test-ipwhitelist.ipWhiteList]
+  [tcp.middlewares.test-ipallowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

@@ -58,8 +46,8 @@ labels:
 # Accepts request from defined IP
 tcp:
  middlewares:
-    test-ipwhitelist:
-      ipWhiteList:
+    test-ipallowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
--- a/docs/content/middlewares/tcp/overview.md
+++ b/docs/content/middlewares/tcp/overview.md
@@ -18,10 +18,10 @@ whoami:
  #  A container that exposes an API to show its IP address
  image: traefik/whoami
  labels:
-    # Create a middleware named `foo-ip-whitelist`
-    - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-    # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-    - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
+    # Create a middleware named `foo-ip-allowlist`
+    - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+    # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+    - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
 ```

 ```yaml tab="Kubernetes IngressRoute"
@@ -29,9 +29,9 @@ whoami:
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: middlewaretcps.traefik.containo.us
+  name: middlewaretcps.traefik.io
 spec:
-  group: traefik.containo.us
+  group: traefik.io
  version: v1alpha1
  names:
    kind: MiddlewareTCP
@@ -40,18 +40,18 @@ spec:
  scope: Namespaced

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: MiddlewareTCP
 metadata:
-  name: foo-ip-whitelist
+  name: foo-ip-allowlist
 spec:
-  ipWhiteList:
+  ipAllowList:
    sourcerange:
      - 127.0.0.1/32
      - 192.168.1.7

 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
  name: ingressroute
@@ -60,30 +60,14 @@ spec:
  routes:
    # more fields...
    middlewares:
-      - name: foo-ip-whitelist
+      - name: foo-ip-allowlist
 ```

 ```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
-```
-
-```json tab="Marathon"
-"labels": {
-  "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
-  "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
-}
-```
-
-```yaml tab="Rancher"
-# As a Rancher Label
-labels:
-  # Create a middleware named `foo-ip-whitelist`
-  - "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-  # Apply the middleware named `foo-ip-whitelist` to the router named `router1`
-  - "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
+# Create a middleware named `foo-ip-allowlist`
+- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
+# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
+- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
 ```

 ```toml tab="File (TOML)"
@@ -91,11 +75,11 @@ labels:
 [tcp.routers]
  [tcp.routers.router1]
    service = "myService"
-    middlewares = ["foo-ip-whitelist"]
+    middlewares = ["foo-ip-allowlist"]
    rule = "Host(`example.com`)"

 [tcp.middlewares]
-  [tcp.middlewares.foo-ip-whitelist.ipWhiteList]
+  [tcp.middlewares.foo-ip-allowlist.ipAllowList]
    sourceRange = ["127.0.0.1/32", "192.168.1.7"]

 [tcp.services]
@@ -114,12 +98,12 @@ tcp:
    router1:
      service: myService
      middlewares:
-        - "foo-ip-whitelist"
+        - "foo-ip-allowlist"
      rule: "Host(`example.com`)"

  middlewares:
-    foo-ip-whitelist:
-      ipWhiteList:
+    foo-ip-allowlist:
+      ipAllowList:
        sourceRange:
          - "127.0.0.1/32"
          - "192.168.1.7"
@@ -137,4 +121,4 @@ tcp:
 | Middleware                                | Purpose                                           | Area                        |
 |-------------------------------------------|---------------------------------------------------|-----------------------------|
 | [InFlightConn](inflightconn.md)           | Limits the number of simultaneous connections.    | Security, Request lifecycle |
-| [IPWhiteList](ipwhitelist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
+| [IPAllowList](ipallowlist.md)             | Limit the allowed client IPs.                     | Security, Request lifecycle |
--- a/docs/content/migration/v1-to-v2.md
+++ b/docs/content/migration/v1-to-v2.md
@@ -110,7 +110,7 @@ Then any router can refer to an instance of the wanted middleware.
    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the Middleware and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: basicauth
@@ -123,7 +123,7 @@ Then any router can refer to an instance of the wanted middleware.
          - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutebar
@@ -281,7 +281,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
    ```yaml tab="K8s IngressRoute"
    # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
    # https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: TLSOption
    metadata:
      name: mytlsoption
@@ -297,7 +297,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
 	    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutebar
@@ -443,7 +443,7 @@ To apply a redirection:
    ```

    ```yaml tab="K8s IngressRoute"
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: http-redirect-ingressroute
@@ -461,7 +461,7 @@ To apply a redirection:
            - name: https-redirect

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: https-ingressroute
@@ -478,7 +478,7 @@ To apply a redirection:
      tls: {}

    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: https-redirect
@@ -597,7 +597,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo

    ```yaml tab="Kubernetes IngressRoute"
    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: http-redirect-ingressroute
@@ -614,7 +614,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
          middlewares:
            - name: admin-stripprefix
    ---
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: admin-stripprefix
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@@ -0,0 +1,89 @@
+---
+title: "Traefik V3 Migration Documentation"
+description: "Migrate from Traefik Proxy v2 to v3 and update all the necessary configurations to take advantage of all the improvements. Read the technical documentation."
+---
+
+# Migration Guide: From v2 to v3
+
+How to Migrate from Traefik v2 to Traefik v3.
+{: .subtitle }
+
+The version 3 of Traefik introduces a number of breaking changes,
+which require one to update their configuration when they migrate from v2 to v3.
+The goal of this page is to recapitulate all of these changes, and in particular to give examples,
+feature by feature, of how the configuration looked like in v2, and how it now looks like in v3.
+
+## IPWhiteList
+
+In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing anything to the configuration. 
+
+## gRPC Metrics
+
+In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
+
+## Deprecated Options Removal
+
+- The `pilot` option has been removed from the static configuration.
+- The `tracing.datadog.globaltag` option has been removed.
+- The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
+- The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Consul Catalog, and Docker providers.
+- `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
+- The `forceSlash` option of the StripPrefix middleware has been removed.
+- The `preferServerCipherSuites` option has been removed.
+
+## Matchers
+
+In v3, the `Headers` and `HeadersRegexp` matchers have been renamed to `Header` and `HeaderRegexp` respectively.
+
+`PathPrefix` no longer uses regular expressions to match path prefixes.
+
+`QueryRegexp` has been introduced to match query values using a regular expression.
+
+`HeaderRegexp`, `HostRegexp`, `PathRegexp`, `QueryRegexp`, and `HostSNIRegexp` matchers now uses the [Go regexp syntax](https://golang.org/pkg/regexp/syntax/).
+
+All matchers now take a single value (except `Header`, `HeaderRegexp`, `Query`, and `QueryRegexp` which take two)
+and should be explicitly combined using logical operators to mimic previous behavior.
+
+`Query` can take a single value to match is the query value that has no value (e.g. `/search?mobile`).
+
+`HostHeader` has been removed, use `Host` instead.
+
+## Content-Type Auto-Detection
+
+In v3, the `Content-Type` header is not auto-detected anymore when it is not set by the backend.
+One should use the `ContentType` middleware to enable the `Content-Type` header value auto-detection.
+
+## HTTP/3
+
+In v3, HTTP/3 is no longer an experimental feature.
+The `experimental.http3` option has been removed from the static configuration.
+
+## TCP ServersTransport
+
+In v3, the support of `TCPServersTransport` has been introduced.
+When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
+
+### TCP LoadBalancer `terminationDelay` option
+
+The TCP LoadBalancer `terminationDelay` option has been removed.
+This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
+
+## Rancher v1
+
+In v3, the rancher v1 provider has been removed because Rancher v1 is [no longer actively maintaned](https://rancher.com/docs/os/v1.x/en/support/) and v2 is supported as a standard Kubernetes provider.
+
+Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
+As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
+
+## Marathon provider
+
+In v3, the Marathon provider has been removed.
+
+## InfluxDB v1
+
+In v3, the InfluxDB v1 metrics provider has been removed because InfluxDB v1.x maintenance [ended in 2021](https://www.influxdata.com/blog/influxdb-oss-and-enterprise-roadmap-update-from-influxdays-emea/).
+
+### Kubernetes CRDs API Group `traefik.containo.us`
+
+In v3 the Kubernetes CRDs API Group `traefik.containo.us` has been removed. 
+Please use the API Group `traefik.io` instead.
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -65,13 +65,19 @@ rules:
    verbs:
      - update
  - apiGroups:
+      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
+      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
+      - ingressrouteudps
      - tlsoptions
+      - tlsstores
+      - serverstransports
+      - serverstransporttcps
    verbs:
      - get
      - list
@@ -164,20 +170,23 @@ rules:
    verbs:
      - update
  - apiGroups:
+      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
+      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
+      - serverstransports
+      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
-
 ```

 After having both resources applied, Traefik will work properly.
@@ -490,3 +499,24 @@ In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function
 ### Traefik Pilot

 In `v2.9`, Traefik Pilot support has been removed.
+
+## v2.10
+
+### Nomad Namespace
+
+In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
+
+## v2.10
+
+### Kubernetes CRDs
+
+In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
+
+As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
+it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
+
+In addition, the Kubernetes CRDs API Version `traefik.io/v1alpha1` will not be supported in Traefik v3 itself.
+
+### Traefik Hub
+
+In `v2.10`, Traefik Hub is GA and the `experimental.hub` flag is deprecated.
--- a/docs/content/observability/access-logs.md
+++ b/docs/content/observability/access-logs.md
@@ -229,6 +229,7 @@ accessLog:
    | `RetryAttempts`         | The amount of attempts the request was retried.                                                                                                                     |
    | `TLSVersion`            | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).                                                                                         |
    | `TLSCipher`             | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS)                                                           |
+    | `TLSClientSubject`      | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`)                                                               |

 ## Log Rotation

@@ -254,7 +255,7 @@ version: "3.7"

 services:
  traefik:
-    image: traefik:v2.9
+    image: traefik:v3.0
    environment:
      - TZ=US/Alaska
    command:
--- a/docs/content/observability/logs.md
+++ b/docs/content/observability/logs.md
@@ -64,7 +64,9 @@ log:

 #### `level`

-By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
+By default, the `level` is set to `ERROR`.
+
+Alternative logging levels are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.

 ```yaml tab="File (YAML)"
 log:
@@ -80,10 +82,101 @@ log:
 --log.level=DEBUG
 ```

+#### `noColor`
+
+When using the 'common' format, disables the colorized output.
+
+```yaml tab="File (YAML)"
+log:
+  noColor: true
+```
+
+```toml tab="File (TOML)"
+[log]
+  noColor = true
+```
+
+```bash tab="CLI"
+--log.nocolor=true
+```
+
 ## Log Rotation

-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
+The rotation of the log files can be configured with the following options.

-!!! warning
-    This does not work on Windows due to the lack of USR signals.
+### `maxSize`
+
+`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
+It defaults to 100 megabytes.
+
+```yaml tab="File (YAML)"
+log:
+  maxSize: 1
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxSize = 1
+```
+
+```bash tab="CLI"
+--log.maxsize=1
+```
+
+### `maxBackups`
+
+`maxBackups` is the maximum number of old log files to retain.
+The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
+
+```yaml tab="File (YAML)"
+log:
+  maxBackups: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxBackups = 3
+```
+
+```bash tab="CLI"
+--log.maxbackups=3
+```
+
+### `maxAge`
+
+`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
+Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
+The default is not to remove old log files based on age.
+
+```yaml tab="File (YAML)"
+log:
+  maxAge: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  maxAge = 3
+```
+
+```bash tab="CLI"
+--log.maxage=3
+```
+
+### `compress`
+
+`compress` determines if the rotated log files should be compressed using gzip.
+The default is not to perform compression.
+
+```yaml tab="File (YAML)"
+log:
+  compress: 3
+```
+
+```toml tab="File (TOML)"
+[log]
+  compress = 3
+```
+
+```bash tab="CLI"
+--log.compress=3
+```
--- a/docs/content/observability/metrics/influxdb.md
+++ b/docs/content/observability/metrics/influxdb.md
@@ -1,268 +0,0 @@
---
-title: "Traefik InfluxDB Documentation"
-description: "Traefik supports several metrics backends, including InfluxDB. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
---
-
-# InfluxDB
-
-To enable the InfluxDB:
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-```
-
-```bash tab="CLI"
--metrics.influxdb=true
-```
-
-#### `address`
-
-_Required, Default="localhost:8089"_
-
-Address instructs exporter to send metrics to influxdb at this address.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    address: localhost:8089
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    address = "localhost:8089"
-```
-
-```bash tab="CLI"
--metrics.influxdb.address=localhost:8089
-```
-
-#### `protocol`
-
-_Required, Default="udp"_
-
-InfluxDB's address protocol (udp or http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    protocol: udp
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    protocol = "udp"
-```
-
-```bash tab="CLI"
--metrics.influxdb.protocol=udp
-```
-
-#### `database`
-
-_Optional, Default=""_
-
-InfluxDB database used when protocol is http.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    database: db
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    database = "db"
-```
-
-```bash tab="CLI"
--metrics.influxdb.database=db
-```
-
-#### `retentionPolicy`
-
-_Optional, Default=""_
-
-InfluxDB retention policy used when protocol is http.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    retentionPolicy: two_hours
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    retentionPolicy = "two_hours"
-```
-
-```bash tab="CLI"
--metrics.influxdb.retentionPolicy=two_hours
-```
-
-#### `username`
-
-_Optional, Default=""_
-
-InfluxDB username (only with http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    username: john
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    username = "john"
-```
-
-```bash tab="CLI"
--metrics.influxdb.username=john
-```
-
-#### `password`
-
-_Optional, Default=""_
-
-InfluxDB password (only with http).
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    password: secret
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    password = "secret"
-```
-
-```bash tab="CLI"
--metrics.influxdb.password=secret
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
--metrics.influxdb.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addRoutersLabels = true
-```
-
-```bash tab="CLI"
--metrics.influxdb.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    addServicesLabels = true
-```
-
-```bash tab="CLI"
--metrics.influxdb.addServicesLabels=true
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-The interval used by the exporter to push metrics to influxdb.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    pushInterval = "10s"
-```
-
-```bash tab="CLI"
--metrics.influxdb.pushInterval=10s
-```
-
-#### `additionalLabels`
-
-_Optional, Default={}_
-
-Additional labels (influxdb tags) on all metrics.
-
-```yaml tab="File (YAML)"
-metrics:
-  influxDB:
-    additionalLabels:
-      host: example.com
-      environment: production
-```
-
-```toml tab="File (TOML)"
-[metrics]
-  [metrics.influxDB]
-    [metrics.influxDB.additionalLabels]
-      host = "example.com"
-      environment = "production"
-```
-
-```bash tab="CLI"
--metrics.influxdb.additionallabels.host=example.com --metrics.influxdb.additionallabels.environment=production
-```
--- a/docs/content/observability/metrics/opentelemetry.md
+++ b/docs/content/observability/metrics/opentelemetry.md
@@ -0,0 +1,353 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry:
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry exporter will export metrics to the collector by using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send metrics to.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.address=localhost:4318
+```
+
+#### `addEntryPointsLabels`
+
+_Optional, Default=true_
+
+Enable metrics on entry points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addEntryPointsLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addEntryPointsLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addEntryPointsLabels=true
+```
+
+#### `addRoutersLabels`
+
+_Optional, Default=false_
+
+Enable metrics on routers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addRoutersLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addRoutersLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addRoutersLabels=true
+```
+
+#### `addServicesLabels`
+
+_Optional, Default=true_
+
+Enable metrics on services.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    addServicesLabels: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    addServicesLabels = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.addServicesLabels=true
+```
+
+#### `explicitBoundaries`
+
+_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
+
+Explicit boundaries for Histogram data points.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    explicitBoundaries:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    explicitBoundaries = [0.1,0.3,1.2,5.0]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.explicitBoundaries=0.1,0.3,1.2,5.0
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.headers.foo=bar --metrics.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.insecure=true
+```
+
+#### `pushInterval`
+
+_Optional, Default=10s_
+
+Interval at which metrics are sent to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    pushInterval: 10s
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    pushInterval = "10s"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.pushInterval=10s
+```
+
+#### `path`
+
+_Required, Default="/v1/metrics"_
+
+Allows to override the default URL path used for sending metrics.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    path: /foo/v1/metrics
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry]
+    path = "/foo/v1/metrics"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.path=/foo/v1/metrics
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.cert=path/to/foo.cert
+--metrics.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[metrics.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+metrics:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--metrics.openTelemetry.grpc=true
+```
--- a/docs/content/observability/metrics/overview.md
+++ b/docs/content/observability/metrics/overview.md
@@ -1,6 +1,6 @@
 ---
 title: "Traefik Metrics Overview"
-description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB, Prometheus, and StatsD. Read the full documentation to get started."
+description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB 2.X, Prometheus, and StatsD. Read the full documentation to get started."
 ---

 # Metrics
@@ -8,34 +8,39 @@ description: "Traefik Proxy supports these metrics backend systems: Datadog, Inf
 Traefik supports these metrics backends:

 - [Datadog](./datadog.md)
- [InfluxDB](./influxdb.md)
 - [InfluxDB2](./influxdb2.md)
 - [Prometheus](./prometheus.md)
 - [StatsD](./statsd.md)

+Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346) and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
+
 ## Global Metrics

-| Metric                                      | Type    | Description                                             |
-|---------------------------------------------|---------|---------------------------------------------------------|
-| Config reload total                         | Count   | The total count of configuration reloads.               |
-| Config reload last success                  | Gauge   | The timestamp of the last configuration reload success. |
-| TLS certificates not after                  | Gauge   | The expiration date of certificates.                    |
+| Metric                     | Type  | [Labels](#labels)        | Description                                                        |
+|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
+| Config reload total        | Count |                          | The total count of configuration reloads.                          |
+| Config reload last success | Gauge |                          | The timestamp of the last configuration reload success.            |
+| Open connections           | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
+| TLS certificates not after | Gauge |                          | The expiration date of certificates.                               |

 ```prom tab="Prometheus"
 traefik_config_reloads_total
 traefik_config_last_reload_success
+traefik_open_connections
 traefik_tls_certs_not_after
 ```

 ```dd tab="Datadog"
 config.reload.total
 config.reload.lastSuccessTimestamp
+open.connections
 tls.certs.notAfterTimestamp
 ```

-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.config.reload.total
 traefik.config.reload.lastSuccessTimestamp
+traefik.open.connections
 traefik.tls.certs.notAfterTimestamp
 ```

@@ -43,17 +48,35 @@ traefik.tls.certs.notAfterTimestamp
 # Default prefix: "traefik"
 {prefix}.config.reload.total
 {prefix}.config.reload.lastSuccessTimestamp
+{prefix}.open.connections
 {prefix}.tls.certs.notAfterTimestamp
 ```

-## EntryPoint Metrics
+```opentelemetry tab="OpenTelemetry"
+traefik_config_reloads_total
+traefik_config_last_reload_success
+traefik_open_connections
+traefik_tls_certs_not_after
+```
+
+### Labels
+
+Here is a comprehensive list of labels that are provided by the global metrics:
+
+| Label         | Description                            | example              |
+|---------------|----------------------------------------|----------------------|
+| `entrypoint`  | Entrypoint that handled the connection | "example_entrypoint" |
+| `protocol`    | Connection protocol                    | "TCP"                |
+
+## HTTP Metrics
+
+### EntryPoint Metrics

 | Metric                | Type      | [Labels](#labels)                          | Description                                                         |
 |-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint.         |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `entrypoint`  | The total count of HTTPS requests received by an entrypoint.        |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint.             |
-| Open connections      | Count     | `method`, `protocol`, `entrypoint`         | The current count of open connections on an entrypoint.             |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |

@@ -61,7 +84,6 @@ traefik.tls.certs.notAfterTimestamp
 traefik_entrypoint_requests_total
 traefik_entrypoint_requests_tls_total
 traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_open_connections
 traefik_entrypoint_requests_bytes_total
 traefik_entrypoint_responses_bytes_total
 ```
@@ -70,16 +92,14 @@ traefik_entrypoint_responses_bytes_total
 entrypoint.request.total
 entrypoint.request.tls.total
 entrypoint.request.duration
-entrypoint.connections.open
 entrypoint.requests.bytes.total
 entrypoint.responses.bytes.total
 ```

-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.entrypoint.requests.total
 traefik.entrypoint.requests.tls.total
 traefik.entrypoint.request.duration
-traefik.entrypoint.connections.open
 traefik.entrypoint.requests.bytes.total
 traefik.entrypoint.responses.bytes.total
 ```
@@ -89,19 +109,26 @@ traefik.entrypoint.responses.bytes.total
 {prefix}.entrypoint.request.total
 {prefix}.entrypoint.request.tls.total
 {prefix}.entrypoint.request.duration
-{prefix}.entrypoint.connections.open
 {prefix}.entrypoint.requests.bytes.total
 {prefix}.entrypoint.responses.bytes.total
 ```

-## Router Metrics
+```opentelemetry tab="OpenTelemetry"
+traefik_entrypoint_requests_total
+traefik_entrypoint_requests_tls_total
+traefik_entrypoint_request_duration_seconds
+traefik_entrypoint_open_connections
+traefik_entrypoint_requests_bytes_total
+traefik_entrypoint_responses_bytes_total
+```
+
+### Router Metrics

 | Metric                | Type      | [Labels](#labels)                                 | Description                                                    |
 |-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router.          |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `router`, `service`  | The total count of HTTPS requests handled by a router.         |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router.             |
-| Open connections      | Count     | `method`, `protocol`, `router`, `service`         | The current count of open connections on a router.             |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router.  |
 | Responses bytes total | Count     | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |

@@ -109,7 +136,6 @@ traefik.entrypoint.responses.bytes.total
 traefik_router_requests_total
 traefik_router_requests_tls_total
 traefik_router_request_duration_seconds
-traefik_router_open_connections
 traefik_router_requests_bytes_total
 traefik_router_responses_bytes_total
 ```
@@ -118,16 +144,14 @@ traefik_router_responses_bytes_total
 router.request.total
 router.request.tls.total
 router.request.duration
-router.connections.open
 router.requests.bytes.total
 router.responses.bytes.total
 ```

-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.router.requests.total
 traefik.router.requests.tls.total
 traefik.router.request.duration
-traefik.router.connections.open
 traefik.router.requests.bytes.total
 traefik.router.responses.bytes.total
 ```
@@ -137,19 +161,26 @@ traefik.router.responses.bytes.total
 {prefix}.router.request.total
 {prefix}.router.request.tls.total
 {prefix}.router.request.duration
-{prefix}.router.connections.open
 {prefix}.router.requests.bytes.total
 {prefix}.router.responses.bytes.total
 ```

-## Service Metrics
+```opentelemetry tab="OpenTelemetry"
+traefik_router_requests_total
+traefik_router_requests_tls_total
+traefik_router_request_duration_seconds
+traefik_router_open_connections
+traefik_router_requests_bytes_total
+traefik_router_responses_bytes_total
+```
+
+### Service Metrics

 | Metric                | Type      | Labels                                  | Description                                                 |
 |-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
 | Requests total        | Count     | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service.    |
 | Requests TLS total    | Count     | `tls_version`, `tls_cipher`, `service`  | The total count of HTTPS requests processed on a service.   |
 | Request duration      | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service.         |
-| Open connections      | Count     | `method`, `protocol`, `service`         | The current count of open connections on a service.         |
 | Retries total         | Count     | `service`                               | The count of requests retries on a service.                 |
 | Server UP             | Gauge     | `service`, `url`                        | Current service's server status, 0 for a down or 1 for up.  |
 | Requests bytes total  | Count     | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service.  |
@@ -159,7 +190,6 @@ traefik.router.responses.bytes.total
 traefik_service_requests_total
 traefik_service_requests_tls_total
 traefik_service_request_duration_seconds
-traefik_service_open_connections
 traefik_service_retries_total
 traefik_service_server_up
 traefik_service_requests_bytes_total
@@ -170,18 +200,16 @@ traefik_service_responses_bytes_total
 service.request.total
 router.service.tls.total
 service.request.duration
-service.connections.open
 service.retries.total
 service.server.up
 service.requests.bytes.total
 service.responses.bytes.total
 ```

-```influxdb tab="InfluxDB / InfluxDB2"
+```influxdb tab="InfluxDB2"
 traefik.service.requests.total
 traefik.service.requests.tls.total
 traefik.service.request.duration
-traefik.service.connections.open
 traefik.service.retries.total
 traefik.service.server.up
 traefik.service.requests.bytes.total
@@ -193,14 +221,24 @@ traefik.service.responses.bytes.total
 {prefix}.service.request.total
 {prefix}.service.request.tls.total
 {prefix}.service.request.duration
-{prefix}.service.connections.open
 {prefix}.service.retries.total
 {prefix}.service.server.up
 {prefix}.service.requests.bytes.total
 {prefix}.service.responses.bytes.total
 ```

-## Labels
+```opentelemetry tab="OpenTelemetry"
+traefik_service_requests_total
+traefik_service_requests_tls_total
+traefik_service_request_duration_seconds
+traefik_service_open_connections
+traefik_service_retries_total
+traefik_service_server_up
+traefik_service_requests_bytes_total
+traefik_service_responses_bytes_total
+```
+
+### Labels

 Here is a comprehensive list of labels that are provided by the metrics:

--- a/docs/content/observability/metrics/prometheus.md
+++ b/docs/content/observability/metrics/prometheus.md
@@ -165,3 +165,66 @@ metrics:
 ```bash tab="CLI"
 --metrics.prometheus.manualrouting=true
 ```
+
+#### `headerLabels`
+
+_Optional_
+
+Defines the extra labels for the `requests_total` metrics, and for each of them, the request header containing the value for this label.
+Please note that if the header is not present in the request it will be added nonetheless with an empty value.
+In addition, the label should be a valid label name for Prometheus metrics, 
+otherwise, the Prometheus metrics provider will fail to serve any Traefik-related metric.
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    headerLabels:
+      label: headerKey
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    [metrics.prometheus.headerLabels]
+      label = "headerKey"
+```
+
+```bash tab="CLI"
+--metrics.prometheus.headerlabels.label=headerKey
+```
+
+##### Example
+
+Here is an example of the entryPoint `requests_total` metric with an additional "useragent" label.
+
+When configuring the label in Static Configuration:
+
+```yaml tab="File (YAML)"
+metrics:
+  prometheus:
+    headerLabels:
+      useragent: User-Agent
+```
+
+```toml tab="File (TOML)"
+[metrics]
+  [metrics.prometheus]
+    [metrics.prometheus.headerLabels]
+      useragent = "User-Agent"
+```
+
+```bash tab="CLI"
+--metrics.prometheus.headerlabels.useragent=User-Agent
+```
+
+And performing a request with a custom User-Agent:
+
+```bash
+curl -H "User-Agent: foobar" http://localhost
+```
+
+The following metric is produced :
+
+```bash
+traefik_entrypoint_requests_total{code="200",entrypoint="web",method="GET",protocol="http",useragent="foobar"} 1
+```
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@@ -23,24 +23,46 @@ tracing:

 #### `localAgentHostPort`

-_Required, Default="127.0.0.1:8126"_
+_Optional, Default="localhost:8126"_

 Local Agent Host Port instructs the reporter to send spans to the Datadog Agent at this address (host:port).

 ```yaml tab="File (YAML)"
 tracing:
  datadog:
-    localAgentHostPort: 127.0.0.1:8126
+    localAgentHostPort: localhost:8126
 ```

 ```toml tab="File (TOML)"
 [tracing]
  [tracing.datadog]
-    localAgentHostPort = "127.0.0.1:8126"
+    localAgentHostPort = "localhost:8126"
 ```

 ```bash tab="CLI"
--tracing.datadog.localAgentHostPort=127.0.0.1:8126
+--tracing.datadog.localAgentHostPort=localhost:8126
+```
+
+#### `localAgentSocket`
+
+_Optional, Default=""_
+
+Local Agent Socket instructs the reporter to send spans to the Datadog Agent at this UNIX socket.
+
+```yaml tab="File (YAML)"
+tracing:
+  datadog:
+    localAgentSocket: /var/run/datadog/apm.socket
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.datadog]
+    localAgentSocket = "/var/run/datadog/apm.socket"
+```
+
+```bash tab="CLI"
+--tracing.datadog.localAgentSocket=/var/run/datadog/apm.socket
 ```

 #### `debug`
@@ -65,30 +87,6 @@ tracing:
 --tracing.datadog.debug=true
 ```

-#### `globalTag`
-
-??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
-
-    _Optional, Default=empty_
-    
-    Applies a shared key:value tag on all spans.
-    
-    ```yaml tab="File (YAML)"
-    tracing:
-      datadog:
-        globalTag: sample
-    ```
-    
-    ```toml tab="File (TOML)"
-    [tracing]
-      [tracing.datadog]
-        globalTag = "sample"
-    ```
-    
-    ```bash tab="CLI"
-    --tracing.datadog.globalTag=sample
-    ```
-
 #### `globalTags`

 _Optional, Default=empty_
--- a/docs/content/observability/tracing/opentelemetry.md
+++ b/docs/content/observability/tracing/opentelemetry.md
@@ -0,0 +1,246 @@
+---
+title: "Traefik OpenTelemetry Documentation"
+description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
+---
+
+# OpenTelemetry
+
+To enable the OpenTelemetry tracer:
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry=true
+```
+
+!!! info "The OpenTelemetry trace reporter will export traces to the collector using HTTP by default, see the [gRPC Section](#grpc-configuration) to use gRPC."
+
+!!! info "Trace sampling"
+
+	By default, the OpenTelemetry trace reporter will sample 100% of traces.
+	See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
+
+#### `address`
+
+_Required, Default="localhost:4318", Format="`<host>:<port>`"_
+
+Address of the OpenTelemetry Collector to send spans to.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    address: localhost:4318
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    address = "localhost:4318"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.address=localhost:4318
+```
+
+#### `headers`
+
+_Optional, Default={}_
+
+Additional headers sent with spans by the reporter to the OpenTelemetry Collector.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    headers:
+      foo: bar
+      baz: buz
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.headers]
+    foo = "bar"
+    baz = "buz"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.headers.foo=bar --tracing.openTelemetry.headers.baz=buz
+```
+
+#### `insecure`
+
+_Optional, Default=false_
+
+Allows reporter to send spans to the OpenTelemetry Collector without using a secured protocol.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    insecure: true
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    insecure = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.insecure=true
+```
+
+#### `path`
+
+_Required, Default="/v1/traces"_
+
+Allows to override the default URL path used for sending traces.
+This option has no effect when using gRPC transport.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    path: /foo/v1/traces
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry]
+    path = "/foo/v1/traces"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.path=/foo/v1/traces
+```
+
+#### `tls`
+
+_Optional_
+
+Defines the TLS configuration used by the reporter to send spans to the OpenTelemetry Collector.
+
+##### `ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
+it defaults to the system bundle.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  ca = "path/to/ca.crt"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.ca=path/to/ca.crt
+```
+
+##### `cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `key` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
+When using this option, setting the `cert` option is required.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      cert: path/to/foo.cert
+      key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  cert = "path/to/foo.cert"
+  key = "path/to/foo.key"
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.cert=path/to/foo.cert
+--tracing.openTelemetry.tls.key=path/to/foo.key
+```
+
+##### `insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`,
+the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    tls:
+      insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[tracing.openTelemetry.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.tls.insecureSkipVerify=true
+```
+
+#### gRPC configuration
+
+_Optional_
+
+This instructs the reporter to send spans to the OpenTelemetry Collector using gRPC.
+
+```yaml tab="File (YAML)"
+tracing:
+  openTelemetry:
+    grpc: {}
+```
+
+```toml tab="File (TOML)"
+[tracing]
+  [tracing.openTelemetry.grpc]
+```
+
+```bash tab="CLI"
+--tracing.openTelemetry.grpc=true
+```
--- a/docs/content/observability/tracing/overview.md
+++ b/docs/content/observability/tracing/overview.md
@@ -12,7 +12,7 @@ The tracing system allows developers to visualize call flows in their infrastruc

 Traefik uses OpenTracing, an open standard designed for distributed tracing.

-Traefik supports six tracing backends:
+Traefik supports seven tracing backends:

 - [Jaeger](./jaeger.md)
 - [Zipkin](./zipkin.md)
@@ -20,6 +20,7 @@ Traefik supports six tracing backends:
 - [Instana](./instana.md)
 - [Haystack](./haystack.md)
 - [Elastic](./elastic.md)
+- [OpenTelemetry](./opentelemetry.md)

 ## Configuration

--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@@ -72,7 +72,7 @@ to allow defining:

 - One or more security features through [middlewares](../middlewares/overview.md)
  like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
-  [forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
+  [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).

 - A [router rule](#dashboard-router-rule) for accessing the dashboard,
  through Traefik itself (sometimes referred as "Traefik-ception").
@@ -93,12 +93,12 @@ rule = "Host(`traefik.example.com`)"

 ```bash tab="Path Prefix Rule"
 # The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
-rule = "PathPrefix(`/api`, `/dashboard`)"
+rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
 ```

 ```bash tab="Combination of Rules"
 # The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`) && PathPrefix(`/api`, `/dashboard`)"
+rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 ```

 ??? example "Dashboard Dynamic Configuration Examples"
--- a/docs/content/operations/include-api-examples.md
+++ b/docs/content/operations/include-api-examples.md
@@ -20,7 +20,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes CRD"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: traefik-dashboard
@@ -34,7 +34,7 @@ spec:
    middlewares:
      - name: auth
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth
@@ -51,24 +51,6 @@ spec:
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.api.rule": "Host(`traefik.example.com`)",
-  "traefik.http.routers.api.service": "api@internal",
-  "traefik.http.routers.api.middlewares": "auth",
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.api.rule=Host(`traefik.example.com`)"
-  - "traefik.http.routers.api.service=api@internal"
-  - "traefik.http.routers.api.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:
--- a/docs/content/operations/include-dashboard-examples.md
+++ b/docs/content/operations/include-dashboard-examples.md
@@ -20,7 +20,7 @@ deploy:
 ```

 ```yaml tab="Kubernetes CRD"
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: traefik-dashboard
@@ -34,7 +34,7 @@ spec:
    middlewares:
      - name: auth
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: auth
@@ -51,24 +51,6 @@ spec:
 - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
 ```

-```json tab="Marathon"
-"labels": {
-  "traefik.http.routers.dashboard.rule": "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))",
-  "traefik.http.routers.dashboard.service": "api@internal",
-  "traefik.http.routers.dashboard.middlewares": "auth",
-  "traefik.http.middlewares.auth.basicauth.users": "test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-}
-```
-
-```yaml tab="Rancher"
-# Dynamic Configuration
-labels:
-  - "traefik.http.routers.dashboard.rule=Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
-  - "traefik.http.routers.dashboard.service=api@internal"
-  - "traefik.http.routers.dashboard.middlewares=auth"
-  - "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
 ```yaml tab="File (YAML)"
 # Dynamic Configuration
 http:
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@@ -667,41 +667,6 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consulCatalog:
-        namespace: "production" 
-        # ...
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consulCatalog]
-      namespace = "production"
-      # ...
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consulcatalog.namespace=production
-    # ...
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```

-### `namespace`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
-    _Optional, Default=""_
-    
-    The `namespace` option defines the namespace to query.
-    
-    !!! warning
-    
-        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
-        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-    
-    !!! warning
-    
-        One should only define either the `namespaces` option or the `namespace` option.
-    
-    ```yaml tab="File (YAML)"
-    providers:
-      consul:
-        # ...
-        namespace: "production"
-    ```
-    
-    ```toml tab="File (TOML)"
-    [providers.consul]
-      # ...
-      namespace = "production"
-    ```
-    
-    ```bash tab="CLI"
-    --providers.consul.namespace=production
-    ```
-
 ### `namespaces`

 _Optional, Default=""_
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@@ -95,7 +95,7 @@ and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
 ## Routing Configuration

 When using Docker as a [provider](./overview.md),
-Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#set-metadata-on-container--l---label---label-file) to retrieve its routing configuration.
+Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.

 See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.

@@ -265,7 +265,7 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A

    services:
      traefik:
-         image: traefik:v2.9 # The official v2 Traefik docker image
+         image: traefik:v3.0 # The official v2 Traefik docker image
         ports:
           - "80:80"
         volumes:
@@ -440,10 +440,11 @@ _Optional, Default=```Host(`{{ normalize .Name }}`)```_

 The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.

-It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-The container service name can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this container.
+It must be a valid [Go template](https://pkg.go.dev/text/template/),
+and can use [sprig template functions](https://masterminds.github.io/sprig/).
+The container name can be accessed with the `ContainerName` identifier.
+The service name can be accessed with the `Name` identifier.
+The template has access to all the labels defined on this container with the `Labels` identifier.

 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@@ -234,6 +234,30 @@ providers:
 # ...
 ```

+### `healthyTasksOnly`
+
+_Optional, Default=false_
+
+Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
+
+```yaml tab="File (YAML)"
+providers:
+  ecs:
+    healthyTasksOnly: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.ecs]
+  healthyTasksOnly = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.ecs.healthyTasksOnly=true
+# ...
+```
+
 ### `defaultRule`

 _Optional, Default=```Host(`{{ normalize .Name }}`)```_
--- a/docs/content/providers/file.md
+++ b/docs/content/providers/file.md
@@ -18,7 +18,7 @@ It supports providing configuration through a [single configuration file](#filen

 !!! tip

-    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
+    The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)

 ## Configuration Examples

--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@@ -76,6 +76,26 @@ providers:
 --providers.http.pollTimeout=5s
 ```

+### `headers`
+
+_Optional_
+
+Defines custom headers to be sent to the endpoint.
+
+```yaml tab="File (YAML)"
+providers:
+  headers:
+    name: value
+```
+
+```toml tab="File (TOML)"
+[providers.http.headers]
+  name = "value"
+```
+
+```bash tab="CLI"
+--providers.http.headers.name=value
+
 ### `tls`

 _Optional_
--- a/docs/content/providers/kubernetes-crd.md
+++ b/docs/content/providers/kubernetes-crd.md
@@ -35,10 +35,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku

    ```bash
    # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
    
    # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
    ```

 ## Resource Configuration
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@@ -344,6 +344,35 @@ providers:
 --providers.kubernetesingress.ingressclass=traefik-internal
 ```

+### `disableIngressClassLookup`
+
+_Optional, Default: false_
+
+If the parameter is set to `true`,
+Traefik will not discover IngressClasses in the cluster.
+By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
+Furthermore, when this option is set to `true`,
+Traefik is not able to handle Ingresses with IngressClass references,
+therefore such Ingresses will be ignored.
+Please note that annotations are not affected by this option.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disableIngressClassLookup: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disableIngressClassLookup = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disableingressclasslookup=true
+```
+
 ### `ingressEndpoint`

 #### `hostname`
@@ -502,6 +531,6 @@ providers:
 ### Further

 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.9/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.0/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

 {!traefik-for-business-applications.md!}
--- a/docs/content/providers/marathon.md
+++ b/docs/content/providers/marathon.md
@@ -1,583 +0,0 @@
---
-title: "Traefik Configuration for Marathon"
-description: "Traefik Proxy can be configured to use Marathon as a provider. Read the technical documentation to learn how."
---
-
-# Traefik & Marathon
-
-Traefik can be configured to use Marathon as a provider.
-{: .subtitle }
-
-For additional information, refer to [Marathon user guide](../user-guides/marathon.md).
-
-## Configuration Examples
-
-??? example "Configuring Marathon & Deploying / Exposing Applications"
-
-    Enabling the Marathon provider
-
-    ```yaml tab="File (YAML)"
-    providers:
-      marathon: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.marathon]
-    ```
-
-    ```bash tab="CLI"
-    --providers.marathon=true
-    ```
-
-    Attaching labels to Marathon applications
-
-    ```json
-	{
-		"id": "/whoami",
-		"container": {
-			"type": "DOCKER",
-			"docker": {
-				"image": "traefik/whoami",
-				"network": "BRIDGE",
-				"portMappings": [
-					{
-						"containerPort": 80,
-						"hostPort": 0,
-						"protocol": "tcp"
-					}
-				]
-			}
-		},
-		"labels": {
-			"traefik.http.Routers.app.Rule": "PathPrefix(`/app`)"
-		}
-	}
-    ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/marathon.md).
-
-## Provider Configuration
-
-### `basic`
-
-_Optional_
-
-Enables Marathon basic authentication.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    basic:
-      httpBasicAuthUser: foo
-      httpBasicPassword: bar
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.basic]
-  httpBasicAuthUser = "foo"
-  httpBasicPassword = "bar"
-```
-
-```bash tab="CLI"
--providers.marathon.basic.httpbasicauthuser=foo
--providers.marathon.basic.httpbasicpassword=bar
-```
-
-### `dcosToken`
-
-_Optional_
-
-Datacenter Operating System (DCOS) Token for DCOS environment.
-
-If set, it overrides the Authorization header.
-
-```toml tab="File (YAML)"
-providers:
-  marathon:
-    dcosToken: "xxxxxx"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  dcosToken = "xxxxxx"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.dcosToken=xxxxxx
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/),
-and can include [sprig template functions](https://masterminds.github.io/sprig/).
-
-The app ID can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this Marathon application.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
-# ...
-```
-
-### `dialerTimeout`
-
-_Optional, Default=5s_
-
-Amount of time the Marathon provider should wait before timing out,
-when trying to open a TCP connection to a Marathon master.
-
-The value of `dialerTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    dialerTimeout: "10s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  dialerTimeout = "10s"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.dialerTimeout=10s
-```
-
-### `endpoint`
-
-_Optional, Default=http://127.0.0.1:8080_
-
-Marathon server endpoint.
-
-You can optionally specify multiple endpoints.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    endpoint: "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Exposes Marathon applications by default through Traefik.
-
-If set to `false`, applications that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    exposedByDefault: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  exposedByDefault = false
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.exposedByDefault=false
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the application labels to determine whether
-to create any route for that application. If none of the application labels match the expression, no route for that application is
-created. In addition, the expression is also matched against the application constraints, such as described
-in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
-If the expression is empty, all detected applications are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic.
-In addition, to match against Marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are concatenated in a single string using the `:` separator.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-
-    ```toml
-    # Excludes applications having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-
-    ```toml
-    # Includes only applications having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-    ```toml
-    # Includes only applications having a Marathon constraint with field `A`, operator `B`, and value `C`.
-    constraints = "MarathonConstraint(`A:B:C`)"
-    ```
-
-    ```toml
-    # Uses both Marathon constraint and application label with logical operator.
-    constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
-    ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    constraints: "Label(`a.label.name`,`foo`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-### `forceTaskHostname`
-
-_Optional, Default=false_
-
-By default, the task IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
-otherwise, the name of the host running the task is used.
-The latter behavior can be enforced by setting this option to `true`.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    forceTaskHostname: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  forceTaskHostname = true
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.forceTaskHostname=true
-# ...
-```
-
-### `keepAlive`
-
-_Optional, Default=10s_
-
-Set the TCP Keep Alive duration for the Marathon HTTP Client.
-The value of `keepAlive` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    keepAlive: "30s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  keepAlive = "30s"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.keepAlive=30s
-# ...
-```
-
-### `respectReadinessChecks`
-
-_Optional, Default=false_
-
-Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
-Enabling `respectReadinessChecks` causes Traefik to filter out tasks whose readiness checks have not succeeded.
-Note that the checks are only valid during deployments.
-
-See the Marathon guide for details.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    respectReadinessChecks: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  respectReadinessChecks = true
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.respectReadinessChecks=true
-# ...
-```
-
-### `responseHeaderTimeout`
-
-_Optional, Default=60s_
-
-Amount of time the Marathon provider should wait before timing out when waiting for the first response header
-from a Marathon master.
-
-The value of `responseHeaderTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    responseHeaderTimeout: "66s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  responseHeaderTimeout = "66s"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.responseHeaderTimeout=66s
-# ...
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Marathon.
-
-#### `ca`
-
-`ca` is the path to the certificate authority used for the secure connection to Marathon,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
--providers.marathon.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Marathon.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      cert: path/to/foo.cert
-      key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--providers.marathon.tls.cert=path/to/foo.cert
--providers.marathon.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Marathon.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      cert: path/to/foo.cert
-      key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  cert = "path/to/foo.cert"
-  key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
--providers.marathon.tls.cert=path/to/foo.cert
--providers.marathon.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tls:
-      insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.marathon.tls]
-  insecureSkipVerify = true
-```
-
-```bash tab="CLI"
--providers.marathon.tls.insecureSkipVerify=true
-```
-
-### `tlsHandshakeTimeout`
-
-_Optional, Default=5s_
-
-Amount of time the Marathon provider should wait before timing out,
-when waiting for the TLS handshake to complete.
-
-The value of `tlsHandshakeTimeout` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    tlsHandshakeTimeout: "10s"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  tlsHandshakeTimeout = "10s"
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.tlsHandshakeTimeout=10s
-# ...
-```
-
-### `trace`
-
-_Optional, Default=false_
-
-Displays additional provider logs when available.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    trace: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  trace = true
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.trace=true
-# ...
-```
-
-### `watch`
-
-_Optional, Default=true_
-
-When set to `true`, watches for Marathon changes.
-
-```yaml tab="File (YAML)"
-providers:
-  marathon:
-    watch: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.marathon]
-  watch = false
-  # ...
-```
-
-```bash tab="CLI"
--providers.marathon.watch=false
-# ...
-```
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@@ -440,26 +440,67 @@ providers:

 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

-### `namespace`
+### `namespaces`
+
+??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
+
+    _Optional, Default=""_
+
+    The `namespace` option defines the namespace in which the Nomad services will be discovered.
+    
+    !!! warning
+    
+        One should only define either the `namespaces` option or the `namespace` option.
+
+    ```yaml tab="File (YAML)"
+    providers:
+      nomad:
+        namespace: "production"
+        # ...
+    ```
+
+    ```toml tab="File (TOML)"
+    [providers.nomad]
+      namespace = "production"
+      # ...
+    ```
+
+    ```bash tab="CLI"
+    --providers.nomad.namespace=production
+    # ...
+    ```
+
+### `namespaces`

 _Optional, Default=""_

-The `namespace` option defines the namespace in which the Nomad services will be discovered.
+The `namespaces` option defines the namespaces in which the nomad services will be discovered.
+When using the `namespaces` option, the discovered object names will be suffixed as shown below:
+
+```text
+<resource-name>@nomad-<namespace>
+```
+
+!!! warning
+  
+    One should only define either the `namespaces` option or the `namespace` option.

 ```yaml tab="File (YAML)"
 providers:
  nomad:
-    namespace: "production"
+    namespaces:
+      - "ns1"
+      - "ns2"
    # ...
 ```

 ```toml tab="File (TOML)"
 [providers.nomad]
-  namespace = "production"
+  namespaces = ["ns1", "ns2"]
  # ...
 ```

 ```bash tab="CLI"
--providers.nomad.namespace=production
+--providers.nomad.namespaces=ns1,ns2
 # ...
 ```
--- a/docs/content/providers/overview.md
+++ b/docs/content/providers/overview.md
@@ -82,7 +82,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
    ```

    ```yaml tab="Kubernetes Ingress Route"
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: IngressRoute
    metadata:
      name: ingressroutestripprefix
@@ -104,7 +104,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
    ```

    ```yaml tab="Kubernetes Ingress"
-    apiVersion: traefik.containo.us/v1alpha1
+    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: stripprefix
@@ -141,8 +141,6 @@ Below is the list of the currently supported providers in Traefik.
 | [Consul Catalog](./consul-catalog.md)             | Orchestrator | Label                | `consulcatalog`     |
 | [Nomad](./nomad.md)                               | Orchestrator | Label                | `nomad`             |
 | [ECS](./ecs.md)                                   | Orchestrator | Label                | `ecs`               |
-| [Marathon](./marathon.md)                         | Orchestrator | Label                | `marathon`          |
-| [Rancher](./rancher.md)                           | Orchestrator | Label                | `rancher`           |
 | [File](./file.md)                                 | Manual       | YAML/TOML format     | `file`              |
 | [Consul](./consul.md)                             | KV           | KV                   | `consul`            |
 | [Etcd](./etcd.md)                                 | KV           | KV                   | `etcd`              |
@@ -216,8 +214,6 @@ List of providers that support these features:
 - [ECS](./ecs.md#exposedbydefault)
 - [Consul Catalog](./consul-catalog.md#exposedbydefault)
 - [Nomad](./nomad.md#exposedbydefault)
- [Rancher](./rancher.md#exposedbydefault)
- [Marathon](./marathon.md#exposedbydefault)

 ### Constraints

@@ -227,8 +223,6 @@ List of providers that support constraints:
 - [ECS](./ecs.md#constraints)
 - [Consul Catalog](./consul-catalog.md#constraints)
 - [Nomad](./nomad.md#constraints)
- [Rancher](./rancher.md#constraints)
- [Marathon](./marathon.md#constraints)
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
--- a/docs/content/providers/rancher.md
+++ b/docs/content/providers/rancher.md
@@ -1,286 +0,0 @@
---
-title: ""Traefik Configuration Discovery: Rancher""
-description: "Read the official Traefik documentation to learn how to expose Rancher services by default in Traefik Proxy."
---
-
-# Traefik & Rancher
-
-A Story of Labels, Services & Containers
-{: .subtitle }
-
-![Rancher](../assets/img/providers/rancher.png)
-
-Attach labels to your services and let Traefik do the rest!
-
-!!! important "This provider is specific to Rancher 1.x."
-
-    Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-    As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](./kubernetes-crd.md) directly.
-
-## Configuration Examples
-
-??? example "Configuring Rancher & Deploying / Exposing Services"
-
-    Enabling the Rancher provider
-
-    ```yaml tab="File (YAML)"
-    providers:
-      rancher: {}
-    ```
-
-    ```toml tab="File (TOML)"
-    [providers.rancher]
-    ```
-
-    ```bash tab="CLI"
-    --providers.rancher=true
-    ```
-
-    Attaching labels to services
-
-    ```yaml
-    labels:
-      - traefik.http.services.my-service.rule=Host(`example.com`)
-    ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/rancher.md).
-
-## Provider Configuration
-
-??? tip "Browse the Reference"
-
-    For an overview of all the options that can be set with the Rancher provider, see the following snippets:
-
-    ```yaml tab="File (YAML)"
-    --8<-- "content/providers/rancher.yml"
-    ```
-
-    ```toml tab="File (TOML)"
-    --8<-- "content/providers/rancher.toml"
-    ```
-
-    ```bash tab="CLI"
-    --8<-- "content/providers/rancher.txt"
-    ```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose Rancher services by default in Traefik.
-If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    exposedByDefault: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  exposedByDefault = false
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.exposedByDefault=false
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-The service name can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
-This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
-# ...
-```
-
-### `enableServiceHealthFilter`
-
-_Optional, Default=true_
-
-Filter out services with unhealthy states and inactive states.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    enableServiceHealthFilter: false
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  enableServiceHealthFilter = false
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.enableServiceHealthFilter=false
-# ...
-```
-
-### `refreshSeconds`
-
-_Optional, Default=15_
-
-Defines the polling interval (in seconds).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    refreshSeconds: 30
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  refreshSeconds = 30
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.refreshSeconds=30
-# ...
-```
-
-### `intervalPoll`
-
-_Optional, Default=false_
-
-Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
-which is less accurate than the default long polling technique which provides near instantaneous updates to Traefik.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    intervalPoll: true
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  intervalPoll = true
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.intervalPoll=true
-# ...
-```
-
-### `prefix`
-
-_Optional, Default="/latest"_
-
-Prefix used for accessing the Rancher metadata service.
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    prefix: "/test"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  prefix = "/test"
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.prefix=/test
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
-to create any route for that container. If none of the container tags match the expression, no route for that container is
-created. If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as
-the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and value `foo`
-    constraints = "Label(`a.label.name`, `foo`)"
-    ```
-
-    ```toml
-    # Excludes containers having any label with key `a.label.name` and value `foo`
-    constraints = "!Label(`a.label.name`, `value`)"
-    ```
-
-    ```toml
-    # With logical AND.
-    constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical OR.
-    constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
-    ```
-
-    ```toml
-    # With logical AND and OR, with precedence set by parentheses.
-    constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
-    ```
-
-    ```toml
-    # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
-    constraints = "LabelRegex(`a.label.name`, `a.+`)"
-    ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
-
-```yaml tab="File (YAML)"
-providers:
-  rancher:
-    constraints: "Label(`a.label.name`,`foo`)"
-    # ...
-```
-
-```toml tab="File (TOML)"
-[providers.rancher]
-  constraints = "Label(`a.label.name`,`foo`)"
-  # ...
-```
-
-```bash tab="CLI"
--providers.rancher.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
--- a/docs/content/providers/rancher.toml
+++ b/docs/content/providers/rancher.toml
@@ -1,20 +0,0 @@
-# Enable Rancher Provider.
-[providers.rancher]
-
-  # Expose Rancher services by default in Traefik.
-  exposedByDefault = true
-
-  # Enable watch Rancher changes.
-  watch = true
-
-  # Filter services with unhealthy states and inactive states.
-  enableServiceHealthFilter = true
-
-  # Defines the polling interval (in seconds).
-  refreshSeconds = 15
-
-  # Poll the Rancher metadata service for changes every `rancher.refreshSeconds`, which is less accurate
-  intervalPoll = false
-
-  # Prefix used for accessing the Rancher metadata service
-  prefix = "/latest"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Administrator	32469331f2	Merge pull request 'master' (#4 ) from Ivasoft/traefik:master into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #4	2023-04-21 07:07:09 +00:00
Fernandez Ludovic	8174860770	Merge branch v3.0 into master	2023-03-22 16:54:12 +01:00
sven	598caf6f78	Adjust quick start	2023-03-22 16:53:41 +01:00
Ludovic Fernandez	8b47c5adf7	Remove deprecated code	2023-03-22 16:40:06 +01:00
Fernandez Ludovic	a3bcf0f39e	Merge branch v2.10 into v3.0	2023-03-22 12:52:38 +01:00
Ludovic Fernandez	be702c2b61	Prepare release v2.10.0-rc1	2023-03-22 11:06:05 +01:00
Fernandez Ludovic	54f6144ef2	Merge branch v2.9 into v2.10	2023-03-21 17:11:20 +01:00
Romain	a020ab640d	Prepare release v2.9.9	2023-03-21 16:47:43 +01:00
Fernandez Ludovic	7875826bd9	Merge branch v2.10 into v3.0	2023-03-21 16:45:33 +01:00
Romain	f7be1e97df	Support multiple namespaces in the Nomad Provider	2023-03-21 15:50:06 +01:00
Romain	48a2c8e41c	Fix Nomad client TLS defaults	2023-03-21 15:32:06 +01:00
mpl	358f47443e	hub: get out of experimental. Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2023-03-20 21:14:05 +01:00
sven	3b9e155807	docs: update order of log levels	2023-03-20 18:56:06 +01:00
Michael	2083e4bc16	feat: use env variable in github actions	2023-03-20 18:30:08 +01:00
Romain	c823879097	Add prometheus metric requests_total with headers Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2023-03-20 18:06:07 +01:00
Thomas Quinot	4bc2305ed3	Expose ContainerName in Docker provider	2023-03-20 17:42:06 +01:00
Philipp Trulson	99d779a546	Add support to send DataDog traces via Unix Socket	2023-03-20 17:16:08 +01:00
Romain	6e460cd652	Native Kubernetes service load-balancing	2023-03-20 16:46:05 +01:00
mpl	7c2af10bbd	Fix open connections metric Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2023-03-20 16:02:06 +01:00
Romain	7af9d16208	Introduce traefik.io API Group CRDs	2023-03-20 15:38:08 +01:00
Romain	598a257ae1	Remove config reload failure metrics	2023-03-20 15:14:05 +01:00
Aofei Sheng	b3f162a8a6	Fix default configuration settings for Nomad Provider	2023-03-20 10:44:05 +01:00
Romain	4aa3496092	Add HTTP 103 early hints unit test Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2023-03-17 16:46:06 +01:00
mpl	bbe6a5c07b	doc: clarify ratelimit middleware	2023-03-14 14:58:06 +01:00
mpl	20e47d9102	compress: add no compress unit tests	2023-03-02 10:26:05 +01:00
Romain	21c455cf20	Remove User-Agent header removal from ReverseProxy director func	2023-02-28 17:06:05 +01:00
Ludovic Fernandez	667b2a4078	Update vulcand/oxy to a0e9f7ff1040 Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2023-02-27 15:24:21 +01:00
Ludovic Fernandez	4ae07d91a4	Update go-acme/lego to v4.10.2	2023-02-27 09:36:06 +01:00
Raphael Pinto	7bdf13ebdc	Correcting variable name 'server address' in TCP Router	2023-02-23 23:38:05 +01:00
Romain	807feef176	Include user-defined default cert for traefik_tls_certs_not_after metric Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2023-02-23 16:14:06 +01:00
Ludovic Fernandez	7202038649	chore: update to go1.20	2023-02-23 15:06:05 +01:00
Ludovic Fernandez	dd710dbeb7	chore: update quic-go to v0.33.0	2023-02-23 10:54:05 +01:00
Aofei Sheng	f26e250648	Mention PathPrefix matcher changes in V3 Migration Guide	2023-02-16 15:54:05 +01:00
Ben Iofel	80790cba17	Fix yaml indentation in the HTTP3 example	2023-02-16 14:36:05 +01:00
Romain	2e6e5cbd03	Prepare release v2.9.8	2023-02-15 16:02:06 +01:00
romain	241fb5093a	Merge current v2.9 into v3.0	2023-02-15 11:29:28 +01:00
Ludovic Fernandez	ab36ea7844	fix: update golang.org/x/net to v0.7.0	2023-02-15 09:56:19 +01:00
Romain	cfef9d9df2	Prepare release v2.9.7	2023-02-14 16:09:19 +01:00
Fernandez Ludovic	9ce69fbdef	chore: update some dependencies	2023-02-14 15:44:21 +01:00
Romain	1a6dfe1f6b	Adds the support for IPv6 in the TCP HostSNI matcher	2023-02-14 15:04:05 +01:00
Ludovic Fernandez	e053eb6f17	Update go-acme/lego to v4.10.0	2023-02-10 11:36:10 +01:00
mpl	780936eff9	doc: add note about remoteaddr strategy	2023-02-09 17:34:06 +01:00
mpl	0503253cfe	doc: add CNAME support and gotchas	2023-02-09 17:12:06 +01:00
Ludovic Fernandez	39331e41a8	Update Yaegi to v0.15.0	2023-02-09 11:52:05 +01:00
Roman Vaníček	fb86f5ea8f	Merge pull request 'Use DDNS for swarm load balancing' (#2 ) from rv/traefik:master into master All checks were successful continuous-integration/drone/push Build is passing Details Reviewed-on: #2	2023-02-03 16:18:36 +00:00
Ludovic Fernandez	044dc6a221	fix: go module	2023-02-03 15:24:05 +01:00
Roman Vaníček	1c0b30963b	In DNSRR there is no Endpoint.VirtualIPs - use Spec.TaskTemplate.Networks All checks were successful continuous-integration/drone/pr Build is passing Details	2023-02-03 00:11:24 +01:00
Roman Vaníček	c757750ff3	Merge branch 'master' of https://git.ivasoft.cz/rv/traefik All checks were successful continuous-integration/drone/pr Build is passing Details	2023-02-02 21:27:19 +01:00
Roman Vaníček	a2089c3a5d	CI build trigger.	2023-02-02 21:26:49 +01:00
Romain	38f5024ed0	Differentiate UDP stream and TCP connection in logs	2023-01-31 16:00:10 +01:00
mpl	479878503d	quic-go: bump to 89769f409f	2023-01-31 14:38:05 +01:00
Ludovic Fernandez	6f6c1f7fec	Update dependencies	2023-01-30 09:34:44 +01:00
Roman Vaníček	881bfb4b11	Merge branch 'master' into master Some checks failed continuous-integration/drone/pr Build is failing Details	2023-01-26 08:57:22 +00:00
Roman Vaníček	d1899ff250	Use DDNS for swarm load balancing Some checks failed continuous-integration/drone/pr Build was killed Details	2023-01-26 09:40:23 +01:00
Roman Vaníček	7a284c0840	Merge pull request 'master' (#1 ) from rv/traefik:master into master Some checks are pending continuous-integration/drone/push Build is running Details continuous-integration/drone Build is passing Details Reviewed-on: #1	2023-01-25 23:14:34 +00:00
Roman Vaníček	48f3e5cf1c	FIX Drone CI repo	2023-01-25 23:55:20 +01:00
Roman Vaníček	34c3effdde	Drone CI	2023-01-25 23:53:15 +01:00
Ludovic Fernandez	e50bf21a84	Update Structor to v1.12.0	2023-01-23 10:44:04 +01:00
Ludovic Fernandez	d66875f903	Update paerser to v0.2.0	2023-01-23 09:34:04 +01:00
Romain	707f84e2e4	Don't log EOF or timeout errors while peeking first bytes in Postgres StartTLS hook	2023-01-12 12:28:04 +01:00
Pedro González Serrano	f94298e867	Fix datasource variable of the Grafana dashboard	2023-01-11 15:16:06 +01:00
Romain	b995a11d63	Prevent panicking when a container has no network interfaces Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2023-01-11 15:14:05 +01:00
Tom Moulard	e1abf103c0	Add OpenTelemetry in observability overview Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2023-01-10 17:06:04 +01:00
Paulo Júnior	f01a668d53	feat: update copyright to match new standard	2023-01-09 19:56:04 +01:00
bendre90	8cd4923e72	Added router priority to webui's list and detail page	2023-01-09 17:24:05 +01:00
Tom Moulard	cd90b9761a	Merge current v2.9 into v3.0	2023-01-09 16:21:45 +01:00
sven	e82976e001	Add info admonition about routing to k8 services	2023-01-09 16:07:09 +01:00
Tom Moulard	f0f5f41fb9	Fix OpenTelemetry service name Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2023-01-06 09:10:05 +01:00
hcooper	c9e9e8dee2	Further Let's Encrypt ratelimit warnings	2023-01-04 12:10:05 +01:00
Witold Duranek	0861c47e54	fix no rate limiting if average is 0	2023-01-03 16:16:05 +01:00
Baptiste Mayelle	8bf68b7efd	Grafana dashboard showing ms instead of s	2023-01-02 17:34:04 +01:00
Tom Moulard	e1e86763e3	Prevents superfluous WriteHeader call in the error middleware Co-authored-by: LandryBe <lbenguigui@gmail.com>	2023-01-02 17:00:05 +01:00
kevinpollet	b22aef7fff	Merge branch v2.9 into v3.0	2023-01-02 15:20:39 +01:00
Kevin Pollet	b9a175f5c2	Update copyright for 2023	2023-01-02 12:12:05 +01:00
Tom Moulard	a2016a2953	Detect dashboard assets content types Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-12-29 09:46:04 +01:00
Tom Moulard	c38d405cfd	Remove containous/mux from HTTP muxer Co-authored-by: Simon Delicata <simon.delicata@traefik.io>	2022-12-22 17:16:04 +01:00
jandillenkofer	8c98234c07	Add option to the Ingress provider to disable IngressClass lookup	2022-12-22 16:30:05 +01:00
Roman Tomjak	d046af2e91	Add support for HTTPRequestRedirectFilter in k8s Gateway API	2022-12-22 15:02:05 +01:00
Tom Moulard	943238faba	Remove InfluxDB v1 metrics middleware	2022-12-19 14:32:04 +01:00
Romain	2b67f1f66f	Remove Marathon provider	2022-12-19 11:52:05 +01:00
tfny	943811fad6	Update submitting pull requests to include language about drafts	2022-12-19 11:42:04 +01:00
Tom Moulard	2ad1fd725a	Remove Rancher v1 provider	2022-12-19 10:42:05 +01:00
Charlie Haley	7129f03dc9	fix: update opentelemetry dependency versions	2022-12-19 09:54:04 +01:00
Ludovic Fernandez	29b8b6911e	fix: sanitize X-Forwarded-Proto header in RedirectScheme middleware Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-12-16 10:34:04 +01:00
mloiseleur	e7baf44a2e	doc: Improve TLSStore CRD documentation	2022-12-15 14:32:06 +01:00
mpl	74ef79ea23	mitigate race against server readiness in test Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-12-15 11:18:05 +01:00
mloiseleur	748254b6c5	doc: Update Grafana Official Dashboards	2022-12-13 16:16:06 +01:00
Douglas De Toni Machado	a08a428787	Support HostSNIRegexp in GatewayAPI TLS routes	2022-12-12 16:30:05 +01:00
Simon Delicata	3eeea2bb2b	Add TCP Servers Transports support Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-12-09 09:58:05 +01:00
mpl	da93dab828	make file provider more resilient wrt first configuration Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2022-12-09 09:48:04 +01:00
Ludovic Fernandez	c2dac39da1	fix: detect dashboard content types Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>	2022-12-09 08:24:05 +01:00
Tom Moulard	e54ee89330	Prepare release v3.0.0-beta2	2022-12-07 17:26:04 +01:00
Simon Delicata	fdd3f2abef	Moves HTTP/3 outside the experimental section	2022-12-07 17:02:05 +01:00
Tom Moulard	517917cd7c	Merge current v2.9 into master	2022-12-07 15:55:46 +01:00
Tom Moulard	d97d3a6726	Prepare release v2.9.6	2022-12-07 15:14:05 +01:00
Tom Moulard	6c75052a13	Change traefik cmd error log to error level	2022-12-07 11:34:06 +01:00
Ludovic Fernandez	a8df674dcf	fix: flaky tests	2022-12-07 10:56:05 +01:00
Ludovic Fernandez	abd569701f	fix: update golang.org/x/net	2022-12-07 10:02:04 +01:00
mpl	7e3fe48b80	Handle broken TLS conf better Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com> Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-12-06 18:28:05 +01:00
Tom Moulard	8cf9385938	Rework Host and HostRegexp matchers Co-authored-by: Simon Delicata <simon.delicata@traefik.io>	2022-12-06 10:40:06 +01:00
Romain	519ed8bde5	Prepare release v3.0.0-beta1	2022-12-05 16:58:04 +01:00
romain	46a61ce9c8	Merge remote-tracking branch 'upstream/v2.9' into merge-branch-v2.9-into-master	2022-12-05 15:23:06 +01:00
Ludovic Fernandez	778188ed34	fix: remove logs of the request	2022-12-05 11:30:05 +01:00
Nicolas Mengin	88603810a8	Add information about the Hub Agent	2022-12-01 14:30:06 +01:00
mloiseleur	c7647b4938	doc: Update Helm installation section	2022-12-01 10:10:05 +01:00
Janik	af71443b61	Added networking example	2022-11-30 15:04:05 +01:00
Ludovic Fernandez	c57876c116	Improve provider logs	2022-11-30 09:50:05 +01:00
Tom Moulard	0d81fac3fc	Add OpenTelemetry tracing and metrics support	2022-11-29 15:34:05 +01:00
Simon Delicata	db287c4d31	Disable Content-Type auto-detection by default	2022-11-29 11:48:05 +01:00
Antoine	4d86668af3	Update routing syntax Co-authored-by: Tom Moulard <tom.moulard@traefik.io>	2022-11-28 15:48:05 +01:00
Fernandez Ludovic	b93141992e	Merge branch v2.9 into master	2022-11-28 09:01:53 +01:00
Ludovic Fernandez	18d66d7432	Update go-acme/lego to v4.9.1	2022-11-28 08:48:04 +01:00
Simon Delicata	a3e4c85ec0	Remove deprecated options	2022-11-25 10:50:06 +01:00
Ludovic Fernandez	bee86b5ac7	fix: log level	2022-11-25 09:52:04 +01:00
Ludovic Fernandez	0ba51d62fa	fix: flaky with shutdown tests	2022-11-24 17:06:07 +01:00
Kevin Pollet	268d1edc8f	Fix flaky healthcheck test	2022-11-24 16:32:05 +01:00
Ludovic Fernandez	580e7fa774	fix: flaky tests on the configuration watcher	2022-11-24 16:00:06 +01:00
Romain	7c72780820	Add missing serialNumber passTLSClientCert option to middleware panel	2022-11-24 12:30:05 +01:00
Ali Afsharzadeh	46c266661c	Add a status option to the service health check	2022-11-24 11:40:05 +01:00
Fernandez Ludovic	61325d7b91	Merge branch v2.9 into master	2022-11-23 17:30:49 +01:00
Kevin Pollet	68e8eb2435	Update k3s image to rancher/k3s:v1.20.15-k3s1	2022-11-23 17:28:04 +01:00
Kevin Pollet	3f8aa13e68	Fix error when setting ServerUp metric labels	2022-11-23 16:04:05 +01:00
Ludovic Fernandez	08279047ae	Improve test logger assertions	2022-11-23 12:14:04 +01:00
Ludovic Fernandez	3dd4968c41	Retry on plugin API calls	2022-11-23 11:42:04 +01:00
Fernandez Ludovic	ba1ca68977	Merge branch v2.9 into master	2022-11-23 09:22:52 +01:00
Ludovic Fernandez	81a5b1b4c8	Increase the timeout on plugin download	2022-11-22 18:30:05 +01:00
Romain	52e6ce95cf	Update DataDog tracing dependency to v1.43.1	2022-11-22 15:12:06 +01:00
Jérôme Guiard	d547718fdd	Support of allowEmptyServices in TraefikService	2022-11-22 10:18:04 +01:00
Ludovic Fernandez	56f7515ecd	New logger for the Traefik logs	2022-11-21 18:36:05 +01:00
mpl	af4e74c39d	doc: clarify PathPrefix greediness	2022-11-21 17:30:06 +01:00
xmessi	27c02b5a56	Log TLS client subject	2022-11-21 10:18:05 +01:00
Romain	f6b7940b76	Prepare release v2.9.5 (#9513 )	2022-11-17 15:57:23 +01:00
Simon Delicata	f1b91a119d	Create a new capture instance for each incoming request Co-authored-by: Romain <rtribotte@users.noreply.github.com>	2022-11-17 10:26:06 +01:00
Romain	630de7481e	Support SNI routing with Postgres STARTTLS connections Co-authored-by: Michael Kuhnt <michael.kuhnt@daimler.com> Co-authored-by: Julien Salleyron <julien@containo.us> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-11-16 15:34:10 +01:00
Julien Salleyron	fadee5e87b	Rework servers load-balancer to use the WRR Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-16 11:38:07 +01:00
sven	35d8281f4d	docs(contributing): enhance wording of building-testing page	2022-11-15 19:34:04 +01:00
Greg	67d9c8da0b	Add support for Brotli Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-11-15 10:56:08 +01:00
sven	00de5c711a	docs(contributing): add link descriptions and update wording	2022-11-15 10:28:07 +01:00
Charlie Haley	b935c80dbd	docs: update helm repository	2022-11-14 16:04:16 +01:00
tfny	22c6630412	Removes the experimental tag on the Traefik Hub header	2022-11-09 00:12:05 +01:00
mloiseleur	1a1cfd1adc	Update and publish official Grafana Dashboard	2022-11-08 15:32:06 +01:00
Ngọc Long	240fb871b6	Support gRPC and gRPC-Web protocol in metrics	2022-11-08 10:52:09 +01:00
Kevin Pollet	b2c4221429	Update vulcand/oxy to v1.4.2	2022-11-07 10:28:08 +01:00
Ludovic Fernandez	d131ef57da	chore: update nhooyr.io/websocket	2022-11-03 16:30:08 +01:00
Ludovic Fernandez	97de552e06	chore: update github.com/opencontainers/runc	2022-11-03 16:28:05 +01:00
kevinpollet	281fa25844	Merge branch v2.9 into master	2022-10-28 09:22:36 +02:00
Fernandez Ludovic	454f552691	Prepare release v2.9.4	2022-10-27 20:40:05 +02:00
Fernandez Ludovic	7258048403	Prepare release v2.9.3	2022-10-27 17:50:54 +02:00
Julien Salleyron	bd3eaf4f5e	Add GrpcWeb middleware Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2022-10-27 17:34:06 +02:00
Ludovic Fernandez	7a6bfd3336	chore: change TCP middleware package	2022-10-26 17:42:07 +02:00
Wambugu	1b9873cae9	Renaming IPWhiteList to IPAllowList	2022-10-26 17:16:05 +02:00
Fernandez Ludovic	e86f21ae7b	Merge branch 'v2.9' into master	2022-10-24 11:24:41 +02:00
Julien Levesy	194247caae	Check if default servers transport spiffe config is not nil	2022-10-18 10:28:07 +02:00
kevinpollet	cd0654026a	Merge branch v2.9 into master	2022-10-17 18:53:37 +02:00
Julien Levesy	b39ce8cc58	Support SPIFFE mTLS between Traefik and Backend servers	2022-10-14 17:16:08 +02:00
Kevin Pollet	33f0aed5ea	Support custom headers when fetching configuration through HTTP	2022-10-14 15:10:10 +02:00
kalle (jag)	188ef84c4f	Allow to define default entrypoints (for HTTP/TCP)	2022-10-11 09:36:08 +02:00
kevinpollet	a5c520664a	Merge branch v2.9 into master	2022-10-06 16:40:09 +02:00
Kevin Pollet	38d7011487	Add Tailscale certificate resolver Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>	2022-09-30 15:20:08 +02:00
jjacque	033fccccc7	Support gRPC healthcheck	2022-09-20 16:54:08 +02:00
Michael Hampton	df99a9fb57	Add option to keep only healthy ECS tasks	2022-09-20 15:42:08 +02:00
Thomas Harris	d6b69e1347	Support multiple namespaces in the Nomad Provider	2022-09-19 16:26:08 +02:00
romain	4bd055cf97	Merge branch v2.9 into master	2022-09-19 13:52:58 +02:00